
Post-Breach Remediation: Implementing "Zero Trust" Architecture for a High-Prestige Law Firm

Secured a prestigious law firm following a major phishing breach by implementing automated governance, geo-fencing, and strict access controls

Project Overview

Role: Security Consultant / Engineer
Industry: Legal / High-Prestige Services
Environment: M365, SharePoint Online, Entra ID
Tech Stack: PnP PowerShell, Power Automate, Conditional Access, Azure VPN, Mimecast

The Mission

The Mission: Secure a prestigious law firm following a major phishing breach targeting a Director.

The Catch: An environment running on the "Honor System," where Partners had unrestricted access to all client data, and "Ghost" external users lurked in file shares.

The Solution: A complete restructure of Information Governance using PnP PowerShell, Power Automate, and Entra ID Conditional Access to enforce a strict "Need-to-Know" model.

Key Outcomes

  • Automated "Client-Partner" permissions eliminating manual access errors
  • 100% Geo-Fencing with strict location-based access controls
  • Elimination of external risk through ghost user purge
  • Regulatory compliance achieved with auditable "Least Privilege" model

The Challenge: The "Honor System" Failure

I was brought in after a Director was phished, resulting in a mass-email event. While an MSP had performed "First Aid" (password resets), the underlying architecture was critically vulnerable.

The audit revealed three major risks:

  • The "Honor System" Security: There was no technical segregation of data. All Partners had access to all client files. The firm relied on Partners simply "agreeing" not to look at cases they weren't working on.
  • Ghost Users: I discovered multiple SharePoint subfolders shared with external personal email addresses that current staff could not identify, a massive data-leak risk.
  • Audit Blindness: Permissions were assigned manually and sporadically. There was no way to prove who had access to what for compliance.

This "Honor System" approach was fundamentally incompatible with modern security requirements and regulatory compliance. The breach exposed the critical vulnerability: when trust is the only security control, a single compromised account can access everything.

The Solution: Code-Based Governance

I implemented a strict policy: "Manual Permissions are Forbidden." Access must be dictated by identity, not human favor.

Pillar 1: Dynamic Client Access (The Technical Win)

The challenge was allowing Partners access only to their specific clients without burdening IT.

Architecture: I broke permission inheritance on the "Clients" document library.

The Automation: I created a SharePoint "Master List" mapping Partners to their specific Client Cases.

The Scripting: I built a Power Automate flow triggered by this list. When a Partner was assigned a case, the flow triggered a PnP PowerShell script to dynamically inject that user's permissions onto the specific folder.

Result: Compliance became automatic. If a Partner isn't on the list, they cannot see the files.

This eliminated human error entirely: no engineer could accidentally grant access to the wrong confidential folder, because the system granted access based solely on the Master List.
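The Master List reconciliation from Pillar 1 and the ghost-user audit from the Challenge section, as one added example: this PnP PowerShell script is not the firm's or Sentryn's own code. It assumes placeholder values for the site URL, the Master List title and its two columns ("Partner" as a Person column, "ClientFolder" as the folder name), and that the Clients library's URL segment is "Clients". Run with -ReportOnly first: it prints every principal that would be added or removed, calls out external guests (the `#ext#` logins) separately, and changes nothing.

```powershell
# Added example (not the firm's or Sentryn's script). Reconciles each client folder's
# permissions against the SharePoint Master List. Placeholders: site URL, list title,
# the "Partner" (Person) and "ClientFolder" (text) columns, and the library URL segment.
[CmdletBinding()]
param(
    [string]$SiteUrl     = "https://contoso.sharepoint.com/sites/Legal",  # placeholder
    [string]$MasterList  = "Partner Case Master List",                    # placeholder title
    [string]$ClientsList = "Clients",                                     # library named in the case study
    [string]$ClientsUrl  = "Clients",                                     # assumed URL segment of that library
    [string]$Role        = "Contribute",                                  # role a listed partner receives
    [switch]$ReportOnly                                                   # audit only, change nothing
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

# The site owners group stays on every folder: it is IT's break-glass path.
$ownersLogin = (Get-PnPGroup -AssociatedOwnerGroup).LoginName

# --- 1. Desired state: folder path -> set of partner emails, straight from the Master List ---
$desired = @{}
foreach ($item in Get-PnPListItem -List $MasterList -PageSize 500) {
    $folder = "$ClientsUrl/$($item['ClientFolder'])"
    $email  = $item['Partner'].Email.ToLowerInvariant()
    if (-not $desired.ContainsKey($folder)) {
        $desired[$folder] = [System.Collections.Generic.HashSet[string]]::new()
    }
    [void]$desired[$folder].Add($email)
}

# --- 2. Current state: the role assignments actually present on one folder ---
function Get-FolderAssignments([string]$FolderUrl) {
    try { $folder = Get-PnPFolder -Url $FolderUrl -ErrorAction Stop }
    catch { Write-Warning "Listed folder not found: $FolderUrl"; return }
    $li = Get-PnPProperty -ClientObject $folder -Property ListItemAllFields
    Get-PnPProperty -ClientObject $li -Property HasUniqueRoleAssignments | Out-Null
    if (-not $li.HasUniqueRoleAssignments) {
        # Still inheriting from the library: copy the inherited set, then prune it in step 3.
        Write-Warning "$FolderUrl inherits library permissions"
        if (-not $ReportOnly) { $li.BreakRoleInheritance($true, $true); Invoke-PnPQuery }
    }
    Get-PnPProperty -ClientObject $li -Property RoleAssignments | Out-Null
    foreach ($ra in $li.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Assignment = $ra
            Login      = $ra.Member.LoginName
            Email      = $(if ($ra.Member.Email) { $ra.Member.Email.ToLowerInvariant() } else { $null })
            Roles      = @($ra.RoleDefinitionBindings | ForEach-Object Name)
        }
    }
}

# --- 3. Reconcile: add what the list says, remove everything the list does not say ---
$findings = foreach ($folder in $desired.Keys) {
    $current = @{}
    foreach ($a in Get-FolderAssignments $folder) {
        if ($a.Login -eq $ownersLogin -or $a.Login -eq 'SHAREPOINT\system') { continue }
        # "Limited Access" only marks traversal to a child item; it is not a grant on this folder.
        if ($a.Roles.Count -eq 1 -and $a.Roles[0] -eq 'Limited Access') { continue }
        $current[$(if ($a.Email) { $a.Email } else { $a.Login })] = $a
    }
    foreach ($email in $desired[$folder]) {
        if ($current.ContainsKey($email)) { continue }
        [pscustomobject]@{ Folder = $folder; Principal = $email; Action = 'Add' }
        if (-not $ReportOnly) {
            Set-PnPFolderPermission -List $ClientsList -Identity $folder -User $email -AddRole $Role
        }
    }
    foreach ($key in $current.Keys) {
        if ($desired[$folder].Contains($key)) { continue }
        # Anything left is an orphan: a leftover group, a departed partner, or a "ghost" guest.
        $isGuest = $current[$key].Login -like '*#ext#*'
        [pscustomobject]@{
            Folder    = $folder
            Principal = $key
            Action    = $(if ($isGuest) { 'Remove (external guest)' } else { 'Remove' })
        }
        if (-not $ReportOnly) { $current[$key].Assignment.DeleteObject(); Invoke-PnPQuery }
    }
}

$findings | Format-Table -AutoSize
```

In the design described above, the Power Automate flow would call this (or a copy scoped to the single folder that changed) whenever a Master List row is added or removed; running the same script on a schedule in -ReportOnly mode also catches any permission that was later re-added by hand, which is the drift the "Manual Permissions are Forbidden" policy exists to stop.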

Pillar 2: The Fortress (Entra ID Conditional Access)

To prevent future breaches, we locked the front door using Context-Aware Access.

  • Geo-Fencing: Implemented strict policies blocking all logins from high-risk nations (Russia/China). Standard users were locked to the UK only.
  • The "Travel Protocol": Created a managed group for Partners travelling abroad, enforcing strict session limits and MFA requirements while outside the UK.
  • VIP Protection (Azure VPN): For the most sensitive Directors, we configured an Azure VPN Gateway. Conditional Access was configured to only allow their logins if they originated from the specific static IP of the VPN.
  • Device Trust: Strictly blocked BYOD. Only managed, compliant devices could access firm data.
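The four Conditional Access controls listed above, expressed as an added example with the Microsoft Graph PowerShell SDK; this is not the firm's or Sentryn's own configuration. All group object ids and the VPN gateway's egress address are placeholders, the 8-hour sign-in frequency for travellers is an assumed value, and the excluded emergency-access ("break-glass") group is an assumption added so that a mis-scoped policy cannot lock every administrator out. Each policy is created in report-only state so its effect can be checked in the sign-in logs before it is switched to enforced.

```powershell
# Added example, not the firm's or Sentryn's configuration. Uses the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns). Group ids, the VPN egress address
# and the sign-in frequency are placeholders/assumptions.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder object ids for the Entra groups the case study describes.
$StandardUsers = "00000000-0000-0000-0000-000000000001"   # all staff, locked to the UK
$TravelGroup   = "00000000-0000-0000-0000-000000000002"   # partners travelling abroad
$VipGroup      = "00000000-0000-0000-0000-000000000003"   # directors behind the VPN
$BreakGlass    = "00000000-0000-0000-0000-000000000004"   # emergency-access accounts (assumed)
$VpnEgressCidr = "203.0.113.10/32"                        # placeholder static IP of the Azure VPN Gateway

# --- Named locations ---
$uk = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United Kingdom"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false   # unknown geo is never treated as UK
}
$highRisk = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "High-risk countries"
    countriesAndRegions               = @("RU", "CN")
    includeUnknownCountriesAndRegions = $true    # unknown geo is treated as high risk
}
$vpn = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Azure VPN egress"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $VpnEgressCidr })
}

# Helper: every policy starts in report-only state so sign-in logs show its impact first.
function New-CaPolicy {
    param([string]$Name, [hashtable]$Users, [hashtable]$Locations, [hashtable]$Grant, [hashtable]$Session)
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
        conditions    = @{
            users        = $Users
            applications = @{ includeApplications = @("All") }
        }
        grantControls = $Grant
    }
    if ($Locations) { $body.conditions.locations = $Locations }
    if ($Session)   { $body.sessionControls = $Session }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Everyone: block sign-ins from the high-risk countries.
New-CaPolicy -Name "CA01 Block high-risk countries" `
    -Users @{ includeUsers = @("All"); excludeGroups = @($BreakGlass) } `
    -Locations @{ includeLocations = @($highRisk.Id) } `
    -Grant @{ operator = "OR"; builtInControls = @("block") }

# 2. Standard users: anything outside the UK is blocked; the travel group is carved out.
New-CaPolicy -Name "CA02 Standard users UK only" `
    -Users @{ includeGroups = @($StandardUsers); excludeGroups = @($TravelGroup, $BreakGlass) } `
    -Locations @{ includeLocations = @("All"); excludeLocations = @($uk.Id) } `
    -Grant @{ operator = "OR"; builtInControls = @("block") }

# 3. Travel protocol: outside the UK, partners must pass MFA and re-authenticate every 8 hours.
New-CaPolicy -Name "CA03 Travel protocol" `
    -Users @{ includeGroups = @($TravelGroup); excludeGroups = @($BreakGlass) } `
    -Locations @{ includeLocations = @("All"); excludeLocations = @($uk.Id) } `
    -Grant @{ operator = "OR"; builtInControls = @("mfa") } `
    -Session @{ signInFrequency = @{ isEnabled = $true; type = "hours"; value = 8 } }

# 4. VIP protection: directors may only sign in from the VPN gateway's egress address.
New-CaPolicy -Name "CA04 VIP VPN only" `
    -Users @{ includeGroups = @($VipGroup); excludeGroups = @($BreakGlass) } `
    -Locations @{ includeLocations = @("All"); excludeLocations = @($vpn.Id) } `
    -Grant @{ operator = "OR"; builtInControls = @("block") }

# 5. Device trust: every user needs a compliant (Intune-managed) device; BYOD gets no access.
New-CaPolicy -Name "CA05 Require compliant device" `
    -Users @{ includeUsers = @("All"); excludeGroups = @($BreakGlass) } `
    -Grant @{ operator = "OR"; builtInControls = @("compliantDevice") }
```

Policy order matters less than coverage: Conditional Access evaluates every matching policy and a single block wins, so a VIP who is also in the standard-users group is still blocked outside the UK by CA02 even when connected through the VPN, unless the VPN location is also excluded there. Reviewing the report-only results for each group before enforcement is the check that surfaces such overlaps.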

This multi-layered approach created defense-in-depth: even if credentials were compromised, location, device, and network context would prevent unauthorized access.

Pillar 3: Email Hardening (Mimecast)

Deployed Mimecast Cloud, integrated with Entra ID through Enterprise Apps.

I worked directly with the CEO and Partners to fine-tune the "aggression level" of the filtering, balancing security with the reality of their high-volume workflows.

This collaborative approach ensured that security controls didn't break business operations while still providing robust protection against phishing and malicious emails.

The Results

Project Results Summary

  • 100% Geo-Fencing
  • 0 Ghost Users
  • 100% Automated
  • 0 Manual Errors

Data Sovereignty Secured

External "Ghost" users were purged, and external sharing was locked down to specific domains. The firm now had complete visibility and control over who could access sensitive client data.

Regulatory Compliance

The firm moved from non-compliant "Open Access" to a strict, auditable "Least Privilege" model. Every access decision was now traceable, with automated logs proving who had access to what and when.

Human Error Eliminated

By automating permissions via Power Automate and PnP, the risk of an engineer accidentally granting access to the wrong confidential folder was removed entirely. The system enforced access based on identity and role, not manual configuration.

  • Access Control: 100% automated Client-Partner permissions
  • Geo-Fencing: 100% location-based access restrictions
  • External Risk: 0 ghost users remaining (all eliminated)
  • Compliance: 100% auditable Least Privilege model

Key Takeaways

Success Factors:

  • Code-based governance: eliminating manual permissions removed human error
  • Context-aware access: location, device, and network controls created defense-in-depth
  • Collaborative security: working with leadership ensured controls didn't break workflows
  • Automated compliance: every access decision was traceable and auditable

Technical Innovation:

  • Power Automate + PnP PowerShell integration for dynamic permission management
  • SharePoint Master List as single source of truth for access control
  • Multi-tier Conditional Access policies with VIP protection via Azure VPN
  • Mimecast integration for advanced email security without workflow disruption

This case study demonstrates how Zero Trust architecture can be implemented in high-stakes environments where trust-based security models have failed. By moving from "Honor System" to code-based governance, the firm achieved both security and compliance without sacrificing operational efficiency.

Is Your Sensitive Data Protected by Technology, or Just the "Honor System"?

I build automated governance structures that secure data without breaking workflows. Let's discuss your security and compliance requirements.

Why Choose Sentryn?

Proven Security Expertise

Successfully implemented Zero Trust architecture for high-prestige law firms, achieving 100% compliance and eliminating security vulnerabilities.

Automated Governance

Code-based access control eliminates human error and ensures auditable compliance with regulatory requirements.

Workflow Integration

Security controls that protect data without breaking business operations, designed in collaboration with leadership.