We previously blocked all internet access on our PAWs (Privileged access workstations). But now with more and more of our applications moving to the cloud, we need to access things like the O365 admin console, Cloudflare admin console, Duo admin console, Cisco Meraki admin console etc… from our PAWs.
We initially used a proxy server to do this: we had explicit allow rules for these admin consoles, and then a final rule to block all other sites at the end. It was okay, but there were issues with this model when working remotely, so we switched to using Umbrella.
We implemented Cisco Umbrella just for our PAWs, and used their Allow-Only mode for this purpose (Create and Apply Policies).
Umbrella works okay but it is a bit quirky at times, as sometimes it allows all names to resolve for the first few minutes after a user logs in. We have just learnt to live with this.
We are now looking at setting up a web security solution for all of our machines company-wide and have been trialling Cloudflare Gateway, and it works well. Really well. Ideally we would like to move our PAWs to the same platform that we use for the rest of our machines, but to do this we would need an Allow-only mode.