The concept of least-privilege access has been around for a while and is widely understood. However, overprivileged users with more rights than they need, such as administrators, continue to be a common source of breaches. It is such a concern that restricting administrative privileges is one of the strategies in the Australian Government’s Essential Eight Maturity Model for mitigating cyber security incidents. So, what can be done to manage administrator privileges without impacting administrators’ ability to manage the systems and applications in their care?
What is Australia’s Essential Eight?
The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) recommend that all organisations implement, as a cyber security baseline, eight essential mitigation strategies from the ACSC’s broader Strategies to Mitigate Cyber Security Incidents guidelines. Implementing this baseline, generally known as the ‘Essential Eight’, makes it much harder for adversaries to compromise systems.
The Essential Eight Summarized
- Application control – Check programs against a pre-defined approved list and block all programs not included.
- Patch applications – Apply security patches for applications in a timely manner. Patch anything that poses an ‘extreme risk’ (a software flaw that allows ransomware to spread) within 48 hours using the latest version of the application. Eliminate applications that are no longer supported and do not receive security fixes.
- Configure Microsoft Office macro settings – Only allow vetted macros (automated commands) either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
- User application hardening – Apply security settings to programs such as web browsers, office, PDF software, etc., making it more difficult for an attacker or compromised website to successfully run commands to install malware.
- Restrict administrative privileges – Limit how privileged accounts with the ability to administer and alter key system and security settings can be accessed and used. Review all user access to privileges annually at a minimum.
- Patch operating systems – Apply security fixes/patches or temporary workarounds/mitigations for operating systems in a timely manner (48 hours for internet-reachable applications). Do not use operating systems or applications that no longer receive security fixes.
- Multi-factor authentication (MFA) – Require users to present two or more credentials to verify their identity for login, such as a password and a code from an SMS/Mobile application.
- Regular backups – Perform regular backups of new and changed data, software and configuration settings, store them disconnected and retain them for at least three months. Test the restoration process regularly including during implementation, annually and after IT infrastructure changes.
Why #5 – the Restriction of Administrative Privileges – is a Challenge
Seven of the Essential Eight cyber security controls are essentially best practices for IT systems and are easy to administer, although they become more difficult depending on the age of an environment, the extent to which it is still supported by vendors, and the organisation’s maturity level.
However, the Restriction of Administrative Privileges has been considered the most difficult of the Essential Eight to implement.
Traditionally, systems administrators (admins) have required the highest levels of clearance because there was no easy way to restrict their ability to access or view all data. However, in most cases their role is to run the environment, with no need to view the data, whether sensitive or not. This is why admins are often referred to as overprivileged users.
Their ability to view unlimited sensitive data poses a significant security risk. Admin accounts are considered ‘the keys to the kingdom’, making them an attractive target for an attacker. By successfully gaining access to an admin account, an attacker can gain significant control over systems, the ability to move laterally within environments, and access to sensitive data. For example, a recent hack of an Australian healthcare insurer was due to an attacker obtaining the login credentials of a worker with excessive privileges to systems. In this case, MFA was in use, yet the privileges of the credentialled user allowed for a far more intrusive breach.
There are also several notable cases where admins have maliciously exfiltrated data for personal gain or for what they perceive as the greater good. Edward Snowden is probably the most recognizable culprit in this type of ‘insider’ attack by an admin.
Managing Privileged Access Controls
The good news is that managing administrative privileges is not an insurmountable challenge. Technology now exists to enable strict access controls to be applied to all users, including system admins. That means that while admins can access applications to manage them, they cannot open or view the files stored within them unless they are authorized to do so.
This granular access approach is the foundation of a variety of methodologies, including:
- Zero Trust Architecture
- Data-Centric Security
- Attribute Based Access Control (ABAC)
- Multi-Level Security
Specifically, attribute-based access control (ABAC) can be applied to all users within an environment, including admins. ABAC policies manage access rights at the data level by evaluating attributes to approve or deny access, as well as controlling what users can ‘do’ with the data if access is granted. ABAC policies can take into consideration any combination of the following attributes to determine access rights:
- Classification of documents and data
- Security clearance of the user
- Type of network being used for access
- Sensitivity level of the data being accessed
- Time of access (e.g., during or after business hours)
- Location of the user (e.g., office, home, airport, country, etc.)
- Any custom access policy an organisation might wish to apply
An ABAC-enabled approach can tightly restrict access to an individual file based on its sensitivity and the user’s role, thus preventing admins from accessing information they are not authorised to see. The policy is applied each time any user attempts to access a file, regardless of whether they have already authenticated to the system and/or the application. This level of fine-grained, real-time access control supports a data-centric zero trust architecture and enables multi-level security by allowing documents of different classifications to be stored in a single repository.
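The attribute evaluation described above, as an added example that is not archTIS code: a small Python policy decision function that checks the user’s clearance against the document classification, the network, the location and the time of access on every request, and that lets a sysadmin manage the repository without being able to open a PROTECTED file. The classification levels, rules, accounts and file path are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import time
# Classification ordering used by the sample policy (constructed; not archTIS's schema).
LEVELS = {"UNOFFICIAL": 0, "OFFICIAL": 1, "PROTECTED": 2, "SECRET": 3}

@dataclass(frozen=True)
class Subject:            # attributes of the user making the request
    user: str
    clearance: str        # security clearance, e.g. "OFFICIAL"
    roles: frozenset      # e.g. {"sysadmin"}
    network: str          # "corp" or "internet"
    location: str         # "office", "home", "airport", ...
    country: str

@dataclass(frozen=True)
class Resource:           # attributes of the document
    path: str
    classification: str

def decide(subject, resource, action, now):
    """Return (allowed, reason). Evaluated on every access, even for an authenticated session."""
    # Repository administration (backup, migration, permissions) never needs to open a file,
    # so it is tied to the role only; opening content is gated separately below.
    if action == "manage":
        return ("sysadmin" in subject.roles, "manage requires the sysadmin role")
    # Clearance must dominate the classification; this applies to admins too.
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False, "clearance below classification"
    if LEVELS[resource.classification] >= LEVELS["PROTECTED"]:
        # Network and location attributes: PROTECTED stays on the corporate network, in-country.
        if subject.network != "corp" or subject.location == "airport" or subject.country != "AU":
            return False, "network or location not permitted for PROTECTED content"
        # Time attribute: downloads (a local copy) only during business hours, 09:00-17:00.
        if action == "download" and not time(9) <= now < time(17):
            return False, "PROTECTED download outside business hours"
    return True, "all attribute checks passed"
# Constructed sample subjects and a sample document (not real accounts or files).
ADMIN = Subject("alice.admin", "OFFICIAL", frozenset({"sysadmin"}), "corp", "office", "AU")
ANALYST = Subject("bob", "PROTECTED", frozenset({"analyst"}), "corp", "office", "AU")
REPORT = Resource("/shared/incident-report.docx", "PROTECTED")
def demo():
    # Evaluate the sample cases; returns {case: allowed}.
    home = replace(ANALYST, network="internet", location="home")
    return {
        "admin_manage": decide(ADMIN, REPORT, "manage", time(10))[0],          # True
        "admin_read": decide(ADMIN, REPORT, "read", time(10))[0],              # False
        "analyst_read": decide(ANALYST, REPORT, "read", time(10))[0],          # True
        "analyst_read_home": decide(home, REPORT, "read", time(10))[0],        # False
        "analyst_download_after_hours": decide(ANALYST, REPORT, "download", time(22))[0],  # False
    }
```

The admin case is the point of the section: the same account is allowed to manage the repository but denied when it tries to read a document above its clearance.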
archTIS Offers Dynamic ABAC-enabled Products to Suit a Variety of Applications
archTIS offers dynamic ABAC-enabled information security products to meet a variety of needs. Selecting the right solution depends on the nature of the collaboration, applications and security infrastructure your organisation requires.
- Using the Microsoft 365 document management and collaboration stack? NC Protect allows you to enhance the security in Microsoft Purview Information Protection by adding dynamic ABAC policies and unique security controls to files stored in M365 applications, including SharePoint Online, OneDrive, Teams, Exchange and Office.
- Using SharePoint on-premises or other file shares? NC Protect allows you to add dynamic ABAC policies and unique security controls to files stored in SharePoint Server on-premises, Windows File Shares and Nutanix Files.
- Need a SaaS-based document management system accredited to store and share PROTECTED files? Kojensi SaaS is a cloud-based Software as a Service environment that enables sharing across and between organisations using ABAC policies. Instantly establish a secure cloud-based sharing environment for government, defence and industry partners to share and collaborate on files up to PROTECTED.
- Need an on-premises multi-level security document management system to store and share files classified PROTECTED and above? Kojensi on-premises enables sharing of higher-sensitivity documents and data across and between organisations. It is ideal when higher security classification levels are required for sharing classified information between organisations and governments.
The archTIS portfolio of information security platforms can help you meet requirements in the Essential Eight and other Australian (DISP, PSPF, SLACIP, CI-SoNS, etc.) and global regulations (ITAR, CMMC, NIST, etc.). Contact us today to explore any of these products or use cases further.