Yes. This will be a brief answer.
I like the concept of Zero Trust. I believe it was a Forrester article a while ago, not sure if that's the source, but it reflected my sentiments exactly.
We need to assume that any and all devices that have access to our systems are compromised.
Taking that into account, we need to harden our applications, our systems, and the data that resides on them. We do this in several tiers and they work well.
All access and messages to every layer of this model should be authenticated, authorized, filtered, and validated.
1) Access Tier: generally a front-end services layer, web servers, load balancers, firewalls, IPS, application firewalls, etc.
2) Application Tier: this is where all of our business logic sits to correlate, compile, change, filter, etc.
3) Data Access Tier: all data access should be restricted to need to know. This should be a separate layer that performs more than just storage; this is the layer that will enforce access and policies to data. i.e. a user should only access information for one user and no more than 50 users in an hour, etc.
4) Monitoring and Response: everything should be monitored for variance and alerted and responded to. Most of this operation can be automated and reduced so the incident handler only needs to respond to valuable intelligence.
* Authentication and Authorization are in Place at the User Level (No System Level Access to Data or Services)
* Transport Layer Security is in Place
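The data access tier described in this answer, as an added example that is not the answer author's code: a policy enforcement point in front of storage that authenticates the caller, authorizes the request (own record only, unless the caller holds an assumed "support" role), enforces the "no more than 50 users in an hour" rule as a sliding window of distinct record owners, and raises an alert for the monitoring tier on every denial. The in-memory record store, the principal/role/owner parameters and the alert format are constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600
MAX_DISTINCT_OWNERS_PER_HOUR = 50   # the "no more than 50 users in an hour" rule


class DataAccessTier:
    """Policy enforcement point between the application tier and storage (hypothetical design)."""

    def __init__(self, records):
        self.records = records                 # owner -> record (constructed in-memory store)
        self.alerts = []                       # every denial is handed to the monitoring tier
        self._history = defaultdict(deque)     # principal -> deque of (timestamp, owner) reads

    def _alert(self, kind, principal, owner):
        self.alerts.append({"kind": kind, "principal": principal, "owner": owner})

    def read(self, principal, roles, owner, now):
        """Return the requested record, or None if any check fails."""
        # Authentication: an unidentified caller is rejected before any lookup happens.
        if not principal:
            self._alert("unauthenticated", principal, owner)
            return None
        # Authorization: a user may read only their own data; support staff (assumed role) may read others.
        if owner != principal and "support" not in roles:
            self._alert("unauthorized", principal, owner)
            return None
        # Rate policy: count distinct owners this principal has touched in the trailing hour.
        hist = self._history[principal]
        while hist and now - hist[0][0] >= WINDOW_SECONDS:
            hist.popleft()                     # drop reads that fell out of the window
        distinct = {o for _, o in hist}
        if owner not in distinct and len(distinct) >= MAX_DISTINCT_OWNERS_PER_HOUR:
            self._alert("rate_limit", principal, owner)
            return None
        hist.append((now, owner))
        # Only now does the request reach storage.
        return self.records.get(owner)
```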