Woodside Energy, NAB and Lendlease have emerged as some of the most high-profile Australian backers of a Zero Trust approach to securing remote access to corporate systems and data.
So-called Zero Trust Network Access (ZTNA) products are a common starting point for organisations, particularly those that had to shift to predominantly remote work setups at the start of the Covid-19 pandemic.
Analyst firm Gartner defines ZTNA as “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications.”
“The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities,” Gartner said.
“The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network.
“This removes application assets from public visibility and significantly reduces the surface area for attack.”
The NAB and Woodside Energy projects both appear to be pandemic-related, insofar as they hit scale during or after the first lockdowns in Australia.
For the remainder of this piece, iTnews examines the three organisations in turn, and where each is on its Zero Trust journey.
Liquefied natural gas (LNG) producer Woodside Energy is in the midst of a ZTNA implementation using Zscaler Private Access (ZPA) technology.
The project is running with personnel from Woodside and its technology partners Zetta and Data#3. It isn’t entirely clear when work began, though it may have started as early as late 2019 before being significantly scaled up from around mid-2020.
A Woodside Energy spokesperson would not confirm specific details of the project, but indicated the company is taking a view of Zero Trust that stretches beyond remote access to end-user computing resources - and beyond the specific technology implementation it is currently working on.
“Woodside sees Zero Trust as a way of working and an operating model that involves a cultural shift in how digital products and services are securely designed, delivered and operated,” the company’s spokesperson told iTnews.
“The Zero Trust operating model aims to improve Woodside's cyber resiliency.
“The purpose is to reduce the consequence of a significant incident impacting business operations.
“Woodside’s adoption of Zero Trust is a long-term and ongoing commitment.”
National Australia Bank
Like Woodside, NAB is deploying ZPA as its specific ZTNA technology.
From the start of that scale-out, NAB indicated its adoption of ZPA would count towards it “embracing Zero Trust.”
Some of that commentary has since disappeared from public view, though it remains available in web archives.
“NAB is now well placed to embrace a Zero Trust strategy, which both increases digital security and reduces network complexity for the bank,” its previous commentary read.
“Zero trust has two big benefits for us. Firstly, we no longer need to run a separate corporate network, which delivers significant cost savings. In the new model we only offer public internet access within our corporate offices.
“Secondly, it reduces the surface area that we have to manage and protect from malicious attacks. We have dramatically improved the security of our environment, not by installing more and more expensive security infrastructure but by removing all data and applications from the corporate environment so there is nothing to protect.
“This lowers our exposure to cyber breaches and reduces the complexity of our environment at the same time.”
The bank’s current executive for workplace technology Greg Farmer told iTnews that NAB remains committed to Zero Trust.
“Zero Trust capability enables every one of our colleagues to work remotely and securely with a simple internet connection,” Farmer said.
“It has enabled cost savings across our network as we augment our secure corporate network with non-trusted wi-fi.
“We’ve deployed Zero Trust to all NAB employees including our international sites, with the exception of a very limited number of colleagues with specific roles requiring fixed access (e.g. bank tellers).
“We will absolutely look to expand our use of the Zero Trust model into the future.”
Updated, 20/8: This article originally also contained information on Zero Trust adoption at Lendlease, which was based on publicly available information on the internet. The company has since requested this information be removed.
Stay tuned to iTnews for the next installment in this series on Thursday August 26.