Encryption paradigms

3.1 Summarize data security concepts.

📘CompTIA Server+ (SK0-005)

1. Data at Rest

Definition:
Data at rest is any data that is stored on a device or media, like hard drives, SSDs, USB drives, backup tapes, or cloud storage. This is data that is not actively moving across the network—it is “sitting” somewhere.

Why it matters:
If someone gets unauthorized access to the storage device (for example, stealing a laptop or accessing a cloud storage account), encrypted data will be unreadable without the correct key.

Common IT Examples:

  • A server stores customer records in a database. Encrypting the database ensures that if someone gains unauthorized access to the server's storage, the data is unreadable without the key.
  • Backups stored on cloud services are encrypted, so even if a storage service is compromised, the data remains secure.
  • Full-disk encryption on laptops or servers ensures that all files are encrypted automatically.

Technologies Used:

  1. AES (Advanced Encryption Standard) – A common symmetric encryption standard for encrypting files, drives, and databases.
  2. BitLocker (Windows) – Encrypts the entire hard drive so data at rest is secure.
  3. FileVault (macOS) – Similar to BitLocker for Apple devices.
  4. Database Encryption – Many databases like Microsoft SQL Server, MySQL, and Oracle support column-level or full-database encryption.

Key Points to Remember for Exam:

  • Encrypting data at rest prevents unauthorized reading if the storage medium is stolen or accessed.
  • Symmetric encryption is common for data at rest because it is faster for large volumes of data.
  • Always protect encryption keys—if keys are lost or stolen, the data cannot be recovered or may be exposed.
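As an added example (not part of the original notes), the following shell script uses the openssl command line (assumed installed, version 1.1.1 or later for -pbkdf2) to encrypt a constructed sample file with AES-256, the way data at rest is protected, and then checks the exam points above: the stored ciphertext does not expose the plaintext, the correct key recovers the file byte for byte, and a wrong key does not recover it.

```shell
#!/bin/sh
# Added example, not from the original notes. Uses the openssl CLI (assumed installed,
# 1.1.1+ for -pbkdf2) to show AES encryption of data at rest and why key custody matters.
set -eu

# Encrypt $1 into $2 with AES-256-CBC. The 256-bit key is derived from passphrase $3
# with PBKDF2; -salt makes the derived key (and ciphertext) different on every run.
encrypt_at_rest() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt $1 into $2 with passphrase $3. Exits non-zero on a bad key or bad padding.
decrypt_at_rest() {
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "pass:$3"
}

# Returns 0 when file $1 contains none of the literal strings given after it,
# i.e. the plaintext values are not visible in the stored ciphertext.
plaintext_not_visible() {
  f="$1"; shift
  for word in "$@"; do
    if grep -q -- "$word" "$f"; then return 1; fi
  done
  return 0
}

# Full round trip in a temp dir; returns 0 only if every expectation holds.
demo_data_at_rest() {
  work="$(mktemp -d)"
  # Constructed sample: a small customer-records export standing in for a database backup.
  printf 'id,name,card_last4\n1,Alice,4242\n2,Bob,1881\n' > "$work/records.csv"
  encrypt_at_rest "$work/records.csv" "$work/records.enc" 'correct horse battery staple'
  plaintext_not_visible "$work/records.enc" Alice Bob 4242 || { rm -rf "$work"; return 1; }
  # Right key: the decrypted copy is byte-identical to the original.
  decrypt_at_rest "$work/records.enc" "$work/records.dec" 'correct horse battery staple'
  cmp -s "$work/records.csv" "$work/records.dec" || { rm -rf "$work"; return 1; }
  # Wrong key: decryption either errors out or yields bytes that are not the data.
  # This is the "lost or stolen key" point: without the right key the data is gone.
  if decrypt_at_rest "$work/records.enc" "$work/records.bad" 'wrong passphrase' 2>/dev/null; then
    cmp -s "$work/records.csv" "$work/records.bad" && { rm -rf "$work"; return 1; }
  fi
  rm -rf "$work"
  return 0
}

demo_data_at_rest && echo "data-at-rest checks passed"
```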

2. Data in Transit

Definition:
Data in transit is data that is moving across a network. This could be between servers, from a user’s device to a cloud service, or between two internal systems.

Why it matters:
If data is sent over a network without encryption, attackers can intercept it and read sensitive information like passwords, financial data, or personal information. This is called a man-in-the-middle attack (MITM).

Common IT Examples:

  • An employee logs into a corporate email system over HTTPS. The email username and password are encrypted while traveling over the internet.
  • Internal servers exchange API requests over TLS/SSL to protect sensitive business data.
  • VPN connections encrypt all traffic between a remote worker and the corporate network.

Technologies Used:

  1. TLS (Transport Layer Security) – Encrypts web traffic (HTTPS) and email connections.
  2. SSL (Secure Sockets Layer) – Predecessor of TLS; now deprecated and replaced by TLS.
  3. IPsec – Encrypts IP packets for secure communication between networks (e.g., site-to-site VPNs).
  4. SSH (Secure Shell) – Encrypts command-line sessions and file transfers (like SCP or SFTP).

Key Points to Remember for Exam:

  • Data in transit must be encrypted to prevent interception.
  • Encryption protocols like TLS or SSH ensure confidentiality and integrity.
  • Always verify certificates to avoid MITM attacks.

Comparison: Data at Rest vs. Data in Transit

Feature         | Data at Rest                                                   | Data in Transit
----------------|----------------------------------------------------------------|-----------------------------------------------
Location        | Stored on disks, drives, or backups                            | Moving across a network
Purpose         | Protects against physical theft or unauthorized storage access | Protects against interception or eavesdropping
Common Methods  | AES, BitLocker, FileVault, database encryption                 | TLS, SSL, IPsec, SSH, VPN
Key Concern     | Encryption key security                                        | Certificate validation and secure channels

Exam Tips

  1. Know the difference between data at rest and data in transit. The exam may ask which encryption paradigm applies to a scenario.
  2. Understand common IT encryption tools: AES for data at rest, TLS/SSL for data in transit.
  3. Remember real-world IT examples like encrypted databases, HTTPS, VPNs, and SSH for practical understanding.

Summary:

  • Data at rest = stored data → use full-disk, database, or file encryption.
  • Data in transit = moving data → use TLS, IPsec, VPN, or SSH.
  • Both paradigms aim to protect confidentiality and integrity of sensitive data.