Business Problem

Organizations of all sizes today face escalating risks from threat actors seeking information assets. One of the most valuable and vulnerable targets is a privileged credential. Once a threat actor gains control of a privileged account, most organizational controls are effectively compromised. To protect privileged credentials, you must (i) secure the endpoint devices where the credentials are presented and (ii) enforce strong authentication to ensure that the person gaining access to the privileged digital identity is in fact authorized.

Scenarios

  • The logon machine used for privileged access could be exposed to pass-the-hash and other credential-theft attacks, but carrying a dedicated laptop or tablet for each administrative user is not practical or cost effective.
    • Network administration must be performed whenever the need arises, which often requires secure access from an on-premises machine or from a remote location.
    • Secure cloud system access needs to be available from almost any location, but the identities used for each cloud system must be carefully controlled to keep risk within tolerable limits.
  • The company needs multi-factor, audit-friendly controls that restrict privileged access to specific users on specific source machines while still allowing access from multiple locations, so that assistance is timely and convenient. These controls also feed detective security information and event management (SIEM) alerts when use of a privileged credential is attempted from an unauthorized machine, and they protect against lateral-movement attacks.
  • The company needs to restrict access to key information assets (Enterprise Admin account, intellectual property, financial assets…) unless two or more people or multiple independent controls are involved.
  • The company needs a way to easily and safely grant and revoke temporary privileged access; this often means marrying access to something physical that can be easily given and taken back.
  • If a privileged access device is compromised, lost, or stolen, the company needs a way to immediately disable it, preserve it for forensic investigation once recovered, and, as an option, destroy (remotely wipe) it.
  • The organization needs a way to audit use of the privileged access device.
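The detective control the second scenario asks for, shown as an added example that is not part of the original page or the vendor's product: a small Python checker that reads Windows Security event 4624 (successful logon) records as JSON lines and raises an alert when a privileged account logs on from a workstation other than its assigned PAW. The account-to-PAW allowlist, the host names and the sample events are constructed for illustration; the field names (TargetUserName, TargetDomainName, LogonType, WorkstationName, IpAddress) are those of the 4624 event.

```python
"""Detect privileged-account logons that did not originate from an assigned PAW,
over Windows Security event 4624 (successful logon) records.

Input is JSON lines, one event per line, using the 4624 field names from the
Windows Security log. The allowlist and sample events are constructed for this
example and are not real data.
"""
import json

# Constructed allowlist: privileged account -> PAW host names it may be used from.
PRIVILEGED_ACCOUNTS = {
    "corp\\ent-admin": {"PAW-WSP-01", "PAW-WSP-02"},
    "corp\\net-admin": {"PAW-WSP-03"},
}

# 4624 LogonType values relevant to interactive and remote administration.
LOGON_TYPE_NAMES = {
    "2": "Interactive", "3": "Network", "7": "Unlock",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}


def account_key(event):
    """Case-insensitive DOMAIN\\user key built from the 4624 target fields."""
    domain = event.get("TargetDomainName", "")
    user = event.get("TargetUserName", "")
    return f"{domain}\\{user}".lower()


def check_logon(event):
    """Return an alert dict for a privileged logon from a non-PAW source,
    or None when the event is not interesting.

    A missing or '-' WorkstationName (which 4624 reports for some network
    logons) is treated as unknown and therefore unauthorized: for a privileged
    account we require a positive match on an assigned PAW, not an absence of
    evidence.
    """
    if event.get("EventID") != 4624:
        return None
    account = account_key(event)
    allowed = PRIVILEGED_ACCOUNTS.get(account)
    if allowed is None:
        return None  # not a monitored privileged account
    workstation = str(event.get("WorkstationName", "-")).upper()
    if workstation in {w.upper() for w in allowed}:
        return None  # logon came from an assigned PAW
    logon_type = str(event.get("LogonType", ""))
    return {
        "rule": "privileged_logon_from_non_paw",
        "account": account,
        "workstation": workstation,
        "ip": event.get("IpAddress", "-"),
        "logon_type": LOGON_TYPE_NAMES.get(logon_type, logon_type),
        "expected_paws": sorted(allowed),
    }


def scan(lines):
    """Run check_logon over JSON lines; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken record must not stop the detection pipeline
        alert = check_logon(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    '{"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "ent-admin", '
    '"LogonType": 2, "WorkstationName": "PAW-WSP-01", "IpAddress": "-"}',
    '{"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "ent-admin", '
    '"LogonType": 10, "WorkstationName": "FINANCE-PC-07", "IpAddress": "10.0.5.23"}',
    '{"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "net-admin", '
    '"LogonType": 3, "WorkstationName": "-", "IpAddress": "10.0.9.9"}',
    '{"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "jdoe", '
    '"LogonType": 2, "WorkstationName": "FINANCE-PC-07", "IpAddress": "-"}',
    '{"EventID": 4672, "SubjectDomainName": "CORP", "SubjectUserName": "ent-admin"}',
    'not json at all',
]


def run_sample():
    """Scan the constructed sample and return the alerts it produces."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the constructed sample this yields two alerts: the Enterprise Admin logging on interactively via RDP from a finance workstation, and the network administrator logging on over the network from a host that did not report a workstation name. A production rule would typically key on additional evidence as well (the source IP against the PAW subnet, the 4672 "special privileges assigned" event, and Kerberos ticket events from the domain controllers), but the matching logic is the same: a privileged identity is only acceptable when it is paired with a positively identified PAW.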

Solution

Windows To Go WorkSafe Pro

The MIL-SPEC hardened WorkSafe Pro is a best-practice administrative workstation device that combines security, portability and durability. With a form factor 25 times smaller than a laptop and a price one third of the cost, the encrypted WorkSafe Pro SSD boots a host computer over a USB 3.0 interface, bypassing the host computer’s hard drive and any threats resident on it. This provides a secure, isolated, hardened instance of the company’s standard Windows image for activities that require elevated privilege. Built with hardware-based encryption, an embedded FIPS 140-2 certified smart card, and a rugged, tamper-protected chassis, the WorkSafe Pro secures the endpoint, which is where important credentials are most often compromised. Using the integrated PKI-based smart card as part of a high-assurance, auditable multi-factor authentication process, the device ensures that only an authorized individual is granted privileged access.

Benefits
  • Purpose-built high-assurance environment – audit standards such as the NIST SP 800 series, PCI DSS, and ISO 27001 expect that activities at different security or risk levels do not share one environment. The WorkSafe Pro used as a PAW isolates sensitive transactions to a portable, high-security device that can also be configured for secure remote access.
    • In read-only mode the drive accepts temporary writes that are discarded at every restart, returning the device to a known-good starting point. This prevents changes made during a session from persisting.
    • With remote device management enabled, audit logging, remote disable and remote wipe address the additional risks of loss, theft and compromise.
  • Smart Card – the WorkSafe Pro includes an embedded FIPS 140-2 Level 3 certified, tamper-resistant smart card. This lets a company map an Active Directory user to the certificate on a WorkSafe Pro’s smart card, enforcing the “something you have” requirement of multi-factor authentication and giving assurance that the network user is who they claim to be.
  • Secure Boot – the host computer’s hard drive, and any threats it contains, is bypassed. The device’s drive remains encrypted until the boot password is satisfied; the device enforces pre-boot validation to secure the boot process and supports UEFI Secure Boot.
  • Hardware encryption – the entire storage drive is protected by XTS-AES-256 hardware encryption, giving strong protection to the operating system, applications, and data. The hardware encryption requires a PIN before any of the encrypted information can be accessed. Combined with computer certificates issued by an Active Directory Enterprise Certificate Authority (PKI), this gives the company assurance that the machine is an authorized PAW and has the right to let a user connect for privileged access.
  • BitLocker encryption – BitLocker software encryption provides an optional, additional layer of security with its own configurable PIN. The BitLocker keys are stored in the hardware-encrypted compartment, so they are not exposed to a threat actor who has not first satisfied the hardware PIN.
  • Up to four (4) independent authentication controls – the WorkSafe Pro can be configured so that up to four different people must participate to gain access to a protected system. This helps enforce separation of duties and strengthens the process around sensitive data access. The four controls, each of which can optionally be assigned to a different person, are: (i) possessing the device, (ii) satisfying the hardware encryption PIN, (iii) satisfying the BitLocker PIN, and (iv) satisfying the smart card PIN.
  • Durability – the WorkSafe Pro, like every device in the “To Go” family, is built to the highest physical standards in design and component materials. The devices meet military specifications for shock, vibration, hot and cold temperatures, and even water immersion, conditions that are generally destructive to laptops and tablets.
  • Care-free Portability – you can carry this device as your “PC in your Pocket” without handling it with special care; it protects itself.
  • Cost effective – 1/3 the cost of an average laptop and 25 times smaller.
  • Optional management – with optional remote management enabled, the device access PIN can be remotely reset and the device itself can be audited, disabled, and wiped. The management data is encrypted, and access to the management system is governed by smart card based authentication from specific PAW devices assigned to your organization.