What is secure by design?

Secure by design is the principle that security should be built into a digital solution from its initial architecture rather than applied once it is delivered. Without it, access governance, data classification and compliance requirements are addressed after the fact, at the point they are most expensive and disruptive to resolve.

As a Microsoft Solutions Partner with Security designations and ISO 27001 certification, Littlefish Group treats security as a design discipline across every engagement we take on, with threat modelling informing architecture decisions before they are finalised, access controls configured to enforce least privilege from day one and data governance obligations shaping the solution itself rather than being applied to it once it is built. By the time a solution goes live, its security posture is already established, validated and documented for handover.

Our Secure by Design approach

  • Threat modelling before architecture decisions are made

    Before we finalise any architecture, we analyse the threat landscape specific to your sector, your environment and the solution being built. NHS trusts, financial services firms, utilities and central government organisations each carry distinct compliance obligations and threat profiles, including DSPT, FCA operational resilience requirements and NIS Regulations, and we account for these in our design decisions before they are locked in.

  • Least privilege access configured correctly from the start

    We scope every user account, service principal and application integration to the minimum permissions its function requires, configuring this before any settings are written rather than correcting it once a solution is in use. We apply Microsoft Entra ID conditional access policies and role-based access control as standard, with Privileged Identity Management (PIM) implemented where standing administrative access carries unacceptable risk.

  • Data governance built into every solution

    We treat data classification, GDPR obligations and retention requirements as design inputs rather than post-deployment findings, which means they shape the solution itself rather than being layered over it once it is live. For organisations in the Microsoft ecosystem, we implement Microsoft Purview as part of the deployment, covering information protection labels, data loss prevention policies and retention configurations from go-live.

  • Security control validation before every handover

    Before any solution moves into live operation, we validate security controls against the original design intent, covering access configuration, data governance settings, network controls, audit and logging coverage and integration boundaries. This confirms that what we designed is what we built, that configurations have not drifted during delivery and that your team inherits a known, tested environment from go-live.

  • “Littlefish Group helped us understand where we could drive efficiencies as we scaled. It genuinely felt like they were in it with us – they wanted us to win. The team members on the service desk are second to none. Our NPS scores show that. I couldn’t ask for more supportive people than the team at Littlefish Group.”
    Karen Copley
    Head of IT Service Delivery
  • Operationally, Littlefish Group have been an excellent partner. From a collaboration perspective, we share the same goals. There’s never a time when they’re not contactable. Littlefish Group collaboratively work with our other providers, they’re always happy to take on other responsibilities, enhancing user experience via first time fixes and shift left responsibilities; their activities have been second to none.
    Huw Stephens
    CIO and Head of Treasury Business Solutions, HM Treasury
  • Through a highly integrated approach, Littlefish Group has brought together the core service pillars that underpin NHS Supply Chain’s digital operations. These include Service Integration and Management, Modern Workplace solutions, a 24/7 Service Desk, and a dedicated Service Management Office. Together, these services enable us to deliver meaningful improvements that boost operational efficiency, enhance end-user experience, and ensure consistent, high-quality service delivery.
    Matt Wynn
    Data and Technology Executive Director, NHS Supply Chain
  • “Littlefish Group provide a dependable and professional out‑of‑hours and weekend service desk service, which is critical to maintaining continuity of our NHS services. Their team understands the demands of a 24/7 healthcare environment and responds promptly and effectively to support clinical and operational staff when it matters most. The service they deliver is reliable, well‑managed, and aligned with the high standards required to support patient care and frontline services.”
    Kev Fisher
    Assistant Director of Digital Technical Services, University Hospital of Derby and Burton Trust
  • “Since the rollout of the solution, Muiríosa continues to transform what once was a static repository of information into a dynamic tool for communication and learning. Key documents, data and systems are now consolidated across Muiriosa’s 200 locations, ensuring information is accessible to everyone and maintaining transparency across the organisation.”
    Deborah Gleeson
    Information Officer, Muiriosa
  • We are now a couple of months into our independent operation, and we’ve already begun to see a big difference; the speed of our support tickets has improved. We’re able to leverage and use a lot more of the Microsoft ecosystem.
    Jasper Hegarty-Ditton
    Delivery Director, Data and Digital Transformation, LUU
  • “This is why we partnered with Littlefish, a managed IT and cyber services provider that is nimble and understands that our diverse structure means diverse solutions. We look forward to building this partnership over the coming months and years.”
    Richard Murphy
    Chief Information Officer, National Gas
  • “Since Littlefish have been appointed, they have been consistently delivering really excellent service to our staff. We have really tough expectations and have a sliding scale approach to customer satisfaction, so as the years go on, it gets harder. I’m really pleased to report that Littlefish have consistently met this scale.”
    Rob Langley
    Chief Information Officer, Cafcass
  • “It made sense to us to go to an organisation that could offer us a range of security services… we chose Littlefish because they could provide everything we needed. In an ever-evolving landscape, there’s always more to learn and new threats emerging, so I’m confident that Littlefish can help us with that.”
    Amanda Hodge
    ICT Manager
  • “We don’t see Littlefish as an ‘at arm’s length’ organisation, but as a partnership that works closely with us and that’s really important. We’ve really had great engagement in how they wish to understand our unique business and the way we operate and we’re starting to really reap the rewards of that engagement now.”
    Nigel Hall
    Director of IT and Analytics

Why organisations embed security by design

Post-deployment security issues consume IT capacity

Security issues discovered after deployment create a remediation workload that grows in complexity the longer it remains unresolved. Misconfigured access, absent data classification and uninspected integration boundaries all require rework against a live system that already has workflows and dependencies built around it, consuming IT capacity that could be directed elsewhere.

Regulators assess the system, not just the processes around it

Regulatory frameworks across healthcare, financial services, utilities and central government assess the system itself as well as the processes surrounding it. Data protection controls and access governance built into a solution at the design stage are considerably more straightforward to evidence to the ICO, FCA and sector-specific regulators than controls applied retrospectively.

Handover quality determines your security starting point

A security operations team that inherits a project without a validated baseline has to establish the environment’s posture through post-go-live monitoring rather than starting from a known position. What is designed and handed over directly determines how quickly and effectively your security function can protect and respond from day one.

Overcoming your security challenges together

Every solution we deliver goes live into a threat environment that is actively evolving. The figures to the right reflect the current state of that environment for UK organisations and illustrate why addressing security at the architecture stage matters. Organisations that treat security as a design discipline are better positioned to manage these conditions than those that discover their exposure after a solution is already live and in use.

From project delivery to ongoing security operations

Our Secure by Design approach covers the project and architecture layer, ensuring access is correctly configured, data governance is in place and a validated security baseline is documented before we hand over. Maintaining that security posture in a live environment through continuous threat detection, incident response, vulnerability management and compliance assurance is a distinct function we provide through our managed cyber security services, and we design every project with that handover in mind.

For organisations planning a major deployment or cloud migration, a security architecture review ahead of the engagement can form part of the scoping process.

Talk to us about Secure by Design

If you are planning a cloud migration, a Microsoft 365 or Dynamics 365 deployment or any digital transformation programme where security needs to be built in from the start, we would welcome the conversation. Get in touch to discuss your requirements.
