How Wiz enables Australian government agencies to operationalise MDA with real-time context, zero trust enforcement, and end-to-end cloud visibility.
# Best Practices: Modern Defensible Architecture (MDA) & Cloud Security
## Overview
These practices address the operationalization of the Australian Signals Directorate’s (ASD) Modern Defensible Architecture (MDA). They focus on transitioning from perimeter-based security to a layered, "identity-first" model that provides resilience in complex multi-cloud and hybrid environments.
## Key Recommendations
### Immediate Actions
1. **Establish Agentless Visibility:** Deploy API-driven, agentless scanning across all cloud environments (AWS, Azure, Google Cloud, VMware) to gain an immediate, always-current inventory of assets.
2. **Map Identity Sprawl:** Conduct an audit of Cloud IAM roles and permissions to identify "toxic combinations"—where excessive permissions overlap with publicly reachable workloads.
3. **Identify High-Impact Risk:** Prioritize remediation based on "attack paths" (the connection between an exposure and a permission) rather than individual, isolated vulnerabilities.
### Short-term Improvements (1-3 months)
1. **Implement Least-Privilege Governance:** Use automated recommendation tools to trim excessive permissions and eliminate privilege escalation paths within cloud infrastructure.
2. **Enforce Secure-by-Design in Pipelines:** Integrate security scanning into the software supply chain to identify exploitable code or misconfigurations before they reach production.
3. **Audit AI/ML Assets:** Map all AI-enabled resources, models, and data flows to ensure they are governed by the same security standards as traditional IaaS.
### Long-term Strategy (3+ months)
1. **Operationalize Zero Trust:** Shift from static access policies to a dynamic "Policy Information Point" (PIP) model where access decisions are informed by real-time context and risk signals.
2. **Whole-of-System Governance:** Centralize security posture management across multi-cloud and hybrid infrastructures to ensure consistent enforcement of MDA foundations.
3. **Continuous Verification:** Move away from "set and forget" security by implementing continuous monitoring that triggers remediation workflows automatically when architecture drifts from defensible states.
## Implementation Guidance
### For Small Organizations
- Focus on **visibility first**. Use agentless tools to understand what is running without the overhead of managing agents.
- Prioritize fixing "publicly exposed" assets before moving to internal IAM hardening.
### For Medium Organizations
- Implement **automated remediation workflows** to help small security teams manage the volume of cloud alerts.
- Start integrating security checks into CI/CD pipelines to prevent "operational debt" from new deployments.
### For Large Enterprises
- Establish a **unified control plane** for multi-cloud governance (e.g., managing AWS and Azure under one policy framework).
- Focus on **Cloud Infrastructure Entitlement Management (CIEM)** to manage the massive sprawl of machine and human identities across disparate business units.
## Configuration Examples
*While the article is high-level, it highlights specific technical categories for configuration:*
- **Cloud IAM Policies:** Configured for least-privilege, specifically removing "Full Access" or "Admin" roles from service accounts that do not require them.
- **Network Controls:** Moving from static IP whitelisting to identity-aware micro-segmentation.
- **AI/ML Security Triggers:** Configuring alerts for when an AI model has access to sensitive data stores or is exposed to the public internet.
## Compliance Alignment
- **ASD/ACSC Modern Defensible Architecture (MDA):** Directly aligns with the 8 foundations of MDA.
- **Zero Trust Architecture:** Specifically the "Policy Information Point" (PIP) and "Policy Decision Point" (PDP) functions.
- **International Frameworks:** Developed in alignment with cybersecurity standards from South Korea, Germany, Canada (CCCS), New Zealand (NCSC), and Japan.
## Common Pitfalls to Avoid
- **Treating Zero Trust as a Philosophy:** Do not treat Zero Trust as a buzzword; it must be implemented as a technical operational model with real-time enforcement.
- **Siloed Risk Assessment:** Avoid looking at vulnerabilities in isolation. A medium-severity vulnerability on a server with "Domain Admin" permissions is a higher risk than a critical vulnerability on an isolated, unprivileged test server.
- **Ignoring AI Supply Chain:** Failing to account for the abstracted control planes and dependencies introduced by rapid AI adoption.
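The "toxic combination" and "attack path" prioritisation described under Immediate Actions, and the siloed-risk pitfall above, as an added example that is not code from the article or from Wiz. The asset inventory, the exposure and severity weights, and the scoring rule are constructed assumptions chosen to make the page's comparison concrete.

```python
# Added example: rank remediation by attack path (reachability x privilege x
# vulnerability) instead of by isolated vulnerability severity.
from dataclasses import dataclass

# Constructed weights for illustration; a real platform derives its own model.
EXPOSURE_WEIGHT = {"public": 3, "internal": 1, "isolated": 0}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 1}
PRIVILEGE_MULTIPLIER = 3  # how much an admin-level role amplifies any exposure


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str           # "public", "internal" or "isolated"
    vuln_severity: str      # worst known vulnerability on the asset, or "none"
    iam_actions: frozenset  # IAM actions granted to the workload's role


def has_excessive_permissions(actions: frozenset) -> bool:
    """Admin-style grants: a bare '*' or any service-wide wildcard such as 'iam:*'."""
    return any(a == "*" or a.endswith(":*") for a in actions)


def is_toxic_combination(asset: Asset) -> bool:
    """The page's definition: excessive permissions on a publicly reachable workload."""
    return asset.exposure == "public" and has_excessive_permissions(asset.iam_actions)


def attack_path_score(asset: Asset) -> int:
    """severity x (1 + reachability) x privilege: an isolated, unprivileged asset
    keeps only its severity weight; a reachable admin asset is amplified."""
    severity = SEVERITY_WEIGHT[asset.vuln_severity]
    reach = 1 + EXPOSURE_WEIGHT[asset.exposure]
    privilege = PRIVILEGE_MULTIPLIER if has_excessive_permissions(asset.iam_actions) else 1
    return severity * reach * privilege


def prioritise(assets: list[Asset]) -> list[tuple[str, int]]:
    """Remediation order: highest attack-path score first."""
    return sorted(((a.name, attack_path_score(a)) for a in assets), key=lambda t: -t[1])


# Constructed inventory mirroring the page's comparison: a medium-severity finding on a
# public, admin-privileged server outranks a critical one on an isolated test box.
ASSETS = [
    Asset("web-prod", "public", "medium", frozenset({"s3:*", "iam:*"})),
    Asset("test-db", "isolated", "critical", frozenset({"s3:GetObject"})),
    Asset("api-internal", "internal", "high", frozenset({"ec2:DescribeInstances"})),
]

if __name__ == "__main__":
    for name, score in prioritise(ASSETS):
        print(f"{score:3d}  {name}")
```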
## Resources
- [ASD Modern Defensible Architecture (MDA) Guidance](https://www.cyber.gov.au/business-government/secure-design/secure-by-design/modern-defensible-architecture)
- [Wiz Guide to Cloud Data Governance](https://www.wiz.io/lp/guide-to-data-governance-and-compliance-in-the-cloud)
- [NIST Zero Trust Architecture (SP 800-207)](https://csrc.nist.gov/publications/detail/sp/800-207/final)