Risky Bulletin Podcast Summary
Episode: Sponsored: The Foundations for Modern Defensible Architecture
Release Date: April 13, 2025
Host: Tom Uren
Guests:
- David Cottingham, CEO and Co-Founder of Airlock Digital
- Peter Borsman, CTO of Airlock Digital
Introduction
In this episode of Risky Bulletin, host Tom Uren engages in a detailed discussion with David Cottingham and Peter Borsman from Airlock Digital. The focus is on the newly released Australian Signals Directorate (ASD) document titled "Foundations for Modern Defensible Architecture." This document represents a significant evolution in cybersecurity guidelines, moving beyond the previously established "Top Four" and "Essential Eight" strategies to a more comprehensive framework aimed at modern architectural defenses.
Overview of the New ASD Document
Tom initiates the conversation by highlighting the emergence of the ASD's latest document, emphasizing its role in shaping modern defensible architectures.
Tom Uren [00:24]: "Today you pointed out this new ASD document which is out for feedback... it's called Foundations for Modern Defensible Architecture."
Peter Borsman provides an initial assessment, noting that the document builds upon Zero Trust principles introduced by ASD:
Peter Borsman [01:04]: "It's a take on ACSC's take on Zero Trust... It has 10 different foundations, three zero trust principles... five pillars that address identity, devices, applications, network, and data."
Comparison with Previous Guides
The discussion then shifts to comparing the new document with ASD's earlier guidance. Tom recalls the simplicity and effectiveness of the "Top Four" strategies, which included patching, allowlisting, and other straightforward measures that could significantly mitigate cybersecurity threats.
Tom Uren [01:59]: "ASD says if we do these, we'll stop 85% of serious intrusions... it was a package that you could easily sell."
In contrast, the new document is described as more intricate and technically detailed, making it less of a one-size-fits-all solution.
Peter Borsman [03:02]: "It is a bit more focused on foundational architectural principles... more in depth technical, more engineering focused."
Complexity and Target Audience
Peter elaborates on why the new framework is inherently more complex, attributing it to the multifaceted nature of Zero Trust architectures.
Peter Borsman [03:27]: "Zero Trust is a complex topic... built for technical, security and enterprise architects."
David Cottingham adds that the "Top Four" were easier to implement because they built upon existing technologies with established processes, whereas the new foundations require a ground-up approach.
David Cottingham [04:36]: "When we're talking about something like Zero Trust and system architectures, we're talking about the ground up."
Implementation Challenges and Practicality
Tom raises concerns about the practicality of implementing the 10 foundations, especially compared to the straightforward "Top Four."
Tom Uren [06:38]: "Is this something that, if you're a network manager, do you think that you can bite off one of those foundations?"
Peter acknowledges the challenge but suggests that organizations can adopt key elements to enhance their security posture incrementally.
Peter Borsman [07:06]: "There’s a lot of information in there that can certainly be taken away and used in a certain context."
Importance of Governance
A critical point in the discussion is the role of governance in successfully implementing the new architecture. Tom suggests that governance should be the foundational element.
Tom Uren [10:06]: "Foundation number nine, which is comprehensive assurance and governance, should actually be foundation one."
David concurs, emphasizing that governance is essential for aligning everyone’s efforts and ensuring adherence to the architectural principles.
David Cottingham [10:42]: "Making sure that you decide on where your identities are going to be... it's about governance."
Feedback and Recommendations
The guests provide constructive feedback on the ASD document, recommending that governance be prioritized and that practical implementation guidance be developed to aid organizations in adopting Zero Trust principles effectively.
David Cottingham [13:29]: "I would suggest... start with governance and figure out about, okay, well, how are we going to build, what do we need to build and what are our requirements."
Peter Borsman [13:33]: "Operational guidance is going to be key."
Conclusion
In wrapping up, Tom summarizes the key takeaways: the new ASD document presents a robust and comprehensive framework for modern defensible architectures, but its complexity necessitates a strong governance foundation and practical implementation strategies. Both David and Peter affirm the document's value and the need for actionable guidance to translate these foundational principles into real-world applications.
Tom Uren [11:51]: "Feedback... Foundation 9 should be higher up because you need governance to drive everything else... practical advice that tells people how to actually implement zero trust."
Peter Borsman [12:24]: "Zero Trust is a complex topic and ACSC taking a practical approach, which is something they've historically done very well."
The episode underscores the evolving landscape of cybersecurity frameworks and the critical importance of comprehensive governance and practical guidance in implementing advanced security architectures.
Key Quotes:
- Peter Borsman [01:04]: "It has 10 different foundations, three zero trust principles... five pillars that address identity, devices, applications, network, and data."
- Tom Uren [01:59]: "ASD says if we do these, we'll stop 85% of serious intrusions."
- David Cottingham [04:36]: "We're talking about the ground up."
- Tom Uren [10:06]: "Foundation number nine... should actually be foundation one."
- David Cottingham [10:42]: "It's about governance."
- Tom Uren [11:51]: "Foundation 9 should be higher up because you need governance to drive everything else."
This comprehensive summary encapsulates the essence of the Risky Bulletin episode, providing listeners with a clear understanding of the discussions surrounding the ASD's "Foundations for Modern Defensible Architecture" and its implications for modern cybersecurity practices.
