The biggest gap in your Zero Trust plans is sitting in your EDRMS

A record that moves into M365 inherits, on arrival, every dollar the agency has already spent on its security stack.

I’ve had a version of the same conversation with several agencies over the past year. We see what the security teams have built: conditional access everywhere, proper MFA rolled out, Essential Eight uplift tracking well, Purview stood up properly with sensitivity labels mapped to PSPF markings.

Then I ask how their corporate records work, and the room goes a bit quiet.

Because the answer, in most cases, is that at least twenty years of the agency’s most sensitive material, and often far more, is still sitting in Content Manager (or TRIM, depending on how long you’ve been around).

And even worse, many agencies continue to use Content Manager as the “official” records management system. Some have migrated it to the cloud, but their instances often still run on Windows Server infrastructure that nobody enjoys patching, are reachable through service accounts and NTLM, and fall outside the reach of every one of those shiny new controls the agency spent so much money and time on.

The DLP policies don’t apply to the documents in it, and conditional access never sees a read against it. If someone exfiltrated half of the repository tomorrow, the tooling that’s supposed to notice would have no telemetry to notice it with.

PSPF Release 2025 made Zero Trust the Commonwealth’s stated direction, and agencies have responded by investing heavily in the identity and device pillars.

Fair enough, that’s where the guidance and the products were pointing. But Zero Trust is supposed to extend to the data itself, and you cannot apply data-centric security to data your platform can’t reach. An agency can be at Maturity Level 2 across the Essential Eight and still have its deepest archive sitting outside the entire control plane.

This isn’t a hypothetical risk; we have already seen this go wrong in the private sector.

When Latitude Financial was breached in 2023, around 14 million records went out the door, and the figure that stuck with me was that an estimated 5.7 million of them dated from before 2013. Latitude was not alone in that regard.

The age of the data was no consolation to those who had been affected. What’s more, Government can’t simply delete its way out of the equivalent problem, since agencies are obliged to keep records, in many cases for decades.

Which means the only real question is whether those records live somewhere the security architecture covers, or somewhere it doesn’t.

ASD knows all this. The Commonwealth Cyber Security Posture report for 2025 found 59% of entities saying legacy technology was getting in the way of their Essential Eight implementation, and the reasons entities gave for hanging onto legacy systems were predictable: no dedicated funding, no viable replacement.

ASD’s Managing the Risks of Legacy IT guidance is pretty candid that compensating controls are a way of buying time, and the Modern Defensible Architecture material, expanded in October 2025, frames secure-by-design as including a plan to retire legacy systems, not fencing them off forever.

Meanwhile, the Blueprint for Secure Cloud maps PSPF and ISM controls onto Microsoft 365 in considerable detail. You don’t need to squint to see where the Commonwealth’s data security architecture is heading.

So why hasn’t the migration happened?

In my experience the problem is rarely technical. It’s that moving records out of an EDRMS gets framed as a records management project, and records management projects lose funding contests to almost everything.

I say this with affection for records managers, who have been pointing at this problem for a decade. Many of them, though, also show some inflexibility when it comes to records management process, holding to the mistaken belief that simply having Content Manager means being compliant.

The business case gets written as compliance hygiene, the benefits accrue to a team with no budget authority, and the whole thing slips to next financial year, every year. The posture report finding about “lack of dedicated funding” is really a finding about framing.

The framing that works is the one that happens to be true: this is attack surface reduction. A record that moves into M365 inherits, on arrival, every dollar the agency has already spent on its security stack.

A record that stays behind keeps an application tier, a database and an OS estate alive indefinitely, defended by a security team on behalf of a business that stopped using the system for real work years ago. Put that way, it competes for cyber budget rather than records budget, and in my experience that’s when the conversations finally begin to take place.

One thing I’d caution against, though, because I’ve seen the damage first-hand: don’t respond to all this by bulk-dumping the repository into SharePoint as files. The metadata in that EDRMS, the classifications, retention schedules and audit history, is precisely what data-centric security runs on. Purview can’t enforce a classification that got stripped in transit. A blind lift-and-shift takes governed records and turns them into a very large, very sensitive, completely unlabelled file share, which arguably leaves you worse off than where you started. The migration only counts as a security uplift if the records arrive classified, labelled and inside the audit perimeter from day one.
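
As an added illustration of that principle (example code written for this article, not Provenance or any Content Manager tooling): a pre-migration gate that refuses to move any record whose PSPF marking has no sensitivity label mapping, or whose retention schedule or audit history did not survive the export. The marking-to-label table, the disposal class strings and the export manifest are all constructed.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed mapping of PSPF markings to M365 sensitivity label names.
# Real label names are tenant-specific; markings not listed are blocked,
# never silently defaulted to a lower label.
PSPF_TO_LABEL = {
    "OFFICIAL": "Official",
    "OFFICIAL: Sensitive": "Official-Sensitive",
    "PROTECTED": "Protected",
}

@dataclass
class Record:                          # one row of a constructed EDRMS export manifest
    record_id: str
    marking: Optional[str]             # PSPF classification held in the EDRMS
    retention_schedule: Optional[str]  # disposal class; None if stripped in export
    audit_events: int                  # audit-trail entries exported alongside it

def gate(records):
    """Return (cleared, blocked): a record is cleared only if its label,
    retention and audit history will all survive the move."""
    cleared, blocked = [], {}
    for r in records:
        reasons = []
        if r.marking is None:
            reasons.append("no security classification")
        elif r.marking not in PSPF_TO_LABEL:
            reasons.append(f"marking {r.marking!r} has no sensitivity label mapping")
        if not r.retention_schedule:
            reasons.append("no retention schedule")
        if r.audit_events == 0:
            reasons.append("audit history not exported")
        if reasons:
            blocked[r.record_id] = reasons
        else:
            cleared.append({"record_id": r.record_id,
                            "sensitivity_label": PSPF_TO_LABEL[r.marking],
                            "retention_label": r.retention_schedule,
                            "audit_events": r.audit_events})
    return cleared, blocked

# Constructed sample manifest: one clean record and three that a blind
# lift-and-shift would deliver to SharePoint as unlabelled files.
SAMPLE = [
    Record("R-1001", "PROTECTED", "DA-2020-12/3.1", 42),
    Record("R-1002", None, "DA-2020-12/3.1", 7),
    Record("R-1003", "SECRET", "DA-2020-12/1.2", 3),
    Record("R-1004", "OFFICIAL: Sensitive", None, 0),
]
```

Running `gate(SAMPLE)` clears only R-1001; the other three are held back with the reason recorded, so the gap is fixed in the EDRMS export rather than discovered later as an unlabelled file in SharePoint.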

This is the gap my team built Provenance to close. It carries Content Manager holdings into Microsoft 365 with their classifications, retention schedules and audit history intact, so the records arrive governed rather than as a naked file share. The tooling matters less than the principle, though. However you do it, the metadata has to survive the move.

In my opinion, most agencies’ legacy holdings will end up in governed M365 sooner or later, because every signal from ASD and the PSPF points that way, and the users are demanding it. The agencies that do it deliberately will get to design the outcome. The ones that wait will be doing it as remediation, on a timeline set by an incident review.

If your Zero Trust roadmap doesn’t mention the records estate, it’s worth asking why.

Karl Maftoum is the Principal Consultant at Tarrion Consulting and works with Australian Government agencies on information governance. His team built Provenance, a tool which moves Content Manager holdings into Microsoft 365 with classifications, retention and metadata intact. If you’re wrestling with an ageing EDRMS, get in touch.