Loading summary
Tom Uren
Hello everyone, this is Tom Uren. I'm here with another risky bulletin sponsor interview. Today I've got with me David Cottingham who is the CEO and co founder of Airlock Digital. G'day David, how are you?
David Cottingham
Hey, good, thanks Tom.
Peter Borsman
How are you?
Tom Uren
I'm well, David. And I also have with me Peter Borsman who is the CTO of Airlock Digital.
Peter Borsman
Hello, Tom.
Tom Uren
Welcome both of you. And today you pointed out this new ASD document which is out for feedback. It's not gospel yet and I'm as interested because ASD has this history of producing evidence backed advice that's clear and easily implemented, or maybe not easily implemented, but it's easy to explain. And so the document you've got here is, it's called Foundations for Modern Defensible Architecture. So I still thought I'd start with you, Peter. Just from your point of view, what's the document? Is it good advice? Do you like it?
Peter Borsman
Yeah, Tom, I do like it. I think really you would consider the foundations of Modern defensible Architecture, the document, a take on acse's take on Zero Trust. So they introduced that last month. Like you said, it's currently in consultation phase. It does have a lot of information in it. It has 10 different foundations, three zero trust principles that they've adopted from the N, has five pillars that address identity, devices, applications, network and data. Also adopted from the US government. But it is a little bit different from other documents that ACSC have released in that it is a bit more focused on foundational architectural principles, which is a little bit of a takeaway or a difference compared to say the essential eight mitigating strategies or the ism, the Information Security Manual that contains a, a whole bunch of security controls.
Tom Uren
Yep. Now one of the things that struck me when I looked at this document is that the evolution, from my point of view at least, was that once upon a time ASD came out with the top four and that was, I think it was patching, allowlisting and two other things that I forget. But there were four really simple things, at least conceptually simple things that you could say to your boss if you're a cybersecurity person. ASD says if we do these, we'll stop 85% of, I think that was the figure, 85% of serious intrusions. It was, and that seemed to me a package that you could easily sell. Whereas this one is quite a lot more complicated. So I guess, does it have to be more complicated? What's the, what's the driving factor for this? Or do you think that there's a way to simplify all this, to make it a nice package, that you could just go to your board or whatever and say, here's this advice, we should.
Peter Borsman
Do it for these reasons, I think firstly, Top four was also included restricting admin privilege and patching operating systems, as well as patching applications and allow listing back in the day. So two out of four, you did pretty well, Tom.
Tom Uren
Well, I guess that goes to how easy it was, right? That 10 years later I can still get a passing grade 100%.
Peter Borsman
Yeah, yeah, yeah, you're absolutely right. And I think this, you're absolutely right in saying that this is a much more lengthy and technical document. I suppose one of the reasons why is that it is a complex topic. Zero Trust is a complex topic. There are a lot of different facets to it. And so it was probably a little bit harder to move it into a position where it would have a top four or an Essential eight. It's also built for a slightly different audience. I think the top four in the Essential eight really was designed for a very broad audience as part of ACSC's whole of economy remit. But in this case they say they are really building for technical, security and enterprise architects. But you could also argue any leaders or architects that are responsible for the design and build of critical systems would be part of that audience, I suppose as well. So it might be that it is a little bit more in depth technical, more engineering focused if you like, but also maybe focused on a different audience that is really trying to design and build new things.
David Cottingham
I think the difference between the previous advice and this is that the top four was very focused on. You're doing something specific which builds upon a huge amount of, of other tech which is already established and existing. There's a lot of assumptions to say you're going to patch operating systems. The OS provides the framework, the patching is just the process. It's over the top. When we're talking about something like Zero Trust and system architectures, we're talking about the ground up. And there's so much that comes through that be that identity, be that the way that you connect systems together, the way that you broker and store information and classify information, it really cuts to the core of everything. And it's not a product, it's not a single strategy. And I think that in order to pivot that, what ASD has tried to do is break that down into 10 different sections or pillars so that you can start to bite off pieces. But it cuts to those foundations. There's a reason the word foundational is used. And part of the interesting thing I've always found about computing and it in general is that it's just a bunch of people's ideas and some of them are good and some of them are terrible, and the good ones tend to win out and we just continue iterating and building on top of those. But this is a sort of showing that there's a foundational reset of how we're approaching the build of systems to how we've traditionally done it. People always take the easiest path to an outcome to build a traditional network, to plug everything in together and stick systems on it. And this is about changing the entire paradigm about how we think about build in order to make systems more secure foundationally going forward.
Tom Uren
Yeah. So the document, it's got foundations that I actually really like, so one of them centrally managed identities. And so what you've both described is that you take these foundations and you build new networks, whereas the top four was kind of band aid that you slapped across the top of an old network.
David Cottingham
That's correct.
Tom Uren
Now, is this something that, if you're a network manager, do you think that you can bite off one of those foundations? Is it practical to do that and then try and implement it on a foundation by foundation basis? Or are you sort of looking across all of the foundations and trying to get them to just pick and choose things that are within that foundation?
Peter Borsman
I think there's some great content inside this document and certainly I think a lot of organizations might be challenged to implement end. To end this particular architecture, but they can take some key foundations, like you said, some elements of it to apply in their own environment to help uplift the security posture of their environment. I think I would be very surprised if I saw any organization that said, yes, we can do all of these 10 foundations, but I think there's a lot of information in there that can certainly be taken away and used in a certain context.
Tom Uren
Yeah. My overall impression was that, yes, if you could do all of these things, you'd be in a fantastic place, but it really is a hell of a lot of work. And even if you are starting a new network, I wasn't. Do you think you could have a greenfield network and implement all these foundations?
Peter Borsman
I think you would have your best shot at achieving them by starting from scratch, not inheriting legacy, but actually starting with a greenfields environment. That's because this document really covers off to Dave's point earlier, covers off such a broad spectrum of different things that it would be, I think it would be fundamentally easier if you actually started from scratch in particular environment. Which then begs the question as to who is going to do that.
David Cottingham
Yeah, and I think one thing that this really needs to consider as part of this is this isn't just a technical thing. This is so much of this is governance. This is about making sure that you decide on where your identities are going to be. It's about making sure that you, you know, understand where your source of truths are, where your information is, how you classify information. Because that, that sort of comes down to the heart of zero trust. Making sure right identities have access to the right things at the right time. And so much of that needs to be sort of pre thought out and planned before build. And then you get the inevitable challenge in it, which is oh, but I need to do this, which is outside of that scope. And you just hope that you're not in a space where it gets pulled or stretched too thin. I really think personally that this is not suited necessarily to a traditional sort of on premise network to base on the technologies. And this fits more nicely with cloud because you tend to have much more granular object access control to each individual system that you can sort of configure that provides you a bit of a plane where there's sort of an access broker that sits across the top of everything that you're doing that gives you a bit of a tool to attack it. Whereas that's quite hard with traditional technologies. Not to say it can't be done. But even organizations starting greenfields, particularly built on SaaS platforms, primarily this, you'd have the best shot.
Tom Uren
Right. So that makes me think that foundation number nine, which is comprehensive assurance and governance, should actually be foundation one. And I guess this like if you don't have governance and you're not trying to figure out what you're doing, then why would you bother doing anything else? And I guess if you're starting in a realistic network where none of these foundations are well implemented, well you've got to, if you've got your governance together, you can at least start to make decisions about which foundation to implement or try and tackle first, or which parts of which foundations.
David Cottingham
Correct. And I think the biggest challenge is just it as a profession, you know, you get people that know how to implement systems is making sure you have that everyone's on the same page with the approach because it only takes a few people to go and build some system over in the corner over there where, hang on, this hasn't actually been implemented because you needed to get something done. You've got to really make sure that you don't get out ahead of yourself in terms of build and that things go through a gated sort of approved process if everything is going to be built upon these foundations because there's limitations building in a certain way. And I hope that what will translate and get people's attention as a derivative of this standard, I think would be to have some sort of design patterns that people could sort of look at and go, okay, if I'm going to build this particular system, here's an example about what that might look like. And I know that's been historically challenging, particularly for government that wants to stay fairly technology impartial. But this is architectural concepts, but inevitably they need to be put down on paper. So I think that's sort of the next evolution.
Tom Uren
Right, right. Okay, so to wrap up this discussion, the feedback I'm hearing, because it's still they're seeking feedback, is Foundation 9 should be higher up because you need governance to drive everything else. You both think it's basically a good idea and there is space for some practical advice that tells people how to actually implement zero trust, which is a term we hear a lot about. But, well, everyone has their own amorphous view of what that is.
Peter Borsman
Yeah, I think it's a complex topic and ACSE taking a practical approach, which is something they've historically done very well.
Tom Uren
And you, David?
David Cottingham
I was just thinking, and then I thought it was a bad idea. It's like, I can't wait for the essential eight for foundations for modern defensible architecture. But they have 10 foundations. So it's going to be, you know, what are the essential foundations? But the thing is it's all important and it's all encompassing. You know, this comes down to build. And so many of the risks that we face today are because of the way that systems have traditionally been designed. You know what I guess I would like to see because many people learn by reading, many people are also a tangible hands on, is to have them start looking at sort of design patterns to say, well, this is maybe what this looks like or here's a place to start. I think that's one thing with the document is just easing people into, okay, if you're going to take this on, here are the first things that you need to do. And I would suggest that that would be to start with governance and figure out about, okay, well, how are we going to build, what do we need to build and what are our requirements.
Peter Borsman
Yeah, I agree with that. Operational guidance is. Is going to be key.
Tom Uren
David and Peter. David Cottingham and Peter Boseman, thank you very much.
David Cottingham
Thanks, Tom. Thank you, Tom.
Risky Bulletin Podcast Summary
Episode: Sponsored: The Foundations for Modern Defensible Architecture
Release Date: April 13, 2025
Host: Tom Uren
Guests:
In this episode of Risky Bulletin, host Tom Uren engages in a detailed discussion with David Cottingham and Peter Borsman from Airlock Digital. The focus is on the newly released Australian Signals Directorate (ASD) document titled "Foundations for Modern Defensible Architecture." This document represents a significant evolution in cybersecurity guidelines, moving beyond the previously established "Top Four" and "Essential Eight" strategies to a more comprehensive framework aimed at modern architectural defenses.
Tom initiates the conversation by highlighting the emergence of the ASD's latest document, emphasizing its role in shaping modern defensible architectures.
Tom Uren [00:24]: "Today you pointed out this new ASD document which is out for feedback... it's called Foundations for Modern Defensible Architecture."
Peter Borsman provides an initial assessment, noting that the document builds upon Zero Trust principles introduced by ASD:
Peter Borsman [01:04]: "It's a take on ACSC's take on Zero Trust... It has 10 different foundations, three zero trust principles... five pillars that address identity, devices, applications, network, and data."
The discussion then shifts to comparing the new document with ASD's earlier guidance. Tom recalls the simplicity and effectiveness of the "Top Four" strategies, which included patching, allowlisting, and other straightforward measures that could significantly mitigate cybersecurity threats.
Tom Uren [01:59]: "ASD says if we do these, we'll stop 85% of serious intrusions... it was a package that you could easily sell."
Contrastingly, the new document is described as more intricate and technically detailed, making it less of a one-size-fits-all solution.
Peter Borsman [03:02]: "It is a bit more focused on foundational architectural principles... more in depth technical, more engineering focused."
Peter elaborates on why the new framework is inherently more complex, attributing it to the multifaceted nature of Zero Trust architectures.
Peter Borsman [03:27]: "Zero Trust is a complex topic... built for technical, security and enterprise architects."
David Cottingham adds that the "Top Four" were easier to implement because they built upon existing technologies with established processes, whereas the new foundations require a ground-up approach.
David Cottingham [04:36]: "When we're talking about something like Zero Trust and system architectures, we're talking about the ground up."
Tom raises concerns about the practicality of implementing the 10 foundations, especially compared to the straightforward "Top Four."
Tom Uren [06:38]: "Is this something that, if you're a network manager, do you think that you can bite off one of those foundations?"
Peter acknowledges the challenge but suggests that organizations can adopt key elements to enhance their security posture incrementally.
Peter Borsman [07:06]: "There’s a lot of information in there that can certainly be taken away and used in a certain context."
A critical point in the discussion is the role of governance in successfully implementing the new architecture. Tom suggests that governance should be the foundational element.
Tom Uren [10:06]: "Foundation number nine, which is comprehensive assurance and governance, should actually be foundation one."
David concurs, emphasizing that governance is essential for aligning everyone’s efforts and ensuring adherence to the architectural principles.
David Cottingham [10:42]: "Making sure that you decide on where your identities are going to be... it's about governance."
The guests provide constructive feedback on the ASD document, recommending that governance be prioritized and that practical implementation guidance be developed to aid organizations in adopting Zero Trust principles effectively.
David Cottingham [13:29]: "I would suggest... start with governance and figure out about, okay, well, how are we going to build, what do we need to build and what are our requirements."
Peter Borsman [13:33]: "Operational guidance is going to be key."
In wrapping up, Tom summarizes the key takeaways: the new ASD document presents a robust and comprehensive framework for modern defensible architectures, but its complexity necessitates a strong governance foundation and practical implementation strategies. Both David and Peter affirm the document's value and the need for actionable guidance to translate these foundational principles into real-world applications.
Tom Uren [11:51]: "Feedback... Foundation 9 should be higher up because you need governance to drive everything else... practical advice that tells people how to actually implement zero trust."
Peter Borsman [12:24]: "Zero Trust is a complex topic and ACSE taking a practical approach, which is something they've historically done very well."
The episode underscores the evolving landscape of cybersecurity frameworks and the critical importance of comprehensive governance and practical guidance in implementing advanced security architectures.
Key Quotes:
Peter Borsman [01:04]: "It has 10 different foundations, three zero trust principles... five pillars that address identity, devices, applications, network, and data."
Tom Uren [01:59]: "ASD says if we do these, we'll stop 85% of serious intrusions."
David Cottingham [04:36]: "We're talking about the ground up."
Tom Uren [10:06]: "Foundation number nine... should actually be foundation one."
David Cottingham [10:42]: "It's about governance."
Tom Uren [11:51]: "Foundation 9 should be higher up because you need governance to drive everything else."
This comprehensive summary encapsulates the essence of the Risky Bulletin episode, providing listeners with a clear understanding of the discussions surrounding the ASD's "Foundations for Modern Defensible Architecture" and its implications for modern cybersecurity practices.