---
title: "Beyond the Perimeter: A Practical Guide to Zero Trust Networking"
date: "2026-03-29"
tags: ["zero-trust", "network-security", "ztna", "tailscale", "twingate", "zscaler", "headscale", "pangolin", "netbird", "ism", "pspf", "australian-government"]
author: "Gavin Jackson"
excerpt: "A practical guide to Zero Trust Network Architecture covering commercial solutions (Tailscale, Twingate), IRAP-assessed options for government (Zscaler), and open-source alternatives (Headscale, Pangolin, Netbird). Includes alignment with Australian Government security frameworks."
---

# Beyond the Perimeter: A Practical Guide to Zero Trust Networking

**Table of Contents**
- [1. Introduction to Zero Trust Concepts](#1-introduction-to-zero-trust-concepts)
- [2. Commercial Solutions](#2-commercial-solutions)
  - [Tailscale](#21-tailscale)
  - [Twingate](#22-twingate)
  - [IRAP-Assessed Options](#23-sidebar-irap-assessed-options-for-australian-government)
- [3. Open Source Alternatives](#3-open-source-alternatives)
  - [Headscale](#31-headscale)
  - [Pangolin](#32-pangolin)
  - [Netbird](#33-netbird)
- [4. Gateway Integration](#4-integration-with-traditional-gateway-environments)
- [5. Australian Government Frameworks](#5-australian-government-security-frameworks)
- [6. Conclusion](#6-conclusion)
- [References](#references)

---

## 1. Introduction to Zero Trust Concepts

### 1.1 The Problem with Traditional Perimeter Security

Traditional network security operates on a "hard crunchy outside, soft chewy inside" model—once an attacker breaches the perimeter, they often have broad access to internal resources. This approach is increasingly inadequate because:

- **Perimeter erosion**: Cloud services, remote work, and mobile devices dissolve the traditional network boundary
- **Lateral movement**: Attackers who breach the perimeter can move freely within the network
- **Implicit trust**: Internal traffic is often trusted by default, enabling privilege escalation
- **VPN limitations**: Traditional VPNs provide broad network access rather than resource-specific authorization

### 1.2 Core Zero Trust Principles

Zero Trust is built on three foundational principles:

1. **Never Trust, Always Verify**: No user, device, or application is trusted by default, regardless of location
2. **Assume Breach**: Design systems as if an attacker is already present; contain blast radius through segmentation
3. **Verify Explicitly**: Authenticate and authorize every access request based on all available data points

### 1.3 Key Architectural Components

| Component | Description |
|-----------|-------------|
| **Identity Provider (IdP)** | Centralized authentication and authorization (SSO, MFA) |
| **Device Posture** | Continuous assessment of device health and compliance |
| **Policy Engine** | Real-time evaluation of access requests against defined policies |
| **Micro-segmentation** | Network isolation at the resource level rather than subnet level |
| **Continuous Monitoring** | Ongoing verification and logging of all access attempts |

### 1.4 Security Challenges Addressed

Zero Trust architectures directly address:

- **Insider threats**: Least-privilege access limits damage from compromised credentials
- **Ransomware propagation**: Micro-segmentation prevents lateral movement
- **Shadow IT**: Identity-aware access controls bring unmanaged resources under governance
- **Third-party access**: Granular permissions for contractors and partners without network-level access
- **Remote work security**: Consistent security posture regardless of user location
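To make the principles and components above concrete, here is a minimal policy decision point written for this guide as an added example (it is not code from the article or from any product named in it). It combines identity claims from the IdP, device posture with a freshness window, a default-deny resource policy, and an audit record for every decision. Resource names, groups, users and time limits are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

POSTURE_MAX_AGE = timedelta(minutes=15)  # constructed: posture evidence older than this must be re-collected
MFA_MAX_AGE = timedelta(hours=8)         # constructed: MFA must be refreshed at least daily
NOW = datetime(2026, 3, 29, 9, 0, tzinfo=timezone.utc)  # constructed clock for the samples
# Constructed resource inventory: groups allowed in, and whether a compliant managed device is required.
RESOURCES = {"hr-payroll": {"groups": {"hr"}, "managed_only": True},
             "wiki": {"groups": {"staff", "hr"}, "managed_only": False}}
AUDIT_LOG = []  # continuous monitoring: every decision, allow or deny, is recorded here

@dataclass
class Request:
    user: str
    groups: set                    # group membership asserted by the IdP
    mfa_at: "datetime | None"      # last MFA completion, None if never
    device_managed: bool           # device enrolled in MDM/EDR
    disk_encrypted: bool           # one sample posture attribute
    posture_at: "datetime | None"  # last posture report, None if never
    resource: str

def stale(ts, max_age):
    """Evidence that was never produced, or is older than max_age, does not count."""
    return ts is None or NOW - ts > max_age

def build(user, groups, mfa_age_min, managed, encrypted, posture_age_min, resource):
    """Build a Request from minute offsets relative to NOW (None = evidence never produced)."""
    age = lambda m: None if m is None else NOW - timedelta(minutes=m)
    return Request(user, set(groups), age(mfa_age_min), managed, encrypted,
                   age(posture_age_min), resource)

def decide(req):
    """Policy engine: returns (allowed, reason). Nothing is trusted by default; any failed check denies."""
    policy = RESOURCES.get(req.resource)
    if policy is None:
        verdict = (False, "unknown resource")              # unlisted resources are simply invisible
    elif stale(req.mfa_at, MFA_MAX_AGE):
        verdict = (False, "mfa missing or stale")
    elif not (req.groups & policy["groups"]):
        verdict = (False, "identity not authorised for resource")
    elif policy["managed_only"] and not req.device_managed:
        verdict = (False, "unmanaged device")
    elif policy["managed_only"] and stale(req.posture_at, POSTURE_MAX_AGE):
        verdict = (False, "device posture stale, re-assessment required")
    elif policy["managed_only"] and not req.disk_encrypted:
        verdict = (False, "device fails posture check")
    else:
        verdict = (True, "allow")
    AUDIT_LOG.append((NOW.isoformat(), req.user, req.resource) + verdict)
    return verdict
```

Note that a device which passed posture 40 minutes ago is denied until it reports again: the session is re-verified continuously rather than trusted once at login.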

---

## 2. Commercial Solutions

### 2.1 Tailscale

**Overview**: Tailscale is a mesh VPN built on WireGuard that creates secure, peer-to-peer connections between devices.

**Key Features**:
- **Mesh architecture**: Direct device-to-device connections without central traffic routing
- **Identity-based networking**: Integrates with Okta, Google Workspace, Microsoft Entra ID
- **NAT traversal**: Uses DERP relays when direct connections aren't possible
- **Access Control Lists (ACLs)**: Fine-grained, JSON-based policies
- **MagicDNS**: Automatic DNS resolution for connected devices
- **Subnet routing**: Access entire networks through a subnet router node (exit nodes, by contrast, route all internet-bound traffic)

**Architecture**:
```
Devices ←→ Tailscale Client (WireGuard) ←→ Coordination Server
     ↓                                    ↓
   DERP Relays (fallback)              ACLs & Policies
```

**Best for**: Remote teams, cross-cloud connectivity, IoT device management
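As an added illustration of the JSON-based ACLs mentioned above (example code written for this guide, not Tailscale's own implementation, and it models only a subset of the real policy semantics): a small evaluator that expands groups and tags from a policy written in the public Tailscale ACL layout, which self-hosted Headscale also consumes, and answers whether one node may reach another on a given port, denying by default. The users, tags and nodes are constructed.

```python
import json
# Constructed policy in the Tailscale / Headscale ACL layout: groups, plus accept rules with src and dst.
POLICY = json.loads("""{
  "groups": {"group:devops": ["alice@example.com", "bob@example.com"],
             "group:analysts": ["carol@example.com"]},
  "acls": [
    {"action": "accept", "src": ["group:devops"],   "dst": ["tag:prod:22,443"]},
    {"action": "accept", "src": ["group:analysts"], "dst": ["tag:dashboards:443"]},
    {"action": "accept", "src": ["tag:monitoring"], "dst": ["*:9100"]}
  ]
}""")
# Constructed node inventory: a node is owned by a user (laptops) or carries tags (servers).
NODES = {"alice-laptop": {"user": "alice@example.com", "tags": []},
         "carol-laptop": {"user": "carol@example.com", "tags": []},
         "prod-db": {"user": None, "tags": ["tag:prod"]},
         "grafana": {"user": None, "tags": ["tag:dashboards"]},
         "prometheus": {"user": None, "tags": ["tag:monitoring"]}}

def expand(policy, entry):
    """Expand one src/dst principal: groups become their members; users, tags and '*' stand alone."""
    if entry.startswith("group:"):
        return set(policy["groups"].get(entry, []))
    return {entry}

def port_matches(spec, port):
    """A port spec is '*' or a comma list of single ports and lo-hi ranges, e.g. '22,8000-8100'."""
    if spec == "*":
        return True
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (item.partition("-") for item in spec.split(",")))

def identities(node):
    """The identities a node can match on: its tags and, if user-owned, its owner's login."""
    return set(node["tags"]) | ({node["user"]} if node["user"] else set())

def is_allowed(policy, nodes, src, dst, port):
    """Default deny: traffic passes only if some accept rule matches source, destination and port."""
    src_ids, dst_ids = identities(nodes[src]), identities(nodes[dst])
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        sources = set().union(*(expand(policy, s) for s in rule["src"]))
        if "*" not in sources and not (sources & src_ids):
            continue
        for entry in rule["dst"]:
            target, _, ports = entry.rpartition(":")   # 'tag:prod:22,443' -> 'tag:prod', '22,443'
            targets = expand(policy, target)
            if ("*" in targets or targets & dst_ids) and port_matches(ports, port):
                return True
    return False           # no rule matched: the destination is unreachable from this source
```

With this policy an analyst's laptop cannot reach the production database on any port, and a devops laptop reaches it only on 22 and 443; every other path is closed without any explicit deny rule.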

---

### 2.2 Twingate

**Overview**: Twingate provides Zero Trust Network Access (ZTNA) that replaces traditional VPNs with identity-aware, least-privilege access.

**Key Features**:
- **Split tunneling by default**: Only routes traffic to protected resources
- **Resource-level access**: Define access per application, not per network
- **Zero trust segmentation**: Micro-segmentation without network reconfiguration
- **Device trust**: Continuous device posture assessment
- **No open ports**: Resources remain invisible to the public internet

**Advantages over Traditional VPN**:

| Aspect | Traditional VPN | Twingate ZTNA |
|--------|-----------------|---------------|
| Network access | Full subnet access | Resource-specific |
| Attack surface | Public gateway | No exposed ports |
| User experience | All traffic routed | Split tunneling |
| Onboarding | Complex | Automated |
| Visibility | Limited | Full audit trails |

**Best for**: Organizations wanting to replace VPNs with modern ZTNA

---

### 2.3 Sidebar: IRAP-Assessed Options for Australian Government

For Australian Government entities requiring certified solutions, **Zscaler** offers the only IRAP-assessed zero trust platform at the PROTECTED level.

**Zscaler Zero Trust Exchange™**

- **IRAP PROTECTED** certified (2024 assessment)
- First cloud security/zero trust vendor to complete IRAP
- Comprehensive SASE platform (ZTNA, SWG, CASB, DLP)
- Australian Points of Presence for data sovereignty

**When to Consider Zscaler**:
- Government agencies requiring IRAP certification
- Organizations needing comprehensive SASE architecture
- Multi-cloud environments requiring unified policy enforcement

**Trade-offs**: Higher cost and complexity compared to Tailscale/Twingate; full SASE platform may be overkill for smaller organizations.

---

## 3. Open Source Alternatives

### 3.1 Headscale

**Overview**: Headscale is an open-source, self-hosted implementation of the Tailscale control server.

**Key Features**:
- **Full Tailscale compatibility**: Works with official Tailscale clients
- **Self-hosted control plane**: Complete data sovereignty
- **Namespace-based ACLs**: User and group access controls
- **OIDC integration**: Support for external identity providers

**Architecture**:
```
Tailscale Clients ←→ Headscale Server (Self-hosted)
        ↓                        ↓
  DERP Relays              SQLite/PostgreSQL Database
  (Self-hosted or public)
```

**Best for**: Organizations requiring complete control over control plane data

---

### 3.2 Pangolin

**Overview**: Pangolin is an open-source, identity-aware remote access platform built on WireGuard that combines reverse proxy and VPN capabilities.

**Key Features**:
- **Dual access modes**: Browser-based access for web apps, WireGuard VPN for network resources
- **Identity integration**: Connects to OIDC and OAuth2 providers
- **Site connectors**: Deploy connectors to extend access to any network
- **Self-hosted**: Complete control over infrastructure and data

**Comparison with Commercial Solutions**:

| Feature | Pangolin | Twingate | Tailscale |
|---------|----------|----------|-----------|
| Open Source | ✅ | ❌ | Partial |
| Self-hosted | ✅ | ❌ | Via Headscale |
| WireGuard-based | ✅ | ✅ | ✅ |
| Web + VPN access | ✅ | ✅ | VPN only |
| Enterprise support | Community | Commercial | Commercial |

**Best for**: Organizations wanting an open-source Twingate alternative with web + VPN access

---

### 3.3 Netbird

**Overview**: Netbird is an open-core zero trust networking platform built on WireGuard, offering both self-hosted and managed cloud options.

**Key Features**:
- **WireGuard-based**: Modern cryptography with excellent performance
- **Open core model**: Free self-hosted version with paid cloud offering
- **Identity integration**: Native OIDC support (Entra ID, Okta, Google)
- **Device posture**: Integration with Microsoft Defender and other EDR solutions
- **Mesh networking**: Direct peer-to-peer connections with relay fallback

**Comparison with Headscale**:

| Feature | Netbird | Headscale |
|---------|---------|-----------|
| Protocol | WireGuard | WireGuard (via Tailscale) |
| Client | Netbird-specific | Tailscale official |
| Device posture | Native EDR integration | Via ACLs |
| Deployment | Self-hosted or cloud | Self-hosted only |

**Best for**: Teams wanting WireGuard without Tailscale dependency; organizations requiring built-in device trust

---

## 4. Integration with Traditional Gateway Environments

### 4.1 Hybrid Architecture Patterns

**Pattern 1: Gateway as Policy Enforcement Point**
```
Internet → Gateway (Firewall/IPS) → Zero Trust Layer → Internal Resources
```

**Pattern 2: Parallel Deployment**
```
Users →┬→ Traditional VPN (Legacy systems)
       └→ Zero Trust Access (Modern applications)
```

**Pattern 3: Zero Trust Behind Gateway**
```
Internet → Gateway → DMZ → Zero Trust Connectors → Internal Networks
```

### 4.2 Migration Strategies

1. **Phased rollout**: Start with non-critical applications
2. **Dual-running**: Operate VPN and ZTNA in parallel during transition
3. **Application-by-application**: Migrate based on risk and readiness
4. **User segmentation**: Pilot with technical users before broad deployment

---

## 5. Australian Government Security Frameworks

### 5.1 Information Security Manual (ISM)

The ISM provides a comprehensive cyber security framework that aligns with zero trust principles:

| Control ID | Description | Zero Trust Alignment |
|------------|-------------|---------------------|
| ISM-1654 | Multi-factor authentication | Verify explicitly |
| ISM-1655 | Privileged access management | Least privilege |
| ISM-1656 | Application control | Micro-segmentation |

**Key ISM Principles for Zero Trust**:
- Network segmentation: Mandatory separation of security domains
- Access control: Role-based and attribute-based policies
- Monitoring and logging: Comprehensive audit trails
- Incident response: Assume breach mentality

---

### 5.2 Protective Security Policy Framework (PSPF)

The PSPF Release 2025 mandates a "Zero Trust Culture" for Australian Government entities:

1. **Zero Trust Culture**: Strategic commitment to ongoing verification, minimum access, and data-centric protection
2. **Security Domain Segmentation**: Clear separation between classification levels
3. **Secure Access Service Edge (SSE)**: Adoption of cloud-delivered security (CASB, FWaaS, SWG, ZTNA)

**PSPF Compliance Mapping**:

| PSPF Requirement | Zero Trust Implementation |
|------------------|---------------------------|
| Governance | Policy-as-code, continuous compliance monitoring |
| Information Security | Encryption in transit/at rest, micro-segmentation |
| Personnel Security | Identity verification, least-privilege access |

---

### 5.3 Australian Government Gateway Security Standard 2025

The Gateway Security Standard defines requirements for securing connections between security domains:

1. **Zero Trust Network Access (ZTNA)**: Least-privilege access with dynamic authentication
2. **Secure Web Gateway (SWG)**: Content filtering and threat protection
3. **Cloud Access Security Broker (CASB)**: Visibility and control for cloud services
4. **Firewall-as-a-Service (FWaaS)**: Next-generation firewall capabilities

**Compliance Considerations**:
- **Data sovereignty**: Ensure data remains within Australian jurisdiction
- **Audit logging**: Comprehensive logging aligned with ISM requirements
- **Encryption**: Strong cryptography for all communications

---

### 5.4 Modern Defensible Architecture (MDA)

ASD's Modern Defensible Architecture (published February 2025) provides foundational guidance:

1. **Layered Architecture**: Methodical separation of security design into distinct levels
2. **Zero Trust Principles**: 'Never trust, always verify', 'assume breach', 'verify explicitly'
3. **Secure-by-Design**: Security-first mindset in procurement and development

**Alignment with Essential Eight**:

| Essential Eight Strategy | Zero Trust Component |
|--------------------------|---------------------|
| Application control | Device trust, application segmentation |
| Patch applications | Continuous compliance monitoring |
| Restrict admin privileges | Just-in-time access, PAM integration |
| Multi-factor authentication | Identity verification |

---

### 5.5 Vendor Considerations for Government

| Requirement | Tailscale | Twingate | Zscaler | Headscale | Pangolin | Netbird |
|-------------|-----------|----------|---------|-----------|----------|---------|
| Australian data residency | Partial | Partial | ✅ | ✅ | ✅ | Partial |
| IRAP certification | ❌ | ❌ | ✅ PROTECTED | Self-assessed | Self-assessed | Self-assessed |
| Open source | Partial | ❌ | ❌ | ✅ | ✅ | Open core |
| Self-hosted option | Via Headscale | ❌ | ❌ | ✅ | ✅ | ✅ |
| PSPF 2025 alignment | ✅ | ✅ | ✅ | Requires assessment | Requires assessment | Requires assessment |

---

## 6. Conclusion

Zero Trust Network Architecture represents a necessary evolution in cybersecurity, moving from perimeter-based defense to identity-centric, least-privilege access. For Australian Government entities, the alignment between zero trust principles and the PSPF 2025, ISM, and Gateway Security Standard provides a clear roadmap for implementation.

Organizations should consider:

1. **Commercial mesh VPN solutions** (Tailscale, Twingate) for rapid deployment and excellent user experience
2. **IRAP-assessed platforms** (Zscaler) for government compliance requirements
3. **Open-source alternatives** (Headscale, Pangolin, Netbird) for data sovereignty and customization
4. **Hybrid approaches** that integrate with existing gateway infrastructure
5. **Compliance-first** implementations that meet Australian Government security requirements

The journey to zero trust is not a destination but a continuous process of verification, segmentation, and improvement.

---

## References

### Australian Government Frameworks

1. Australian Cyber Security Centre. (2025). *Foundations for Modern Defensible Architecture*. https://www.cyber.gov.au/business-government/secure-design/secure-by-design/modern-defensible-architecture/foundations-for-modern-defensible-architecture

2. Australian Cyber Security Centre. (2024). *Information Security Manual* (December 2024). https://www.cyber.gov.au/sites/default/files/2024-12/Information%20Security%20Manual%20(December%202024).pdf

3. Department of Home Affairs. (2025). *Protective Security Policy Framework* (Release 2025). https://www.protectivesecurity.gov.au/

4. Department of Home Affairs. (2025). *Australian Government Gateway Security Standard 2025*. https://www.protectivesecurity.gov.au/publications-library/australian-government-gateway-security-standard-2025

### Commercial Solutions

5. Tailscale. (2025). *The State of Zero Trust Report 2025*. https://tailscale.com/resources/report/zero-trust-report-2025

6. Twingate. (2024). *What is Zero Trust Network Access?* https://www.twingate.com/blog/ztna

7. Zscaler. (2024). *Zscaler Completes 2024 IRAP Assessment*. https://www.zscaler.com/press/zscaler-completes-2024-irap-assessment-demonstrates-enhanced-security-and-governance-maturity

### Open Source Solutions

8. Font, J. et al. (2025). *Headscale* [GitHub]. https://github.com/juanfont/headscale

9. FOSRL. (2025). *Pangolin* [GitHub]. https://github.com/fosrl/pangolin

10. Netbird. (2025). *Open Source Zero Trust Networking*. https://netbird.io/
