How to Stop Privileged Accounts From Being Compromised

Yuki Arbel
February 1, 2019
privileged access hysolate

In recent years, enterprises have started to become much more aware of the importance of IT hygiene for privileged accounts. With so many public cases of hackers gaining access to critical resources and causing insurmountable damage, it’s hard to escape the reality of today’s ever-increasing cyberattacks.

One prominent example is the attack on the Ukrainian power grid, where criminals gained control over privileged accounts and shut down power stations, causing a prolonged power outage for hundreds of thousands of people.

Users who have access to privileged resources are prime targets for attackers, either directly or via lateral movement throughout the organization. To combat this, enterprises have started taking steps to protect these users.

The Account Split

So what safety measures do companies take? Most start by segregating access to privileged resources from access to “other” resources that are required for day-to-day work and personal use (such as email, web browsing and other applications).

To accomplish this, many organizations mandate a separate privileged account for any user carrying out privileged work, in addition to the standard user account for accessing corporate resources – and where the user is exposed to various attack vectors.

While this qualifies as a necessary first step, it is not sufficient on its own. Although it mitigates the risk of straightforward identity theft, attacks that are only slightly more advanced can use the compromised user account to obtain access to the privileged credentials, rendering this approach useless.

The Ineffective Extra Hop

To step up security further, some organizations require privileged users to access privileged resources only through a Jump Box or a VDI (Virtual Desktop Infrastructure) session. In these cases, users must enter their set of privileged credentials, usually in conjunction with two-factor-authentication, to protect against credential theft attacks. This may sound adequate for keeping attackers away from privileged accounts. However, in truth, any malware that compromises an endpoint that is used for accessing the privileged VDI session can fully track that privileged session, and even take control over it. And let’s not forget, VDI sessions result in performance hits that frustrate users. 

The Expensive Air Gap

Some organizations, which go to even greater lengths to protect privileged accounts, require privileged users to log on to privileged accounts through a dedicated physical machine. This is called Privileged Access Workstation, or PAW. This type of physical air gap approach definitely cripples most attack vectors available to cybercriminals. But it also cripples the users’ ability to do their day-to-day work efficiently, forcing them to carry and use two machines. This has tremendously negative impacts on user productivity. So eventually, these users look for (and find) ways to bypass the limitations in order to do their work in a more streamlined way – which exposes privileged accounts to cyberattacks.

This two-workstation approach also results in considerable costs for the organization, which now has to procure and maintain an additional physical machine for each privileged user.

An Alternative Approach

Hysolate takes what some consider a revolutionary approach to Privileged Access Workstations by seamlessly splitting a single physical device into multiple, completely isolated virtual environments. With this approach, organizations no longer have to choose between security and productivity for their privileged users.

Users can securely access privileged assets from the same device that they conduct their day-to-day corporate activities. The device is equipped with two isolated VMs: A sensitive VM where all privileged activity takes place, and a corporate VM where all other corporate activities, including internet access, are conducted. Any attack perpetrated against the corporate VM remains completely contained within that VM and cannot compromise the sensitive VM.

How it works

This is all made possible by bringing virtualization into the endpoint. Hysolate places a hypervisor platform layer between the hardware and the OS. On top of this hypervisor layer, multiple operating systems run at the same time, side-by-side on your machine. It’s even possible to run a Windows machine next to a Linux machine within your single physical device. To enhance productivity, Hysolate allows the user to work using “seamless mode”, where applications from both VMs are displayed side by side on a single desktop, providing an experience that is just like the familiar, standard Windows OS.

All network traffic is inspected and controlled by a built-in network security VM where a strict lock-down policy can be applied to the sensitive VM.

The time is now

Cybercriminals will continue to go after privileged accounts, and will only become more sophisticated as time goes by. A basic measure any organization must take is identifying all privileged resources and making sure they are accessed only through separate privileged accounts.

Once privileged accounts are implemented, attention must be paid to how they are accessed, since a compromised endpoint defeats the purpose of a privileged account.

If you’d like your privileged users to remain both secure and productive, you should check out Hysolate’s approach to PAW.

Yuki Arbel

An industry veteran with 20 years of IT, networking and cloud experience, Yuki serves as Hysolate's VP of Product Management. Yuki started his career at P-Cube, a networking startup that was later acquired by Cisco. After his position as system architect at Cisco, Yuki became CEO of Comsleep, an energy saving startup. Most recently, Yuki served as Head of Product for Nokia’s NFV infrastructure, driving telecom networks towards virtualization.