Three States of Data β Full Comparison
| Attribute | Data at Rest | Data in Transit | Data in Use |
|---|---|---|---|
| Definition | Stored on a persistent storage device; not moving or being processed | Actively moving across a network between devices or systems | Actively being processed in RAM, CPU registers, or cache |
| Also called | Stored data | Data in motion | Data being processed |
| Where it lives | Hard drives, SSDs, flash drives, databases, tape, cloud storage | Network packets traversing switches, routers, APs, internet infrastructure | System RAM, CPU registers, CPU cache, swap/virtual memory |
| Encrypted by default? | Only if encryption is explicitly implemented | Only if transport encryption (TLS, IPsec) is explicitly implemented | Almost never β CPU must read plaintext to process it |
| Primary risk | Physical theft; unauthorized access to storage device or database | Interception/eavesdropping by any observer on the network path | RAM scraping; memory extraction; malware reading another process's memory |
| Primary encryption control | Full disk encryption; database encryption; file/folder encryption | TLS (application sessions); IPsec (network-layer VPN tunnels) | No practical general encryption β data must be decrypted to process it |
| Access controls | ACLs, RBAC, file system permissions | Firewall rules, IPS policies | Endpoint security, process isolation, memory protection (OS-enforced) |
| Hardest to protect? | No β well-understood encryption + access controls | No β TLS/IPsec are mature, well-deployed solutions | YES β encryption is fundamentally incompatible with active processing |
| Exam example | Laptop encryption, database TDE, file vault | HTTPS (TLS), site-to-site VPN (IPsec) | Target Corp breach β RAM scraping of POS terminals (Nov 2013) |
Data at Rest β Encryption Mechanism Comparison
| Mechanism | Scope | What It Protects Against | What It Does NOT Protect Against | Common Implementations |
|---|---|---|---|---|
| Full Disk Encryption (FDE) | Entire storage device β all files, OS, unused space | Theft of powered-off device; unauthorized offline access to raw disk | Live OS-level attack from logged-in user or malware running on unlocked system | BitLocker (Windows), FileVault (macOS), LUKS (Linux), self-encrypting drives |
| Database Encryption (TDE) | Database files on disk; may include individual columns | Theft of database files; unauthorized extraction of database content | Authorized database users with SELECT access; application-layer attacks against the running database | SQL Server TDE, Oracle TDE, MySQL encryption; column-level via application |
| File/Folder Encryption | Specific files or directories only β selective | Unauthorized access to the designated encrypted files on a shared system | Other files on the same device (not encrypted); live attacks on the running OS | Windows EFS (Encrypting File System), encrypted ZIP/7z archives, VeraCrypt containers |
Data in Transit β Protection Mechanisms
| Protection Type | Technology | What It Does | Layer | Scope |
|---|---|---|---|---|
| Transport encryption | TLS (Transport Layer Security) | Encrypts application sessions β web traffic (HTTPS), email, APIs. Data encrypted at sender, decrypted only at intended receiver. | Session / Transport (L5βL4) | One application session between two endpoints (browser β web server) |
| Network-layer tunnel encryption | IPsec (Internet Protocol Security) | Encrypts entire IP packets at network layer β all traffic between endpoints. Foundation of site-to-site VPNs. Original packet hidden inside encrypted outer packet. | Network (L3) | All traffic between two network endpoints (two firewalls, or user device to VPN concentrator) |
| Network traffic filtering | Firewall | Enforces policies on which traffic is permitted β blocks unauthorized connections before data is at risk. Does not encrypt; controls what can traverse the network. | L3βL7 (depending on type) | Traffic entering or leaving a network segment |
| Malicious traffic detection | IPS (Intrusion Prevention System) | Analyzes traffic for attack patterns; automatically blocks suspicious or malicious traffic. Detects data exfiltration attempts, C2 communication, exploitation in transit. | L3βL7 | Traffic on the monitored network segment |
Target Corporation Breach β Data State Anatomy
CARD SWIPE AT REGISTER
β
POS terminal reads card β card data DECRYPTED IN RAM (data in use)
β
BlackPOS malware reads this RAM
β β
[ENCRYPTED] transmission to payment processor Captured card #s collected
(data in transit β TLS encrypted β) by malware
β β
[ENCRYPTED] stored on Target servers Exfiltrated to attacker
(data at rest β encrypted β) servers via internet
RESULT: 110 million credit cards stolen
Both at-rest AND in-transit encryption were in place.
Neither helped because the attack targeted data IN USE.
The breach exploited the mandatory plaintext window: card data must be decrypted in POS RAM for transaction processing. Malware with OS-level access can read any process's memory, bypassing application-layer encryption entirely.
Data Sovereignty β Legal Jurisdiction Framework
| Aspect | Principle | Practical Implication | GDPR Example |
|---|---|---|---|
| Jurisdiction rule | Data stored in a country is subject to that country's laws β regardless of where the organization is headquartered | A U.S. company storing data in Germany must comply with German/EU data protection law for that data | EU data stored on AWS EU servers is subject to GDPR β even if the company is U.S.-based |
| Court orders | Legal proceedings follow the laws of the country where data resides | A German court can order disclosure of data stored in Germany; a U.S. court may lack jurisdiction over that same data | Conflicting legal orders between U.S. law and GDPR have been a significant legal battleground |
| Transfer restrictions | Some jurisdictions prohibit moving data to countries that do not provide equivalent protections | Must verify legal mechanisms (SCCs, adequacy decisions) before transferring EU data to non-EU countries | GDPR requires Standard Contractual Clauses or adequacy decision to transfer EU personal data to the U.S. |
| Data localization | Some countries require certain data to be stored within their borders | May require dedicated in-country infrastructure; cannot use a global cloud region | Russia, China, and others have data localization laws for their citizens' data |
| Cloud complexity | Cloud providers may distribute data across multiple countries without clear disclosure | Organizations must specify data residency requirements in cloud contracts; verify where data actually lives | AWS/Azure/GCP offer region-specific storage with contractual commitments to keep data in specified regions |
Geolocation β Security Control Applications
| Application | How It Works | Example Scenario | Limitation |
|---|---|---|---|
| Country-level access restriction | Block or allow access based on IP geolocation resolving to specific countries | A U.S.-only business blocks all login attempts from IP addresses resolving to foreign countries | VPNs and proxies change apparent IP country; IP geolocation databases inaccurate for mobile/corporate VPN users |
| Location-based privilege escalation | Grant enhanced access level when device is confirmed on trusted network (corporate Wi-Fi, specific building) | Employees inside headquarters can access highly sensitive financial systems; same credentials from home receive read-only access only | Wi-Fi positioning requires access point mapping; can be bypassed if building network is accessible remotely |
| Impossible travel detection | Alert when credentials are used from two geographically distant locations in a timeframe physically impossible to travel | User logs in from London at 9:00 AM, then same credentials used from Tokyo at 9:05 AM β automatic alert or block | Users on VPNs may appear to be in a different country legitimately; generates false positives for travelers |
| Content geo-restriction | Allow or block access to specific content based on user's apparent country | Streaming service shows different content library based on viewer's country; blocks access to content not licensed in that country | Easily bypassed with VPN β streaming services attempt to detect and block known VPN IP ranges |
| Data sovereignty enforcement | Prevent data replication or access from outside authorized geographic regions | EU customer data can only be accessed from EU data centers; replication blocked to non-EU regions | Requires integration with cloud provider's region controls; adds operational complexity for global teams |