0 / 10 flipped
Data at Rest
Tap to reveal
Data stored on a persistent storage device and not actively moving through a network or being processed. Resides on hard drives, SSDs, flash drives, databases, or tape. Primary risk: physical theft or unauthorized access to the storage medium. Primary protections: encryption (full disk, database, or file/folder level) for offline access, plus ACLs and permissions for online unauthorized access. Even unencrypted data on a storage device is "at rest" β it is a state description, not a security rating.
Full Disk Encryption
Tap to reveal
Encrypts every sector of a storage device β all files, directories, OS, unused space. When powered off, the device is entirely ciphertext. Requires pre-boot authentication (PIN, TPM) before the OS loads. Common implementations: BitLocker (Windows), FileVault (macOS), LUKS (Linux). Protects against offline attack β a stolen powered-off laptop cannot be read. Does NOT protect against a logged-in attacker or malware running on the unlocked system β the OS has already decrypted the disk at that point.
Data in Transit / Data in Motion
Tap to reveal
Data actively moving across a network β client to server, branch to headquarters, device to cloud. The data passes through infrastructure it does not control (switches, routers, wireless APs, ISP infrastructure). Primary risk: interception β any observer on the network path can capture unencrypted traffic. Primary protections: TLS for application session encryption, IPsec for network-layer tunnel encryption, firewalls and IPS for traffic filtering and anomaly detection. "Data in transit" and "data in motion" are used interchangeably on the exam.
TLS β Transport Layer Security
Tap to reveal
Protocol that encrypts data in transit for HTTPS, email, and many application protocols. Creates an encrypted session between two endpoints β data encrypted at sender, decrypted only at intended receiver. An observer who intercepts TLS traffic sees only ciphertext. Operates at the session/transport layer; protects one application session or connection. Successor to SSL. Used for: HTTPS (TCP 443), email with TLS (STARTLS), API communications. The exam may say "SSL/TLS" β TLS is the current standard. TLS protects in-transit confidentiality but has no effect on data in use or data at rest.
IPsec β Network Layer Encryption
Tap to reveal
Protocol suite encrypting IP communications at network layer (L3) β foundation of VPN tunnel encryption. In tunnel mode, the original IP packet (header + data) is fully encrypted inside a new outer packet β original source, destination, and content all hidden. Used for site-to-site VPNs (IPsec between two firewalls encrypting all inter-site traffic) and remote access VPNs. Protects all traffic between endpoints at the network layer β not specific to one application, unlike TLS. Key exam distinction: TLS = one application session; IPsec = all network traffic between two endpoints.
Data in Use
Tap to reveal
Data actively being processed by a computer β loaded into RAM, CPU registers, or cache. Key characteristic: almost always decrypted, because the CPU must read plaintext to execute operations. Opening a file decrypts it into RAM; the application works with the plaintext. This is a fundamental computing requirement β the CPU cannot process ciphertext. Data in use is the hardest state to protect and the state most commonly targeted after at-rest and in-transit encryption is in place. The attacker who cannot read the disk or the network pivots to reading RAM.
Why Data in Use Is the Hardest to Protect
Tap to reveal
Encryption is incompatible with active computation β the CPU must work with plaintext, so data in use cannot be practically encrypted in the general case. At rest: disk encryption works perfectly; offline access is blocked. In transit: TLS/IPsec encrypt traffic; interception yields only ciphertext. In use: the application must decrypt data to use it β creating a mandatory plaintext window in RAM. An attacker with OS-level access (via malware or privilege escalation) can read any process's memory. Emerging technologies (confidential computing, hardware-based memory encryption) aim to address this, but protection for data in use is still far less mature than for the other two states.
Target Corp Breach / RAM Scraping
Tap to reveal
November 2013: attackers installed BlackPOS malware on Target's point-of-sale terminals. The malware scraped credit card numbers from POS terminal RAM during the brief processing window when card data is decrypted in memory. Result: 110 million credit cards stolen. Target had data at rest encryption and data in transit (TLS) encryption β both worked as designed. Neither helped because the attack targeted data in use. The card data had to be decrypted in RAM for transaction processing β the malware captured it at that mandatory plaintext moment. Classic data-in-use attack; definitive Security+ exam example.
Data Sovereignty
Tap to reveal
Data stored within a country is subject to that country's laws β regardless of where the organization that owns the data is headquartered. A government can issue court orders, mandate protections, and restrict data transfers for any data stored within its borders. Key implications: (1) organizations must know where their data physically resides; (2) cloud providers may store data in multiple countries β data residency controls needed; (3) compliance laws may prohibit moving data out of the country. GDPR is the most-tested example: data about EU citizens must be handled per GDPR standards and faces restrictions on transfer to non-EU countries with inadequate protections.
Geolocation β Security Applications
Tap to reveal
Using physical location (determined via GPS, 802.11 Wi-Fi positioning, cell towers, or IP geolocation) as an input to access control decisions. Security applications: (1) block logins from foreign countries with no legitimate users; (2) grant enhanced access from inside corporate building, standard access from outside ("permit enhanced access when inside the building" per exam objectives); (3) detect impossible travel β credentials used from two distant locations minutes apart trigger lock/alert; (4) enforce data sovereignty β prevent data replication outside authorized regions. Limitation: VPNs and proxies can change apparent location; treat geolocation as one factor, not the only factor.