As you probably know, most threats enter your company through users. The most common scenarios are:
- infected emails
- browsing malicious or infected web sites
- opening infected documents (Word, Excel, …)
That’s where the Privileged Access Workstation (PAW) or Secured Admin Workstation (SAW) comes in.
The main principles behind them:
- You separate the user’s environment from the administrator’s environment (VDI session, VM, or separate computer)
- In the user’s environment, you cannot perform administration tasks (manage any application or computer)
- In the administrator’s environment, you cannot perform user tasks (email, web, office documents, …)
- The administrator’s environment is hardened and locked down.
Note:
It is very important to understand that it’s the user’s environment which has to be in a VDI session or VM, and not the opposite.
That’s because when you connect from computer A to computer B, your credential’s hash or Kerberos token is stored on computer A. Then if computer A is compromised, the malware or hacker can steal the hash or the token and impersonate you.
Conversely, if computer B is compromised, the malware or hacker cannot easily steal the hash or the token because it is not stored locally.
That’s why computer B must be the one where you perform the riskiest actions (the user’s environment).
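To make that argument concrete, here is a toy model added to this post (not code from the original author): a credential used from a host stays cached on that host, and an attacker who owns a host can reuse every credential cached there. The host names (user-env, admin-env, dc01) and the two account names are constructed; it compares the wrong layout (admin VM opened from the user PC) with the PAW layout (user VDI opened from the admin PC).

```python
from collections import deque

def logon(cached, src, cred):
    """Using `cred` from `src` leaves its hash/ticket cached on `src`."""
    cached.setdefault(src, set()).add(cred)

def compromise_reach(start, cached, admin_of):
    """Hosts an attacker who owns `start` can reach by reusing cached credentials."""
    owned, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for cred in cached.get(host, set()):
            for target in admin_of.get(cred, set()):
                if target not in owned:
                    owned.add(target)
                    queue.append(target)
    return owned

# Constructed sample: which credential is an administrator of which hosts.
ADMIN_OF = {"alice-user": {"user-env"}, "alice-admin": {"admin-env", "dc01"}}

def wrong_layout():
    """Physical PC is the user environment; the admin VM is opened from it."""
    cached = {}
    logon(cached, "user-env", "alice-user")    # daily logon on the user PC
    logon(cached, "user-env", "alice-admin")   # admin VM opened from user PC
    logon(cached, "admin-env", "alice-admin")  # admin work inside the VM
    return compromise_reach("user-env", cached, ADMIN_OF)

def paw_layout():
    """Physical PC is the hardened admin environment; user work is in a VDI."""
    cached = {}
    logon(cached, "admin-env", "alice-admin")  # logon on the PAW
    logon(cached, "admin-env", "alice-user")   # user VDI opened from the PAW
    logon(cached, "user-env", "alice-user")    # email/web/office inside VDI
    return compromise_reach("user-env", cached, ADMIN_OF)

if __name__ == "__main__":
    # Malware lands in the user environment in both layouts.
    print("wrong layout, attacker reaches:", sorted(wrong_layout()))
    print("PAW layout, attacker reaches:  ", sorted(paw_layout()))
```

In the wrong layout the admin credential is cached on the compromised user PC, so the attacker reaches the domain controller; in the PAW layout the compromised VDI session only holds the user credential.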
That doesn’t mean that your company is completely safe when malware or a hacker takes control of an ordinary computer. However, once they are in, they have more steps to perform before they can access or control critical equipment.
But that’s the key point. Security is not about preventing all malware and all hackers from entering your company, because this is utopia land! Security is about preventing as much malware and as many hackers as possible from entering, and then, for the few who get in, making their actions as difficult as you can.