073: Deploy Cloud Privileged Access Workstations
Overview
Design procurement procedures and security controls for privileged access workstations for all management activities. Privileged Access Workstations require specific management of the procurement pipeline to prevent tampering. Once the devices are acquired these devices should have hardened MDM policies and network controls that lock them down to admin-specific tasks - capabilities like web browsing should be limited or blocked.
If PAW program pricing concerns preclude the use of physical PAWs then consider adopting a hosted PAW model where the PAW is hosted in a dedicated VDI environment, such as Azure Virtual Desktop in a dedicated Azure subscription with heavily controlled access.