Implementing the ACSC Essential 8 with Microsoft 365Alex Fields
I have had this project on my backburner for a while, and I finally got around to knocking it out: a special request from a reader in the Land Down Under–Australia!
This is a free publication, entitled Implementing the ACSC Essential 8 using Microsoft 365.
The Australia Cyber Security Center (ACSC) published Strategies to Mitigate Cyber Security Incidents some years back. The most effective of these strategies were identified as the “Essential 8” (last updated April 2020 at the time of this writing). These have a lot of visibility in Australia and New Zealand, and other organizations around the world have picked them up as well–they act as a sort of “baseline” or reference point for cyber incident mitigation efforts.
Above, I have mapped these to the CIS Controls so that you can see how implementing this list will also help you to meet (at least partially) specific sub-controls in other cyber security frameworks; or said another way: these are the CIS sub-controls you would focus on to move the needle on the Essential 8.
Even though it overlaps with areas in CIS, it is not a complete cyber security strategy on its own—remember that if you fail to meet the Basic CIS Controls up to at least the Implementation Group 1 maturity level, then other mitigation strategies may be undermined (for instance, without an accurate hardware and software inventory up front you cannot implement these strategies effectively across all of your systems). Yet, the Essential 8 can be seen as another way of prioritizing your risk reduction backlog.
No Detection Strategies?!
I was also initially surprised that none of the ACSC’s Mitigation Strategies to Detect Cyber Security Incidents and Respond made it into the Essentials list. I suspect this is due to the additional expense and pre-requirement for on-going monitoring and human labor—which many small and mid-sized organizations simply have not had access to historically. I believe this should change within the next couple of years with more MSP’s offering services focused around cybersecurity, including Incident Response. In any case, note that the Essentials as they stand today tend to focus primarily on Protect, rather than Detect and Respond.
Nevertheless, detection and response is going to be a very important area for you to focus on as a service provider—so do not lose sight of it! For further reference on this topic, see my document on Microsoft Threat Protection and Microsoft 365 E5 Security.
I’ve had a lot of discussion about whether it necessary to do an external backup of Office 365, at least one Aus gov department has decided that the redundancy provisions and retention capability in the E5 license is enough. I have since heard (from a backup vendor) that this would not meet Essential 8 requirements, but I can’t find a definitive statement one way or the other.
What would your take on this position?
The fact is that no backup vendor out there can truly back up everything in Office 365. Ask them if they backup flows, or planner, or forms, or any app other than mailboxes, onedrive accounts and sharepoint sites. The answer is always no. So you can protect your email and file data in the MSFT cloud natively using stuff like Retention policies, labels, litigation hold, etc. OneDrive even has a restore feature which is great for ransomware situations. It would be nice if we had that same feature on all data locations, but for now just OneDrive. To do a restore of deleted data is not super easy but it can be done provided you have the proper protections in place. The real benefit of a third party is: how easy and painless can they make the restore process?
As for whether it “meets the requirements” I think this is a dubious statement. What precisely does the native protection option fail on? Here in the US, in Exchange Online at least we know that their solution meets SEC 17a-4 which means there is separate storage isolated from the primary storage, and you cannot alter the secondary storage. I am unsure whether they are meeting that requirement for SharePoint yet. So that is one possible area for clarification.