Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.3.3. Methods to Secure Data

💡 First Principle: Data protection methods work together across the lifecycle. No single method is sufficient — effective data security layers multiple techniques from creation through destruction.

Geographic restrictions — limiting where data can be stored or processed to comply with sovereignty requirements. Cloud providers offer region-selection for this purpose.

Encryption — the primary technical control for data protection across all three states. Already covered in Phase 2; here it's applied strategically based on classification.

Hashing — verifying data integrity (has the data been modified?). Used for file integrity monitoring, digital signatures, and password storage.

Masking — replacing sensitive data with realistic substitutes for development, testing, or display purposes (showing "****1234" for a credit card number).

Tokenization — replacing sensitive data with non-sensitive tokens, with the mapping stored in a secure vault. Common for payment card data to reduce PCI DSS scope.

Obfuscation — making data difficult to understand without proper context. Code obfuscation makes reverse engineering harder.

Segmentation — separating data environments so that a breach in one doesn't expose all. Network segmentation isolates data stores; database segmentation separates sensitive tables.

Permission restrictions / Access controls — enforcing least privilege at the data level: role-based access, attribute-based access, and mandatory access controls determine who can read, write, or delete data.

Digital Rights Management (DRM) — technology that controls how data can be used after it leaves your systems. DRM can prevent copying, printing, forwarding, or screen-capturing protected documents. Useful for intellectual property and confidential documents shared externally — even if the recipient has the file, DRM restricts what they can do with it.

Data lifecycle management ensures protection from creation through destruction: classify at creation, protect during storage and transit, monitor access throughout use, and securely destroy when no longer needed. Destruction methods include cryptographic erasure (destroying the encryption key), degaussing (magnetic media), and physical destruction (shredding drives).

āš ļø Exam Trap: Tokenization reduces PCI DSS scope because the token has no mathematical relationship to the card number — even if stolen, it's useless. Encryption reduces risk but doesn't reduce scope the same way because the encrypted data is still considered cardholder data.

Written by Alvin Varughese
Founder • 15 professional certifications