Australia's Essential Eight Maturity Model (E8MM) establishes a baseline of mitigation strategies to help organizations protect themselves from common cyber threats. The Australian Signals Directorate (ASD) distilled the eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents published by the Australian Cyber Security Centre (ACSC).
First published in June 2017, the Essential Eight defines four maturity levels (0-3) to protect organizations’ internet-connected information technology networks. All Australian government agencies and departments subject to the PGPA Act must comply with Essential Eight maturity level 2. While non-governmental organizations aren’t required to prove compliance, the ACSC recommends all Australian organizations implement the Essential Eight mitigation strategies.
IS Decisions’ solutions, UserLock and FileAudit, help organizations implement key controls required for the following Essential Eight pillars across all four maturity levels:
- Multi-factor authentication (MFA)
- Restrict administrative privileges
Multi-factor authentication
MFA implementation is a key component of Essential Eight’s baseline security controls. UserLock MFA helps you meet almost all of the Essential Eight MFA requirements across maturity levels one to three.
Below are the Essential Eight MFA requirements that UserLock can help with. The only MFA controls UserLock does not help you meet are those that concern customer authentication.
Maturity Level One
- Multi-factor authentication is used to authenticate users to their organisation’s online services that process, store or communicate their organisation’s sensitive data.
- Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation’s sensitive data.
- Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation’s non-sensitive data.
- Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
Maturity Level Two (in addition to the level one requirements)
- Multi-factor authentication is used to authenticate privileged users of systems.
- Multi-factor authentication is used to authenticate unprivileged users of systems.
- Multi-factor authentication used for authenticating users of online services is phishing-resistant.
- Multi-factor authentication used for authenticating users of systems is phishing-resistant.
- Successful and unsuccessful multi-factor authentication events are centrally logged.
- Event logs are protected from unauthorised modification and deletion.
- Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
- Cyber security events are analysed in a timely manner to identify cyber security incidents.
- Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
- Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.
Maturity Level Three (in addition to the level one and two requirements)
- Multi-factor authentication is used to authenticate users of data repositories.
- Multi-factor authentication used for authenticating users of data repositories is phishing-resistant.
- Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
- Event logs from workstations are analysed in a timely manner to detect cyber security events.
MFA for organizational and third-party online services
With UserLock, you can authenticate your Active Directory user accounts’ access to your organization’s sensitive and non-sensitive data stored in cloud apps. UserLock allows you to combine MFA with single sign-on (SSO) to authenticate your Active Directory users’ access to online services and applications such as Microsoft 365, Google Workspace, Salesforce, Dropbox, and other SAML-based cloud apps.
Administrators can choose how and when to require MFA.
There are two edit modes available for modifying the MFA settings. Make sure to read the documentation on the use cases for each session type to ensure users will receive an MFA prompt.
- All session types at once: By selecting this option, you can apply the same policy for all session types that are protected by UserLock.
- By session type: Select this option to apply different MFA policies for each session type.
You can also apply MFA by connection type.
For each session type, you can choose how often to prompt your users with MFA.
MFA for privileged and unprivileged users
Maturity levels two and three require MFA across both unprivileged and privileged users of systems, such as your Active Directory.
UserLock provides straightforward, effective MFA to verify identity across all Active Directory accounts, whether privileged or non-privileged. This allows your organization to properly apply the principle of least privilege, which is key to lowering security risk as well as a cornerstone of zero trust architecture.
MFA on access to data repositories
At Essential Eight maturity level two, MFA must be enforced on user access to data repositories.
UserLock makes it possible to implement MFA on AD user access to data repositories. UserLock is compatible with data repositories that integrate with Microsoft Entra, as well as data repositories on SAML-based apps such as AWS, thanks to UserLock's single sign-on (SSO).
At Essential Eight maturity level three, authentication to data repositories must be phishing-resistant.
To ensure that MFA is resistant to phishing, UserLock supports MFA using hardware tokens or keys such as YubiKey and Token2.
MFA methods
UserLock satisfies this requirement with secure MFA methods, and offers the flexibility to choose between two of the following MFA methods:
From Essential Eight’s maturity level two, the scheme requires MFA on access to systems such as AD and to online services to be phishing-resistant. As mentioned above, UserLock allows phishing-resistant MFA via secure keys and tokens from YubiKey and Token2. UserLock’s Push app also uses secure push notifications designed to minimize the risk of accidental approval.
MFA event logs
To meet level two requirements, Essential Eight requires organizations to prove they log MFA events.
UserLock’s MFA event reports provide a complete log of all events related to which users are prompted for MFA upon logon, including whether MFA was completed successfully.
UserLock’s event logs cannot be modified or deleted.
With UserLock, administrators get easy visibility on all multi-factor events from internet or non-internet-facing servers and workstations. Administrators can set up alerts for certain event types, such as MFA denials, or MFA prompts outside of working hours, so they can quickly detect potential threats.
UserLock also allows admins to set up and run scripts to respond automatically to certain events, ensuring they can respond to threats before any damage is done.
MFA reporting and analysis
With UserLock, administrators can set up alerts for certain MFA event types that may pose a cyber security threat, so they can quickly detect and respond.
Administrators can create custom reports or choose from report templates currently available in the UserLock dashboard. These reports can be scheduled to be sent automatically from the UserLock dashboard to specified recipients, such as the CIO or ASD.
Restrict administrative privileges
UserLock also helps organizations implement the controls needed to meet the requirements to restrict administrative privileges at maturity levels one to three.
Maturity Level One
- Unprivileged accounts cannot logon to privileged operating environments.
- Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
Maturity Level Two (in addition to the level one requirements)
- Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated.
- Privileged access to systems and applications is disabled after 45 days of inactivity.
- Administrative activities are conducted through jump servers.
- Privileged access events are centrally logged.
- Privileged account and group management events are centrally logged.
- Event logs are protected from unauthorised modification and deletion.
- Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
- Cyber security events are analysed in a timely manner to identify cyber security incidents.
- Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
- Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.
Maturity Level Three (in addition to the level one and two requirements)
- Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.
- Secure Admin Workstations are used in the performance of administrative activities.
- Just-in-time administration is used for administering systems and applications.
- Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
- Event logs from workstations are analysed in a timely manner to detect cyber security events.
Privileged account provisioning and deprovisioning
UserLock allows you to set a time limit on access to your Active Directory, SaaS and RemoteApps, and data contained within.
With FileAudit, you can also track access by user, group, or organizational unit (OU) across Windows files, file servers, and cloud storage. These logs provide proof of which users are or are not able to access your data.
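As an added example (not code from this page or from IS Decisions), the following Python script applies the level two revalidation and inactivity rules from the table above to a constructed set of privileged grants; reading "12 months" as 365 days and measuring a never-used grant from its approval date are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds from the maturity level two requirements quoted in the table above;
# "12 months" is taken as 365 days here (an assumption for the example).
INACTIVITY_LIMIT = timedelta(days=45)
REVALIDATION_LIMIT = timedelta(days=365)

@dataclass
class PrivilegedGrant:
    account: str
    resource: str
    resource_type: str             # "system", "application" or "data repository"
    last_revalidated: date         # when the grant was approved or last revalidated
    last_used: Optional[date]      # None: the grant has never been exercised

def review_grants(grants, today):
    """Return (account, resource, reason) for every grant that must be disabled.

    The 12-month revalidation rule covers systems, applications and data
    repositories; the 45-day inactivity rule covers systems and applications only.
    """
    findings = []
    for g in grants:
        if today - g.last_revalidated > REVALIDATION_LIMIT:
            findings.append((g.account, g.resource, "not revalidated in 12 months"))
        elif g.resource_type in ("system", "application"):
            # A never-used grant is measured from its approval date so that a
            # dormant grant is still caught (assumed interpretation).
            last_activity = g.last_used or g.last_revalidated
            if today - last_activity > INACTIVITY_LIMIT:
                findings.append((g.account, g.resource, "inactive for 45 days"))
    return findings

# Constructed sample grants (not real data) reviewed as of REVIEW_DATE.
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_GRANTS = [
    PrivilegedGrant("adm-alice", "DC01", "system", date(2024, 1, 15), date(2024, 6, 28)),
    PrivilegedGrant("adm-bob", "DC01", "system", date(2024, 1, 15), date(2024, 4, 1)),
    PrivilegedGrant("adm-carol", "HR-APP", "application", date(2023, 5, 1), date(2024, 6, 29)),
    PrivilegedGrant("adm-dave", "FileShare", "data repository", date(2024, 2, 1), date(2024, 3, 1)),
    PrivilegedGrant("adm-erin", "ERP", "application", date(2024, 5, 1), None),
]

def sample_review():
    """Run the review over the constructed grants; adm-dave's dormant data
    repository grant is not flagged because the inactivity rule does not apply to it."""
    return review_grants(SAMPLE_GRANTS, REVIEW_DATE)
```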
Control access to only what’s needed
UserLock allows administrators to set access policies for different types of employees, by user, group or organizational unit (OU) in line with least privilege principles.
In other words, you can prove your users only have access to the information they need to do their job.
To go one step further, UserLock also allows IT administrators to set granular, contextual access restrictions based on factors like IP address, time, machine, session type, or geolocation.
UserLock also allows admins to limit the number of concurrent sessions allowed.
Secure admin workstations
You can ensure your admins perform administrative activities from a secure admin workstation thanks to UserLock’s MFA and contextual access restrictions. With UserLock’s access restrictions, you can allow your administrative users to log on only via a workstation connection. With UserLock’s MFA, you can authenticate each administrative logon made over that workstation connection, giving you evidence of its security.
Restricting access to operating environments based on account privilege
UserLock’s access policies, set by user, group or organizational unit (OU) in line with least privilege principles, let administrators control which operating environments each type of account can log on to.
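The environment-separation rules from the table above, combined with the contextual restrictions (session type, IP address, time) and the concurrent session limit described in the previous sections, as an added Python example that is not UserLock's code; the admin subnet, working hours and session limits are constructed values.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class LogonRequest:
    account: str
    account_tier: str   # "privileged", "unprivileged" or "local-admin"
    host_tier: str      # target operating environment: "privileged" or "unprivileged"
    session_type: str   # e.g. "workstation", "rdp", "saas"
    source_ip: str
    at: time
    open_sessions: int  # sessions this account already has open

# Constructed policy values for the example (assumptions, not UserLock defaults).
ADMIN_NET = ip_network("10.10.50.0/24")  # Secure Admin Workstation subnet
WORK_HOURS = (time(7, 0), time(19, 0))
MAX_SESSIONS = {"privileged": 1, "unprivileged": 3, "local-admin": 1}

def evaluate(req):
    """Return (allowed, reason); the first failing rule wins."""
    tier, env = req.account_tier, req.host_tier
    # Environment separation rules from the maturity level one requirements above.
    if tier == "unprivileged" and env == "privileged":
        return False, "unprivileged account cannot log on to a privileged environment"
    if tier == "privileged" and env == "unprivileged":
        return False, "privileged account cannot log on to an unprivileged environment"
    # Admin contextual restrictions: workstation session, admin subnet, working hours.
    if tier == "privileged":
        if req.session_type != "workstation":
            return False, "administrative logon allowed only via a workstation session"
        if ip_address(req.source_ip) not in ADMIN_NET:
            return False, "administrative logon from outside the admin workstation subnet"
        if not WORK_HOURS[0] <= req.at < WORK_HOURS[1]:
            return False, "administrative logon outside working hours"
    if req.open_sessions >= MAX_SESSIONS[tier]:
        return False, "concurrent session limit reached"
    return True, "allowed"

def run_samples():
    """Evaluate constructed logon attempts; returns the decision reason for each."""
    cases = [
        LogonRequest("jsmith", "unprivileged", "privileged", "workstation", "10.0.1.20", time(9, 0), 0),
        LogonRequest("adm-alice", "privileged", "unprivileged", "workstation", "10.10.50.7", time(9, 0), 0),
        LogonRequest("adm-alice", "privileged", "privileged", "rdp", "10.10.50.7", time(9, 0), 0),
        LogonRequest("adm-alice", "privileged", "privileged", "workstation", "10.10.50.7", time(22, 30), 0),
        LogonRequest("adm-alice", "privileged", "privileged", "workstation", "10.10.50.7", time(9, 0), 0),
        LogonRequest("ws-localadmin", "local-admin", "unprivileged", "workstation", "10.0.1.20", time(9, 0), 1),
    ]
    return [evaluate(c)[1] for c in cases]
```

The last case shows the local administrator exception: the account passes the environment rules and is stopped only by the session limit.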
Administrative activities are conducted via jump servers
UserLock allows you to enable MFA for jump server connections, ensuring you authenticate access for your administrator accounts before allowing administrative activities.
Reporting and analysis
With UserLock, administrators can also record and report on all privileged access, account, and group management events thanks to a central audit across the whole network. The administrator actions report also allows organizations to quickly see and report on all administrator account actions.
Secure access to event logs
UserLock’s event logs cannot be modified or deleted.
Analyze event logs from internet-facing and non-internet-facing servers and workstations
With UserLock, administrators get easy visibility on all multi-factor events from internet or non-internet-facing servers and workstations.
Administrators can set up alerts for certain event types, such as privileged account access denials, or privileged account logon attempts outside of working hours or from an unusual location, so they can quickly detect potential threats. UserLock also allows admins to block user sessions with one click.
With UserLock, admins can also set up and run scripts to respond automatically to certain events, ensuring they can respond to threats before any damage is done.
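The alert rules described here and in the MFA event logs section above (MFA denials, MFA prompts outside working hours, privileged access denials, privileged logons outside working hours or from an unusual location), run over constructed sample events, as an added Python example that is neither UserLock's code nor its export format; the working hours and expected locations are assumptions.

```python
from datetime import datetime, time

# Constructed sample events in a key=value layout assumed for this example;
# it is not UserLock's export format.
SAMPLE_LOG = """\
2024-06-30T09:12:01 user=jsmith type=MFA_PROMPT host=WS-104 src=10.0.1.20 geo=AU priv=no
2024-06-30T09:12:09 user=jsmith type=MFA_OK host=WS-104 src=10.0.1.20 geo=AU priv=no
2024-06-30T10:30:00 user=adm-alice type=LOGON_OK host=JUMP01 src=10.10.50.7 geo=AU priv=yes
2024-06-30T11:00:00 user=adm-carol type=LOGON_OK host=JUMP01 src=198.51.100.4 geo=US priv=yes
2024-06-30T22:14:05 user=adm-bob type=MFA_PROMPT host=DC01 src=203.0.113.9 geo=NZ priv=yes
2024-06-30T22:14:40 user=adm-bob type=MFA_DENIED host=DC01 src=203.0.113.9 geo=NZ priv=yes
2024-06-30T22:15:02 user=adm-bob type=LOGON_DENIED host=DC01 src=203.0.113.9 geo=NZ priv=yes
2024-07-01T03:05:00 user=adm-alice type=LOGON_OK host=JUMP01 src=10.10.50.7 geo=AU priv=yes
"""

WORK_HOURS = (time(7, 0), time(19, 0))   # assumed working hours
EXPECTED_GEO = {"AU"}                     # assumed usual locations for admins

def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def in_work_hours(ts):
    return WORK_HOURS[0] <= ts.time() < WORK_HOURS[1]

def detect(log_text):
    """Apply the alert rules from the text; returns (timestamp, user, reason)."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        kind, user, priv = ev["type"], ev["user"], ev["priv"] == "yes"
        stamp = ev["ts"].isoformat()
        if kind == "MFA_DENIED":
            alerts.append((stamp, user, "MFA denied"))
        elif kind == "MFA_PROMPT" and not in_work_hours(ev["ts"]):
            alerts.append((stamp, user, "MFA prompt outside working hours"))
        elif kind == "LOGON_DENIED" and priv:
            alerts.append((stamp, user, "privileged logon denied"))
        elif kind == "LOGON_OK" and priv and not in_work_hours(ev["ts"]):
            alerts.append((stamp, user, "privileged logon outside working hours"))
        elif kind == "LOGON_OK" and priv and ev["geo"] not in EXPECTED_GEO:
            alerts.append((stamp, user, "privileged logon from unusual location"))
    return alerts

def run_sample():
    return detect(SAMPLE_LOG)
```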
Cyber security incident analysis
With UserLock, administrators can set up alerts for certain privileged access event types that may pose a cyber security threat, so they can quickly detect and respond.
Administrators can create custom reports or choose from report templates currently available in the UserLock dashboard. These reports can be pre-programmed to send automatically from the UserLock dashboard to specified recipients, such as the CIO or ASD.