One of the most common methods for protecting the cloud is to funnel all administrative access to the cloud computing environment through a dedicated asset called a Privileged Access Workstation (PAW). The everyday workstations of people who hold privileged credentials are attractive targets for threat actors: everything that lands on those machines (mail, documents, web content) can carry malware, and once the workstation is compromised, the credentials on it can be stolen and used to start or extend an attack, for example through lateral movement. An asset that is used only for administration can be dedicated, hardened, and strictly monitored in ways that a daily-use machine cannot, which removes much of that risk. Best practice for protecting cloud administration against privileged-user threats is therefore to use a PAW (physical or virtual machine) exclusively for privileged access into the cloud. Because the PAW never handles email or general browsing, the secrets and passwords used on it are kept away from attacks such as phishing that routinely succeed against everyday workstations.
In a typical deployment, each identity (user) is issued a dedicated PAW for cloud administration, together with credentials and/or secrets that are unique to that user and bound to that asset. Any attempt to use those secrets from a non-PAW device, or from another user's PAW, is therefore an indicator of compromise and should be alerted on.
Even after logging into the PAW, users should not have direct access to the cloud. A privileged access management (PAM) solution should broker the session, monitor activity, and inject managed credentials (so the user never sees them) to let the user perform their task securely. Set up correctly, all of these steps are transparent to the end user and complete automatically within a few seconds. This approach is the security best practice for the most sensitive systems.
Enterprise privileged access management systems are therefore crucial to governing privileged access through PAWs, especially for connections into the cloud.
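The indicator of compromise described above (PAW-bound credentials used from the wrong asset, or from the right asset on the wrong network) is straightforward to turn into a detection. The script below is an added example for this article, not code from the original post or from any product. It runs over constructed sign-in records; the user names, host names, log layout and the 10.250.0.0/24 "PAW segment" are all assumptions for the demonstration, and a real feed (PAM session logs or cloud identity-provider sign-in logs) would first be normalised into the same fields.

```python
"""Detect privileged sign-ins that break the user-to-PAW binding.

Added example for this article, not code from the original post or from
any product. The log format, user names, host names and network ranges
below are constructed for the demonstration; a real feed (PAM session
logs, cloud IdP sign-in logs) would be normalised into the same fields.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed assignment table: each privileged identity is bound to one PAW.
PAW_ASSIGNMENTS = {
    "alice.admin": "PAW-ALICE-01",
    "bob.admin": "PAW-BOB-01",
}

# Constructed dedicated network segment that PAWs are expected to sit on.
PAW_SEGMENT = ipaddress.ip_network("10.250.0.0/24")

# Constructed sign-in records: timestamp user source_host source_ip target result
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice.admin PAW-ALICE-01     10.250.0.21  cloud-admin-portal success
2024-03-01T08:05:40Z bob.admin   PAW-BOB-01       10.250.0.22  cloud-admin-portal success
2024-03-01T09:14:03Z alice.admin CORP-LAPTOP-7781 10.20.5.44   cloud-admin-portal success
2024-03-01T09:20:55Z bob.admin   PAW-ALICE-01     10.250.0.21  cloud-admin-portal success
2024-03-01T10:01:09Z alice.admin PAW-ALICE-01     203.0.113.17 cloud-admin-portal success
2024-03-01T10:30:00Z carol.admin UNKNOWN-HOST     10.20.9.9    cloud-admin-portal failure
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    source_host: str
    source_ip: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one whitespace-separated record into named fields."""
    timestamp, user, host, ip, target, result = line.split()
    return {"timestamp": timestamp, "user": user, "source_host": host,
            "source_ip": ip, "target": target, "result": result}


def evaluate(record: dict) -> Optional[str]:
    """Return why a record is suspicious, or None if it honours the binding.

    Failed attempts are evaluated too: an attempt from the wrong asset is an
    indicator of compromise whether or not it succeeded.
    """
    expected_paw = PAW_ASSIGNMENTS.get(record["user"])
    if expected_paw is None:
        return "privileged target reached by an identity with no assigned PAW"
    if record["source_host"] != expected_paw:
        if record["source_host"] in PAW_ASSIGNMENTS.values():
            return f"credentials used from another user's PAW ({record['source_host']})"
        return f"credentials used from a non-PAW asset ({record['source_host']})"
    if ipaddress.ip_address(record["source_ip"]) not in PAW_SEGMENT:
        return f"PAW host name seen outside the PAW segment ({record['source_ip']})"
    return None


def detect(log_text: str) -> list:
    """Run every record through evaluate() and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        reason = evaluate(record)
        if reason is not None:
            findings.append(Finding(record["timestamp"], record["user"],
                                    record["source_host"], record["source_ip"], reason))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<12} {f.source_host:<17} {f.source_ip:<13} {f.reason}")
```

Of the six constructed records, the two that honour the binding pass and the other four are flagged, each for a different reason: a non-PAW laptop, another user's PAW, a correct PAW name appearing from outside the PAW segment (a spoofed host name or a PAW taken off its wired network), and an identity with no PAW at all reaching a privileged target. Note that the host name check alone is not enough, which is why the segment check exists: a client-supplied host name is trivial to forge, whereas the source address is observed by the gateway.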
What’s the difference? PAW vs Jump Server vs Bastion Host?
One of the common misconceptions about PAWs is that they are the same as a jump server or bastion host. The reality is that they are different, but share some similarities.
A jump server is an intermediate asset that acts as a gateway or proxy to broker and/or route access to a device on a secure network. It imposes no security controls on the asset that initiates the connection; it is simply a conduit through which all access can be monitored, logged, and controlled. If the source asset is compromised, a jump server can watch for inappropriate behavior, but it can do little if stolen privileges or software exploits are used from that source as part of the attack. Because only the session is managed, and not the endpoint the connection originates from, the risk reduction is limited.
An untrusted source making a secure connection through a monitored gateway, which can itself become a conduit for an attack if valid credentials or software exploits are used, poses an unacceptable risk for many organizations. Pairing the gateway with a PAW extends the trust to the endpoint itself and gives you a controlled connection end-to-end. A jump server is just one component in an overall design for secure privileged access, whether to the cloud or on premises.
Now, let's look at how a bastion host is different. A bastion host is a special-purpose asset on a network, designed and configured to withstand a wide variety of attacks. It is named "bastion" by analogy to the military fortification. The asset generally hosts a single application or process, and all other services are block-listed, disabled, or removed to shrink its attack surface. In addition, a bastion host is hardened for where it sits, whether on the Internet, in a DMZ, or on another network, to resist the attacks that placement exposes it to.
In some cases a PAW could be considered a bastion host, if user interaction on it is limited to a small set of applications. In practice, however, the term bastion host usually refers to single-purpose infrastructure such as firewalls and load balancers, which are not used for interactive administration of a cloud environment. So while "bastion host" is sometimes used loosely to describe a PAW, a PAW is rarely a bastion host in the strict sense unless it is locked down to a single function.
Implementing a Privileged Access Workstation: 9 Best Practices
Below are the attributes that should be present to ensure the optimum security and effectiveness of a PAW:
- Uses hardened, dedicated assets (physical or virtual), which are actively monitored for all activity—from keystroke logging to application launches and command line tools
- Operates with the concept of least privilege for every operation
- Operationalizes application allow and block listing
- Installed on modern hardware with a TPM (Trusted Platform Module), preferably version 2.0 or later, which supports current cryptographic algorithms and keeps the keys behind disk encryption and biometric sign-in in hardware
- Managed for vulnerabilities, with automated and timely patching so that the PAW's own software cannot be exploited
- Requires MFA for authentication into sensitive resources, and step-up authentication or even change control for the most sensitive operations
- Operates on a dedicated or trusted network that is segmented away from networks that may contain potentially insecure devices
- Only uses a wired network connection. Wireless communications of any type are unacceptable for PAWs
- Is physically secured with a cable lock to prevent device theft (especially a concern if the PAW is a laptop in a high-traffic area)
While a PAW provides increased security for any cloud administrator, it should never be used for:
- Browsing the Internet, regardless of browser
- Email and messaging applications
- Activity over insecure network connectivity, such as Wi-Fi or cellular
- Use with USB storage media or unauthorized USB peripherals
- Remote access into the PAW from any workstation
- Running applications or services in a way that undoes the hardening and leaves the PAW vulnerable in the future
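The two lists above are easy to state and easy to drift from, so it is worth gating PAW status on an automated posture check rather than a build checklist. The script below is an added example for this article, not code from the original post or from any product. It audits a constructed device inventory against the attributes listed above; the record format, field names, host names, the forbidden-application list and the 10.250.0.0/24 "PAW segment" are all assumptions for the demonstration, and an MDM or CMDB export would be mapped onto the same fields.

```python
"""Audit candidate PAW records against the hardening attributes above.

Added example for this article, not code from the original post or from
any product. The inventory format, field names and device records are
constructed; an MDM or CMDB export would be mapped onto the same fields.
"""
import ipaddress

PAW_SEGMENT = ipaddress.ip_network("10.250.0.0/24")  # constructed dedicated PAW segment

# Software that has no business on a PAW (browser, email, messaging); constructed list.
FORBIDDEN_APPS = {"chrome": "web browser", "outlook": "email client", "teams": "messaging client"}

# Constructed inventory: one record per device, as a posture export might provide it.
INVENTORY = [
    {"host": "PAW-ALICE-01", "tpm_version": "2.0", "wired_only": True,
     "wifi_adapters_enabled": 0, "usb_storage_enabled": False, "mfa_required": True,
     "app_control_mode": "enforce", "inbound_remote_access": False,
     "pending_critical_patches": 0, "ip": "10.250.0.21",
     "installed_apps": ["ssh", "az", "pam-agent"]},
    {"host": "PAW-BOB-01", "tpm_version": "1.2", "wired_only": False,
     "wifi_adapters_enabled": 1, "usb_storage_enabled": True, "mfa_required": True,
     "app_control_mode": "audit", "inbound_remote_access": True,
     "pending_critical_patches": 3, "ip": "10.20.5.44",
     "installed_apps": ["ssh", "outlook", "chrome", "pam-agent"]},
]


def _version_tuple(text: str) -> tuple:
    """Turn '1.2' or '2.0' into a comparable tuple of integers."""
    return tuple(int(part) for part in text.split("."))


def audit_device(rec: dict) -> list:
    """Return the hardening violations for one device, empty if it is compliant."""
    violations = []
    if _version_tuple(rec["tpm_version"]) < (2, 0):
        violations.append(f"TPM {rec['tpm_version']} is below 2.0")
    if not rec["wired_only"] or rec["wifi_adapters_enabled"] > 0:
        violations.append("wireless networking is available on the PAW")
    if rec["usb_storage_enabled"]:
        violations.append("USB storage is not blocked")
    if not rec["mfa_required"]:
        violations.append("MFA is not enforced for sign-in")
    if rec["app_control_mode"] != "enforce":
        violations.append(f"application allow/block listing is in {rec['app_control_mode']} mode, not enforced")
    if rec["inbound_remote_access"]:
        violations.append("inbound remote access into the PAW is allowed")
    if rec["pending_critical_patches"] > 0:
        violations.append(f"{rec['pending_critical_patches']} critical patches outstanding")
    if ipaddress.ip_address(rec["ip"]) not in PAW_SEGMENT:
        violations.append(f"address {rec['ip']} is outside the dedicated PAW segment")
    for app in rec["installed_apps"]:
        if app in FORBIDDEN_APPS:
            violations.append(f"{FORBIDDEN_APPS[app]} '{app}' is installed")
    return violations


def audit(inventory: list) -> dict:
    """Map each host name to its list of violations."""
    return {rec["host"]: audit_device(rec) for rec in inventory}


def compliant_hosts(inventory: list) -> list:
    """Hosts that may keep (or be granted) PAW status."""
    return [host for host, violations in audit(inventory).items() if not violations]


if __name__ == "__main__":
    for host, violations in audit(INVENTORY).items():
        status = "compliant" if not violations else f"{len(violations)} violation(s)"
        print(f"{host}: {status}")
        for v in violations:
            print(f"  - {v}")
```

In the constructed inventory the first device passes every check and the second fails nine of them, which is the point of running the audit continuously: a PAW that acquires a browser, a Wi-Fi adapter or an open remote-desktop port has quietly become an everyday workstation again, and the PAM broker or conditional-access layer should stop treating it as trusted until it is back in policy.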
To streamline this approach and avoid issuing two physical computers, many organizations use virtualization technologies (from VMware, Microsoft, Parallels, Oracle, etc.) that let a single asset run a PAW side by side with the base operating system. The primary system is used for daily productivity tasks and the other serves as the PAW. With this approach it is preferable for both the daily-use environment and the PAW to be virtual machines on a hardened host OS, because a compromised host can observe everything inside its guests, so the host itself must not be the productivity machine. That level of segmentation is not always practical, however. At a minimum, the PAW should be virtualized and isolated from the host OS (no clipboard sharing, file transfer, etc.) and must never double as the daily productivity machine.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.