If you’d told me 25 years ago, when I was on the helpdesk resetting passwords, that I’d one day be responsible for protecting a financial company’s most sensitive data from a direct competitor, I might have laughed. Back then, security was antivirus, a firewall, and some polite reminders about not sharing passwords. Today? It’s a chess game, and ringfencing is one of the powerful moves in the real-world landscape of data protection. In this ever-evolving landscape, understanding the powerful implications of data security is crucial.
In one of my last projects, we were faced with the sale of a division in another country. On paper, it sounded straightforward: the division was moving to a competitor. In reality, it was a data security nightmare waiting to happen.
Setting the Scene
- Remove all permissions to resources they shouldn’t see
- Keep access to what they needed, whether in M365, SaaS, or on-premises systems
- Maintain network connectivity only where appropriate
- Make sure the business didn’t grind to a halt while we did it
Ringfencing in Action
Create a security boundary around the crown jewels: ringfencing, as it’s called. Keep the right people inside, keep everyone else out, and make sure legitimate workflows still function.
Now you’ll find a lot of theoretical advice online about how to handle this. Some will point to frameworks, others to features like Microsoft Information Barriers. And yes, Information Barriers are powerful. But in this case, they weren’t an option. The company hadn’t implemented them, and rolling them out in the middle of a high-stakes divestiture would have been like rebuilding a bridge while the traffic was still driving over it.
So, we went with what I like to call the “Current State Reality Check” method:
- First, map out exactly what the environment looked like: accounts, groups, permissions, VPN access rules, M365 share settings, SaaS integrations, and on-premises resources
- Next, sit down with all parties concerned to agree who needs what, where and why
- Finally, enforce those decisions, using in this case PowerShell and a healthy dose of common sense
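The three steps above, sketched as an added PowerShell example (not the project's own script): it compares a current-state export against the agreed access list and produces a reviewable plan plus a rollback record. All user, group and file names are hypothetical, and the sample data is constructed.

```powershell
# Step 1: current state. Constructed sample rows standing in for a real
# export of group memberships (user, division, group).
$currentState = @(
    [pscustomobject]@{ User = 'alice'; Division = 'Divested'; Group = 'Finance-Reports' }
    [pscustomobject]@{ User = 'alice'; Division = 'Divested'; Group = 'Divested-Shared' }
    [pscustomobject]@{ User = 'bob';   Division = 'Divested'; Group = 'VPN-Corporate' }
    [pscustomobject]@{ User = 'bob';   Division = 'Divested'; Group = 'VPN-Divested' }
    [pscustomobject]@{ User = 'carol'; Division = 'Retained'; Group = 'Finance-Reports' }
)

# Step 2: the agreed outcome of the stakeholder sessions: the only groups
# the divested division keeps (hypothetical names).
$agreedForDivested = @('Divested-Shared', 'VPN-Divested')

function Get-RingfencePlan {
    param(
        [Parameter(Mandatory)] [object[]] $CurrentState,
        [Parameter(Mandatory)] [string[]] $AllowedGroups,
        [string] $Division = 'Divested'
    )
    foreach ($entry in $CurrentState) {
        # Staff outside the divested division are never touched by this plan.
        if ($entry.Division -ne $Division) { continue }
        $action = if ($AllowedGroups -contains $entry.Group) { 'Keep' } else { 'Remove' }
        [pscustomobject]@{
            User   = $entry.User
            Group  = $entry.Group
            Action = $action
        }
    }
}

$plan = Get-RingfencePlan -CurrentState $currentState -AllowedGroups $agreedForDivested

# Record every planned removal before anything changes, so the exact
# memberships can be restored if a workflow breaks.
$plan | Where-Object Action -eq 'Remove' |
    Export-Csv -Path ./ringfence-rollback.csv -NoTypeInformation

# The plan is what gets reviewed and signed off before enforcement.
$plan | Sort-Object User, Group | Format-Table -AutoSize

# Step 3: enforcement. With the ActiveDirectory module loaded, each 'Remove'
# row maps to a dry run first:
#   Remove-ADGroupMember -Identity $row.Group -Members $row.User -WhatIf
```

The same delta logic applies to any export that reduces to "who has what": VPN rules, SaaS assignments or share settings only change the source of the rows and the enforcement call.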
Balancing Security & Business Needs
One thing I’ve learned is that you can’t treat security in isolation, especially in hybrid environments where Microsoft 365, SaaS, and on-prem resources are all tightly interwoven. On this project, the mandate from the board was clear: security was critical, but disruption to the business had to be minimal.
That’s easier said than done. In a divestiture, timelines are short, and the stakes are high. Lock things down too aggressively, and you risk breaking workflows, blocking VPN access, or preventing employees from using the tools they need to serve customers. Move too slowly or loosely, and sensitive data could leak to a competitor. Ringfencing had to walk that fine line between speed and permission.
We approached it in phases. Instead of pulling the plug on entire sections of access all at once, we tested changes in smaller, controlled steps. VPN rules, SaaS integrations, and Microsoft 365 sharing settings were validated before rolling them out broadly. Each phase came with fallback options so if something went wrong, we could quickly restore service.
Just as important was communication. Users needed to understand why access was changing, and leadership needed confidence that the project wouldn’t derail operations. We avoided drowning executives in technical detail and instead used simple analogies: every restriction was explained as “closing a door in the office building, only the right people keep their keys.” That language helped stakeholders understand why controls were necessary without feeling like IT was putting up walls just for the sake of it.
In the end, this balance came down to collaboration. Security, operations, business owners, and even representatives from the divested division had to be aligned. Each group had different priorities, but the shared goal was clear: protect the business, keep it running, and hand over a cleanly separated environment.
Lessons Learned
If you search for IT infrastructure ringfencing, you’ll mostly find broad zero-trust articles or generic policy write-ups. The reality is that every environment is unique, every business situation has its quirks, and no amount of textbook theory replaces knowing your infrastructure inside out.
In our case it wasn’t about picking the perfect tool or following a textbook framework step by step. It was about clarity: clarity on what we were protecting, clarity on who needed access, and clarity on how each change would ripple across the business.
What stood out the most was the balancing act. If you lock things down too tightly, you risk disrupting operations. If you leave things too open, you risk data leakage. The sweet spot lies in precision: making targeted, well-tested changes that protect critical assets while allowing the business to keep moving forward.
For me, that’s the real lesson of ringfencing: it’s not compromise, it’s control with intent. Every control has to be sharp enough to protect, but flexible enough to let the business breathe. Get that balance right, and you’ve not only secured the environment, you’ve also built trust with the people who rely on it.
Looking Ahead
I think ringfencing will only become more critical in the near future, especially with hybrid and AI-driven infrastructures. But the core principle will remain the same: secure what matters, allow what’s needed, and don’t let complexity become the enemy of security.
The future of ringfencing isn’t about adding more barriers for the sake of it; it’s about applying controls with precision. The environments we protect are only getting more complex, but the lesson holds true: the sharpest security isn’t the one that blocks the most, it’s the one that protects exactly what’s at risk while keeping the business running smoothly.
After all, the simplest lock can be the hardest to pick, if it’s on the right door.