Encrypting data at rest only

Using antivirus as the only defense

Creating multiple layers of security

Outsourcing security to third-party providers

Physical Control

Mental Control

Technical Control

Administrative Control

Lock on a server room door

Employee awareness training

Two-Factor Authentication (2FA)

Security guard patrolling the premises

Encrypts email communications

Monitors employee productivity

Acts as a buffer zone between external and internal networks

Blocks access to social media

Network Layer

Data Layer

Endpoint Security

Application Layer

Assumes everything inside the network is safe

Allows unrestricted access for trusted devices

Requires continuous verification of all resources

Uses only physical security measures

Encrypt network traffic

Filter data at the physical layer

Protect applications from web-based threats

Monitor VPN traffic