A popular endpoint security strategy for users who have access to important data is to implement a physical air gap, also known as “Privileged Access Workstations” (PAW) or “Secure Access Workstations” (SAW). With PAWs, each end user has a separate laptop or desktop that is dedicated solely to sensitive tasks and information. These devices are typically fully locked down and therefore insulated from web-based attacks and other threat vectors. Recommended by Microsoft, PAWs often require that the end user work on two machines: one for day-to-day corporate tasks and another for sensitive use.
Let’s examine three perspectives on this strategy: how cyberattackers, end users, and IT administrators each see it.
A physical air gap makes it much more difficult for an attacker to reach sensitive data. Attacks originating from the internet or email will not be able to infiltrate a locked-down PAW device. Administrators can also eliminate threats from removable drives (e.g., USB storage) by disabling access to them. While PAW machines remain exposed to attack vectors in the hardware itself, they are safe from the most common attacks. The unlocked “corporate use” machine will likely have standard security protections, but it is much more susceptible to attackers. What matters is that corporate-use machines don’t have access to the corporate “crown jewels,” which is the reason cybercriminals target endpoints in the first place.
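The removable-storage lockdown mentioned above is one of the few PAW controls that can be verified mechanically. The following PowerShell script is an added example, not part of the original post or of Microsoft’s PAW guidance: it audits a Windows PAW for two widely used settings (the “All Removable Storage classes: Deny all access” policy value and the USB mass-storage driver start type) and, only when run with `-Enforce`, applies them. The registry paths and values are assumptions based on standard Windows policy locations; confirm them against your own Group Policy baseline before relying on the script.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the removable-storage lockdown a PAW is expected to have.
# Assumptions: standard Windows policy/registry locations listed below;
# run in an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch] $Enforce   # read-only audit unless this switch is given
)

# Constructed list of expected settings (assumed standard locations).
$checks = @(
    @{
        Name  = 'Policy: All Removable Storage classes - Deny all access'
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
        Value = 'Deny_All'
        Want  = 1
    },
    @{
        Name  = 'USB mass-storage driver disabled (USBSTOR Start = 4)'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        Value = 'Start'
        Want  = 4
    }
)

function Test-PawRemovableStorage {
    # Returns one object per check with the current value and an OK/DRIFT status.
    param([Parameter(Mandatory)] [hashtable[]] $Checks)
    foreach ($c in $Checks) {
        $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Check   = $c.Name
            Current = if ($null -eq $current) { '<not set>' } else { $current }
            Want    = $c.Want
            Status  = if ($current -eq $c.Want) { 'OK' } else { 'DRIFT' }
        }
    }
}

function Set-PawRemovableStorage {
    # Applies the expected value for every check that drifted.
    param([Parameter(Mandatory)] [hashtable[]] $Checks)
    foreach ($c in $Checks) {
        if (-not (Test-Path $c.Path)) {
            New-Item -Path $c.Path -Force | Out-Null
        }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
        Write-Host "Set $($c.Path)\$($c.Value) = $($c.Want)"
    }
}

$results = Test-PawRemovableStorage -Checks $checks
$results | Format-Table -AutoSize

$drift = @($results | Where-Object Status -eq 'DRIFT')
if ($drift.Count -gt 0 -and $Enforce) {
    Set-PawRemovableStorage -Checks $checks
    Write-Host 'Removable-storage lockdown applied; a reboot may be needed for the driver change.'
} elseif ($drift.Count -gt 0) {
    Write-Host "$($drift.Count) setting(s) drifted from the PAW baseline; re-run with -Enforce to fix."
}
```

Run it without arguments as a periodic compliance check (for example from a scheduled task that forwards `DRIFT` rows to your SIEM); the `-Enforce` path exists so that the same script can re-apply the baseline during initial provisioning of the PAW.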
End users are heavily impacted. Each person has two machines working side by side and must physically move back and forth between them, depending on the task at hand. While each switch may take only seconds, over the course of a work week the average user loses five hours of productivity. And when they travel for business or work from home, they have to carry two computers. To say this is cumbersome is a vast understatement.
IT administrators have their own set of challenges with PAWs. IT directors have to manage twice the number of devices, with two very different sets of permission settings. The IT team is tasked with twice the inventory, twice the troubleshooting requests, and twice the initial endpoint configuration. And, of course, there’s the cost of maintaining all those extra physical devices.
THE BOTTOM LINE
Today’s most popular operating system has 40+ million lines of code, which is one of the main reasons there are endless vulnerabilities to exploit on endpoints. Implementing a physical air gap is a great step toward mitigating risk by isolating access to sensitive assets, but it comes at a cost: lost productivity, high end-user frustration, and higher IT overhead.