A software development company is launching a new application that will store sensitive user data. The board of directors has expressed concerns about potential unauthorized access to this data. Which strategy would be MOST effective in protecting user data from unauthorized access?