Implementing Privileged Access Workstations For Zero Trust Architecture

by Tal Zamir on January 21, 2020

The Problem with Zero Trust

With more and more enterprises moving to mobile and cloud technologies, it’s becoming extremely difficult to enforce perimeter security. That’s why so many organizations are adopting Zero-Trust Architecture (ZTA). It enables them to grant access based on device/user credentials instead of a user’s presence in the corporate network. But as we explained in our blog Taking Zero Trust Network Access to The Next Level, the existing ZTA model is inherently flawed. It creates a huge loophole that allows attackers to breach a privileged user’s device and ride the authenticated user’s session to inflict damage.

Hysolate prevents this from happening. It makes ZTA truly secure via a new breed of Privileged Access Workstations (PAW). With the Hysolate platform, privileged users can securely remain on one physical machine without putting sensitive information at risk. Multiple isolated virtual operating systems run side-by-side — and keep sensitive data completely separate from other corporate and personal data.

True ZTA in Action

To bring this to life, l’ll describe a real-world, secure ZTA that leverages Hysolate for privileged access workstations, along with the latest Microsoft technologies.

In this case, all privileged applications are gated by Microsoft Azure Active Directory (AD) Conditional Access. These access policies ensure that the only way to logon as a privileged user to privileged applications is by 1) successfully authenticating to Azure AD with multi-factor authentication and 2) doing so from an operating system that is considered trusted, i.e., either a locked-down privileged operating system on a separate laptop or a privileged virtual machine on a Hysolate laptop that is segregated from the day-to-day general use virtual machine.

Sponsorships Available

When a new user is granted a laptop, the ZTA administrator adds the user’s privileged OS into the privileged OS group. Only devices in that group are granted access to privileged resources.

The onboarding experience is made simple by leveraging Microsoft Autopilot to register operating systems in Azure Active Directory and Intune. With Hysolate, a user simply logs in with his Azure AD credentials and then can browse to any privileged or non-privileged application. Hysolate will take care of the rest, running the right application in the right virtual machine and – in combination with Azure Conditional Access – verifying that the user cannot inadvertently access the wrong application in the wrong virtual machine.

To dramatically reduce the chances of compromising the privileged OS, the following mechanisms are applied to it:

The OS is locked-down to the extreme. This includes turning on security controls like app whitelisting, removing administrator rights, disabling removable devices, etc.
The OS is not allowed to access any other network resources beside privileged network resources. On a Hysolate machine, this is enforced by the hypervisor on the physical device. Doing so ensures that even if the OS is compromised, malware on the privileged OS cannot reach the command-and-control server.
The Hysolate hypervisor can ensure that the privileged VM never directly connects to any external devices, such as thumb drives, printers, and other risky peripherals.
The Hysolate hypervisor can ensure that content copied-and-pasted into the privileged VM (if allowed) is audited and limited to certain types of content, or even detonated by CDR systems.
The privileged OS can be optionally tunnelled through a cloud VPN service that ensures all of its traffic is encrypted (and, as such, resilient against most network attacks). It also ensures that all traffic comes out of a specific Internet static IP that can be whitelisted by Azure and by third parties that want to limit access to privileged resources to trusted devices only.

With these controls in place, an attacker who found a way into the general VM on the Hysolate device cannot cross over to the privileged VM, unless she found a combination of multiple zero-days, including a rare VM escape vulnerability. Chances of this happening are very small.

The beauty of this Hysolate-enabled ZTA is that the PAW user does not know the credentials into the specific privileged applications. She can only access them through the privileged OS. This means she cannot mistakenly or deliberately jeopardize the enterprise by doing privileged access from an untrusted device.

Everything is much simpler and more efficient for users. They can safely use a single laptop, working seamlessly across day-to-day general productivity applications like email and privileged applications that access sensitive customer information, critical production systems, and more. The experience is of a single familiar desktop environment.