Deployment scenarios

Real problems. Proven patterns.

Two of the most common situations ClearStack is deployed into — and exactly how the architecture handles each one.

A. Legacy environments

Essential Eight compliance for environments that can't be updated.

Many government agencies run isolated environments — OT networks, labs, clinical systems, or legacy application stacks — where the machines themselves can't be enrolled in a modern identity provider. The operating systems are too old for Intune, the applications rely on legacy auth protocols, and the network perimeter was never designed to carry MFA.

The usual answer is to exempt these environments from Essential Eight requirements and accept residual risk. ClearStack takes a different approach: bring identity enforcement in front of the machine, not inside it.

Using Entra Private Access, staff authenticate with full MFA and Conditional Access before a connection to the target host is ever established. The legacy machine never needs to be touched. It doesn't need to be enrolled, updated, or reconfigured — it simply becomes unreachable without a valid, policy-checked identity assertion from Entra ID.

Applies to: OT / industrial systems, IoT endpoints, SCADA networks, research & lab networks, clinical / healthcare systems.

Also applies to legacy application stacks. Applications using NTLM, Kerberos, or basic auth that can't be migrated to modern SSO are fully supported. Entra Private Access proxies the connection; the application stack sees a normal network request.
The problem
  • Machines can't be enrolled in Intune — OS too old or vendor-locked
  • No MFA — legacy auth stack (NTLM / basic) can't support it
  • Network perimeter design predates zero-trust concepts
  • Essential Eight audit exceptions building up year on year
  • No safe remote access — VPN exposes the whole segment
What ClearStack delivers
  • MFA enforced at the identity layer — before the machine is touched
  • Conditional Access gates every connection in real time
  • Legacy machines require zero changes — no agent, no enrollment
  • Privileged access paths documented and auditable in Entra logs
  • VPN eliminated — per-application access replaces network exposure
  • Measurable Essential Eight improvement without a device refresh
How the access path works
  Staff device (any managed or BYOD) → request → Entra ID (MFA + Conditional Access evaluated) → token issued → Private Access connector (in your network segment) → proxied → Legacy machine (unmodified, no agent required)
  • Identity verified before the connection is established
  • Full access log in Entra sign-in logs
  • Legacy machine never exposed to the internet
Typical environment
  • Mixed Windows Server 2012–2019 and Linux nodes
  • Applications running IIS, legacy Java, or proprietary stacks
  • Flat network with no micro-segmentation
  • Remote access via aging VPN or jump server
  • Periodic manual Essential Eight audits with growing exception lists
What doesn't change
  • The legacy machines — they stay exactly as they are
  • The applications — no code changes, no auth stack migration
  • The internal network topology
  • Existing IT team workflows — no specialist OT training required
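As a defender's check on the "MFA enforced before the machine is touched" and "auditable in Entra logs" claims above, here is an added example (not ClearStack's own code) that audits exported sign-in records for Private Access connections that completed without MFA or without a Conditional Access decision. It assumes the field names of the Microsoft Graph signIn resource, and the app display name under which Private Access connections appear is a placeholder you must substitute.

```python
"""Audit Entra sign-in records for a Private Access-brokered legacy segment.

Verifies that every completed connection was MFA-verified and gated by
Conditional Access before the legacy host was reached. Input is the JSON
array shape returned by the Microsoft Graph signIn resource; the field
names are an assumption and should be checked against your tenant export.
"""
import json

# Assumption: the app display name under which Private Access connections
# appear in your sign-in logs. Placeholder value, substitute your own.
PRIVATE_ACCESS_APP = "PLACEHOLDER-private-access-app"

# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-01-01T09:00:00Z", "userPrincipalName": "alice@agency.example",
     "appDisplayName": PRIVATE_ACCESS_APP, "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-01-01T09:05:00Z", "userPrincipalName": "bob@agency.example",
     "appDisplayName": PRIVATE_ACCESS_APP, "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-01-01T09:10:00Z", "userPrincipalName": "carol@agency.example",
     "appDisplayName": "Some other app", "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-01-01T09:15:00Z", "userPrincipalName": "dave@agency.example",
     "appDisplayName": PRIVATE_ACCESS_APP, "conditionalAccessStatus": "failure",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 53003}},
])


def audit_private_access(signins_json, app_name=PRIVATE_ACCESS_APP):
    """Return (checked_count, findings); a finding is (upn, time, reason).

    Only completed sign-ins (errorCode 0) to the Private Access app are
    examined: a sign-in that Conditional Access blocked never reached the
    legacy host, so it is expected behaviour rather than a gap."""
    findings, checked = [], 0
    for rec in json.loads(signins_json):
        if rec.get("appDisplayName") != app_name:
            continue  # traffic to other apps is out of scope for this check
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # blocked or failed: the connection never completed
        checked += 1
        upn, when = rec.get("userPrincipalName"), rec.get("createdDateTime")
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            findings.append((upn, when, "connection completed without MFA"))
        if rec.get("conditionalAccessStatus") != "success":
            findings.append((upn, when, "no Conditional Access policy applied"))
    return checked, findings


if __name__ == "__main__":
    count, found = audit_private_access(SAMPLE_SIGNINS)
    print(f"{count} completed Private Access sign-ins checked, {len(found)} findings")
    for upn, when, reason in found:
        print(f"FINDING {when} {upn}: {reason}")
```

Any finding means a connection reached the legacy segment on weaker terms than the policy intends, which is exactly the gap a Conditional Access policy scoped to the Private Access app is meant to close.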
B. Innovation environments

Stand up a compliant AI environment in days — without creating shadow IT.

A team wants to validate a novel AI use case: test a model against real data, trial a new toolchain, explore a sensitive workload. The standard path — raise a change request, wait for infrastructure provisioning, go through the accreditation gate — takes months. The fast path — spin up something yourself, worry about security later — creates shadow IT and leaves the CISO cleaning up afterwards.

ClearStack gives a third option: an ephemeral environment that is compliant and documented from the moment it's created, not retrofitted after the experiment concludes.

Existing enterprise users access it with their current credentials — no new accounts, no separate directories, no credential sprawl. The enterprise Entra ID remains the sole IdP. Data flow is established deliberately: one-way for read-only analysis, two-way where the enterprise explicitly permits it. When the validation concludes, the environment tears down cleanly with a full audit trail intact.

Applies to: AI / ML validation, research projects, proof of concepts, cross-agency collaboration, novel data pipeline testing.

No new credentials, no shadow IdP. The enterprise Entra ID is the only identity provider. Users authenticate with their existing accounts, existing MFA, and existing Conditional Access policies. IT retains full visibility and revocation control throughout.
Without ClearStack
  • Months of lead time before first workload can run
  • New accounts created — credential sprawl, no central revocation
  • Compliance documentation written retrospectively (or not at all)
  • Shadow IT: the CISO finds out after go-live
  • Data egress ungoverned — no formal one-way / two-way policy
  • Environment never formally decommissioned — lingers as risk
With ClearStack
  • Operational in days — compliant from first deployment
  • Existing enterprise credentials — zero new accounts
  • ISM controls and Essential Eight baseline documented on day one
  • Enterprise retains sole IdP control — revoke access instantly
  • Data flow explicitly configured: read-only or bidirectional
  • Clean teardown with full audit trail preserved
Identity and data flow
  Enterprise users (existing managed devices) → existing creds → Enterprise Entra ID (sole IdP, no shadow directory) → B2B / OIDC trust → ClearStack environment (isolated Azure subscription) → governed data flow → Enterprise data (1-way or 2-way as configured)
  • One-way (read): data flows from the enterprise into the AI environment for analysis. Results remain isolated. Nothing can write back without explicit approval.
  • Two-way (bidirectional): outputs from the AI environment feed back into enterprise systems. Approved, documented, and policy-gated, not an ungoverned pipe.
Lifecycle
  • Day 1–7: ClearStack deployed, users federated, data flow configured
  • Validation period: team works in a fully compliant, documented environment
  • Ongoing: compliance dashboard reflects live posture
  • Conclusion: environment decommissioned; SIEM logs and documentation retained
What the enterprise IT team retains
  • Sole control of the identity provider — no delegated admin to the project team
  • Ability to revoke all access instantly from Entra ID
  • Full visibility of sign-in and access logs in their existing SIEM
  • Ownership of data flow policy — project team cannot escalate their own permissions

See how ClearStack maps to your environment.

Bring your architecture to a 30-minute call. We'll show you exactly how ClearStack would be deployed and what it would give you on day one.
