3 Perspectives on Physical Air Gaps

By Jessica Stanford. October 18, 2019

A popular endpoint security strategy for users who have access to important data is to implement a physical air gap, also known as “Privileged Access Workstations” (PAW) or “Secure Access Workstations” (SAW). With PAWs, each end user has a separate laptop or desktop that is dedicated solely to sensitive tasks and information. These devices are typically fully locked down and therefore insulated from web-based attacks and other threat vectors. Recommended by Microsoft, PAWs often require that the end user work on two machines: one for day-to-day corporate tasks and another for sensitive use.

Let’s examine 3 perspectives on how cyberattackers, users, and IT administrators view this strategy.

ATTACKER

A physical air gap makes it much more difficult for an attacker to reach sensitive data. Attacks originating from the internet or email will not be able to infiltrate a locked-down PAW device. Administrators can also render threats from external drives (i.e., USBs) impossible by disabling access. While PAW machines are still penetrable by attack vectors in the hardware itself, they are safe from the most popular attacks. The unlocked “corporate use” machine will likely have standard security protections, but is much more susceptible to attackers. What’s important is that corporate-use machines don’t have access to the corporate “crown jewels,” which are the reason cybercriminals are targeting endpoints in the first place.

USERS

End users are heavily impacted. Each person has two machines working side by side and must physically move back and forth from one to the other, depending on the task at hand. While shifting may only take seconds, over the course of a work week each user, on average, loses five hours of productivity. And when they travel for business or work from home, they have to carry two computers. To say this is cumbersome is a vast understatement.

IT

IT administrators have their own set of challenges with PAWs. IT directors have to manage twice the number of devices with two very different permissions settings. The IT team is tasked with twice the inventory, twice the troubleshooting requests, and twice the amount of initial endpoint configuration required. And, of course, there’s the cost of maintaining all those extra physical devices.

THE BOTTOM LINE

Today’s most popular operating system has 40+ million lines of code, which is one of the main reasons there are endless vulnerabilities to exploit on endpoints. Implementing a physical air gap is a great step toward mitigating risk by isolating access to sensitive assets; however, it comes at a cost in lost productivity, high end-user frustration, and higher IT overhead.

 

We’d love to hear your thoughts! How are you benefiting from PAWs? How do you view the pros and cons of having two dedicated machines?

 

Make sure to also read our 3 Perspectives on browser isolation, app sandboxing, VDI, and strong authentication for a full picture of popular endpoint security approaches.

About the Author

As Global VP of Marketing, Jessica brings more than a decade of experience to Hysolate. With her in-depth product knowledge, market expertise and passion for cybersecurity, she has a long track record of driving strategic and revenue growth, leading product launches such as RSA’s Authentication Manager and CyberArk’s Privileged Threat Analytics. Most recently, she served as Director of Product Marketing at Cybereason, where she was responsible for the full portfolio of product and service offerings. A proud Buckeye, Jessica earned her BSBA from The Ohio State University and her MBA from Brandeis University.
