Observations
Released on February 10, 2025, the Foundations present ten foundational pillars that serve as technology-agnostic organisational goals, establishing an architectural layer that bridges the tactical controls of the Essential Eight with the comprehensive guidance of the Information Security Manual (ISM). The Foundations rest on two key principles: Zero Trust, which adopts the never trust, always verify approach while assuming a breach has already occurred, and Secure by Design, which prioritises security from the beginning of procurement or development lifecycles. Zero Trust dictates how an operational environment should function, constantly verifying access and assuming compromise, while Secure by Design focuses on improving the inherent security of the components within that environment.
It should also be noted that this guidance has been released in parallel with the Department of Home Affairs’ consultation publication, Guiding Principles to Embed a Zero Trust Culture [2], which seeks comments on proposed policy principles to inform government adoption of zero trust principles and technologies. These parallel releases highlight a growing risk of excessive government guidance, where it is difficult to discern what is truly necessary and for what purpose the guidance can be used.
The Ten Foundational Pillars
The Ten Foundational Pillars provide the following advice that will serve to guide your investment, technology, and most importantly, your design principles, in establishing a sustainable defence-in-depth:
- Centrally Managed Enterprise Identities: reduce and centralise the number of authoritative sources for all user and non-user identity management to ensure visibility, secure access, and integration with enterprise systems and assist in making risk-based decisions on user access requests and permissions.
- High Assurance Authentication: implement strong, phishing-resistant, cryptographically secure multi-factor authentication (MFA) for users and devices. Authentication should adapt dynamically to context and integrate securely with enterprise applications and networks.
- Contextual Authorisation: continuously evaluate access requests based on dynamic session context (e.g., location, endpoint health, user roles) and enforce least-privilege access via policies that adjust to real-time indicators of confidence and evolving threats.
- Reliable Asset Inventory: maintain a comprehensive, continuously updated inventory of all organisational assets, including devices, applications, and networks. Also, extend the inventory to services and environments not directly managed by the organisation. Automate asset discovery, lifecycle tracking, and integration with security tools for monitoring and control.
- Secure Endpoints: harden and monitor endpoints with real-time security baseline checks and automated remediation. Prioritise managed devices for sensitive activities and ensure that bring-your-own-device (BYOD) systems are restricted due to lower trust levels. Following the release of the Foundations, the ASD has published additional guidance on securing endpoints through its ‘Guidelines for System Hardening’.
- Reduced Attack Surface: minimise exposure by restricting unnecessary services, isolating vulnerable systems, and securing applications and networks. Utilise vulnerability management tools to proactively address risks and reduce exploitable pathways.
- Resilient Networks: design networks with high availability, segmentation, secure protocols, and dynamic trust-based communication. Regularly test and adapt network architecture to protect against failures, tampering, and cyber threats.
- Secure-by-Design Software: procure and develop software with a security-first approach, ensuring compatibility with organisational identity and access systems. Embed secure practices like threat modelling and supply chain risk management into software lifecycles.
- Comprehensive Assurance and Governance: conduct regular assurance activities to inform decision makers, including vulnerability assessments and policy reviews, to ensure systems meet security standards. Repeat, automate, and protect assurance processes to maintain organisational resilience.
- Continuous and Actionable Monitoring: deploy monitoring systems that leverage high-integrity data and automated response actions to detect and mitigate incidents swiftly. Integrate threat intelligence and endpoint telemetry to enhance response and recovery capabilities.
It is crucial to understand that these ten pillars embody the desired architectural states or capabilities that serve as the essential building blocks for Zero Trust and Secure by Design architectures, rather than serving as specific, discrete controls. In contrast to control frameworks like the ISM, Essential 8, CIS-18, and NIST, these foundational principles are less prescriptive and prioritise long-term security architectural decision-making. As such, they should be viewed as a guide for shaping an effective security strategy.
A Strategic Approach
A key element of the Foundations for Modern Defensible Architecture is its clear role in integrating and enhancing the effectiveness of the existing ISM and Essential 8 frameworks. To understand how these three components work together, envision a three-tiered hierarchy:
- Top Tier – Strategic Direction: the Foundations provide a strategic architectural overlay that defines high-level goals and capabilities. This tier establishes the framework for a cohesive defensive posture, ensuring that security measures are implemented in a unified strategy rather than in isolation.
- Middle Tier – Comprehensive Guidance: the ISM provides comprehensive, risk-based guidance to support the implementation of security controls. It serves as a bridge between strategic objectives and tactical actions, ensuring that organisations can effectively manage risks while aligning with the overarching architectural goals.
- Bottom Tier – Tactical Controls: the Essential 8 framework provides tactical baseline controls that organisations can implement to enhance their cyber security posture.
Cyber security professionals and industry bodies broadly agree on the necessity of shifting toward Zero Trust and Secure by Design architectures, with the Australian Information Industry Association (AIIA) expressing guarded support for a government context [3]. Nonetheless, this change cannot occur overnight. Most organisations continue to support legacy applications, which often lack the integration capabilities and security features necessary for zero trust principles, making enforcement difficult. Retrofitting zero trust into fragile legacy environments can disrupt operations, forcing organisations to adopt long-term incremental, risk-based approaches within their limitations.
Australian organisations must carefully balance the additional complexity and cost this guidance introduces against available resources and their risk appetite. It is critical that the Foundations are seen as a strategic guide and do not prevent organisations from maintaining their treatment velocities at a tactical and operational level through the implementation of their existing control frameworks. This additional architectural guidance, while valuable for long-term security posture, may increase short-term compliance costs and complexity for Australian organisations, particularly those in the early stages of their cyber security maturity journey. While implementation of the Foundations demands a more strategic and resource-intensive initial effort than previous guidance, organisations that successfully adopt this approach will develop security postures capable of adapting to the dynamic threat landscape.
Next Steps
- Use the Foundations to Define Your Cyber Security North Star: clearly articulate the foundational principles that will guide your cyber security strategy to key stakeholders such as your Audit Risk committees and Cyber Security and Architecture Governance groups, ensuring they reflect long-term organisational goals. This will help align security initiatives with your overarching vision rather than reacting to immediate pressures.
- Leverage the Foundations to Communicate Your Vision Effectively: regularly communicate the defined principles and their importance to all stakeholders, ensuring that they understand how these principles guide security initiatives and contribute to overall business success.
- Review and Adapt Regularly: establish a regular review process to assess the relevance of the guiding principles and their alignment with evolving business needs and technological advancements, allowing for necessary adjustments to maintain effectiveness.
Footnotes
1. ‘Foundations for Modern Defensible Architecture’, Australian Cyber Security Centre, 2025.
2. ‘Guiding Principles to Embed a Zero Trust Culture’, Department of Home Affairs, 2024.
3. ‘Australian Information Industry Association Submission on Guiding Principles to Embed Zero Trust Culture’, Australian Information Industry Association, 2025.