4.3.2. Data States and Sovereignty

💡 First Principle: Data exists in three states, and each state requires different protection mechanisms. Data also has a physical location that carries legal implications — where your data resides determines which laws govern it.

Data at rest — stored on disk, database, backup media, or cloud storage. Protection: encryption (AES-256, full-disk encryption, database encryption), access controls, physical security of storage media.

Data in transit — moving across a network. Protection: TLS/HTTPS, VPN tunnels (IPSec), SSH, secure email (S/MIME).

Data in use — actively being processed in memory. The hardest state to protect. Solutions: secure enclaves (Intel SGX, AMD SEV), homomorphic encryption (still largely theoretical for production use), memory encryption.

Data sovereignty — the principle that data is subject to the laws of the country where it physically resides. European data stored in US servers falls under US jurisdiction, potentially conflicting with GDPR requirements. Organizations must understand where their cloud provider stores data and ensure compliance with relevant regulations. Cloud providers offer region selection for this reason — Azure, AWS, and GCP all let you specify which geographic region hosts your data.

Geolocation — tagging data with its physical location for compliance and access control purposes. Some regulations require data to remain within specific geographic boundaries (data residency requirements). For example, some countries require citizen health records to remain within national borders. Geofencing enforces these boundaries automatically, preventing data replication to non-compliant regions.

Geographic restrictions can be implemented at multiple levels: cloud provider region selection, database replication policies, CDN configuration, and backup storage location. The exam may present scenarios where a specific regulation requires geographic control — the answer typically involves selecting the appropriate cloud region and configuring replication constraints.

⚠️ Exam Trap: Data sovereignty isn't just a recommendation — it's a legal requirement in many jurisdictions. If a question mentions GDPR and data stored outside the EU, sovereignty is the compliance issue, regardless of how well the data is encrypted.