Hey everyone! I'm part of an Infrastructure team responsible for managing servers, network, and firewalls. We currently use dedicated Physical Access Workstations (PAWs) for each team member, ensuring they have no access to the domain, internet, or email to maintain the security of our critical systems. Soon, we're planning to implement Privileged Access Management (PAM) to handle all our privileged accounts across the infrastructure. My question is whether we still need to use PAWs after we start using PAM, or is it better to access the PAWs through PAM and manage those accounts that way? I'd really appreciate your thoughts and advice on this! Thanks a lot!
4 Answers
That really depends on your implementation too. If you can, it'd be ideal to have a hardware PAW for domain admins to handle Tier 0 tasks separately. For regular sysadmin tasks, the normal workstation can suffice, just ensure it's not the daily driver! Moving to a Virtual Desktop Infrastructure (VDI) can also enhance security while giving you the flexibility you need for tasks.
It really boils down to your specific setup. In most PAM solutions, you’ll find session management functionalities where sessions go through the secure PAM server, basically acting like a PAW. So whether you need both may depend on how your workflow is structured.
It's a good idea to keep your PAWs for physical and logical routing. Each PAW can serve specific roles—like having your domain admins using a DA-PAW just for domain controllers, while server admins work off their own SA-PAW only for server access. PAM can layer on top of this to manage which accounts can access what resources. This combo really boosts your security, supporting a zero-trust model.
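The layering described in the answer above, shown as an added example that is not part of the original thread: a privileged logon passes only if the source PAW's tier matches the target's tier and PAM grants that account access to that target. All host names, account names and the tier labels are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory; every host and account name here is an assumption.
PAW_TIER = {"DA-PAW-01": "tier0", "SA-PAW-01": "tier1"}  # PAW -> tier it may administer
TARGET_TIER = {"DC01": "tier0", "FILESRV01": "tier1", "SQL01": "tier1"}
# PAM layer: privileged account -> targets it may be checked out for.
PAM_GRANTS = {"da-alice": {"DC01"}, "sa-bob": {"FILESRV01"}}


@dataclass(frozen=True)
class Logon:
    source: str   # workstation the session came from
    account: str  # privileged account used
    target: str   # system being administered


def evaluate(event: Logon) -> list[str]:
    """Return the layers a privileged logon violates (empty list = allowed)."""
    reasons = []
    paw_tier = PAW_TIER.get(event.source)
    target_tier = TARGET_TIER.get(event.target)
    if paw_tier is None:
        reasons.append("source is not a registered PAW")
    elif target_tier is None:
        reasons.append("target is not in the tier inventory")
    elif paw_tier != target_tier:
        reasons.append(f"{paw_tier} PAW used against {target_tier} target")
    # Checked independently so both failures are reported together.
    if event.target not in PAM_GRANTS.get(event.account, set()):
        reasons.append("account has no PAM grant for target")
    return reasons


def audit(events: list[Logon]) -> dict[Logon, list[str]]:
    """Map each violating event to its reasons; compliant events are omitted."""
    return {e: r for e in events if (r := evaluate(e))}


# Constructed sample events, not real log data.
SAMPLE = [
    Logon("DA-PAW-01", "da-alice", "DC01"),
    Logon("SA-PAW-01", "sa-bob", "FILESRV01"),
    Logon("SA-PAW-01", "da-alice", "DC01"),
    Logon("SA-PAW-01", "sa-bob", "SQL01"),
    Logon("LAPTOP-17", "sa-bob", "FILESRV01"),
]

if __name__ == "__main__":
    for event, reasons in audit(SAMPLE).items():
        print(event, "->", "; ".join(reasons))
```

The third sample event is the case PAM alone would allow (the account holds a valid grant) and only the PAW tier check rejects.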
Why do you ask about using a PAW along with M365? Just trying to understand how that's relevant.
Just thinking about overall security! M365 brings its own access controls, so I'm curious how that fits with traditional PAWs.