What are the Essential Eight?

Written by Zach DeMeyer on November 18, 2020

Share This Article

Regardless of where your organization operates, it’s likely that, as an IT administrator, you are concerned about compliance regulations. Although all countries and industries have their own unique compliance frameworks and requirements, many share similarities, especially in regard to how identity and access are managed.

The Australian Cybersecurity Centre recognizes these similarities and recommends a security baseline called the Essential Eight for organizations to follow so they’re set up for success for compliance. In this post, we’ll discuss what the Essential Eight entails, and how a cloud directory platform can help you streamline your compliance needs.

What are the Essential Eight?

Although none can claim a perfect cybersecurity approach, the Essential Eight provides a solid foundation for IT admins and security personnel to build their compliance posture around. As the name suggests, the Essential Eight comprises eight mitigation strategies that organizations can implement to proactively address compliance requirements — regardless of the framework.

The 8 strategies are as follows:

  1. Application Control
  2. Application Patching
  3. Application Hardening
  4. Macro Setting Configuration
  5. Admin Permission Restriction
  6. OS Patching
  7. Multi-factor Authentication (MFA)
  8. Daily Backups

These are by no means in order of importance as all eight should be enforced to set a strong security foundation. Let’s break them each down in a bit more detail.

1. Application Control

Malicious applications, browser extensions, and other executable files are a clear and present danger to an organization’s security. When installed, these can cause a number of issues on an end user’s device, most notably malware, which can open that device up as an attack vector to the rest of an organization.

By creating a list of approved and denied applications that can exist on a device, admins can prevent end users from installing unapproved applications or browser extensions through shadow IT, as well as prevent the perpetuation of malicious apps/extensions that may already be installed.

2. Application Patching

Once an admin has prescribed a list of their organization’s approved applications, the next step is to ensure that they are all as up-to-date as possible. When apps are unpatched, they can be exposed to zero-day vulnerabilities, in-app issues that create attack vectors for bad actors. Additionally, older versions of apps are often left unsupported by developers, meaning that any other vulnerabilities that arise in the app are no longer covered.

Investing in routine application patching ensures that end users only leverage the most recent version of an app, and in theory, the most secure version as well. Many have opted to use cloud-based SaaS applications to ensure their organization’s work apps are as up to date as possible.

3. Application Hardening

Beyond keeping apps up to date, there can often be unnecessary functionality in applications and web browsers that can be used to execute malicious code on a user’s device as well. Flash, ads, and Java are all potentially compromising ways a bad actor can manipulate an end user machine through the internet.

Putting company-wide hardening policies in place circumvents these vulnerabilities, preventing them from becoming issues in the first place.

4. Macro Setting Configuration

Macros allow end users to repeat routine actions in a tool like Microsoft® Office by pressing a selection of hotkeys. Although many are created as needed on the user’s device, some macros can be downloaded from the internet. Unfortunately, while convenient, these macros can also be used to log keyboard actions and mouse movements on the device, leading to potential compromise if the user inputs a password or other critical information.

Admins need to block these macros from being installed to avoid malicious code deployment and the dissemination of critical data. Running company-wide device policies can prevent malicious macros at scale, but IT admins need the correct tool to apply them en masse.

5. Admin Permission Restrictions

The principle of least privilege, a major force behind zero trust security, is one of the most important policies IT admins can apply to their access permissions. In essence, end users should only have the minimum amount of access that their role demands. When a user has more permissions than they need, such as admin access on their device or application, they can make potentially damaging changes to their settings, either opening themselves up to an attack unwittingly, or worse, acting as an insider to achieve their own nefarious goals.

With a proper identity and access management approach through a solution like a cloud directory platform, IT admins can dole out privileges as needed through group enrollment/management and ensure that no one has more access than they immediately need.

6. OS Patching

Much like with applications, out-of-date versions of operating systems can also present zero-day vulnerabilities and create other issues that leave user devices exposed to attacks. Using device management tools, admins can control when and how devices update, ensuring that the most secure versions of their OS is being run, as well as preventing updates that are known to break functionalities.

7. Multi-Factor Authentication (MFA)

MFA is arguably one of the most influential measures to put in place for security and compliance purposes. In practice, MFA requires an additional unique factor at login to a device or service, making it very difficult for a bad actor — even one armed with compromised credentials — to successfully breach an organization.

When possible, MFA should be required at any and all login locations, whether at the device level, on applications, VPNs, or elsewhere.

8. Daily Backups

Backups are always an integral part of an IT admin’s role, but when it comes to compliance, an up-to-date catalogue of data surrounding events and authentications is key to prove to auditors that your organization is prepared for anything. By funneling critical compliance data into storage — whether on-premises or stored in cloud infrastructure — you can ensure that it’s available and accurate for presenting to auditors.

Implementing the Essential Eight with JumpCloud

When put in practice, the Essential Eight sets IT organizations up for success, both for upcoming compliance audits and continuous security. In many scenarios, however, the solution stack required to implement each of the eight baselines is extensive: 

  • A core directory service like Active Directory® for access management and Windows® device policies
  • A mobile device management (MDM) tool for rolling out device policies on Windows, Mac®, and Linux®
  • A remote monitoring and management (RMM) solution for managing applications, patching, and backup
  • A security tool providing MFA
  • And more

Instead of purchasing a multitude of point solutions, IT organizations can instead leverage a full-scale cloud directory platform like JumpCloud®.

What is JumpCloud?

JumpCloud provides identity, access, and device management from a centralized directory platform — accessible everywhere through a cloud-based Admin Portal. Using JumpCloud, IT admins can manage Windows, Mac, and Linux devices and roll out all eight of the Essential Eight baselines recommended by the Australian Cybersecurity Center.

JumpCloud’s device management capabilities enable IT admins to roll out cross-OS Policies to tackle requirements like OS and application patching, hardening, and other crucial controls. Admins can also set Policies to control macros as well. The JumpCloud directory allows IT admins to control how users access their applications, networks, infrastructure, and other key resources, including the ability to control privileges based on group membership. Along with implementing conditional access controls, steps like these are crucial towards building a zero trust security posture.

For MFA, IT admins can use JumpCloud to enforce additional authN factors including TOTP, Duo Push, or U2F security keys upon entry to the JumpCloud User Portal, where users access applications and other resources they’ve been given access to. JumpCloud MFA can also be enforced at device login, as well as the VPN level through the RADIUS protocol. Admins can also opt to weave in conditional access controls, relaxing MFA for users on trusted devices or networks.

For audit trail purposes, organizations can employ the Directory Insights™ product with their JumpCloud platform to monitor authentications and events across their entire directory service. Event logs are stored in JumpCloud for up to 90 days, but can be exported to an AWS bucket for further processing and storage.

Try JumpCloud Free

You can see how the JumpCloud platform supports your security and compliance needs by scheduling a free live demo with one of our experts. Alternatively, you can also try the product yourself absolutely free for 10 users and devices.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.

Continue Learning with our Newsletter