Domain 3 · 3.3 Protecting Data

3.3.2 Data States

At rest, in transit, in use.

14 min

Data states categorize information based on its current activity and location to determine which specific security controls and encryption methods are required for protection.

Data at Rest This refers to inactive data stored physically on a digital appliance, such as a hard drive, solid-state drive (SSD), or backup tape. Because this data is stationary, it is often a primary target for data exfiltration if physical security is bypassed. - Full Disk Encryption (FDE): Encrypts the entire storage media, protecting data if a device is lost or stolen. - Partition/File Encryption: Targets specific sensitive directories or databases rather than the whole drive. - Physical Controls: Includes locks, safes, and secure data centers to prevent unauthorized physical access to the media. - Permissions: Using Access Control Lists (ACLs) to ensure only authorized users can mount or read the stored files.

Data in Transit (Data in Motion) Data in transit describes information moving across a network, whether over the public internet or a private local area network (LAN). This state is highly vulnerable to sniffing, man-in-the-middle (MITM) attacks, and interception. - Transport Layer Security (TLS): The standard protocol for securing data moving over HTTPS, FTPS, or protected email. - IPsec/VPNs: Creates encrypted tunnels for data traveling between remote sites or from a remote worker to an office. - WPA3: Protects data moving over wireless networks via robust encryption. - Digital Signatures: Ensures that the data moving between points has not been altered during the journey.

Data in Use Data in use is information currently residing in non-persistent memory, such as System RAM, CPU caches, or registers, while being processed by an application. - Memory Protection: Using address space layout randomization (ASLR) to prevent exploits like buffer overflows from accessing data in RAM. - Hardware-based Security: Leveraging Trusted Execution Environments (TEEs) or secure enclaves to process sensitive data in isolation. - Physical Vulnerabilities: Targets include shoulder surfing (viewing a screen) or using a USB keycatcher to record keystrokes as a user inputs data. - Clearing Buffers: Ensuring applications wipe sensitive data from RAM once a process is finished to prevent memory dumping attacks.

Quick Recall - At Rest: Use AES and FDE; focus on storage and physical security. - In Transit: Use TLS and VPNs; focus on network sniffers and MITM. - In Use: Focus on RAM, CPU, and endpoint security like screen filters. - Data Controller: The GDPR role responsible for defining how and why PII is processed. - Data Processor: The entity that handles data on behalf of the controller. - Data Custodian: The technical role responsible for maintaining data integrity and backups.