Data Strategy Breakdown Series - Defence in depth & Zero Trust (1)
- welka2111
- Apr 30
- 5 min read

Introduction
Let’s be honest - the world of data security has changed drastically. Firewalls and network perimeters aren’t the line of defence they used to be. In today’s cloud-first world, where remote work, bring-your-own-device (BYOD), and AI-powered tools like Microsoft 365 Copilot are the norm, identity is the new perimeter. And yet, many organisations still try to jump straight to advanced data protection without securing the basics.
In this first post of the Data Strategy Breakdown series, I’ll dive into what it really means to build a solid data security foundation using two core strategies: defence in depth and Zero Trust. I'll break it down using real-world examples and practical advice based on what I’ve seen working with clients across industries.
Data strategy with defence in depth and zero trust
When we talk about modern data security, it’s tempting to rush toward tools like Microsoft Purview and sensitivity labels. After all, they’re powerful, and with the rise of Microsoft 365 Copilot, the visibility of data risks has skyrocketed. But here’s the reality I see often:
Conditional Access isn’t enforced
MFA isn’t mandatory for all users (yes, even the CEO!)
Devices are unmanaged or non-compliant
SharePoint and Microsoft 365 permissions are wide open
In those cases, going straight to data classification is like putting a high-security lock on a cardboard door.
That’s where the concept of defence in depth and a Zero Trust approach come into play. These aren’t just buzzwords - they’re essential strategies to protect your data from every angle, whether threats come from outside attackers or internal slip-ups.
What is defence in depth?
Think of defence in depth like protecting a castle. You wouldn’t rely on just one wall to keep intruders out. You’d have a moat, outer walls, inner walls, guards, and checkpoints - each layer designed to slow down, stop, or detect an attacker.
In cybersecurity, it’s the same concept. You apply multiple layers of defence across:
Identity
Devices
Applications
Network
Data
Infrastructure
Even if one layer fails, the others are there to reduce risk and buy you time to respond. It’s not about a single solution, but how all the pieces work together.
What is zero trust?
Zero Trust flips the old “trust but verify” model on its head. Instead, the motto is:
“Never trust, always verify.”
In practical terms, that means:
Don’t assume internal users are safe
Don’t assume devices are secure just because they’re “corporate”
Don’t assume access should be granted just because someone’s logged in
It’s about continuous validation and context-based access. Every user, device, and app must prove its trustworthiness before accessing resources – every time.
Principles of defence in depth and zero trust strategy
Here are the core principles you need to keep in mind:
Verify explicitly - Always authenticate and authorise based on all available data points – identity, device health, location, data sensitivity, and more. Don’t take anything at face value.
Use least privilege access - Only give users the minimum access they need to do their job. No more “just in case” access. This limits the blast radius if credentials are compromised.
Assume breach - Build your security strategy as if an attacker is already inside. Monitor behaviour, segment access, and make it hard for them to move laterally or exfiltrate data.
These principles help protect not just from external attacks but also insider threats – intentional or accidental.
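To make the three principles concrete, here is an added example (not code from the original post) of a small access-decision function that evaluates every request from scratch: it checks MFA for everyone, limits each role to the data tier its job needs, requires a managed and compliant device for anything above public data, and treats an unfamiliar location on confidential data as suspect. The roles, tiers and signals are constructed for the example, not taken from any real tenant.

```python
from dataclasses import dataclass

# Constructed example: a minimal Zero Trust decision for a file-access request.
# Every request is evaluated with all available signals (verify explicitly),
# access is capped at what the role needs (least privilege), and unusual
# context on sensitive data is re-verified rather than trusted (assume breach).

@dataclass
class Request:
    user: str
    role: str                # e.g. "ceo", "finance", "staff", "contractor"
    mfa_passed: bool
    device_managed: bool
    device_compliant: bool
    location_familiar: bool
    sensitivity: str         # "public", "internal" or "confidential"

# Least privilege: the highest data tier each role needs for its job.
# Hypothetical mapping constructed for this example.
ROLE_MAX_TIER = {"ceo": "confidential", "finance": "confidential",
                 "staff": "internal", "contractor": "public"}
TIER_RANK = {"public": 0, "internal": 1, "confidential": 2}

def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'."""
    # Verify explicitly: MFA is required for every identity, whatever the title.
    if not req.mfa_passed:
        return "deny", "MFA not satisfied"
    # Least privilege: unknown roles get the lowest tier; no "just in case" access.
    allowed = ROLE_MAX_TIER.get(req.role, "public")
    if TIER_RANK[req.sensitivity] > TIER_RANK[allowed]:
        return "deny", f"role {req.role!r} has no need for {req.sensitivity} data"
    # Device posture: anything above public needs a managed, compliant device.
    if req.sensitivity != "public" and not (req.device_managed and req.device_compliant):
        return "deny", "unmanaged or non-compliant device"
    # Assume breach: a valid credential in an unfamiliar place touching
    # confidential data is challenged again instead of being trusted.
    if req.sensitivity == "confidential" and not req.location_familiar:
        return "step_up", "unfamiliar location for confidential data"
    return "allow", "all signals satisfied"
```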
Real life examples
Here’s what this looks like on the ground:
One client came to me excited to roll out Microsoft Purview for labelling and protecting sensitive data. Great initiative - except the CEO wasn’t enrolled in MFA, and their contractors were accessing everything from personal, unmanaged devices.
With Copilot now able to search through SharePoint, emails, and files, suddenly everything felt more exposed. But the exposure wasn’t new - Copilot just made it visible. That’s why identity and device security have to come first. Labels help, but if your doors and windows are wide open, the best lock in the world won’t stop a breach.
Another client had perfectly labelled documents, but anyone in the organisation could join a Teams meeting and download sensitive files from overly open SharePoint sites. The weakest link wasn’t the labels - it was the access model.
Attackers look for the easiest way in. If you’ve locked down MFA, they’ll look for misconfigured file shares. If devices are protected, they’ll try phishing one of your users. Defence in depth ensures that no single misstep becomes a full-blown disaster.
Why defenders need to be proactive, not reactive
Now, let’s get into why this approach is essential. A mistake I often see is assuming that attackers will only use the techniques that worked yesterday – or that they’ll attack based on the defences we think we’ve put in place.
The truth is, attackers are creative. They're constantly adapting and evolving, looking for the easiest path to their goal.
Attackers may be motivated by profit, espionage, or even just chaos, but one thing remains true: they’ll find the quickest way in. This is why it’s crucial to take a holistic, proactive approach to security. Instead of just reacting to the latest threats, you need to ensure that your security measures are strong, well-placed, and constantly evolving.
Key takeaway: prioritising security mitigations
One of the hardest challenges for defenders is knowing where to start. Attackers are smart, and they’re always looking for weak points. This means we have to focus on prioritising our defences based on what’s most important.
Here’s a quick guide on how to do that:
Important/valuable assets - focus on protecting your most critical resources – data, intellectual property, and IT admins with access to everything.
Easiest/cheapest defences - sometimes, it’s better to implement fast, low-cost measures that can have a big impact, such as enabling multi-factor authentication (MFA) or setting up automatic patch management.
Most effective defences - prioritise defences that create the most disruption for attackers. Think about systems that make it harder for them to achieve their objectives, like advanced threat protection and detection.
By aligning your security strategy with these priorities, you can better defend against cyber threats without burning a hole in your budget.
Conclusion
There’s no silver bullet when it comes to data security. Tools like Purview are powerful, but only when built on a strong foundation of identity and device security. That’s why a strategy rooted in defence in depth and Zero Trust is essential.
Your business – your castle – deserves protection from all angles. Assume breach, verify everything, and give access only where absolutely necessary. Labels are one part of the puzzle, but the full picture is much bigger.
Up next - Basic Security Hygiene - the foundational steps that every organisation should take to reduce their attack surface. Stay tuned for more!