1. Introduction to Zero Trust Concepts

1.1 The Problem with Traditional Perimeter Security

Traditional network security operates on a "hard crunchy outside, soft chewy inside" model: once an attacker breaches the perimeter, they often have broad access to internal resources. This approach is increasingly inadequate because:

  • Perimeter erosion: Cloud services, remote work, and mobile devices dissolve the traditional network boundary
  • Lateral movement: Attackers who breach the perimeter can move freely within the network
  • Implicit trust: Internal traffic is often trusted by default, enabling privilege escalation
  • VPN limitations: Traditional VPNs provide broad network access rather than resource-specific authorization

1.2 Core Zero Trust Principles

Zero Trust is built on three foundational principles:

  1. Never Trust, Always Verify: No user, device, or application is trusted by default, regardless of location
  2. Assume Breach: Design systems as if an attacker is already present; contain blast radius through segmentation
  3. Verify Explicitly: Authenticate and authorize every access request based on all available data points

1.3 Key Architectural Components

Component                Description
-----------------------  ----------------------------------------------------------------
Identity Provider (IdP)  Centralized authentication and authorization (SSO, MFA)
Device Posture           Continuous assessment of device health and compliance
Policy Engine            Real-time evaluation of access requests against defined policies
Micro-segmentation       Network isolation at the resource level rather than subnet level
Continuous Monitoring    Ongoing verification and logging of all access attempts

1.4 Security Challenges Addressed

Zero Trust architectures directly address:

  • Insider threats: Least-privilege access limits damage from compromised credentials
  • Ransomware propagation: Micro-segmentation prevents lateral movement
  • Shadow IT: Identity-aware access controls bring unmanaged resources under governance
  • Third-party access: Granular permissions for contractors and partners without network-level access
  • Remote work security: Consistent security posture regardless of user location

2. Commercial Solutions

2.1 Tailscale

Overview: Tailscale is a mesh VPN built on WireGuard that creates secure, peer-to-peer connections between devices.

Key Features:

  • Mesh architecture: Direct device-to-device connections without central traffic routing
  • Identity-based networking: Integrates with Okta, Google Workspace, Microsoft Entra ID
  • NAT traversal: Uses DERP relays when direct connections aren't possible
  • Access Control Lists (ACLs): Fine-grained, JSON-based policies
  • MagicDNS: Automatic DNS resolution for connected devices
  • Subnet routing: Access entire networks through exit nodes

Architecture:

Devices ←→ Tailscale Client (WireGuard) ←→ Coordination Server
     ↓                                    ↓
   DERP Relays (fallback)              ACLs & Policies

Best for: Remote teams, cross-cloud connectivity, IoT device management
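
The following is an added example, not code from Tailscale or from this document: a small Python model of how a default-deny ACL of the kind described above (and the policy engine of section 1.3) decides a request. The policy dict follows the structure of a Tailscale ACL file (groups, tagOwners, acls, tests), but the matcher is a simplified stand-in for Tailscale's real evaluation, and the users, groups and tags are constructed.

```python
"""Simplified evaluator for a Tailscale-style ACL policy.

Added example (not Tailscale's code): the policy dict mirrors the structure of a
Tailscale ACL file (groups, tagOwners, acls, tests), but the matching logic is a
deliberately small model of default-deny evaluation, not the real implementation.
"""
from __future__ import annotations


def _expand_src(policy: dict, selector: str) -> set[str]:
    """Expand a source selector into the principals it denotes."""
    if selector == "*":
        return {"*"}
    if selector.startswith("group:"):
        return set(policy.get("groups", {}).get(selector, []))
    return {selector}  # a single user login or a tag:... name


def _port_matches(spec: str, port: int) -> bool:
    """Match a port spec such as "443", "8000-8100", "80,443" or "*"."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _dst_matches(selector: str, dst: str, port: int) -> bool:
    """A dst selector is "<target>:<ports>", e.g. "tag:prod-db:5432" or "*:*"."""
    target, _, ports = selector.rpartition(":")
    return target in ("*", dst) and _port_matches(ports, port)


def is_allowed(policy: dict, src: str, dst: str, port: int) -> bool:
    """Default deny: allowed only if some accept rule matches both src and dst:port."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        src_ok = any(src in _expand_src(policy, s) or "*" in _expand_src(policy, s)
                     for s in rule["src"])
        dst_ok = any(_dst_matches(d, dst, port) for d in rule["dst"])
        if src_ok and dst_ok:
            return True
    return False


def run_tests(policy: dict) -> list[str]:
    """Evaluate the policy's own "tests" section; returns failures (empty list = pass)."""
    failures = []
    for case in policy.get("tests", []):
        for target in case.get("accept", []):
            dst, _, port = target.rpartition(":")
            if not is_allowed(policy, case["src"], dst, int(port)):
                failures.append(f"{case['src']} should reach {target}")
        for target in case.get("deny", []):
            dst, _, port = target.rpartition(":")
            if is_allowed(policy, case["src"], dst, int(port)):
                failures.append(f"{case['src']} should NOT reach {target}")
    return failures


# Constructed sample policy: resource-level, least-privilege access.
LEAST_PRIVILEGE_POLICY = {
    "groups": {
        "group:dev": ["alice@example.com", "bob@example.com"],
        "group:ops": ["carol@example.com"],
    },
    "tagOwners": {"tag:staging-web": ["group:ops"], "tag:prod-db": ["group:ops"]},
    "acls": [
        # Developers reach only the staging web tier on 443, not the whole subnet.
        {"action": "accept", "src": ["group:dev"], "dst": ["tag:staging-web:443"]},
        # Operations reach the production database on its service port only.
        {"action": "accept", "src": ["group:ops"], "dst": ["tag:prod-db:5432"]},
    ],
    # Regression tests kept next to the policy, as Tailscale's "tests" section allows.
    "tests": [
        {"src": "alice@example.com",
         "accept": ["tag:staging-web:443"],
         "deny": ["tag:staging-web:22", "tag:prod-db:5432"]},
        {"src": "carol@example.com", "accept": ["tag:prod-db:5432"]},
    ],
}

# The same tests against a "traditional VPN" style policy: everyone may reach everything.
FLAT_VPN_POLICY = dict(LEAST_PRIVILEGE_POLICY,
                       acls=[{"action": "accept", "src": ["*"], "dst": ["*:*"]}])

if __name__ == "__main__":
    print("least-privilege failures:", run_tests(LEAST_PRIVILEGE_POLICY))
    print("flat-VPN failures:", run_tests(FLAT_VPN_POLICY))
```

The point of the flat policy is the contrast in section 1.1: the same deny tests that pass under the resource-level policy fail under an "accept everything" rule, which is the access model a full-subnet VPN gives by default. Keeping deny cases in the tests section turns a later over-broad edit into a visible failure rather than a silent widening of access.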


2.2 Twingate

Overview: Twingate provides Zero Trust Network Access (ZTNA) that replaces traditional VPNs with identity-aware, least-privilege access.

Key Features:

  • Split tunneling by default: Only routes traffic to protected resources
  • Resource-level access: Define access per application, not per network
  • Zero trust segmentation: Micro-segmentation without network reconfiguration
  • Device trust: Continuous device posture assessment
  • No open ports: Resources remain invisible to the public internet

Advantages over Traditional VPN:

Aspect           Traditional VPN     Twingate ZTNA
---------------  ------------------  ------------------
Network access   Full subnet access  Resource-specific
Attack surface   Public gateway      No exposed ports
User experience  All traffic routed  Split tunneling
Onboarding       Complex             Automated
Visibility       Limited             Full audit trails

Best for: Organizations wanting to replace VPNs with modern ZTNA


2.3 Sidebar: IRAP-Assessed Options for Australian Government

For Australian Government entities requiring certified solutions, Zscaler offers the only IRAP-assessed zero trust platform at the PROTECTED level.

Zscaler Zero Trust Exchange™

  • IRAP PROTECTED certified (2024 assessment)
  • First cloud security/zero trust vendor to complete IRAP
  • Comprehensive SASE platform (ZTNA, SWG, CASB, DLP)
  • Australian Points of Presence for data sovereignty

When to Consider Zscaler:

  • Government agencies requiring IRAP certification
  • Organizations needing comprehensive SASE architecture
  • Multi-cloud environments requiring unified policy enforcement

Trade-offs: Higher cost and complexity compared to Tailscale/Twingate; full SASE platform may be overkill for smaller organizations.


3. Open Source Alternatives

3.1 Headscale

Overview: Headscale is an open-source, self-hosted implementation of the Tailscale control server.

Key Features:

  • Full Tailscale compatibility: Works with official Tailscale clients
  • Self-hosted control plane: Complete data sovereignty
  • Namespace-based ACLs: User and group access controls
  • OIDC integration: Support for external identity providers

Architecture:

Tailscale Clients → Headscale Server (Self-hosted)
                           ↓
                    SQLite/PostgreSQL Database
                           ↓
                    DERP Relays (Self-hosted or public)

Best for: Organizations requiring complete control over control plane data


3.2 Pangolin

Overview: Pangolin is an open-source, identity-aware remote access platform built on WireGuard that combines reverse proxy and VPN capabilities.

Key Features:

  • Dual access modes: Browser-based access for web apps, WireGuard VPN for network resources
  • Identity integration: Connects to OIDC and OAuth2 providers
  • Site connectors: Deploy connectors to extend access to any network
  • Self-hosted: Complete control over infrastructure and data

Comparison with Commercial Solutions:

Feature             Pangolin   Twingate    Tailscale
------------------  ---------  ----------  -------------
Open Source                                Partial
Self-hosted                                Via Headscale
WireGuard-based
Web + VPN access                           VPN only
Enterprise support  Community  Commercial  Commercial

Best for: Organizations wanting open-source Twingate alternative with web + VPN access


3.3 Netbird

Overview: Netbird is an open-core zero trust networking platform built on WireGuard, offering both self-hosted and managed cloud options.

Key Features:

  • WireGuard-based: Modern cryptography with excellent performance
  • Open core model: Free self-hosted version with paid cloud offering
  • Identity integration: Native OIDC support (Entra ID, Okta, Google)
  • Device posture: Integration with Microsoft Defender and other EDR solutions
  • Mesh networking: Direct peer-to-peer connections with relay fallback

Comparison with Headscale:

Feature         Netbird                 Headscale
--------------  ----------------------  -------------------------
Protocol        WireGuard               WireGuard (via Tailscale)
Client          Netbird-specific        Tailscale official
Device posture  Native EDR integration  Via ACLs
Deployment      Self-hosted or cloud    Self-hosted only

Best for: Teams wanting WireGuard without Tailscale dependency; organizations requiring built-in device trust


4. Integration with Traditional Gateway Environments

4.1 Hybrid Architecture Patterns

Pattern 1: Gateway as Policy Enforcement Point

Internet → Gateway (Firewall/IPS) → Zero Trust Layer → Internal Resources

Pattern 2: Parallel Deployment

Users →┬→ Traditional VPN (Legacy systems)
       └→ Zero Trust Access (Modern applications)

Pattern 3: Zero Trust Behind Gateway

Internet → Gateway → DMZ → Zero Trust Connectors → Internal Networks

4.2 Migration Strategies

  1. Phased rollout: Start with non-critical applications
  2. Dual-running: Operate VPN and ZTNA in parallel during transition
  3. Application-by-application: Migrate based on risk and readiness
  4. User segmentation: Pilot with technical users before broad deployment

5. Australian Government Security Frameworks

5.1 Information Security Manual (ISM)

The ISM provides a comprehensive cyber security framework that aligns with zero trust principles:

Control ID  Description                   Zero Trust Alignment
----------  ----------------------------  --------------------
ISM-1654    Multi-factor authentication   Verify explicitly
ISM-1655    Privileged access management  Least privilege
ISM-1656    Application control           Micro-segmentation

Key ISM Principles for Zero Trust:

  • Network segmentation: Mandatory separation of security domains
  • Access control: Role-based and attribute-based policies
  • Monitoring and logging: Comprehensive audit trails
  • Incident response: Assume breach mentality

5.2 Protective Security Policy Framework (PSPF)

The PSPF Release 2025 mandates a "Zero Trust Culture" for Australian Government entities:

  1. Zero Trust Culture: Strategic commitment to ongoing verification, minimum access, and data-centric protection
  2. Security Domain Segmentation: Clear separation between classification levels
  3. Security Service Edge (SSE): Adoption of cloud-delivered security (CASB, FWaaS, SWG, ZTNA)

PSPF Compliance Mapping:

PSPF Requirement      Zero Trust Implementation
--------------------  -------------------------------------------------
Governance            Policy-as-code, continuous compliance monitoring
Information Security  Encryption in transit/at rest, micro-segmentation
Personnel Security    Identity verification, least-privilege access
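
The following is an added example, not code from this document or from any of the vendors or frameworks it describes: a minimal policy engine in Python that evaluates each request on identity, group entitlement and device posture (sections 1.2 and 1.3, and the device-trust features noted for Twingate and Netbird), and writes one audit record per decision (the monitoring and policy-as-code items in sections 5.1 and 5.2). The classification names follow Australian Government usage, but the posture thresholds, resource table, users and devices are constructed for the example.

```python
"""Per-request access decision with identity, device posture and audit logging.

Added example (not from the page or any vendor): a minimal policy engine of the
kind described in sections 1.2/1.3. Every request is evaluated on its own, and no
trust is derived from network location; thresholds and resources are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in device management and known to the IdP
    edr_running: bool      # endpoint detection and response agent healthy
    disk_encrypted: bool
    os_patched_at: datetime


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_verified: bool
    device: Device
    resource: str
    source_ip: str         # recorded for audit only; never grants trust


# Policy-as-code (constructed): posture requirements per classification level.
POSTURE_POLICY = {
    "OFFICIAL":  {"mfa": True, "managed": False, "edr": False, "encrypted": False, "max_patch_age_days": 30},
    "PROTECTED": {"mfa": True, "managed": True,  "edr": True,  "encrypted": True,  "max_patch_age_days": 14},
}

# Resource registry (constructed): classification plus the groups entitled to each resource.
RESOURCES = {
    "wiki":      {"classification": "OFFICIAL",  "groups": {"group:staff"}},
    "hr-portal": {"classification": "PROTECTED", "groups": {"group:hr"}},
}


def evaluate(req: Request, now: datetime) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Default deny: every unmet requirement is recorded."""
    reasons: list[str] = []
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, ["unknown resource"]
    if not (req.groups & res["groups"]):
        reasons.append("user not entitled to resource")
    rules = POSTURE_POLICY[res["classification"]]
    if rules["mfa"] and not req.mfa_verified:
        reasons.append("mfa required")
    d = req.device
    if rules["managed"] and not d.managed:
        reasons.append("unmanaged device")
    if rules["edr"] and not d.edr_running:
        reasons.append("edr not running")
    if rules["encrypted"] and not d.disk_encrypted:
        reasons.append("disk not encrypted")
    if now - d.os_patched_at > timedelta(days=rules["max_patch_age_days"]):
        reasons.append("os patch age exceeds %d days" % rules["max_patch_age_days"])
    return (not reasons), reasons


def audit_record(req: Request, now: datetime) -> str:
    """Evaluate and emit one JSON audit line (the continuous-monitoring component)."""
    allowed, reasons = evaluate(req, now)
    return json.dumps({
        "ts": now.isoformat(),
        "user": req.user,
        "device": req.device.device_id,
        "resource": req.resource,
        "source_ip": req.source_ip,
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
    }, sort_keys=True)


# Constructed sample devices and requests.
NOW = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
HEALTHY = Device("laptop-01", managed=True, edr_running=True, disk_encrypted=True,
                 os_patched_at=NOW - timedelta(days=3))
STALE = Device("laptop-02", managed=True, edr_running=True, disk_encrypted=True,
               os_patched_at=NOW - timedelta(days=40))
BYOD = Device("phone-07", managed=False, edr_running=False, disk_encrypted=True,
              os_patched_at=NOW - timedelta(days=1))

HR = frozenset({"group:staff", "group:hr"})
STAFF = frozenset({"group:staff"})
REQ_OK = Request("dana@agency.example", HR, True, HEALTHY, "hr-portal", "10.0.0.5")
REQ_STALE = Request("dana@agency.example", HR, True, STALE, "hr-portal", "10.0.0.5")
REQ_BYOD_WIKI = Request("eli@agency.example", STAFF, True, BYOD, "wiki", "203.0.113.9")
REQ_BYOD_HR = Request("eli@agency.example", STAFF, True, BYOD, "hr-portal", "10.0.0.5")

if __name__ == "__main__":
    for r in (REQ_OK, REQ_STALE, REQ_BYOD_WIKI, REQ_BYOD_HR):
        print(audit_record(r, NOW))
```

Two of the sample requests make the "never trust, always verify" point concrete: the request from an external address to the OFFICIAL wiki is allowed because the user and device meet that level's requirements, while the request from an internal address to the PROTECTED portal is denied on entitlement and posture grounds, with every reason preserved in the audit line so the denial can be investigated rather than guessed at.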

5.3 Australian Government Gateway Security Standard 2025

The Gateway Security Standard defines requirements for securing connections between security domains:

  1. Zero Trust Network Access (ZTNA): Least-privilege access with dynamic authentication
  2. Secure Web Gateway (SWG): Content filtering and threat protection
  3. Cloud Access Security Broker (CASB): Visibility and control for cloud services
  4. Firewall-as-a-Service (FWaaS): Next-generation firewall capabilities

Compliance Considerations:

  • Data sovereignty: Ensure data remains within Australian jurisdiction
  • Audit logging: Comprehensive logging aligned with ISM requirements
  • Encryption: Strong cryptography for all communications

5.4 Modern Defensible Architecture (MDA)

ASD's Modern Defensible Architecture (published February 2025) provides foundational guidance:

  1. Layered Architecture: Methodical separation of security design into distinct levels
  2. Zero Trust Principles: 'Never trust, always verify', 'assume breach', 'verify explicitly'
  3. Secure-by-Design: Security-first mindset in procurement and development

Alignment with Essential Eight:

Essential Eight Strategy     Zero Trust Component
---------------------------  --------------------------------------
Application control          Device trust, application segmentation
Patch applications           Continuous compliance monitoring
Restrict admin privileges    Just-in-time access, PAM integration
Multi-factor authentication  Identity verification

5.5 Vendor Considerations for Government

Requirement Tailscale Twingate Zscaler Headscale Pangolin Netbird
Australian data residency Partial Partial Partial
IRAP certification ✅ PROTECTED Self-assessed Self-assessed Self-assessed
Open source Partial Open core
Self-hosted option Via Headscale
PSPF 2025 alignment Requires assessment Requires assessment Requires assessment

6. Conclusion

Zero Trust Network Architecture represents a necessary evolution in cybersecurity, moving from perimeter-based defense to identity-centric, least-privilege access. For Australian Government entities, the alignment between zero trust principles and the PSPF 2025, ISM, and Gateway Security Standard provides a clear roadmap for implementation.

Organizations should consider:

  1. Commercial mesh VPN solutions (Tailscale, Twingate) for rapid deployment and excellent user experience
  2. IRAP-assessed platforms (Zscaler) for government compliance requirements
  3. Open-source alternatives (Headscale, Pangolin, Netbird) for data sovereignty and customization
  4. Hybrid approaches that integrate with existing gateway infrastructure
  5. Compliance-first implementations that meet Australian Government security requirements

The journey to zero trust is not a destination but a continuous process of verification, segmentation, and improvement.


References

Australian Government Frameworks

  1. Australian Cyber Security Centre. (2025). Foundations for Modern Defensible Architecture. https://www.cyber.gov.au/business-government/secure-design/secure-by-design/modern-defensible-architecture/foundations-for-modern-defensible-architecture

  2. Australian Cyber Security Centre. (2024). Information Security Manual (December 2024). https://www.cyber.gov.au/sites/default/files/2024-12/Information%20Security%20Manual%20(December%202024).pdf

  3. Department of Home Affairs. (2025). Protective Security Policy Framework (Release 2025). https://www.protectivesecurity.gov.au/

  4. Department of Home Affairs. (2025). Australian Government Gateway Security Standard 2025. https://www.protectivesecurity.gov.au/publications-library/australian-government-gateway-security-standard-2025

Commercial Solutions

  1. Tailscale. (2025). The State of Zero Trust Report 2025. https://tailscale.com/resources/report/zero-trust-report-2025

  2. Twingate. (2024). What is Zero Trust Network Access? https://www.twingate.com/blog/ztna

  3. Zscaler. (2024). Zscaler Completes 2024 IRAP Assessment. https://www.zscaler.com/press/zscaler-completes-2024-irap-assessment-demonstrates-enhanced-security-and-governance-maturity

Open Source Solutions

  1. Font, J. et al. (2025). Headscale [GitHub]. https://github.com/juanfont/headscale

  2. FOSRL. (2025). Pangolin [GitHub]. https://github.com/fosrl/pangolin

  3. Netbird. (2025). Open Source Zero Trust Networking. https://netbird.io/