Chapter 69 Β· Concepts

States of Data β€” Concept Reference

Three-state comparison, encryption mechanism matrix, Target breach anatomy, data sovereignty framework, and geolocation controls in structured reference form.

Three States of Data β€” Full Comparison

AttributeData at RestData in TransitData in Use
DefinitionStored on a persistent storage device; not moving or being processedActively moving across a network between devices or systemsActively being processed in RAM, CPU registers, or cache
Also calledStored dataData in motionData being processed
Where it livesHard drives, SSDs, flash drives, databases, tape, cloud storageNetwork packets traversing switches, routers, APs, internet infrastructureSystem RAM, CPU registers, CPU cache, swap/virtual memory
Encrypted by default?Only if encryption is explicitly implementedOnly if transport encryption (TLS, IPsec) is explicitly implementedAlmost never β€” CPU must read plaintext to process it
Primary riskPhysical theft; unauthorized access to storage device or databaseInterception/eavesdropping by any observer on the network pathRAM scraping; memory extraction; malware reading another process's memory
Primary encryption controlFull disk encryption; database encryption; file/folder encryptionTLS (application sessions); IPsec (network-layer VPN tunnels)No practical general encryption β€” data must be decrypted to process it
Access controlsACLs, RBAC, file system permissionsFirewall rules, IPS policiesEndpoint security, process isolation, memory protection (OS-enforced)
Hardest to protect?No β€” well-understood encryption + access controlsNo β€” TLS/IPsec are mature, well-deployed solutionsYES β€” encryption is fundamentally incompatible with active processing
Exam exampleLaptop encryption, database TDE, file vaultHTTPS (TLS), site-to-site VPN (IPsec)Target Corp breach β€” RAM scraping of POS terminals (Nov 2013)

Data at Rest β€” Encryption Mechanism Comparison

MechanismScopeWhat It Protects AgainstWhat It Does NOT Protect AgainstCommon Implementations
Full Disk Encryption (FDE)Entire storage device β€” all files, OS, unused spaceTheft of powered-off device; unauthorized offline access to raw diskLive OS-level attack from logged-in user or malware running on unlocked systemBitLocker (Windows), FileVault (macOS), LUKS (Linux), self-encrypting drives
Database Encryption (TDE)Database files on disk; may include individual columnsTheft of database files; unauthorized extraction of database contentAuthorized database users with SELECT access; application-layer attacks against the running databaseSQL Server TDE, Oracle TDE, MySQL encryption; column-level via application
File/Folder EncryptionSpecific files or directories only β€” selectiveUnauthorized access to the designated encrypted files on a shared systemOther files on the same device (not encrypted); live attacks on the running OSWindows EFS (Encrypting File System), encrypted ZIP/7z archives, VeraCrypt containers

Data in Transit β€” Protection Mechanisms

Protection TypeTechnologyWhat It DoesLayerScope
Transport encryptionTLS (Transport Layer Security)Encrypts application sessions β€” web traffic (HTTPS), email, APIs. Data encrypted at sender, decrypted only at intended receiver.Session / Transport (L5–L4)One application session between two endpoints (browser ↔ web server)
Network-layer tunnel encryptionIPsec (Internet Protocol Security)Encrypts entire IP packets at network layer β€” all traffic between endpoints. Foundation of site-to-site VPNs. Original packet hidden inside encrypted outer packet.Network (L3)All traffic between two network endpoints (two firewalls, or user device to VPN concentrator)
Network traffic filteringFirewallEnforces policies on which traffic is permitted β€” blocks unauthorized connections before data is at risk. Does not encrypt; controls what can traverse the network.L3–L7 (depending on type)Traffic entering or leaving a network segment
Malicious traffic detectionIPS (Intrusion Prevention System)Analyzes traffic for attack patterns; automatically blocks suspicious or malicious traffic. Detects data exfiltration attempts, C2 communication, exploitation in transit.L3–L7Traffic on the monitored network segment

Target Corporation Breach β€” Data State Anatomy

CARD SWIPE AT REGISTER
    β†“
POS terminal reads card β†’ card data DECRYPTED IN RAM (data in use)
                                                    β†‘
                                    BlackPOS malware reads this RAM
    β†“                                                β†“
[ENCRYPTED] transmission to payment processor  Captured card #s collected
(data in transit β€” TLS encrypted βœ“)                  by malware
    β†“                                                β†“
[ENCRYPTED] stored on Target servers         Exfiltrated to attacker
(data at rest β€” encrypted βœ“)                        servers via internet

RESULT: 110 million credit cards stolen
Both at-rest AND in-transit encryption were in place.
Neither helped because the attack targeted data IN USE.

The breach exploited the mandatory plaintext window: card data must be decrypted in POS RAM for transaction processing. Malware with OS-level access can read any process's memory, bypassing application-layer encryption entirely.

Data Sovereignty β€” Legal Jurisdiction Framework

AspectPrinciplePractical ImplicationGDPR Example
Jurisdiction ruleData stored in a country is subject to that country's laws β€” regardless of where the organization is headquarteredA U.S. company storing data in Germany must comply with German/EU data protection law for that dataEU data stored on AWS EU servers is subject to GDPR β€” even if the company is U.S.-based
Court ordersLegal proceedings follow the laws of the country where data residesA German court can order disclosure of data stored in Germany; a U.S. court may lack jurisdiction over that same dataConflicting legal orders between U.S. law and GDPR have been a significant legal battleground
Transfer restrictionsSome jurisdictions prohibit moving data to countries that do not provide equivalent protectionsMust verify legal mechanisms (SCCs, adequacy decisions) before transferring EU data to non-EU countriesGDPR requires Standard Contractual Clauses or adequacy decision to transfer EU personal data to the U.S.
Data localizationSome countries require certain data to be stored within their bordersMay require dedicated in-country infrastructure; cannot use a global cloud regionRussia, China, and others have data localization laws for their citizens' data
Cloud complexityCloud providers may distribute data across multiple countries without clear disclosureOrganizations must specify data residency requirements in cloud contracts; verify where data actually livesAWS/Azure/GCP offer region-specific storage with contractual commitments to keep data in specified regions

Geolocation β€” Security Control Applications

ApplicationHow It WorksExample ScenarioLimitation
Country-level access restrictionBlock or allow access based on IP geolocation resolving to specific countriesA U.S.-only business blocks all login attempts from IP addresses resolving to foreign countriesVPNs and proxies change apparent IP country; IP geolocation databases inaccurate for mobile/corporate VPN users
Location-based privilege escalationGrant enhanced access level when device is confirmed on trusted network (corporate Wi-Fi, specific building)Employees inside headquarters can access highly sensitive financial systems; same credentials from home receive read-only access onlyWi-Fi positioning requires access point mapping; can be bypassed if building network is accessible remotely
Impossible travel detectionAlert when credentials are used from two geographically distant locations in a timeframe physically impossible to travelUser logs in from London at 9:00 AM, then same credentials used from Tokyo at 9:05 AM β†’ automatic alert or blockUsers on VPNs may appear to be in a different country legitimately; generates false positives for travelers
Content geo-restrictionAllow or block access to specific content based on user's apparent countryStreaming service shows different content library based on viewer's country; blocks access to content not licensed in that countryEasily bypassed with VPN β€” streaming services attempt to detect and block known VPN IP ranges
Data sovereignty enforcementPrevent data replication or access from outside authorized geographic regionsEU customer data can only be accessed from EU data centers; replication blocked to non-EU regionsRequires integration with cloud provider's region controls; adds operational complexity for global teams