Privileged Access Workstations and the Web

Henry Harrison

By Henry Harrison



Some users have the digital keys to the kingdom: systems administrators, or administrators of critical systems. If the endpoints of these privileged access users are compromised by an attacker, that attacker can gain that same privileged access. With attack techniques such as Man in the Browser, an attacker can achieve that privileged access even when a “jump box” or other remote access approach is used.

It is therefore essential that these users’ endpoint devices – commonly known as Privileged Access Workstations – remain trusted. To ensure this, best practice dictates that these endpoints should have access only to the most essential, highly trusted websites on the Internet. Other websites should be blocked to prevent the risk that they are used as a means to attack and compromise the endpoint.
But web access is often an essential part of these privileged access users’ jobs. Modern systems administration requires constant research, looking for information about bugs, features, and updates. Strong Internet research skills are as much a required skill for today’s systems administrator as book learning and certifications.

How can this research be done if almost all websites are blocked?

One answer is to require users to use a second physical device for Internet research. But apart from the inevitable user push-back, there are real workflow problems that this can introduce. In many cases, research starts with links that are found in highly trusted systems which must only be accessed using the Privileged Access Workstation. If a second physical device is used, links must be retyped – often a hugely laborious task for complex URLs.

Strong Web Isolation (also known as Remote Browser Isolation) can provide the answer. Web Isolation solutions exist today that are trusted by some of the world’s leading governments to provide Internet access from even government classified endpoints: providing access to the online world while protecting critical national security secrets and systems. In the same way, commercial organisations can use strong Web Isolation solutions to achieve the seemingly impossible: access to even the riskiest websites without putting endpoints at risk.