The U.K. National Cyber Security Centre (NCSC) has introduced a comprehensive set of eight principles for privileged access workstations, designed to assist organizations and cybersecurity experts in deploying privileged access workstation solutions. The principles detail the key features of these workstations and offer practical advice for their implementation in everyday scenarios. Additionally, they provide a framework for evaluating whether third parties with high-risk access to the environment are using securely configured devices.

Prescribed for cybersecurity professionals, large organizations, and the public sector, the eight principles laid down by the NCSC include establishing the organization’s privileged access workstation strategy; designing the privileged access workstation solution to be usable and secure; establishing a foundation of trust; scaling the solution; reducing the attack surface; isolating high-risk activity from the privileged access workstation; putting in place protective monitoring; and controlling data entering and leaving the privileged access workstation solution.

The privileged access workstation is a trusted physical user device designed to protect high-risk accesses from compromise by an attacker. Its primary goal is to minimize the attack surface of the device used for high-risk access, increasing the difficulty of compromise. Ideally, these workstations should not be directly exposed to high-risk functions that could jeopardize their integrity. However, if access to these functions is necessary, such as for email services or web browsing, it should occur in a carefully constrained manner. 

NCSC identified that the privileged access workstation must incorporate a range of robust defenses tailored to the organization’s needs and the specific threats encountered. While the workstation is a physical user device, it is equally important to consider the supporting infrastructure and the systems to which it connects, as these factors significantly influence overall effectiveness and security.

“The principles provide best-practice guidance to put in place a PAW solution. It is for your organisation to choose how to implement the principles for your own context. The principles explain this in more detail,” David G, senior cyber physical security architect at NCSC, Tom B, senior telecoms security consultant at NCSC, and Tim D, senior security architect at NCSC, wrote in a Tuesday blog post. 

Adding why the principles have been written, the NCSC executives said, “Our secure system administration guidance recommends using PAWs, but it may not always be clear what a PAW is or when one is required. At a time when organisations face a range of different threats, there is a need to better protect paths to avoid privilege escalation to minimise the impact if an attack happens.”

They noted that these principles highlight the importance of understanding organizational needs, integrating privileged access workstations as part of broader controls, and building trust in these devices. “Trust must be established through systems that enforce auditable and validated controls from a single source of truth, so that systems are designed and maintained to a unified standard. It’s worth remembering that while PAWs are a critical control, they are just one component of the broader set of controls an organisation should use to defend against cyber threats.”

For the first principle, the NCSC called upon organizations to design the privileged access workstations to be an effective security control. It is necessary to understand how it will fit into an organization’s existing privileged access management (PAM) strategy. Each organization is unique, with a different set of threats, risk tolerances, and access requirements. Consideration should be given to which use cases and accesses the privileged access workstation requires, and how to design it in a way that is appropriate for the wider threat context. 

A good understanding of the threats to the business, as well as the risk appetite, helps establish which types of accesses are high risk and should be secured with a privileged access workstation. This principle helps in understanding how a PAW complements other privileged access management approaches and where it provides unique benefits.

For the second principle, an effective privileged access workstation solution is crafted to align with the organization’s user needs and risk tolerances. While privileged access workstations are inherently restrictive, they must also serve as enabling technologies. They should equip users with the necessary tools to perform their tasks efficiently, reducing the likelihood of seeking less secure alternatives. 

To ensure a secure and practical solution, it is essential to understand these needs. Designing privileged access workstations to balance user requirements and risk minimizes the chances of individuals resorting to insecure workarounds. As organizational and user needs evolve, the design and implementation of privileged access workstations should also adapt. Regular updates and revisions are necessary to maintain the effectiveness of the workstations and to prevent the use of insecure alternatives. 

For the third principle, the NCSC emphasizes that a privileged access workstation possesses some of the highest levels of access and permissions within an organization, necessitating a robust foundation of trust from inception and throughout its lifecycle. Neglecting this could compromise its security controls. Additionally, it is vital to consider the supply chain for all components, software, and services involved in the privileged access workstation solution. 

Effective control and oversight should be established during the design phase and maintained throughout its lifecycle. Building trust in the privileged access workstation solution requires a ‘clean’ environment. A building-block approach is recommended, starting with a clean standalone initial device, before expanding and operating the privileged access workstations across the organization at scale. Beginning with a small-scale implementation helps establish a foundation of trust for further development.

As the fourth principle, the NCSC recognized the importance of effectively scaling security controls when a privileged access workstation solution comprises multiple devices. This necessitates a well-secured management platform administered from a trusted system. Modifications or changes to privileged access workstations must be consistent and reliable, utilizing Infrastructure as Code (IaC) to automate the provisioning and configuration of infrastructure, thereby reducing human error and facilitating the duplication of environments. This streamlines updates and maintains compliance across the estate. A unified view of device compliance should be maintained, and any configuration changes must be closely monitored to ensure authorization. 

Regarding the fifth principle, the NCSC emphasized that a privileged access workstation device should be configured to meet the organization’s administrative access needs while minimizing its attack surface. The objective is to mitigate risk on the privileged access workstation while ensuring the effective performance of administrative tasks. Every feature, application, and connection to a privileged access workstation should be carefully evaluated to ensure adequate protection. 

Also, disabling unnecessary functionalities or connections helps prevent exploitation by threat actors. Any component of a system that connects externally can pose a threat; therefore, external connections should only be allowed when essential and managed carefully. Direct access to any services on the PAW that pose a risk should not be possible, including corporate applications, email, and communication tools. If access to these services is required, it must be managed carefully to maintain the integrity of the privileged access workstation. 

Examples may include the use of isolation and cross-domain solution (CDS) technologies. These controls should apply to any device used to access high-privileged or critical services, including when access is by a third party, ensuring that suitable controls are in place for these users as well.
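As an added illustration of the fourth and fifth principles (example code, not from the NCSC or its guidance), the following Python compares each device's reported state with a declared baseline standing in for the IaC single source of truth: undeclared email, web or chat software and connections are rated high-severity attack-surface findings, any other undeclared change is flagged as unauthorised drift, and a fleet-wide view summarises compliance. All device names, package names and endpoints are constructed sample data.

```python
# Baseline: the declared build every PAW is provisioned from (constructed sample;
# in practice this is the IaC definition that acts as the single source of truth).
BASELINE = {
    "packages": {"openssh-client", "rdp-client", "pam-agent"},
    "services": {"edr-sensor", "pam-agent"},
    "outbound": {"bastion.corp.example:22", "pam.corp.example:443"},
}

# Software and ports that would give the PAW direct email/web/chat exposure.
PROHIBITED_SOFTWARE = {"thunderbird", "outlook", "firefox", "chrome", "teams", "slack"}
MAIL_WEB_PORTS = {25, 80, 143, 465, 587, 993}

# State reported by three devices (constructed sample data).
OBSERVED = {
    "paw-01": {k: set(v) for k, v in BASELINE.items()},  # matches baseline exactly
    "paw-02": {"packages": {"openssh-client", "rdp-client", "pam-agent", "firefox"},
               "services": {"edr-sensor", "pam-agent"},
               "outbound": {"bastion.corp.example:22", "mail.example.net:587"}},
    "paw-03": {"packages": {"openssh-client", "rdp-client", "pam-agent"},
               "services": {"pam-agent"},  # EDR sensor stopped or removed
               "outbound": {"bastion.corp.example:22"}},
}


def check_paw(baseline, observed):
    """Compare one device with the baseline and return (severity, finding) pairs.
    Anything not declared in the baseline is unauthorised drift; drift that exposes
    email/web/chat is rated high because it widens the attack surface."""
    findings = []
    for key in ("packages", "services"):
        for item in sorted(observed[key] - baseline[key]):
            sev = "high" if item in PROHIBITED_SOFTWARE else "medium"
            findings.append((sev, f"unauthorised {key[:-1]} present: {item}"))
        for item in sorted(baseline[key] - observed[key]):
            findings.append(("medium", f"baseline {key[:-1]} missing: {item}"))
    # Outbound connections are allowlisted: only essential admin endpoints are declared.
    for dest in sorted(observed["outbound"] - baseline["outbound"]):
        port = int(dest.rsplit(":", 1)[1])
        sev = "high" if port in MAIL_WEB_PORTS else "medium"
        findings.append((sev, f"outbound connection not in allowlist: {dest}"))
    return findings


def fleet_view(baseline, devices):
    """Unified compliance view across the estate: one status per device."""
    view = {}
    for name, state in devices.items():
        sevs = {sev for sev, _ in check_paw(baseline, state)}
        view[name] = "non-compliant" if "high" in sevs else "drifted" if sevs else "compliant"
    return view
```

Running `fleet_view(BASELINE, OBSERVED)` reports paw-01 as compliant, paw-02 as non-compliant (browser installed and a mail connection outside the allowlist) and paw-03 as drifted (baseline EDR service missing).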

The sixth principle emphasizes the importance of maintaining trust. However, there are instances where enabling certain software or features might be necessary, even if they could compromise security and introduce additional vulnerabilities. 

Examples include running potentially vulnerable legacy software or allowing local system administration for device configuration. Such actions should be minimized, but if unavoidable, a comprehensive understanding of the associated risks is essential. An alternative approach is to isolate these actions from the privileged access workstation through virtualization. 

The seventh principle, as detailed by the NCSC, highlights the importance of detecting and responding to any attacks, compromises, or abuses of privileged access workstations. Implementing protective monitoring and auditing is crucial for maintaining trust in these workstations and the broader systems they access. A strong privileged access workstation strategy and effective system administration should clearly define permissible and prohibited actions, aiding in the detection of misuse cases. 

The eighth principle addresses the necessity, in certain situations, of importing files from untrusted third-party locations to privileged access workstations. If such data is malicious, it can compromise the workstation’s integrity. Similarly, exporting data from these workstations risks sensitive information being exposed to adversaries. This creates a data import and export challenge for organizations. Without effective data transfer measures, there is a risk of resorting to shadow IT or other poor practices.

Last week, the NCSC presented a strategic roadmap for key sectors and organisations as they transition to post-quantum cryptography (PQC) to safeguard against future quantum computing threats. The NCSC guidance sets out the necessary steps towards PQC migration, describes how the preparatory work might vary across different sectors, and advises on timescales for key activities on the long journey to PQC. It also includes a three-phase timeline to assist organizations in adopting quantum-resistant encryption techniques by 2035.
