The Essential Eight Meets Identity
The ACSC's Essential Eight is framed around endpoints and applications, but four of the eight live or die on identity controls. Here is how I map them.
The Australian Cyber Security Centre's Essential Eight is the de facto baseline for Australian organisations, and it is refreshingly concrete in a field full of abstraction. What is less discussed is how much of it is, in practice, an identity programme wearing an endpoint-hardening label. If you run identity, at least half the Essential Eight is partly or wholly yours.
Restrict administrative privileges — this is yours, end to end
This mitigation is pure privileged access management. The maturity expectations escalate exactly as a good PAM programme would: validate privileged access requests, separate privileged from unprivileged environments, prevent privileged accounts from accessing the internet and email, and — at higher maturity — move toward just-in-time administration. If you have built PAM properly, you are most of the way to this mitigation's top tier. If you haven't, this is the forcing function.
Multi-factor authentication — the maturity ladder is the point
MFA is its own mitigation, and the interesting work is in the maturity progression. Lower maturity accepts MFA broadly; higher maturity demands it be phishing-resistant and applied to a widening scope — not just remote access but privileged actions and access to important data repositories. The trap is treating "we have MFA" as done. The standard is asking what kind, for whom, and against which threats.
I treat "Restrict admin privileges" and "MFA" as identity-owned mitigations, and "Application control" and "Patch applications/OS" as endpoint-owned but identity-adjacent — because privileged access is how patching and control exceptions get abused. Ownership clarity prevents the gaps between teams.
The identity-adjacent four
Application control, patching applications, patching operating systems, and macro/application hardening are not identity mitigations per se — but they intersect identity at the privilege boundary. Application control is undermined if too many users hold the admin rights to bypass it. Patching cadence collapses when privileged service accounts are treated as too sensitive to touch. The lesson: over-provisioned privilege quietly erodes every other mitigation. Tightening admin access raises the whole baseline.
Maturity is a journey across all eight together
The Essential Eight is assessed as a maturity level across the mitigations — you are only as mature as your weakest applicable control. This is why a lopsided programme with brilliant MFA and sprawling standing privilege scores poorly: the admin-privilege gap drags the assessment down. For identity teams, the implication is to advance privileged access and authentication in lockstep, because the framework will not reward strength in one while the other lags.
The Essential Eight is a gift to identity practitioners: a concrete, government-backed mandate for exactly the privileged-access and authentication discipline we should be doing anyway. I use it less as a compliance checklist and more as a shared language to explain to executives why the unglamorous identity work is non-negotiable.
Looking for an IAM lead who thinks this way?
I help regulated enterprises govern identity at scale — from SailPoint to PAM to audit.