How ClearStack works

Four layers of protection. Delivered as one.

A compliant government cloud environment isn't one thing — it's four: verified identities, secure remote access, a correctly configured cloud environment, and continuous compliance monitoring. ClearStack ships all four together, pre-configured, tested, and ready to run. This page explains what each layer does and why it matters.

The four layers

Each layer solves a different security problem.

Most breaches come from the same places: someone using a compromised login, a staff member connecting over an insecure network, a misconfigured cloud resource, or a threat that wasn't noticed until it was too late. ClearStack addresses all four — before your first workload runs.

Layer 01
Identities & Access Control
Stops: unauthorised logins, account takeovers, excessive privileges
Verified logins with strong MFA
Rules for who can access what
Time-limited admin access
Automatic staff onboarding/offboarding

Layer 02
Secure Remote Access
Stops: insecure connections, unmanaged device access, network intrusion
VPN replaced with modern access
Device health checked every session
Every connection logged
Risky sessions ended automatically

Layer 03
Cloud Environment
Stops: misconfigured cloud settings, policy drift, compliance gaps
Correctly structured Azure account
Security policies enforced automatically
Live compliance dashboard
ISM currency tracking built in

Layer 04
Advanced Monitoring
Stops: undetected threats, isolated workloads mixing, delayed incident response
Security event monitoring (SIEM)
Workloads isolated from each other
All internet traffic firewalled
Multi-environment governance

Layer 01 — Foundation

Identities & Access Control

The first question in any security review is: who is allowed in, and how do you know it's really them? This layer answers it — before a single workload runs.

Every staff member gets a verified, government-grade login with strong multi-factor authentication. The system enforces rules about who can access which systems, revokes access automatically when staff leave, and limits admin privileges so no one has standing access they don't need. Technically, this is built on Microsoft Entra ID and configured to ACSC ISM and Essential Eight requirements.

Included in: ✓ Essentials ✓ Professional ✓ Enterprise
identity / policy enforcement
Conditional Access policies: ✓ enforced
MFA (phishing-resistant): ✓ required
Privileged Identity Management: ✓ active
Guest access restrictions: ✓ locked
User lifecycle automation: ✓ configured

Entra ID federation: Tenant configured for government-appropriate directory settings. External identity federation locked down. Guest access policies enforced.
Phishing-resistant MFA: FIDO2 and Windows Hello for Business configured as primary methods. SMS and voice disabled per ISM guidance. Per-user MFA replaced by Conditional Access.
Conditional Access baseline: Pre-built policy set covers require MFA for all users, block legacy auth, compliant device requirement, sign-in risk policy, and named location restrictions.
Privileged Identity Management: All privileged roles assigned just-in-time via PIM. Standing admin access eliminated. Approval workflows and activation alerts configured.
User lifecycle automation: Joiner/mover/leaver workflows configured. Automatic licence assignment, group membership, and access removal on offboarding. Audit log retention set to ISM minimums.
Identity secure score baseline: Entra Identity Secure Score tracked against target. Recommended actions pre-implemented. Score documentation included in handover package.
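The Conditional Access baseline above (require MFA for all users, block legacy auth, compliant device requirement) is something a tenant administrator can verify from an export of the policies rather than trust by inspection. The following is an added example, not ClearStack's own code: a Python audit over policy objects laid out like Microsoft Graph conditionalAccessPolicy resources. The sample policies are constructed; exclusions and named-location conditions are assumed out of scope. A policy left in report-only mode is reported as a gap, because it logs but does not enforce, and a policy whose grant controls are OR-ed (for example MFA or compliant device) is not counted as mandating either one.

```python
"""Audit exported Conditional Access policies against a minimum baseline.

Added example, not ClearStack's code. Policy objects use the field layout of
Microsoft Graph conditionalAccessPolicy resources (state, conditions.users,
conditions.applications, conditions.clientAppTypes, grantControls). The
SAMPLE_POLICIES are constructed; exclusions and locations are not evaluated.
"""

LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}


def _enabled(policy):
    # Report-only mode ("enabledForReportingButNotEnforced") logs but does not block.
    return policy.get("state") == "enabled"


def _scoped_to_all_users(policy):
    users = policy.get("conditions", {}).get("users", {})
    return "All" in users.get("includeUsers", [])


def _scoped_to_all_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def _mandates(policy, control):
    """True when the grant controls cannot be satisfied without `control`.

    With operator OR, ["mfa", "compliantDevice"] lets a compliant device
    bypass MFA, so either a single control or operator AND is required.
    """
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if control not in controls:
        return False
    return len(controls) == 1 or grant.get("operator") == "AND"


def _tenant_wide(policy):
    return _enabled(policy) and _scoped_to_all_users(policy) and _scoped_to_all_apps(policy)


def requires_mfa_for_all(policies):
    return any(_tenant_wide(p) and _mandates(p, "mfa") for p in policies)


def blocks_legacy_auth(policies):
    # The standard legacy-auth block targets the two legacy client app types with a block grant.
    for p in policies:
        client_apps = set(p.get("conditions", {}).get("clientAppTypes", []))
        if _tenant_wide(p) and LEGACY_CLIENT_APPS <= client_apps and _mandates(p, "block"):
            return True
    return False


def requires_compliant_device(policies):
    return any(_tenant_wide(p) and _mandates(p, "compliantDevice") for p in policies)


def audit(policies):
    """Map each baseline requirement to whether an enforcing policy exists."""
    return {
        "mfa_all_users": requires_mfa_for_all(policies),
        "legacy_auth_blocked": blocks_legacy_auth(policies),
        "compliant_device_required": requires_compliant_device(policies),
    }


def baseline_gaps(policies):
    return sorted(name for name, ok in audit(policies).items() if not ok)


SAMPLE_POLICIES = [  # constructed sample export
    {
        "displayName": "BASE-01 Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "BASE-02 Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",  # still in report-only: a gap
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "BASE-03 Require compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice", "mfa"]},
    },
]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
    print("gaps:", baseline_gaps(SAMPLE_POLICIES))
```

Feed it the JSON array returned by a Graph export of the tenant's policies and the gap list is the work queue; the report-only case is the one most often missed in a handover review.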

ISM controls addressed

Control ID | Control name | E8 mapping | Status
ISM-0974 | Multi-factor authentication for all users | E8 ML3 — MFA | Enforced
ISM-1173 | Phishing-resistant MFA for privileged users | E8 ML3 — MFA | Enforced
ISM-1401 | Privileged access workstations | E8 — Admin mgmt | Configured
ISM-1507 | Just-in-time privileged access | E8 — Admin mgmt | Enforced via PIM
ISM-0428 | Audit logging of privileged access | E8 — Logging | Configured

Layer 1 is included in every plan.

Verified identities and access control are the foundation — every ClearStack environment starts here.

Layer 02 — Remote access

Secure Remote Access

VPNs were designed for a world where your staff, systems, and data all lived inside a building. That world doesn't exist anymore — and neither should VPNs.

This layer replaces your VPN with an approach that checks who a person is and whether their device is healthy every time they connect — not just once at login. If something changes (a device becomes compromised, a user's account is flagged), access is cut within minutes. Every connection is logged. Technically, this uses Microsoft Global Secure Access and Entra Private Access — zero-trust network access aligned to the ISM.

Included in: ✓ Essentials ✓ Professional ✓ Enterprise
access / zero-trust enforcement
Global Secure Access: ✓ deployed
Entra Private Access: ✓ configured
Continuous access evaluation: ✓ active
Traffic log forwarding: ✓ to Log Analytics
Legacy VPN: × replaced

Global Secure Access: Microsoft's SSE fabric deployed and configured. M365 traffic tunnelled through GSA for visibility and policy enforcement. Internet Access profile configured per ISM guidance.
Entra Private Access (VPN replacement): Zero-trust replacement for traditional VPN. Users access on-premises or private cloud resources via identity-verified, per-app tunnels. No network-level trust granted.
Continuous Access Evaluation: Token validity checked continuously — not just at sign-in. Session revoked within minutes of policy change or risk signal. Prevents credential replay attacks.
Access log forwarding: All network traffic logs forwarded to the centralised logging workspace (Layer 3 — Cloud Environment). Full audit trail of who accessed what, from where, and when — retained to ISM minimums.
Device compliance gate: Access conditional on device compliance state. Non-compliant or unmanaged devices blocked at the access layer, not the application layer. Works with Intune MDM.
Internet Access policy: Web category filtering and FQDN-based allow/block lists configured. Malicious site protection enabled. Web traffic tunnelled through GSA for full visibility.

ISM controls addressed

Control ID | Control name | E8 mapping | Status
ISM-0521 | Network access controls | | Enforced
ISM-1260 | Zero-trust architecture | | Implemented
ISM-0585 | Logging of network access events | E8 — Logging | Configured
ISM-1055 | Blocking access from untrusted devices | E8 ML2 | Enforced
ISM-1231 | Web content filtering | | Configured

Secure remote access is included in every plan.

Your VPN is replaced on day one. Layers 1 and 2 are designed together — they only work properly in combination.

Layer 03 — Cloud environment

Cloud Environment & Compliance Dashboard

Moving to cloud doesn't automatically make you secure — it just moves where the security problems live. Without the right configuration, your cloud environment is a blank canvas for misconfiguration, policy drift, and compliance gaps.

This layer is a correctly structured Azure environment with security policies applied automatically, centralised logging from day one, and a live compliance dashboard that maps your current settings against Australian government security requirements. If something drifts out of policy, you see it. If a new ISM update is available, you see that too. Technically, it's an Azure Managed Application deployed via Marketplace, built on Bicep infrastructure-as-code.

Included in: — Essentials ✓ Professional ✓ Enterprise
landing zone / governance layer
Management groups: ✓ structured
ISM PROTECTED policies: ✓ assigned
Defender for Cloud: ✓ enabled
Log Analytics workspace: ✓ centralised
Compliance Workbook: ✓ deployed

Management group hierarchy: Structured management group hierarchy aligned to ACSC architecture: Root → Platform → Landing Zones → Workloads. Policy inheritance flows correctly from the top.
ISM PROTECTED Azure Policy set: Custom policy initiative covering ISM PROTECTED controls deployed at management group scope. Policies are deny-mode where ISM requires it — no opt-out for accreditation-critical controls.
Compliance dashboard (Azure Workbook): Azure Workbook deployed into your resource group. Maps live Defender for Cloud findings to ISM control IDs. Surfaces drift, policy exceptions, and ISM version currency status in real time.
Centralised Log Analytics workspace: Single workspace receives logs from Identity, Access, and workload layers. Retention configured to ISM minimums. Diagnostic settings deployed across all platform resources.
Defender for Cloud (CSPM): Defender CSPM enabled across all subscriptions. Secure Score tracked against ISM-aligned recommendations. Alerts routed to central workspace. Regulatory compliance view mapped to ISM.
Version manifest CDN endpoint: Public CDN endpoint hosts version-manifest.json. Compliance Workbook reads it to surface update-available banners — no publisher access to your subscription required.

ISM controls addressed

Control ID | Control name | E8 mapping | Status
ISM-1053 | System monitoring — cloud resources | E8 — Logging | Configured
ISM-0109 | Centralised logging | E8 ML2 — Logging | Enforced
ISM-1146 | Azure Policy for configuration compliance | | Deployed
ISM-0988 | Configuration drift detection | E8 — Patching | Active
ISM-1407 | ISM update currency tracking | | Via version manifest

ISM currency model

ACSC publishes ISM updates approximately every six months. ClearStack targets delivery of updated policy sets within 45 business days of each ACSC publish date. The version manifest surfaces update availability in your compliance dashboard without requiring any publisher access to your environment. Version EOL policy: MINOR versions — 180 days. MAJOR versions — 365 days.
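To show how a published version manifest can drive both the update-available banner and the stated EOL windows without any publisher access to the subscription, here is an added Python example; it is not ClearStack's own workbook logic. The manifest layout (a "latest" entry plus a "versions" list with semantic versions and ISO release dates), the sample versions and dates, and the way the 180/365-day windows are counted (the clock starts on the date a newer version supersedes the deployed one; a superseding MINOR release gives 180 days, a superseding MAJOR release gives 365) are all assumptions, since the page does not publish the manifest schema or the counting rule.

```python
"""Evaluate ISM policy-set currency from a version manifest.

Added example, not ClearStack's code. Manifest layout, sample data and the
EOL counting rule (window starts when a newer version supersedes the
deployed one: MINOR bump 180 days, MAJOR bump 365 days) are assumptions.
"""
import json
from datetime import date, timedelta

EOL_DAYS = {"minor": 180, "major": 365}

SAMPLE_MANIFEST = json.dumps({  # constructed manifest, assumed layout
    "latest": {"version": "2.1.0", "released": "2025-03-20"},
    "versions": [
        {"version": "1.3.0", "released": "2024-06-15"},
        {"version": "2.0.0", "released": "2024-09-30"},
        {"version": "2.1.0", "released": "2025-03-20"},
    ],
})


def parse_version(text):
    """'2.1.0' -> (2, 1, 0); tuples compare in semantic-version order."""
    return tuple(int(part) for part in text.split("."))


def currency_status(manifest_json, deployed, today_iso):
    """Compare the deployed policy-set version against the manifest.

    Returns the latest version, whether an update is available, the EOL
    date of the deployed version (ISO string) and the days remaining
    (negative once past EOL), plus a status of current, update-available
    or past-eol.
    """
    manifest = json.loads(manifest_json)
    today = date.fromisoformat(today_iso)
    deployed_v = parse_version(deployed)
    latest = manifest["latest"]["version"]
    result = {"deployed": deployed, "latest": latest,
              "update_available": parse_version(latest) > deployed_v,
              "eol": None, "days_to_eol": None, "status": "current"}
    if not result["update_available"]:
        return result
    # The first release newer than the deployed version starts the EOL clock.
    newer = sorted((parse_version(v["version"]), v["released"])
                   for v in manifest["versions"]
                   if parse_version(v["version"]) > deployed_v)
    first_v, first_released = newer[0]
    bump = "major" if first_v[0] > deployed_v[0] else "minor"
    eol = date.fromisoformat(first_released) + timedelta(days=EOL_DAYS[bump])
    result["eol"] = eol.isoformat()
    result["days_to_eol"] = (eol - today).days
    result["status"] = "past-eol" if today > eol else "update-available"
    return result


if __name__ == "__main__":
    for deployed in ("1.3.0", "2.0.0", "2.1.0"):
        print(currency_status(SAMPLE_MANIFEST, deployed, "2025-05-01"))
```

Because the manifest is fetched read-only from a public endpoint and the comparison runs inside the customer's tenant, the publisher learns nothing about which version is deployed; the only trust placed in the endpoint is the integrity of the manifest itself, which is why a signed or hash-pinned manifest is worth asking about.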

The Cloud Environment is included in Professional and Enterprise.

This is where production workloads run. It includes the live compliance dashboard and automatic ISM update tracking.

Layer 04 — Advanced monitoring

Advanced Monitoring & Threat Detection

For agencies with multiple workloads or a formal security operations requirement, Layer 3 alone isn't enough. You need to know not just whether your configuration is correct — but whether someone is actively trying to exploit it.

This layer adds a security operations capability: event monitoring across your entire environment, network isolation between workloads so a breach in one can't spread to others, and full internet traffic filtering. It's the right addition when you're running multiple separate systems, when your agency has a CISO with an active monitoring mandate, or when you're approaching IRAP assessment for PROTECTED. Most small agencies don't need this at launch — Layers 1–3 cover the vast majority of ISM requirements — and we'll tell you that directly.

Included in: — Essentials — Professional ✓ Enterprise
cloud / workload layer
Multi-subscription governance: ✓ configured
Hub-spoke networking: ✓ deployed
Microsoft Sentinel: ✓ enabled
Workload segmentation: ✓ enforced
Private endpoints: ✓ required

Multi-subscription governance: Multiple workload subscriptions managed under a unified management group structure. Policy inheritance, cost management, and security posture tracked centrally.
Hub-spoke network topology: Hub VNet hosts shared services (firewall, DNS, private DNS zones). Spoke VNets peered for workload isolation. All egress via Azure Firewall — no direct internet from workload subnets.
Microsoft Sentinel (SIEM/SOAR): Sentinel workspace deployed and connected. Key data connectors enabled: Entra ID, Azure Activity, Defender for Cloud, GSA. Analytics rules mapped to ACSC threat intelligence.
Private endpoint enforcement: Azure Policy denies public endpoint creation for supported PaaS services. All service connectivity routed via private endpoints within the VNet. Public internet exposure eliminated for data services.
Workload segmentation: Network Security Groups and Azure Firewall rules enforce workload isolation. Production, non-production, and shared services segmented with explicit allow-list traffic rules.
Azure Firewall (centralised egress): Azure Firewall deployed in hub VNet. All workload egress routed via firewall with application and network rules. IDPS enabled in Alert mode with ISM-appropriate signatures active.
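The "no direct internet from workload subnets" property above is only as good as the route tables behind it, and it is easy to verify from them. The following is an added Python example, not ClearStack's deployment code: it walks a subnet inventory whose routes use the flat fields that az network route-table route list prints (addressPrefix, nextHopType, nextHopIpAddress). The subnet inventory and the firewall address are constructed. A subnet with no route table, or with a route table that lacks a 0.0.0.0/0 entry, is reported as a finding because Azure's system default route then carries internet-bound traffic directly out, which is the quiet way this control drifts.

```python
"""Check that every workload subnet sends default-route egress via the hub firewall.

Added example, not ClearStack's code. Route fields follow the flat layout of
`az network route-table route list` output; the SUBNETS inventory and the
firewall address are constructed for illustration.
"""

FIREWALL_IP = "10.0.1.4"  # constructed: private IP of the hub Azure Firewall

SUBNETS = {  # constructed: subnet name -> routes on its route table (None = no table attached)
    "prod-app": [
        {"name": "default-to-fw", "addressPrefix": "0.0.0.0/0",
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    ],
    "nonprod-app": [
        {"name": "default-internet", "addressPrefix": "0.0.0.0/0",
         "nextHopType": "Internet", "nextHopIpAddress": None},
    ],
    "prod-data": [  # only a hub route; no default route, so the system route to Internet applies
        {"name": "to-hub", "addressPrefix": "10.0.0.0/16",
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    ],
    "shared-dns": None,
}


def egress_finding(routes, firewall_ip):
    """Classify one subnet's default-route egress. Returns 'ok' or a finding label."""
    if routes is None:
        return "no-route-table"          # system route 0.0.0.0/0 -> Internet applies
    default = [r for r in routes if r["addressPrefix"] == "0.0.0.0/0"]
    if not default:
        return "no-default-route"        # same effect: system route wins
    route = default[0]
    if route["nextHopType"] != "VirtualAppliance":
        # e.g. Internet (direct egress) or None (blackhole, review intent)
        return "default-route-" + route["nextHopType"].lower()
    if route["nextHopIpAddress"] != firewall_ip:
        return "default-route-wrong-next-hop"
    return "ok"


def audit_egress(subnets, firewall_ip):
    """Map every subnet to its egress finding."""
    return {name: egress_finding(routes, firewall_ip) for name, routes in subnets.items()}


def noncompliant(subnets, firewall_ip):
    """Sorted names of subnets whose egress does not go via the firewall."""
    return sorted(name for name, finding in audit_egress(subnets, firewall_ip).items()
                  if finding != "ok")


if __name__ == "__main__":
    for name, finding in audit_egress(SUBNETS, FIREWALL_IP).items():
        print(f"{name:12s} {finding}")
    print("non-compliant:", noncompliant(SUBNETS, FIREWALL_IP))
```

Pair this with an Azure Policy that denies subnets without a route table and denies routes whose next hop is Internet, and the check becomes a regression guard rather than a one-off review; the script stays useful for confirming the policy actually took effect.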

ISM controls addressed

Control ID | Control name | E8 mapping | Status
ISM-0573 | Network segmentation | | Enforced
ISM-1082 | Firewall rule management | | Configured
ISM-0109 | SIEM — security event monitoring | E8 ML3 — Logging | Via Sentinel
ISM-1425 | Private endpoint for PaaS services | | Policy enforced
ISM-1586 | Multi-subscription security governance | | Configured

Do you need Layer 4?

Most small agencies don't need Layer 4 at launch. Layers 1–3 (Professional) cover the vast majority of ACSC ISM PROTECTED requirements and are the right starting point. Layer 4 becomes relevant when you have multiple separate workloads that need isolation from each other, a security team with a formal monitoring mandate, or an active IRAP assessment for PROTECTED classification. We'll tell you directly during scoping whether you need it — we're not here to oversell.

Advanced monitoring is included in Enterprise.

For agencies with multiple workloads, a security operations mandate, or an IRAP assessment in scope.
