3.5.1. Data States and Protection Requirements
💡 First Principle: Every piece of data exists in one of three states at any given moment, and each state presents distinct attack surfaces. Protection architecture must address all three states for any data classified above the lowest sensitivity level — a gap in any state creates an exploitable exposure.
The three data states:
Data at rest — stored on any medium: hard drives, SSDs, cloud storage, tapes, databases, file shares, mobile devices, USB drives.
Threats: Physical theft of media or device, unauthorized access through misconfigured permissions, access by cloud provider staff or through government data requests, residual data remaining after "deletion."
Controls:
- Full-disk encryption (FDE) — protects if device is stolen; does not protect against authenticated user abuse
- Database encryption — protects database files; transparent to authorized applications
- File-level encryption — selective; protects specific files regardless of where they're stored
- Access controls — who can read/write the stored data
- Backup encryption — protecting backup copies with the same rigor as primary data
Data in transit — moving across any network: internal LAN, WAN, internet, between applications, between data centers, to/from cloud.
Threats: Network interception (man-in-the-middle), eavesdropping on unencrypted protocols (HTTP, FTP, Telnet), traffic analysis even for encrypted flows.
Controls:
- TLS 1.2+ (preferably 1.3) — encrypts application layer data in transit; session-based
- IPsec — encrypts at network layer; can protect all traffic between two network points (VPN tunnel)
- SSH — encrypted remote shell and file transfer
- VPN — encrypted tunnel for all traffic between endpoints
- Certificate validation — prevents MitM attacks impersonating legitimate servers; never disable in production
Data in use — actively being processed in RAM, displayed on screen, printed, or manipulated by applications.
Threats: Memory scraping (RAM capture), screen capture, unauthorized screenshots, printer output left unattended, copy-paste exfiltration, debugging tools extracting values.
Controls:
- Application-level access controls (restrict which users can view/process specific data)
- Memory protection (prevent other processes from reading application memory)
- DRM / IRM — persistent controls that follow the data even when in use
- Screen watermarking — deters screen capture for highly sensitive data
- Secure print release — documents only print when authorized user is physically present at printer
- Clipboard controls — DLP agents can monitor or block paste operations for sensitive data
| Data State | Primary Threat | Primary Control | Secondary Controls |
|---|---|---|---|
| At rest | Physical theft; unauthorized access | Encryption (FDE, file-level, DB) | Access controls; audit logging |
| In transit | Interception; MitM | TLS/IPsec/VPN | Certificate validation; traffic monitoring |
| In use | Memory scraping; exfiltration | IRM/DRM; application access controls | DLP clipboard controls; screen protections |
⚠️ Exam Trap: Full-disk encryption (BitLocker, FileVault) protects data at rest when the device is powered off. When the device is running and the user is logged in, the disk is decrypted — full-disk encryption provides NO protection against an authenticated user who misuses their access, malware running under the user's account, or an attacker who gains remote access to a logged-in session.
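As an added example (not part of the course text), a Python model of the trap above and of the FDE vs. file-level distinction in the at-rest controls: once the volume is unlocked, any process reads plaintext, while a file encrypted with its own key stays ciphertext on that same volume. The `EncryptedVolume` class and the HMAC-based keystream are constructed stand-ins for illustration, not BitLocker or FileVault code.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo-only CTR XOR with an HMAC-SHA256 keystream (same call encrypts/decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class EncryptedVolume:
    """Models FDE: one volume key; decryption is transparent to every process once unlocked."""

    def __init__(self, volume_key: bytes):
        self._volume_key = volume_key
        self._sectors = {}  # path -> (nonce, ciphertext) as written to the medium
        self.unlocked = False

    def unlock(self, key: bytes) -> None:  # boot/login unlock (password, PIN, TPM)
        if not hmac.compare_digest(key, self._volume_key):
            raise PermissionError("wrong volume key")
        self.unlocked = True

    def write(self, path: str, data: bytes) -> None:
        if not self.unlocked:
            raise PermissionError("volume locked")
        nonce = os.urandom(16)
        self._sectors[path] = (nonce, keystream_xor(self._volume_key, nonce, data))

    def read(self, path: str) -> bytes:
        """What any authenticated process, malware under the user's account included, gets."""
        if not self.unlocked:
            raise PermissionError("volume locked")
        nonce, ct = self._sectors[path]
        return keystream_xor(self._volume_key, nonce, ct)

    def raw_media(self, path: str) -> bytes:
        """What a thief imaging the powered-off disk sees: ciphertext only."""
        return self._sectors[path][1]

def file_encrypt(file_key: bytes, data: bytes) -> bytes:
    """File-level encryption: ciphertext until the file_key holder decrypts (nonce prepended)."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(file_key, nonce, data)

def file_decrypt(file_key: bytes, blob: bytes) -> bytes:
    return keystream_xor(file_key, blob[:16], blob[16:])
```

Walk the stolen-laptop scenario with it: before `unlock()`, `raw_media()` is all an attacker can obtain; after the user logs in, `read()` hands plaintext to anything running in their session, and only `file_encrypt`-protected content still needs a separate key.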
Reflection Question: A financial analyst's encrypted laptop is stolen from their car. The laptop was powered off. The same analyst also sends financial model spreadsheets to a personal Gmail account for "convenience." Which incident creates greater data breach risk, and why?