The PAW, which can be a physical or virtual machine, is used exclusively for privileged access to the cloud. The sensitive secrets it holds are far less likely to fall into the wrong hands, because users who hold privileged credentials use the machine for one purpose only: cloud administration. Even then, users are restricted to a narrow scope of tasks. And if the slim chance of credential compromise comes to pass, any attempt to use those credentials to access the environment from another workstation (even another PAW) will be an obvious red flag.
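The red-flag check described above, sketched as detection logic over sign-in events. This is an added example, not part of the original article; the account names, device IDs, JSON field names and the one-account-to-one-PAW binding are assumptions, and the log lines are constructed.

```python
import json

# Assumed inventory: each privileged account is bound to exactly one PAW.
PAW_ASSIGNMENT = {"adm-alice": "PAW-01", "adm-bob": "PAW-02"}

# Constructed sign-in events (JSON lines); field names are hypothetical.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:12Z", "user": "adm-alice", "device": "PAW-01", "result": "success"}
{"ts": "2024-05-01T09:14:40Z", "user": "adm-bob", "device": "PAW-02", "result": "success"}
{"ts": "2024-05-01T11:02:05Z", "user": "adm-alice", "device": "LAPTOP-773", "result": "failure"}
{"ts": "2024-05-01T11:03:51Z", "user": "adm-alice", "device": "PAW-02", "result": "success"}
{"ts": "2024-05-01T12:30:00Z", "user": "adm-carol", "device": "PAW-01", "result": "success"}
"""


def find_red_flags(log_text, assignment=PAW_ASSIGNMENT):
    """Return alerts for privileged sign-ins not made from the account's own PAW."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            user, device = event["user"], event["device"]
        except (ValueError, KeyError, TypeError):
            # An event we cannot attribute is reported, not silently dropped.
            alerts.append({"line": line_no, "reason": "malformed-event"})
            continue
        expected = assignment.get(user)
        if expected is None:
            reason = "account-without-paw-binding"
        elif device == expected:
            continue  # normal path: the account's own PAW
        elif device in assignment.values():
            reason = "other-users-paw"  # another PAW is still a red flag
        else:
            reason = "non-paw-device"
        # Failed attempts are kept: the attempt itself is the signal.
        alerts.append({"line": line_no, "ts": event.get("ts"), "user": user,
                       "device": device, "expected": expected,
                       "result": event.get("result"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_red_flags(SAMPLE_LOG):
        print(alert)
```

The check only works if the device identifier in the event comes from something the workstation cannot simply assert about itself, such as a managed-device or certificate-backed identity.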
