Written by Arye Zacks, Senior Technical Researcher, Adaptive Shield.
MIT Technology Review Insights named Australia the leader in its inaugural Cyber Defense Index country rankings for 2022-2023. In recent years, Australia has made several key moves to improve the country's security posture. In 2020, it committed $1.67 billion under Cyber Security Strategy 2020. A year later, it updated the maturity levels of the Essential Eight, its prioritised set of mitigation strategies for organisations defending themselves against cyberattacks. In 2022, it appointed Clare O'Neil as its first dedicated Minister for Cyber Security.
It is undeniable that Australia has made significant investments and strides to defend against major cybersecurity attacks.
Despite these efforts, the Australian Signals Directorate (ASD) Cyber Threat Report 2022-2023 identified 58 incidents that it classified as Extensive Compromise and 195 that it classified as Isolated Compromise. In November 2023, a port operator suspended operations after a cyberattack, while government agencies, global enterprises, healthcare providers and financial services firms all suffered significant data breaches.
Australia's cybersecurity efforts begin with the Essential Eight. The framework grew out of mitigation strategies ASD first published in 2010 and was intended to guide organisations' cybersecurity efforts. Since its initial publication it has been updated several times, most notably with the addition of a maturity model to help organisations of different sizes decide which security measures are appropriate, and most recently in November 2023. Yet with cybercrime seemingly running rampant in Australia, it is time to ask whether the Essential Eight is giving Australian organisations the right direction.
Inside the Essential Eight
The core of the Essential Eight has remained largely intact since its initial publication. As you would expect from guidance with roots in that era, it covers patching, backups and application control, recommends restricting Microsoft Office macros, and includes directives on user application hardening.
All of those controls matter, but the Essential Eight has not kept up with changes in how software is delivered. When the framework's strategies were first written, the SaaS delivery model was still something of an anomaly in Australia and few companies relied on it, so it is understandable that securing SaaS applications was not a serious concern for those developing the country's cybersecurity framework.
SaaS adoption rose throughout the 2010s and received a further boost when the workforce began working from home. It has cemented itself as the default software delivery model for businesses of all sizes. Despite those changes, updates to the Essential Eight have not added guidance for securing SaaS applications.
The Essential Eight does include a strategy on restricting administrative privileges, a key SaaS security principle. Reading through the maturity levels, however, it becomes clear that the guidance is tailored to on-prem networks. For example, Maturity Level 2 includes "Requests for privileged access to systems, applications and data repositories are validated when first requested" and "Privileged users use separate privileged and unprivileged operating environments," both of which assume on-prem installations. In fact, of the 29 recommendations across the three maturity levels for restricting administrative privileges, only one addresses online accounts ("Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties").
Multi-factor authentication (MFA) is another of the eight strategies. It is a critical control for securing online services and should not be overlooked, but MFA is only one piece of SaaS security. By limiting its SaaS-relevant guidance to MFA, ASD leaves the rest of the SaaS attack surface unaddressed.
The Importance of Securing SaaS Applications
Most businesses today rely on SaaS applications. Australia is the third-largest user of Microsoft 365 globally, and Australian companies also use Salesforce, GitHub, Slack, Teams, Google Workspace, ServiceNow, Workday, Miro and hundreds of other applications.
These applications hold sensitive business files and documents, planning boards, customer data, medical records, email and employee data. Threat actors recognise the value they contain and continuously work to breach them. Businesses must understand the risks facing their SaaS applications and put security measures in place, and for that to happen at scale the Essential Eight must be updated to cover them and to educate Australian businesses.
Unfortunately, the Essential Eight and its maturity model do not reflect today's work environment: the text contains neither "cloud" nor "SaaS application." By that omission, it fails to recognise the role SaaS applications play in today's business world and the data now stored in the cloud.
By industry estimates, around 70% of the software businesses use today is delivered as SaaS. Each of those applications holds business-critical data or plays a role in operations, and must be secured. MFA is an important tool for limiting access to authorised users, but it falls far short of the measures required to secure SaaS and cloud instances.
Update the Essential Eight for Today’s Workplace
The Essential Eight is missing four key cloud-centric security directives: misconfiguration management, identity security, third-party connected app management, and resource control.
Misconfiguration Management
Every SaaS application exposes security configurations. These settings govern who can access the tenant, guard against data leakage, and support operational resilience. A single poorly chosen setting, such as external sharing enabled by default or MFA not enforced for administrator accounts, can give outsiders a path into the application through user accounts or shared content.
A recent Tenable Research report found that 800 million records were exposed in 2022 due to misconfigurations alone. This is a serious issue, and it calls for automated, continuous monitoring so that a setting an app or cloud administrator accidentally changes to expose data to the public is detected rather than left in place.
Identity Security
The move from on-prem software to SaaS applications has dissolved the traditional network perimeter; today, user identity is what keeps unauthorised parties out of an application. MFA is a critical component of identity security, but it only addresses one area of access.
It does nothing about users with excessive permissions, incomplete deprovisioning of users who have left, external users who were granted temporary access that was never revoked, risks stemming from app administrator accounts, or other identity-related issues. A modern security framework must address the need for a sophisticated, multi-layer identity fabric.
Third-party Connected Apps
SaaS users often connect third-party applications to extend their apps' functionality. The integration happens with the click of a button, far from the security team's watchful eye. Users rarely read the permissions they grant to the application, which often include allowing the app to delete files or folders, send email on the user's behalf, and download data.
These permissions must be monitored, because a connected app can be taken over by a threat actor or be malicious from the outset. The Essential Eight should include guidelines that help security teams gain visibility into connected apps and the permissions they hold.
Resource Control
As mentioned earlier, SaaS applications store millions of company resources, such as documents, source code, videos, links and more. These resources must sit behind robust access controls rather than be reachable by anyone with a link or discoverable through a search engine.
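To make the four directives above concrete (misconfiguration management, identity security, third-party connected apps and resource control), here is an added example of the kind of posture checks an SSPM-style tool runs against a SaaS tenant. It is not code from the article, from Adaptive Shield or from any SaaS vendor: the tenant snapshot is constructed for the example, and the setting names, OAuth scope names, roles and field names are assumptions chosen for illustration rather than any vendor's real export format. Each check returns findings as plain dictionaries so they can be asserted on or fed to a ticketing system.

```python
"""Posture checks over a constructed SaaS tenant snapshot (example code).

Four checks, one per directive: settings drift against a baseline, identity
hygiene, third-party OAuth grants, and publicly exposed resources. All field
and scope names below are assumed for illustration, not a real product schema.
"""
from datetime import date

# Settings the organisation expects. Keys and values are assumed names.
BASELINE = {
    "external_sharing": "disabled",
    "mfa_required_for_admins": True,
    "session_timeout_minutes": 60,
    "guest_default_access": "none",
}
# Scopes that let an app act with broad authority in the tenant (assumed names).
HIGH_RISK_SCOPES = {"mail.send", "files.readwrite.all", "directory.readwrite.all"}
STALE_DAYS = 90  # external user idle longer than this is flagged

# Constructed snapshot of one tenant at one point in time.
SNAPSHOT = {
    "as_of": "2024-03-01",
    "settings": {
        "external_sharing": "anyone_with_link",  # drifted from the baseline
        "mfa_required_for_admins": True,
        "session_timeout_minutes": 60,
        "guest_default_access": "none",
    },
    "users": [
        {"id": "u1", "email": "alice@example.com", "role": "admin", "status": "active",
         "mfa": True, "external": False, "last_login": "2024-02-28"},
        {"id": "u2", "email": "bob@example.com", "role": "admin", "status": "active",
         "mfa": False, "external": False, "last_login": "2024-02-27"},
        {"id": "u3", "email": "carol@example.com", "role": "member", "status": "active",
         "mfa": True, "external": False, "last_login": "2023-09-01"},  # left, never deprovisioned
        {"id": "u4", "email": "guest@partner.example", "role": "member", "status": "active",
         "mfa": False, "external": True, "last_login": "2023-10-15"},  # temporary guest, still active
        {"id": "u5", "email": "dave@example.com", "role": "member", "status": "active",
         "mfa": True, "external": False, "last_login": "2024-02-29"},
    ],
    # Current employees according to HR; carol is absent.
    "hr_active": {"alice@example.com", "bob@example.com", "dave@example.com"},
    "connected_apps": [
        {"name": "CalendarSync", "scopes": ["calendars.read"], "installed_by": "u5"},
        {"name": "MailMerge Pro", "scopes": ["mail.send", "files.readwrite.all"], "installed_by": "u3"},
    ],
    "resources": [
        {"path": "/Finance/Q4-forecast.xlsx", "sharing": "anyone_with_link", "indexable": False},
        {"path": "/Public/Brand-kit.pdf", "sharing": "anyone_with_link", "indexable": True},
        {"path": "/HR/Payroll.csv", "sharing": "internal", "indexable": False},
    ],
}


def check_config(settings, baseline):
    """Flag every setting that drifted from the baseline. A setting missing from the
    snapshot is reported as '<missing>' rather than silently passing."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key, "<missing>")
        if actual != expected:
            findings.append({"check": "config_drift", "setting": key,
                             "expected": expected, "actual": actual})
    return findings


def _days_since(day_str, as_of):
    return (as_of - date.fromisoformat(day_str)).days


def check_identities(users, hr_active, as_of):
    """Admins without MFA, active internal accounts HR no longer knows, stale guests."""
    findings = []
    for u in users:
        if u["status"] != "active":
            continue  # disabled accounts are out of scope here
        if u["role"] == "admin" and not u["mfa"]:
            findings.append({"check": "admin_without_mfa", "user": u["email"]})
        if not u["external"] and u["email"] not in hr_active:
            findings.append({"check": "orphaned_account", "user": u["email"]})
        if u["external"] and _days_since(u["last_login"], as_of) > STALE_DAYS:
            findings.append({"check": "stale_external_user", "user": u["email"],
                             "days_idle": _days_since(u["last_login"], as_of)})
    return findings


def check_connected_apps(apps, users, hr_active):
    """High-risk OAuth scopes, and grants whose installing user has left (orphaned)."""
    by_id = {u["id"]: u for u in users}
    findings = []
    for app in apps:
        risky = sorted(HIGH_RISK_SCOPES & set(app["scopes"]))
        if risky:
            findings.append({"check": "high_risk_scopes", "app": app["name"], "scopes": risky})
        installer = by_id.get(app["installed_by"])
        if installer is None or installer["email"] not in hr_active:
            findings.append({"check": "orphaned_grant", "app": app["name"],
                             "installed_by": app["installed_by"]})
    return findings


def check_resources(resources):
    """Anything reachable by link, noting whether it is also search-engine indexable."""
    return [{"check": "public_link", "path": r["path"], "search_indexable": r["indexable"]}
            for r in resources if r["sharing"] == "anyone_with_link"]


def run_checks(snapshot):
    as_of = date.fromisoformat(snapshot["as_of"])
    return {
        "config": check_config(snapshot["settings"], BASELINE),
        "identity": check_identities(snapshot["users"], snapshot["hr_active"], as_of),
        "apps": check_connected_apps(snapshot["connected_apps"], snapshot["users"], snapshot["hr_active"]),
        "resources": check_resources(snapshot["resources"]),
    }


if __name__ == "__main__":
    for category, findings in run_checks(SNAPSHOT).items():
        print(f"[{category}] {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

Two design choices are worth noting. The identity check is joined against an HR source of truth, because a SaaS tenant alone cannot tell you that an active account belongs to someone who has left; that join is what turns "deprovisioning" from a process into something you can verify. The connected-app check reports orphaned grants separately from risky scopes: a token issued by a departed user keeps working after the user's own access is gone, so it needs its own revocation path.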
Preparing Businesses for Today’s Threats
It is time for Australia to update its security framework to address modern infrastructure. Adding measures for misconfiguration management, identity security, third-party connected apps and the protection of company assets stored in SaaS applications should be the next step for the Essential Eight.
That guidance would enable businesses and government organisations to meet the threats to their SaaS environments head-on, using tools such as SaaS Security Posture Management (SSPM). Without it, these organisations will only be prepared to defend against yesterday's threats.
About the author
Arye Zacks, an experienced senior technical research professional in the cybersecurity sector, excels in driving innovation and securing digital landscapes. With a proven track record in developing cutting-edge solutions, leading research teams, and staying ahead of evolving cyber threats, he specializes in threat intelligence, vulnerability analysis, and strategic risk mitigation. Passionate about advancing cybersecurity knowledge through publications and industry collaboration, Arye is committed to fostering a secure digital future.