Jun. 9th, 2014

woodwardiocom
I'm working on a web application at work. Since most of the web apps I've worked on in my career have been internal-facing, my understanding of web security is self-taught and a bit ad hoc. This one is external, and involves a lot of client data that needs some serious attention to security. I told my boss that this was enough outside my skillset that we should get a contractor who knows it better than me, and he agreed. So, here are the parameters:
  • The technology is Windows, IIS, ASP.NET, SQL Server, and related web technologies.
  • The site will require logging in. It will be available to multiple users for multiple clients. Users from different clients must not have access to each other's data.
  • We need advice on the best way to secure the site. (PhoneFactor, local accounts, domain accounts...?)
  • We need advice on the best way to set up the external-facing database. (E.g., copying the data from our internal databases into silos on the external machine?)
  • The third-party software we're using includes DeskSite document management, and a couple legal industry products, IPDAS and CPi. Familiarity with those would be nice, but is not vital.
To be clear, between me and my boss, we have come up with solutions that we believe address all our concerns. We're simply worried that either we've missed obvious holes or, more likely, that we've reinvented the wheel, and needlessly complicated things. We need someone with knowledge of the best practices.

My employer is Wolf Greenfield, a large and respected IP law firm based in Boston.
