BeyondTrust
An Analyst’s Take: The Essential 8 & Using Zero Trust to Avoid Compliance-as-a-Strategy

Mar 10, 2026
Author:
Scott Hesford
Senior Director of Solutions Engineering

The Forrester Zero Trust Model

It’s old news now – the pandemic spurred a “quantum leap” in digital transformation. Yet, the fact remains, security has yet to catch up.

Work-from-home (WFH) and even work-from-anywhere (WFA) are now commonplace, and cloud/multicloud footprints continue to expand rapidly. Within this “new normal”, there are plenty of operational tasks we now perform from home, or on the go, that require privileged access. This runs the gamut, from administering servers, databases, applications, and SaaS solutions, to even managing the organisation’s social media accounts.

As a consequence, we are allowing insecure home and public Wi-Fi networks to become an extension of our information technology ‘perimeters’ when we perform tasks in our business environments. And threat actors are gleefully taking advantage of the opportunities presented, as witnessed by the surge of ransomware and other attacks over the last couple of years.

This environment is compelling organizations to embrace a zero trust model and Australia’s Essential Eight risk mitigation strategies to better manage cyber risk. Privileged access management (PAM) is foundational to both of these initiatives. A Forrester report, Embrace Zero Trust For Australia's Essential Eight, lays out how organizations can align and optimize the roll-out of these initiatives for maximum risk reduction.

Read on for key insights from the report.

What is the Essential Eight?

Maintained by the Australian Cyber Security Centre (ACSC), the Essential Eight came into being in 2017, with updates to the strategies being released just last year. The Australian government has made it mandatory for federal government departments and agencies to meet the requirements of the Essential Eight. However, while these cybersecurity best practices honed by the ACSC were primarily created for Australian organizations, the principles have universal appeal, and thus, have seen strong interest and adoption across the globe.

While the Essential Eight distills highly effective cybersecurity controls, as Forrester notes in the report, “The Essential Eight requirements set the minimum standard, not the high bar. They address some, but not all, elements of a ZT [zero trust] framework, such as the capabilities relating to user authentication and workload validation. Achieving compliance is a necessary step in the right direction, but it's not the end state.”

Going Beyond the Essential Eight with Zero Trust

The relative security of the corporate network, with its firewalls and known users sitting inside it, has, for much of the business community, disappeared since the start of COVID. In its place are hastily arranged solutions that were created as stopgap measures for a pandemic that was set to only last a few months, not a few years. There are countless stories of organisations that have been impacted by attacks perpetrated by sophisticated criminal syndicates and nation states.

The reasons for aligning to the Essential Eight are simple enough: it represents a solid foundation in cyber security best practices that cover the prevention of malware delivery and execution, limiting the extent of cyber security incidents, recovering data, and assisting with system availability.

While zero trust predates the Essential Eight, its prominence has increased significantly, given the changes to the way we’ve been working over the past two years. According to a 2021 survey by the non-profit Identity-Defined Security Alliance (IDSA), 93% of security and identity professionals now say zero trust is strategic to securing their organization.

Increasingly, resources that require authentication, privileges, and access may reside outside of corporate governance. Zero trust improves security by defaulting to a “never trust, always verify” mindset, which requires continuous authentication, grants time-limited access based on context, enforces least privilege, and layers on continuous monitoring and session management.

Organisations that are well down the path of zero trust and are also looking to align themselves to the Essential Eight will find this alignment easier, because zero trust often exceeds the requirements of the Essential Eight. As new compliance regimes are introduced, zero trust places the organisation on a strong footing to meet any additional requirements.

As noted by Forrester in their report, achieving compliance is not the end state but a step in the journey. By making zero trust the strategy, Forrester emphasizes, organisations can meet compliance requirements as they go.

Privileged Access Management and Zero Trust

Privileged access management is a fundamental, and essential, piece of enabling a zero trust architecture (ZTA) and of meeting the Essential Eight.

PAM solutions enable the elimination of persistent trust, enforce continuous authentication, apply least privilege, enable adaptive access control, implement segmentation / microsegmentation to isolate resources, and monitor every privileged session—whether human, machine, vendor, employee, on-premise, or remote.

For more insights on using zero trust to align with and go beyond the Essential Eight, learn how BeyondTrust solutions support your compliance projects on:

  • The Essential Eight
  • Zero Trust
  • APRA CPS 234
  • IRAP
  • BeyondTrust Compliance Hub

