Microsoft 365 cloud-based identity and device controls have not been fully set up across nine public agencies in Victoria, according to the Victorian Auditor General's Office (VAGO) report Cybersecurity: Cloud Computing Products.

Government departments, a local council, a water authority, a health service and other entities, including Cenitex, were selected to have their approaches to cybersecurity assessed. This came after the Department of Premier and Cabinet reported that 90% of Victorian Government agencies experienced cybersecurity incidents in 2022, with the report stating that "successful attacks on Victorian Government agencies have seriously disrupted critical services".

Microsoft 365 not being used to its full capacity

VAGO assessed 33 identity controls and found that none of the agencies had fully implemented all of them. Of the eight agencies assessed, only two use privileged access devices for highly privileged roles, and none have implemented all six privileged access controls assessed. Only half of the agencies require multi-factor authentication (MFA) for all users, and none use passwordless authentication.

A total of 22 device controls were assessed, and the report found that seven of the eight agencies have not set up any conditional access policies for devices. Even where agencies were found to have device controls, that did not always mean they were using them effectively.

With attackers increasingly using compromised accounts to access targets' systems, these agencies are setting themselves up for failure by not having effective identity and device controls. "This is because agencies cannot stop malicious users from using unsecured accounts and noncompliant devices to access their networks," stated the report.
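The two identity and device gaps the audit singles out, MFA for all users and conditional access policies for devices, can be checked offline against an exported Conditional Access policy list. The following is an added example, not code from the VAGO report or the CSO article; it assumes the field names of the Microsoft Graph conditionalAccessPolicy resource, and the sample policies are constructed for illustration.

```python
# Added example, not from the VAGO report or the CSO article: offline check of an
# exported Conditional Access policy list for two audited gaps, MFA for all
# users and device-based (compliant-device) access. Field names follow the
# Microsoft Graph conditionalAccessPolicy resource; sample data is constructed.
import json

DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

# Constructed export: one report-only pilot policy and one enforced tenant-wide MFA policy.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "MFA pilot",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": [], "includeGroups": ["pilot-group-id"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-id"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
])

def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def _tenant_wide(policy):
    """Enforced (not report-only or disabled) and scoped to all users and all cloud apps."""
    cond = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))

def _requires(policy, control):
    """With operator OR a user may satisfy a different control instead, so only a
    sole control or an AND combination counts as actually requiring it."""
    controls = _controls(policy)
    operator = (policy.get("grantControls") or {}).get("operator")
    return control in controls and (len(controls) == 1 or operator == "AND")

def assess_conditional_access(export_json):
    """Map each audited control to whether an enforced tenant-wide policy provides it."""
    policies = json.loads(export_json)
    return {
        "mfa_all_users": any(_tenant_wide(p) and _requires(p, "mfa") for p in policies),
        "compliant_device_all_users": any(_tenant_wide(p) and _requires(p, "compliantDevice")
                                          for p in policies),
        "any_device_policy": any(_controls(p) & DEVICE_CONTROLS for p in policies),
    }
```

On the constructed export the check reports MFA enforced for all users but no device policy at all, the pattern the report describes for seven of the eight agencies.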
With restricting administrative privileges and MFA being two of the Essential Eight, it is surprising to see government agencies across the country still failing to ensure basic access controls. "I think that there's a degree of ignorance because the Essential Eight are not nice-to-have eights. They're essential," John Blaxland, Professor of International Security and Intelligence Studies at SDSC, ANU, tells CSO. "They [some people] don't realize that we're actually an open democracy, with accountability with checks and balances, and that we've got a body like the Australian Cybersecurity Centre is giving you advice," he added following a KordaMentha event in Sydney on 10 August.

Victorian public sector doesn't know who owns cybersecurity

Not all audited agencies properly understand and oversee cybersecurity services delivered by third-party providers, the report found. Even when using third-party service providers, the agency remains accountable for its cybersecurity risks. Another issue reported is that the public sector does not use its size and economies of scale to address cybersecurity risks in a coordinated way.

But there is light at the end of the tunnel: as agencies move away from on-premises computing to cloud computing platforms, they are also increasingly changing their control configurations from agency-specific settings to universal, uniform ones. This means that the identity and device control options for agencies are more likely to become well defined and near identical.

Not all agencies use security operations centres (SOCs), the report found, and the current arrangements do not provide services for agencies to protect against cyber attacks, which means that individual agencies are delivering this function independently. The health sector is one of the exceptions, having set up its SOC in 2020.
Recommendations to address cybersecurity issues

Overall, the report recommended that the Department of Government Services and the Office of the Victorian Information Commissioner lead a whole-of-government approach to improve the public sector's cybersecurity. Furthermore, VAGO recommended that:

- The Department of Government Services extend the use of cyber hubs and SOCs.
- All agencies that do not use a SOC complete an independent (internal or external) risk assessment to inform whether they need a SOC to improve their cybersecurity, and report the results of this assessment to their accountable officer and audit and risk committee.
- All agencies address the technical compliance control configuration weaknesses.
- All agencies report their Microsoft Secure Score, a breakdown of controls completed by native solutions, third-party solutions and alternative mitigations, and share an adjusted Microsoft Secure Score that reflects the effectiveness of controls implemented by third-party solutions and alternative mitigations.
- All agencies ensure accountable risk owners document their risk acceptance for controls marked as risk accepted, or resolved via third-party solutions or alternative mitigations.
- Agencies that use third-party services oversee and ensure that the services they buy from third-party providers meet their cybersecurity requirements, that third-party service providers have implemented the controls they are responsible for, and that the implemented controls are effective.