3.3 Protect data
📘 CompTIA Security+ (SY0-701)
Data can exist in three main states in any IT environment. Each state has different security concerns and protection methods.
1. Data at Rest
Definition:
Data at rest is data that is stored somewhere and not actively moving. This can include files on a hard drive, databases, backups, cloud storage, or even archived data on tapes.
Security Concerns:
- If an attacker gains physical or remote access to storage, they can steal or copy the data.
- Insider threats can also target this data.
Protection Methods:
- Encryption: Encrypting files or databases ensures that even if data is stolen, it cannot be read without the key.
  - Examples: Full Disk Encryption (FDE), BitLocker, database encryption, cloud storage encryption.
- Access Controls: Only authorized users or systems can read or modify the data.
  - Examples: File permissions, role-based access control (RBAC).
- Physical Security: Secure servers and storage devices physically to prevent theft.
IT Examples:
- Sensitive company documents stored on a network drive.
- Customer information in a database stored on a cloud server.
2. Data in Transit
Definition:
Data in transit is data moving from one place to another, such as over a network, between devices, or across the internet.
Security Concerns:
- Data can be intercepted (sniffed) by attackers.
- Man-in-the-middle (MITM) attacks can capture or alter data.
Protection Methods:
- Encryption: Secure data while it is moving.
  - Examples: TLS/SSL for websites, VPNs for private network connections, HTTPS for web applications.
- Secure Protocols: Use protocols that include security features.
  - Examples: SFTP instead of FTP, HTTPS instead of HTTP.
- Integrity Checks: Ensure data has not been altered during transit.
  - Examples: Digital signatures, hashing.
IT Examples:
- Sending an email securely over the internet using TLS.
- A remote worker accessing files via VPN.
- API communication between cloud services secured with HTTPS.
3. Data in Use
Definition:
Data in use is data that is actively being processed: held in memory (RAM), worked on by an application, or handled by the CPU.
Security Concerns:
- Even if data at rest and in transit is encrypted, data in use may be exposed in plaintext while being processed.
- Memory scraping, malware, or privileged users can access this data.
Protection Methods:
- Application-Level Encryption: Encrypt sensitive data in memory while still allowing processing.
- Tokenization: Replace sensitive data with tokens during processing to minimize exposure.
- Secure Computing Environments: Use secure enclaves or trusted execution environments (TEEs).
- Access Controls & Monitoring: Limit which applications or users can access sensitive data in use.
IT Examples:
- Processing credit card numbers in a payment application.
- Running analytics on customer data in a database.
- A web server handling login credentials before authenticating users.
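The tokenization method listed above, applied to the payment example, as an added illustration that is not part of the original notes: a hypothetical token vault holds the only mapping from tokens back to card numbers, the application tier processes tokens only, and detokenization is restricted by role. The vault class, role names and the `tok_` prefix are constructed for this example.

```python
import secrets
import string

def luhn_valid(pan):
    """Return True if the card number passes the Luhn checksum (basic input sanity check)."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0

class TokenVault:
    """Holds the only token -> PAN mapping. In a real deployment this runs as a
    separate, tightly access-controlled service (constructed example)."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:   # same PAN -> same token (refunds, reporting)
            return self._pan_to_token[pan]
        # Token is random, not derived from the PAN; only the last four digits are kept for display.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = "tok_" + body + pan[-4:]
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token, caller_role):
        """Only the payment-processor connector may recover the real PAN."""
        if caller_role != "payment-processor":
            raise PermissionError("detokenization not permitted for role " + caller_role)
        return self._token_to_pan[token]

def process_order(vault, pan):
    """Application-tier code: after tokenizing, this process holds the token, not the
    card number, so memory scraping here yields the token only."""
    token = vault.tokenize(pan)
    return {"card_token": token, "display": "**** **** **** " + token[-4:]}
```

The check to take away: everything downstream of `tokenize` (order records, logs, analytics) sees `tok_…`, and the vault is the one place worth hardening with its own access controls and monitoring.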
Summary Table for Easy Recall (Exam-Friendly)
| Data State | Definition | Security Risks | Protection Methods | IT Example |
|---|---|---|---|---|
| At Rest | Stored and not moving | Theft, insider threats | Encryption, access controls, physical security | Files on a server, cloud database |
| In Transit | Moving over networks | Interception, MITM attacks | TLS/SSL, VPN, secure protocols, integrity checks | Email over TLS, VPN file transfer |
| In Use | Actively processed in memory/CPU | Memory scraping, malware | Tokenization, application-level encryption, secure enclaves | Payment processing, analytics in RAM |
Key Exam Tip:
- The exam often tests your knowledge on which protection method is used for which data state.
- Remember:
  - At rest → encryption + access control
  - In transit → TLS/HTTPS/VPN + integrity
  - In use → tokenization + secure execution + monitoring
