COMMENTARY
In recent years, Australia has made some key moves to improve the country’s security posture. In 2020, the country invested AUD $1.67 billion (US$1.1 billion) as part of Cyber Security Strategy 2020.
Despite these efforts, the Australian government’s “Cyber Threat Report 2022-2023” reported 58 incidents that it classified as Extensive Compromises, and 195 incidents that it classified as Isolated Compromises. Port operator DP World Australia suspended operations due to a cyberattack in November. SA Health, Services Australia, and NT Health were just a few of the healthcare providers that were breached last year, following November 2022’s Medibank breach that affected nearly 10 million people.
In response, Australia updated the levels in its Essential Eight Maturity Model, the nation’s comprehensive guide for businesses trying to protect themselves against cyberattacks. A framework created in 2010 to help businesses withstand cybersecurity threats, the Essential Eight has been updated several times, most notably when it added its maturity model to help companies of different sizes determine appropriate security actions to take, and most recently in November 2023.
However, with cybercrime running rampant in Australia, it’s time to ask whether the Essential Eight is providing the right direction for Australian organizations and if it should be used as a model for other countries.
Inside the Essential Eight
The Essential Eight has remained intact since being published in 2010. It provides direction on patching, backups, and application control. Among other things, 2023’s update recommends restricting Microsoft macros and includes directives on user application hardening.
While all those issues are important, they fail to recognize the transition to the cloud and, specifically, the use of software-as-a-service (SaaS) applications. The Essential Eight does include a section on restricting administrative privileges, a key SaaS security principle.
However, reading through the Maturity Levels, it is clear that its guidance remains tailored toward on-premises networks. Maturity Level 2 includes guidance like “Requests for privileged access to systems, applications, and data repositories are validated when first requested” and “Privileged users use separate privileged and unprivileged operating environments.”
Of the 29 recommendations on administrative privileges across the three maturity levels, only one addresses online accounts (“Privileged accounts explicitly authorized to access online services are strictly limited to only what is required for users and services to undertake their duties”).
The Essential Eight does include multifactor authentication (MFA). This is a critical step in securing online services. However, MFA is just one piece of cloud and SaaS security. Limiting guidance to just MFA does a disservice to the businesses and government entities that rely on the Essential Eight for direction in securing their entire digital footprint.
Essential Eight Misses on Today’s Work Environment
Unfortunately, the Essential Eight and its Maturity Model miss today’s computing environment. The document doesn’t contain the words “cloud” or “SaaS application.” By omission, it fails to recognize the role SaaS applications play in today’s business world and the data that is stored in the cloud.
Today, SaaS applications comprise 70% of all software used by businesses. Each of those applications contains business-critical data or plays a role in operations that must be secured. MFA is an important tool used to limit access to authorized users, but it falls far short of the measures required to secure SaaS and cloud instances.
Updating the Essential Eight for the Modern Workplace
The Essential Eight is missing four key cloud-centric security directives: configuration management, identity security, third-party app integration management, and resource control.
- Configuration management: A security framework that doesn’t address misconfigurations is missing a key piece of security guidance. A Tenable Research report found that 800 million records were exposed in 2022 due to misconfigurations. This is a serious issue that requires automated monitoring to ensure app and cloud administrators don’t accidentally adjust a setting that exposes data to the public.
- Identity security: Identity security posture management (ISPM) is another glaring omission from the Essential Eight. SaaS and cloud have obliterated the traditional network perimeter. Identity stands in its place, the sole barrier between the application and threat actors. While MFA does address user authentication, it fails to address issues relating to deprovisioned users, external users, user permissions, admin risk, and other user-based risks.
- Third-party app integration management: Third-party applications help improve core app functionality and simplify workflows. They also introduce new avenues of risk. The simple OAuth integration often asks for intrusive scopes that empower the application with write permissions, which include the ability to delete folders, files, and entire drives and manage email privileges.
- Resource control: SaaS and cloud applications store millions of company assets and resources. These include files, folders, planning boards, proprietary software code, and product plans. These assets must be secured behind robust security measures rather than accessible to anyone with a link or searchable through an Internet browser.
Preparing Businesses for Today’s Threats
Australia, along with the cybersecurity organizations in the Middle East and Africa that look to it for guidance, must update its security framework to address modern network infrastructures.
Introducing security measures relating to misconfiguration management, ISPM, third-party applications, and protecting company assets stored in SaaS applications should be the next step for the Essential Eight.
Source: www.darkreading.com