Can you give high-risk users access to critical infrastructure and the web?


By Garrison


The challenge of securing system administrators and other high-risk users – while giving them the internet access they need to work – has long troubled cybersecurity professionals. Recently, there’s been a move to adopt privileged access workstations (PAWs), but this brings problems of its own.

While security best practice tells us system admins working on privileged tasks shouldn’t be accessing the web at all, this isn’t usually a practical answer. If you’re hunting for a fix or workaround to an IT issue, Google is a fundamental everyday tool of your trade.

So, what’s a security-conscious organisation to do?

In this article, we’ll look at the established options – jump boxes and PAWs – and then consider an alternative approach which might give you the best of both worlds.

The balance between security and search

Any user with internet access could potentially download malware, click a phishing link, or compromise their device through another web-based cyber attack. And for many user groups, the risk and potential fallout of this are low enough that little action needs to be taken beyond your existing security policies.

But some users pose a greater risk. Typically, you might think of IT administrators whose elevated privileges would, if compromised, give the attacker instant access to your data and systems. Other organisations might also need to secure engineers working on critical national infrastructure, or executives with sensitive information.

In theory, one answer is to remove these users’ access to the web completely when they’re working on privileged tasks. In practice, however, people still need to find information on the web. Just as programmers regularly check Stack Overflow, engineers may need to access information online to solve complex issues.

And they can’t access this without compromising their security. Or can they?

Options are limited for truly secure web browsing

If you’re looking to give your high-risk users access to the web without increasing your cybersecurity risk, you’ll find few options available.

Historically, one popular method has been for systems administrators to use “jump boxes”: remotely accessing a locked-down virtual desktop that’s disconnected from the web to carry out privileged tasks. However, many security professionals are realising that keyloggers and other advanced malware can still help bad actors compromise or threaten a jump server by infecting the devices that connect to it.

Instead, it’s becoming increasingly popular to use a PAW. With this model, the user has two completely separate physical devices: one with web access for everyday browsing, and a privileged access workstation that’s fully locked down for sensitive tasks.

This feels secure, but the added complexity and workload inevitably lead to pushback from users, who quickly feel frustrated that they can’t copy and paste complex commands, or click links from a trusted source. While a separate PAW can theoretically give the user the web access they need, it removes a lot of the functionality and convenience they need to work.

Thankfully, there is another option.

Browser isolation for high-risk users

One of the better ways to secure high-risk users without limiting their access to the web is to use a browser isolation solution.

Browser isolation lets users browse the web through a remote server that sends back websites as harmless images – creating a clear gap that harmful code can never cross. This means privileged access users can access the information they need, without their device ever coming into contact with the internet.

However, if you’re looking into browser isolation technologies for the first time, you’ll quickly find you need to choose between different approaches to remote browsing. The wrong choice can impact web usability – taking you back to where you started – or, worse, only partially protect a high-risk user from web-based threats.

We recently put together a guide to browser isolation to help demystify the options available. If you’re concerned about how to keep your network administrators, domain heads and field engineers secure and productive, it’s a great place to start figuring out your options.
