Models of protection 

What else do organisations rely on to protect their assets and information?

Now, you’ll look at what controls your organisation can implement at the network, application, and data levels.

If an organisation wants to protect data being exchanged between two users over an open network, then there are three approaches, or models, that can be used:

1. First, the organisation can implement network level protection, such as a Virtual Private Network or VPN. As the name implies, this is a way of creating a private network across an untrusted network such as the internet. VPNs can be used for a number of reasons, such as:
   • To securely connect isolated local area networks (LANs) across the internet.
   • To allow mobile users remote access to corporate network using the internet.
   • To control access within an intranet environment.
2. The organisation can implement application-level protection, such as Web Service Security or S/MIME to provide end-to-end security at a user level by encryption applications at client workstations and server hosts.
3. The organisation can implement controls at the data level, such as WinZip, for directly encrypting the data being exchanged via their email service.

Typically, organisations implement one of these models of protection. If an organisation has implemented a VPN between different sites, they won’t generally implement secure email. However, depending on their risk appetite, some organisations that handle more sensitive information could implement several layers of controls.

To illustrate, an organisation might have a VPN for inter-site communications, but when two users wish to exchange sensitive information, they’re advised to use WinZip to further protect the information at the data level.