
Essential Eight: Failing the Cybersecurity Mark, time to ramp up


TLDR: The Australian government’s Essential Eight Maturity Model, designed to help businesses protect themselves against cyberattacks, fails to address key factors needed to secure cloud and SaaS environments. The Essential Eight, first published in 2010 and regularly updated, provides guidance on issues like patching and backups but does not adequately recognize the transition to the cloud and the use of SaaS applications. It lacks directives on configuration management, identity security, third-party app integration management, and resource control, all important components of modern cybersecurity. Security frameworks must be updated to address these aspects and protect organizations against evolving threats.

Australia has invested heavily in improving its cybersecurity posture in recent years, but cyberattacks and data breaches continue to plague the country. The Australian government’s Cyber Threat Report for 2022-2023 classified 58 incidents as Extensive Compromises and 195 incidents as Isolated Compromises. Major organizations like port operator DP World Australia and healthcare providers SA Health, Services Australia, and NT Health have all experienced significant breaches. In response, Australia updated the levels in its Essential Eight Maturity Model, a comprehensive guide for businesses looking to protect themselves against cyberattacks.

While the Essential Eight offers valuable guidance on issues like patching, backups, and application control, it fails to fully address security requirements in cloud and SaaS environments. The model does include a recommendation on restricting administrative privileges, an important principle in SaaS security. However, most of the guidance is tailored toward on-premises networks and does not adequately cover the unique challenges of cloud and SaaS applications. The Essential Eight also falls short in its recognition of the role SaaS applications play in today’s business environment, with no mention of the words “cloud” or “SaaS application.” This omission overlooks the fact that SaaS applications comprise 70% of all software used by businesses and contain critical data that must be secured.

To address the shortcomings of the Essential Eight, security frameworks need to incorporate directives on configuration management, identity security, third-party app integration management, and resource control. Configuration management is essential for preventing misconfigurations that can lead to data exposure. Identity security is crucial in a world where traditional network perimeters no longer exist, and user authentication is the primary barrier to threats. Third-party app integration management is necessary to address the risks associated with external applications that enhance core functionality but introduce new vulnerabilities. Finally, resource control is vital in securing valuable company assets stored in SaaS applications.

Australia, as well as other countries that look to the Essential Eight as a model for cybersecurity, must update their frameworks to address these modern network infrastructures and protect against evolving threats. The Essential Eight Maturity Model needs to evolve to provide comprehensive guidance that includes these vital components of cloud and SaaS security.
