Essential Eight Maturity Level Assessment, Roadmap & Uplift
When a member-based financial services provider needed to improve their security posture amidst ongoing digital transformation, they turned to Chamonix. Our team conducted a thorough assessment of their existing systems, developed a roadmap in line with their current posture and future requirements, and recommended an actionable strategy. Implementing this roadmap led to an improved security posture, streamlined and modernised systems, and greater alignment with industry and insurance cybersecurity requirements. Moreover, our ongoing managed IT support services ensure a sustainable, strategic, and efficient operation for our customer.
- The client, a member-based financial services provider for the construction industry, was facing a security and data protection challenge. Their existing measures, while functional, lacked a strategic focus on the core operational systems.
- There was a pressing need to assess and uplift the current security posture, ensuring robust protections and mitigations against potential threats.
- Several ongoing projects, including a sizeable digital transformation initiative, introduced new complexities to the organisation’s security infrastructure, necessitating a partner that could both advise and implement the necessary solutions.
- The organisation sought to explore potential consolidation of services to reduce their attack surface, enhance security controls, and decrease operational expenses.
- The customer was also looking towards adopting a cloud-first approach to enable mobility and align with Zero Trust principles.
Our customer, a premier member-based service entity, offers financial solutions primarily to construction industry workers. In the rapidly evolving digital age, they are acutely aware of the need to maintain strong security measures and protect the vast amount of data they handle. Recognising the potential vulnerabilities in their existing security setup, they sought to evaluate and upgrade their current security posture to ensure the right level of protection and proactive threat mitigation. Although they had rudimentary measures in place, they were in search of a comprehensive, strategic approach with an exclusive focus on the systems critical to their operations. They sought a partner with dual expertise, capable of both guiding them through this complex process and implementing the necessary changes.
Assessment & Recommendations
Chamonix was engaged to conduct a thorough evaluation of the customer’s existing security posture. Our experienced team began with an in-depth analysis of the existing security controls against the customer’s current-state posture. From this assessment we created a tailored roadmap reflecting both the organisation’s present state and its future needs. In developing this strategic roadmap, we carefully factored in the guidelines provided by the Australian Cyber Security Centre’s (ACSC) Essential Eight Maturity Model. We also acknowledged and incorporated the customer’s concurrent projects, which notably included a large-scale digital transformation aimed at adding new services to their portfolio. Through this approach Chamonix was able to provide a roadmap that harmonised with both our customer’s present undertakings and prospective goals. Our collaboration with the customer led to the establishment of several guiding principles:
- Understanding and Reducing the Attack Surface: Focusing on comprehending the potential vulnerabilities and actively working towards minimising them.
- Consolidation of Services: A shared understanding was achieved that consolidation would be beneficial if it resulted in a reduced attack surface, stronger controls and mitigations over the attack surface, or decreased operational expenditures.
- Cloud-First Approach: Embracing a ‘Cloud-first’ mindset when introducing new services or extending the lifespan or improving the security posture of existing services.
- Mobility Enablement and Zero Trust Principles: Aligning with modern cybersecurity strategies, promoting mobility, and implementing Zero Trust principles.
Following the assessment, we formulated our recommendations with an emphasis on the following key areas:
- Implementing Controls: Alignment with the ACSC Essential Eight Maturity Model for comprehensive security control measures.
- Upgrading Networking Controls: Enhancement of networking controls to align with Zero Trust mobility strategies for a more secure and efficient network.
- Transitioning Security Services: Migration of security services into the robust and dynamic environment of Microsoft 365.
- Migrating Legacy Applications: Transitioning of outdated, legacy applications into a more secure, reliable, and scalable Azure-hosted IaaS infrastructure.
- Decreasing Operational Costs: Consolidation of infrastructure and hardware into managed cloud services to reduce ongoing management and maintenance overheads, thereby saving on operational expenditures.
These recommendations formed the basis of our strategic action plan, designed to drive the customer’s security posture transformation, streamline operations, and set them on a path to a secure and efficient future.
Based on our in-depth recommendations, our customer approved a series of changes to their core business systems, along with the ongoing management and maintenance of these services. The approved roadmap considered improvements to general network health and security alongside in-flight cloud migration and digital transformation efforts. To align with the ACSC Essential Eight Maturity Model, we leveraged key services within Azure and Microsoft 365:
- Azure Active Directory: Used for identity and access management, ensuring a secure environment by enabling features such as multi-factor authentication and conditional access policies.
- Azure Security Centre: Employed to centralise security management, allowing for continual monitoring and quick response to potential threats.
- Azure Backup and Site Recovery: These tools were used to provide regular, automated data backups and disaster recovery capabilities, thereby mitigating potential data loss threats.
- Microsoft Defender for Endpoint: Utilised to provide threat protection for endpoints, enabling detection, investigation and response to advanced threats.
- Microsoft Intune: Deployed for mobile device management, providing secure access to company resources and implementing application control policies.
- Office 365 Advanced Threat Protection (ATP): Utilised to safeguard against malicious threats posed by email messages, links (URLs) and collaboration tools.
- Office 365 Data Loss Prevention (DLP): Deployed to detect, monitor, and prevent the accidental sharing of sensitive information, thereby ensuring data security.
These implementations were critical for enhancing the organisation’s cybersecurity posture:
- Migration to Cloud-Based Services: The IT systems and services were migrated to cloud-based infrastructure, with Microsoft Azure providing a secure and scalable solution.
- Transition to Microsoft Teams: Telephony services were moved to Microsoft Teams, providing a modern, cloud-based communication platform.
- Data Migration to SharePoint Online: Files and data were migrated to Office 365, utilising SharePoint Online for secure and efficient document management.
- Network Infrastructure Upgrade: The network infrastructure and hardware were upgraded to modern standards, increasing both security and performance.
- Microsoft Defender Deployment: Microsoft Defender, an enterprise endpoint security platform, was deployed to protect, detect and respond to threats.
- Patch Management Infrastructure: A system for managing the deployment of OS and Application patches was established, further reducing potential vulnerabilities.
- Billing Process Transition: The billing processes were also transitioned, improving efficiency and streamlining operations.
Each implementation was tailored to enhance the security posture and align with the ACSC Essential Eight uplift. With the application of these principles, the organisation achieved the desired maturity levels across several key areas, further enhancing its resilience against cybersecurity threats.
Our customer expressed a desire for a strategic, efficient service provider to deliver continuous, managed IT support. Chamonix was engaged not only for the assessment and implementation stages but also to provide ongoing IT services and managed support. This full lifecycle approach ensured transparency and cohesion throughout the advisory, implementation and operational stages of the project.
The comprehensive review and subsequent implementation of advanced security measures resulted in a notable uplift in the customer’s cybersecurity posture. With new, robust protections in place, the customer enjoys increased confidence and reduced risk exposure in their daily operations.
The consolidation of services and transition to cloud-based solutions have led to a significant modernisation and streamlining of the customer’s systems. This not only enhances efficiency but also fosters an environment for future innovation.
Improved Mobility and Remote Work Capabilities
By embracing cloud-first and Zero Trust principles, the customer has effectively enabled greater mobility and remote work capabilities. This directly improves operational flexibility and employee satisfaction, particularly in a world where remote work is becoming increasingly prevalent.
Alignment with Industry Standards
The implemented solutions are in line with the ACSC Essential Eight Maturity Model and other industry and insurance cybersecurity requirements. This alignment assures regulatory compliance and the mitigation of potential legal and operational risks.
Up-skilling of Internal Workforce
As a result of the engagement with Chamonix, the customer’s internal workforce has been up-skilled. They now have a better understanding of advanced security measures, cloud services, and modern IT infrastructure, empowering them to support the newly implemented systems and sustain the gained benefits over time.