Macquarie Government Toggle Search

Blog Government Government agencies get SASE on security and flexible working

Government agencies get SASE on security and flexible working

December 2 2024, by Aidan Tudehope | Category: Government
Australian Organisations Take Note: Countering PRC State-Sponsored Cyber Threats | Macquarie Government

When COVID-19 struck, we quickly became grounded and more restricted in how we could move and travel, with the important exception of moving from the office to the home office for roles that could do so.

But the same hasn’t been true for the applications and cloud services we rely on to do our work. Across Canberra, federal departments and the Australian Public Service (APS) switched very rapidly to working remotely and accessing these services from outside the confines and security of the office.

This move and its continued relevance in how APS workers want and expect to work flexibly have created a generational shift in how Federal Government agencies need to approach cyber security. The idea of being able to focus primarily on securing the office has been upended by people moving beyond the office perimeter and the applications they use increasingly being in the cloud. The cyber security attack surface has ballooned.

The challenge is further heightened by the necessity for agencies to comply with stringent security requirements, particularly the Protective Security Policy Framework (PSPF) and Essential Eight Maturity Level 2 controls. These controls are designed to place a minimum baseline to defend against malicious cybercriminals who invest significant time and resources in targeting and optimising their tradecraft tools.

Zero Trust principles.

To meet this challenge and adapt to a more flexible workplace environment, we’ve seen the principles of ‘Zero Trust’ become more prevalent and relevant in Canberra’s approach to technology and cybersecurity deployment.

The main idea of Zero Trust is that no one accessing an organisation’s network should be trusted by default, and that they are validated and constantly revalidated before being able to access resources, applications, or data.

The Zero Trust principles make perfect sense and look straightforward in theory, but implementing and operationalising them can be very challenging for agencies that are trying for the first time. I have seen many agencies invest in the technology and buy licences to support their move to Zero Trust, only to see months or years later that the principles are still allusive. Global research firm Gartner sees a similar bleak outcome with 50 per cent of companies attempting Zero Trust, but only 25 per cent realising the benefits. This is an implementation challenge.  

Even when putting in smaller steps to embrace Zero Trust, success isn’t guaranteed, but we’re seeing much better results when implemented with industry help. This brings to the equation depth of experience and skill – the battle-hardened scars from prior implementations within Government. A crucial cyber security issue that continues to raise its head is balancing security and user experience – if people are constantly forced to manually validate and revalidate their identity, it can become burdensome and ‘login fatigue’ will ultimately lower cyber posture. Imagine needing to enter a one-time password sent to your phone five times when sending out a few emails.

Rise of SASE tech.

SASE (secure access service edge) aims to deliver a technology architecture that sits across the edge of an organisation’s systems, automatically validating and revalidating people accessing applicants, data and networks whether they’re on-site or remote. The idea is that it does this in the background, not actually disrupting people’s workflows until, for example, they try and share data on an unapproved application, or access data beyond their clearance level.

SASE appears to hold the keys for government departments and the APS to embrace flexible working – a critical factor for attracting and retaining top talent – alongside Zero Trust security. It speaks to the Australian Public Service Commission’s (APSC) commitment to creating flexible workplaces that meet the expectations of the Australian community and workforce, and extending that flexibility to all roles.

But the complexities of getting to this nirvana point and operationalising technology like this cannot be underestimated.

By its nature, SASE needs to plug into everything. All of an agency’s applications, data, networks, the complex systems on top of complex systems already in place. It needs an understanding of agency policies, user permission levels and how to treat regular and highly sensitive data differently. For Government and many critical infrastructure providers, it needs to do all of that while maintaining the mandated Essential Eight Level 2 controls.

One report found almost 40 per cent of technology professionals struggled with managing security policies and controls associated with SASE. Given people aren’t typically very forthcoming with admitting challenges in technology deployments, it’s likely the real number is significantly higher.

Taking SASE from what it says on the box to being a valuable, practical solution to implementing Zero Trust requires experts in the technology, the agency’s unique environment, Essential Eight, and cyber security operations.

One major government agency was able to get the balance right by using SASE technology from a multinational leading provider, but operationalising it through a local company with experience in SASE deployments that could fit the technology into their environment and how their staff worked, all while maintaining flexibility, security and compliance.

The example could serve as a blueprint for other departments, even those with the highest level of sensitivity and security requirements like defence and intelligence, looking to apply Zero Trust.

And it’s vital this balancing act is executed perfectly, because no side of it will budge. Government security requirements won’t suddenly – nor should they – relax; we’ll likely see more requirements come into place particularly on the heels of the Government passing its first Cyber Security Act.

APS workers also won’t suddenly be content to return to an all-office working environment, and again nor should they – that flexibility has provided considerable benefits to how people in Canberra work and is key to maintaining top talent where the nation needs it most. Flexibility and security simply must be achieved together.

First published in the Canberra Times on 2 Dec 2024 : Flexible work has its benefits. But one concern remains for APS workers

Aidan Tudehope

About the author.

Aidan is co-founder of Macquarie Technology Group and has been a director since 1992. He is the Managing Director of Macquarie Government & Hosting Group and is invested in leading the contribution from the Australian industry on all matters Cloud & Cyber policy related.

See all articles by this author

Get in touch.

Call us Enquire online
1800 004 943
Open Live Chat

Enquiry Sent.

Thank you for contacting us. Our specialists will get in touch with you shortly.

From the Blogs.

Sovereign Cloud and AI: Where do I want my data stored? | Macquarie Government

Demystifying Zero Trust for Government

In Home Affairs recent publication of the 2023-2030 Australian Cyber Security Strategy, they have stated “We will also draw on internation...

Read More
Visibility cloud icon

PSPF Direction on cyber threat visibilit...

In July, the Home Affairs Secretary issued a Direction under the Protective Security Policy Framework (PSPF), supporting visibility of the c...

Read More
PSPF Direction on Technology Risk Management | Macquarie Government

PSPF Direction on Technology Risk Manage...

In July, Home Affairs issued a Direction under the Protective Security Policy Framework (PSPF) requiring Non-Corporate-Commonwealth Entities...

Read More