3.3 Protect data
📘CompTIA Security+ (SY0-701)
Protection Methods for Data
Protecting data is a core part of cybersecurity. Organizations use different methods depending on the type of data, where it’s stored, and who needs access. Let’s go through each method.
1. Encryption
What it is:
Encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) so that only authorized users with a key can read it.
How it works:
- Data is transformed using an encryption algorithm and a key.
- Only someone with the decryption key can turn it back into readable data.
IT examples:
- Data at rest: Encrypting files stored on a server or in the cloud using AES-256.
- Data in transit: Using TLS/SSL to encrypt data being sent over the internet (like HTTPS websites).
- Full-disk encryption: BitLocker on Windows or FileVault on Mac protects the entire drive.
Exam tip: Encryption is reversible if you have the key; it’s about confidentiality.
2. Hashing
What it is:
Hashing converts data into a fixed-size string (hash value) using a hash function. Unlike encryption, hashing is one-way—you cannot reverse it to get the original data.
How it works:
- Input data → Hash function → Hash value
- Any small change in the input creates a completely different hash.
IT examples:
- Storing passwords securely: Websites store hashes instead of plaintext passwords (e.g., SHA-256).
- File integrity checks: Hashes (MD5, SHA-1) verify that files haven’t been altered.
Exam tip: Hashing ensures integrity, not confidentiality.
3. Masking
What it is:
Masking hides part of the data so it can be used for testing or viewing without exposing sensitive information.
How it works:
- Original data is partially obscured.
- The masked data looks realistic but is not sensitive.
IT examples:
- Displaying credit card numbers as
**** **** **** 1234in an application. - Masking personal information in a database when developers need real-like test data.
Exam tip: Masking is reversible only if it’s dynamic masking, but typically it’s used for safe display.
4. Tokenization
What it is:
Tokenization replaces sensitive data with a unique identifier called a token. Unlike masking, the original data is stored securely elsewhere.
How it works:
- Sensitive data → Token generated → Token used in systems
- The real data is only accessible in a secure token vault.
IT examples:
- Payment processing: Credit card numbers are replaced with tokens. The token can be used for transactions without exposing the real card number.
- Health records: Patient IDs are tokenized in systems for compliance with HIPAA.
Exam tip: Tokenization is irreversible in the systems that use it; you need the secure vault to retrieve the real data.
5. Obfuscation
What it is:
Obfuscation hides the meaning of data or code to make it hard to understand or reverse-engineer.
How it works:
- Data or code is transformed so it still works but isn’t easily readable.
IT examples:
- Software code: Developers obfuscate code in mobile apps to prevent hacking or copying.
- Data obfuscation: Sensitive fields in logs are scrambled before being stored or transmitted.
Exam tip: Obfuscation doesn’t prevent access entirely—it just makes understanding or extracting data harder.
6. Segmentation
What it is:
Segmentation separates data or networks into smaller, isolated sections to reduce risk if something is compromised.
How it works:
- Different data or systems are put into isolated segments.
- Access between segments is controlled by policies or firewalls.
IT examples:
- Network segmentation: Separate HR, finance, and guest Wi-Fi networks to limit access.
- Database segmentation: Sensitive records stored in a secure table separated from general data.
Exam tip: Segmentation limits exposure and reduces attack surface.
7. Permissions
What it is:
Permissions control who can access data and what they can do with it (read, write, execute).
How it works:
- Assign access based on roles or identities (Role-Based Access Control, RBAC).
- Regularly review permissions to enforce least privilege.
IT examples:
- File servers: Only finance staff can access payroll files.
- Cloud storage: Only certain users can download or edit sensitive documents.
Exam tip: Permissions enforce confidentiality and prevent unauthorized access.
Quick Summary Table
| Method | Purpose | Key Point | Example |
|---|---|---|---|
| Encryption | Confidentiality | Reversible with key | HTTPS, BitLocker |
| Hashing | Integrity | One-way, not reversible | Password storage, file checks |
| Masking | Data privacy for display | Partially hides data | ****1234 in apps |
| Tokenization | Replace sensitive data | Tokens replace original data | Payment processing |
| Obfuscation | Hide meaning/complexity | Hard to read but functional | Code obfuscation |
| Segmentation | Limit exposure | Isolates data or networks | HR vs finance network |
| Permissions | Access control | Role-based, least privilege | File server permissions |
Key Exam Tips:
- Encryption is about confidentiality, hashing is about integrity.
- Masking and tokenization are ways to use data safely without exposing sensitive info.
- Obfuscation protects understanding, not access.
- Segmentation and permissions limit who can see or affect the data.
