Cloud Ctrl
Overview
Getting Setup
Using
Recommendations
Overview
Getting Setup
Using
Recommendations
  • Quick Start
  • Getting Started
  • Concepts and Terminology
    • Overview
    • Tag Hierarchy
    • Shared Data
    • Custom Data
    • Actions
    • System Tags
    • Forecast Methodology
  • Getting data into Cloud Ctrl

    • Overview
    • Microsoft Azure
      • Azure Overview
      • Azure App Registration
      • Cost Management Exports Overview
      • Standard Export Setup (EA, MCA, PAYG)
      • CSP Export Setup (CME recommended, CDR fallback)
      • Enhanced Azure Access
      • Troubleshooting
    • Amazon Web Services
    • Google Cloud
    • Oracle Cloud
    • Alibaba Cloud
    • Tag Mapping
    • Custom Usage
    • Settings
  • Using Cloud Ctrl
    • Costs and Usage
    • Emissions and Energy
    • Tracking
    • Budgets
    • Reporting
    • Dimensions
    • Governance & Compliance
      • Overview
      • Watchdog
      • Essential Eight
      • Essential Eight: Azure Setup
    • Customer Management
  • Recommendations
    • Azure
    • Amazon
  • Kubernetes Cost Insights
  • Platform Integration and Security

    • API Overview
    • Platform Security & Data Protection
    • Access Management

Essential Eight Compliance

🔐 Optional Feature — This feature is available for organizations with governance and compliance requirements. Essential Eight is not enabled by default; your organization must grant the necessary Azure permissions to activate it.

Overview

Cloud Ctrl's Essential Eight Compliance feature automatically audits your Azure environment against the Australian Essential Eight Mitigations — the security controls mandated for Australian Government agencies and increasingly required for government suppliers.

The Essential Eight are 8 security controls defined by the Australian Cyber Security Centre (ACSC):

  1. Application Control — Restrict which applications can execute
  2. Application Patching — Keep applications up to date
  3. Macro Hardening — Harden Microsoft Office macro security
  4. User Application Hardening — Harden browsers and application settings
  5. Restrict Administrative Privileges — Limit admin access to what's necessary
  6. Patch Operating Systems — Keep operating systems up to date
  7. Multi-Factor Authentication — Enforce MFA for all users
  8. Daily Backups — Maintain regular, protected backups

How Cloud Ctrl Scores Your Compliance

Cloud Ctrl collects signals directly from your Azure environment and scores each control against the ACSC Maturity Model:

LevelMeaning
ML0Not Implemented
ML1Partially Implemented
ML2Largely Implemented
ML3Fully Implemented

Each control also shows a Confidence Score (0–100%) indicating how much of the assessment is based on automatically observable signals vs. manual attestation.

Automatically Audited Controls

Cloud Ctrl automatically collects and scores the following controls from your Azure environment:

ControlWhat Cloud Ctrl Checks
Restrict Admin PrivilegesStanding Global Admins, PIM-eligible assignments
Patch Operating SystemsOS patch compliance rate, end-of-life system detection
Multi-Factor AuthenticationConditional Access policy coverage, MFA registration rate, legacy auth blocking
Daily BackupsRecovery Services vault coverage, backup immutability

Controls Requiring Attestation

The remaining controls (Application Control, Application Patching, Macro Hardening, User Application Hardening) cannot be fully observed from the cloud API and require a manual attestation from your team. See Attestations below.

Getting Started

Prerequisites

You must be an Azure Tenant Administrator with permission to grant API permissions.

Step 1: Grant Azure Permissions

Cloud Ctrl needs read-only access to compliance signals in your Azure environment. Follow Step 7 of the Azure App Registration guide for step-by-step instructions.

Permissions required:

  • Microsoft Graph: Policy.Read.All, UserAuthenticationMethod.Read.All, AuditLog.Read.All, RoleManagement.Read.Directory, Directory.Read.All
  • Azure Subscriptions: Reader role on each subscription you want to assess

Step 2: Trigger Your First Assessment

  1. In Cloud Ctrl, go to Compliance → Standards
  2. Select Essential Eight
  3. Click Recalculate to run an immediate assessment
  4. Results appear within 1–2 minutes

Viewing Your Results

The Essential Eight dashboard shows:

  • Maturity Level (ML0–ML3) for each control — colour-coded for quick status
  • Confidence Score — how much of the assessment is based on observable signals
  • Signals — individual compliance checks with remediation guidance
  • Audit Trail — full history of assessments with timestamps

Example

Control: Multi-Factor Authentication
├─ Maturity Level: ML2 (Largely Implemented)
├─ Confidence Score: 92%
└─ Signals:
   ✅ MFA enforced for all users (CA policy covers 100%)
   ✅ 87% of users registered for MFA
   ✅ Legacy authentication blocked
   ⚠️  Phish-resistant MFA not detected — manual attestation needed
      Recommendation: Enable Windows Hello or FIDO2 devices

Generating Compliance Statements for RFPs

Cloud Ctrl produces auditable compliance statements for government tenders and RFPs:

  1. Go to Compliance → Essential Eight
  2. Click Export Statement
  3. The statement includes:
    • Compliance maturity per control
    • Evidence snapshot (signals at the time of assessment)
    • Audit trail (assessor, timestamp, prior versions)
    • Disclaimer noting manual attestations and assessment date

Use this when responding to government RFPs, tenders, compliance audits, or regulatory submissions.

Attestations

For controls that cannot be automatically assessed, you can record a manual attestation:

  1. Go to Compliance → Essential Eight → select the control
  2. Click Attest
  3. Enter:
    • Statement — e.g. "Our organisation enforces macro security via GPO and Microsoft 365 threat policies"
    • Authorised by — your name and role
    • Effective date — when this attestation came into effect
  4. Click Save

Attestations are:

  • Immutable — preserved in the audit trail once saved
  • Time-bound — can be set to expire so your team reviews them periodically
  • Named — authorised by a specific individual for audit accountability

Scheduled Assessments

Cloud Ctrl automatically re-runs Essential Eight assessments on a regular schedule, keeping your compliance posture current without manual effort. Click Recalculate at any time to trigger an immediate assessment.

Troubleshooting

Dashboard shows "Unknown" for all signals

Cause: Cloud Ctrl doesn't have permission to read your Azure environment.

Fix:

  1. Verify Azure permissions were granted — see Azure Setup Guide
  2. Wait 5–10 minutes for permissions to propagate in Azure
  3. Click Recalculate

401 Unauthorized errors

See the Azure Setup Troubleshooting section.

Maturity level shows ML0 for all controls

If signals are being collected but scores are still ML0, check whether the relevant Azure resources are actually configured in your environment (e.g. Conditional Access policies for MFA, Recovery Services vaults for backups). Cloud Ctrl scores based on what is observable — if a control has not been implemented, ML0 is the correct result.

What Cloud Ctrl Cannot Access

All access is read-only. Cloud Ctrl has no access to:

  • User data or workload contents
  • Application code or databases
  • Passwords, secrets, or credentials
  • Any write or delete operations

All read access is logged in your Azure Activity Log and auditable at any time.

Resources

  • Azure App Registration Guide — Step-by-step permission configuration
  • ACSC Essential Eight Maturity Model — Official ACSC documentation

Support

If you encounter issues:

  1. Check the Troubleshooting section above
  2. Review the Azure Setup Guide
  3. Contact support with your Tenant ID, Subscription IDs, and a screenshot of the compliance dashboard
Prev
Watchdog
Next
Essential Eight: Azure Setup