How does a privileged access workstation (PAW) compare to a jump server? Each provides a way for administrators to safely access secure, privileged network segments. However, how they fit into an organization and the most suitable use case for each differ. This post will examine pros and cons to both approaches.
What is a Jump Server?
A jump server is a piece of hardware (a server usually running Windows) that is configured to “jump” between multiple privileged segments of a network. These are sometimes referred to as separate “security zones.” Typically found in multi-tenant hosting environments, the jump server enables an administrator to switch between exclusive environments. For example, if client A is on sub-network A, and client B is on sub-network B, a jump server lets a local administrator log on and switch between the A and B sub-networks while doing administrative tasks. Jump servers are also favored in organizations that require access to sensitive resources which could be anything from routers and cloud servers, to Automated Teller Machines (ATMs) and the like.
The benefits of this approach are twofold:
- Improve productivity: Jump servers make it possible for the admin to do his or her work on the two sub-networks without the time-wasting process of logging out and logging back into each privileged area. It provides effective access control. In a multi-tenant environment like a co-location facility, an administrator may need to perform tasks like running Microsoft Remote Desktop Protocol (RDP) sessions on multiple client systems. Without a jump server, or a comparable privileged access device, the work will slow down significantly.
- Improve security: Jump servers create separation between a user’s workstation (which is at high risk of being compromised) and the privileged assets within the network. This separation helps to isolate privileged assets so that they are not directly in contact with potentially compromised workstations. In addition, because of their access to potentially sensitive areas, jump servers are usually “hardened” in the extreme, i.e. it’s not easy to install software on them, update their firmware and so forth. They’re never used for non-administrative work and access is tightly controlled and monitored.
What is a Privileged Access Workstation (PAW)?
A “Privileged Access Workstations” (PAW) or “Secure Access Workstations” (SAW) is a dedicated operating system used to securely access privileged resources, similar to a jump server. Instead of living in the datacenter, a PAW is a workstation that is dedicated solely to accessing sensitive tasks and information. These devices are typically locked-down and therefore insulated from Web-based attacks and other threat vectors. Recommended by Microsoft, PAWs require that privileged users operate with isolated operating systems: one for day-to-day corporate tasks and another for privileged use.
Let’s examine some of the similarities and differences between PAWs and Jump Servers.
- Both jump servers and PAWs are primarily used by privileged users for the purpose of securely access sensitive resources
- A jump server is a server in the datacenter, while a PAW is a dedicated workstation
- Both jump servers and PAWs are for privileged use only and not for general-purpose use
- A PAW is a workstation which an administrator could take home, and use from any location (depending on company policy) while a jump server may have limitations on accessibility
- Both jump servers and PAWs are hardened, controlled, and closely monitored
- A jump server requires connectivity between the endpoint and the server, a PAW doesn’t necessarily require connectivity to function (depending on how the PAW is implemented)
It’s important to know that while many implementations of PAW require a dedicated physical machine, there are implementations that virtualize the dedicated Operating System. A workstation with an isolated OS offers a viable alternative and additional security. This model, which Hysolate enables, puts two completely separate Virtual Machines (VMs) – each running their own separate OS – on the same hardware. With virtualization, one zone is for general corporate use, with the ability to have Internet access, download files, install software, access email and the Web. The second zone is for privileged use, with locked-down access to sensitive resources. The privileged zone is hardened, permitting no web browsing, email and the rest.
The two zones run separate operating systems (OS’s) and aren’t even “aware” of the other. If a malicious actor penetrates the corporate zone, he cannot hop over onto the privileged zone. This control is possible because the VMs are running below the OS layer. With isolated operating systems, a privileged user can have one physical machine that provides access to everything he needs (corporate and privileged environments)
PAW or Jump Server?
One may not be the answer. There are plenty of companies out there that use both a PAW and a jump server together. In these cases, organizations want to ensure administrators access sensitive resources from a dedicated operating system and leverage a jump server for added security and productivity benefits. So which one do you go with? At the end of the day, it depends on your unique use case and environment.
Learn how Hysolate makes privileged access workstations a reality without impacting user productivity. Start your free trial here.