Privileged access management – why use a secure workstation?
Cloud computing has become a vital part of modern business, offering many benefits such as scalability, flexibility and cost-efficiency. However, cloud environments also pose significant security challenges, especially when it comes to managing privileged access to critical systems and data.
Privileged access management (PAM) is a security measure that allows organisations to control and monitor the activity of privileged users, such as administrators, developers and service account holders, who have elevated permissions to access high-risk systems and resources.
In this blog post, I will explain how to use secure workstations known as privileged access workstations.
Privileged management
Privileged management is a critical security measure that every company should implement in their environment. In financial institutions, privileged management is especially important because of the high stakes and risks involved. Financial data, transactions, customer information and regulatory compliance are some of the areas that require strict security and oversight. A breach or misuse of privileged access can result in financial losses, reputational damage, legal liabilities and regulatory penalties.
Every company should have a plan for how to implement privileged management in their environment following the zero-trust model.
Some of the best practices regarding how to implement privileged management include:
- Use dedicated workstations for privileged tasks: Privileged users should not use their regular workstations for performing privileged tasks. Instead, they should use separate workstations that are dedicated to this purpose.
- Implement strong authentication and authorisation mechanisms: Privileged users should be required to authenticate themselves using multiple factors, such as passwords, tokens, biometrics, or certificates, and be authorised based on their roles and responsibilities.
- Access control: Implement ‘Just in time’ and least privileged mechanisms based on a need-to-know and least-privilege basis.
- Monitor and audit privileged activities: Privileged users should be monitored and audited for their actions and behaviours on their workstations and cloud environments.
Why use a privileged access workstation?
One of the most common methods for protecting the cloud is to secure all administrative access to the cloud computing environment via a dedicated workstation, called a privileged access workstation (PAW).
PAWs reduce the attack surface and limit the exposure of privileged credentials. PAWs also help enforce the principle of least privilege, which means that users only have the minimum level of access required to perform their tasks.
To protect privileged accounts from compromise, it is recommended to use PAWs for any administrative tasks.
How to build a privileged access workstation
A PAW is a dedicated hardened workstation managed with modern mobile device management such as Intune.
To start building a PAW, first we need to establish a root of trust which starts with the hardware and operating system. Hardware capabilities that must be considered in the selection should include the following:
- Trusted Platform Module (TPM) 2.0
- BitLocker Drive encryption
- UEFI Secure Boot
- Drivers and Firmware Distributed through Windows Update
- Virtualisation and HVCI Enabled
- Drivers and Apps HVCI-Ready
- Windows Hello
- DMA I/O Protection
- System Guard
The operating system must be obtained following the ‘clean source principle’ from a trusted provider.
Once the OS is installed, PAW will be enrolled into the mobile device management system and hardening policies will be applied.
Hardening policies include security controls that restrict local administrative access and productivity tools to minimise the attack surface. Dedicated PAWs cannot be used for web browsing, email and other risky applications. This is sometimes the biggest challenge for companies as web traffic is restricted and limited only to necessary destinations. (e.g., access to the management portal, access to Secure Virtual Desktop).
Hardening policies also include the use of credential guard, device guard, app guard and exploit guard to help to protect the workstation from malicious behaviour. Application installation is managed with AppLocker and all default unnecessary applications are removed to minimise the attack surface.
To successfully implement privileged access workstations, all other privileged management elements need to be considered, including accounts, intermediaries, cloud security policies and application security policies.
Conclusion
In conclusion, privileged access management is essential for securing cloud environments and protecting critical systems and data from unauthorised access or misuse.
Companies can enhance their privileged management capabilities by implementing privileged access workstations. This can help them protect their systems and data from internal and external threats, comply with regulatory requirements, and maintain their trust and reputation in the market.
The GFT cybersecurity team can help organisations implement privileged access workstations following the zero-trust model. By leveraging our expertise and experience, GFT can provide guidance and support to ensure that organisations are able to effectively secure their systems and data.
Find out more about our security capabilities by downloading our new thought leadership paper here
Keywords: privileged access workstations, privileged access management, clean source principle, security, secure workstation, hardening, security baselines, GFT
Sources:
Gain trust in your management devices – NCSC.GOV.UK
Why are privileged access devices important | Microsoft Learn
Rapidly modernize your security infrastructure | Microsoft Learn
