Chapter 69 Β· Glossary

States of Data β€” Term Reference

Key terms for data at rest, data in transit, data in use, encryption mechanisms, data sovereignty, and geolocation access control.

Data at Rest
Data stored on a persistent storage device and not actively moving through a network or being processed. The data is sitting still on a hard drive, SSD, flash drive, tape, database server, or any other storage medium. Primary risk: physical theft or logical unauthorized access to the storage device β€” if stolen and unencrypted, all contents are immediately readable. Primary protections: encryption (full disk, database, or file/folder level) to protect against offline access, and access control lists (ACLs) and permissions to protect against online unauthorized access when the system is running. Even unencrypted data on a storage device qualifies as data at rest β€” it is a state description, not a security assessment.
Full Disk Encryption (FDE) / Whole Disk Encryption
An encryption approach that encrypts every sector of a storage device β€” all files, directories, operating system files, and unused space. When the device is powered off, the entire contents are encrypted ciphertext inaccessible without the authentication credential. When the device powers on, pre-boot authentication (password, PIN, smart card, TPM) unlocks the encryption. Common implementations: BitLocker (Windows), FileVault (macOS), LUKS (Linux). The Trusted Platform Module (TPM) chip can hold encryption keys and enforce hardware-level pre-boot authentication. Protects against offline attacks β€” a stolen powered-off device cannot be read. Does NOT protect a running system from a logged-in attacker or malware operating with OS-level privileges.
Database Encryption
Encryption applied specifically to data within a database management system. Can operate at multiple levels: Transparent Data Encryption (TDE) encrypts the database files on disk, automatically decrypting when queried by the authorized database engine; column-level encryption encrypts specific sensitive columns (SSN, card number) while leaving others plaintext; application-level encryption has the application encrypt data before inserting it, storing ciphertext in the database. Protects regulated data (PII, PHI, payment card data) against someone stealing the raw database files. An attacker who steals the database file without the encryption key cannot read the sensitive fields.
File- and Folder-Level Encryption
Selective encryption that protects specific files or directories on a storage device while leaving other content unencrypted. Only the designated files are encrypted; everything else on the same drive is unprotected. Common implementations: Windows Encrypting File System (EFS), encrypted archive files (ZIP/7z with AES), third-party file encryption tools. Useful for protecting a specific set of sensitive documents (legal files, HR records, financial models) on a shared server where most content is intended to be accessible. More granular than full disk encryption but leaves other files on the same device unprotected.
Data in Transit / Data in Motion
Data actively moving across a network β€” from one device to another, client to server, branch to headquarters, local device to cloud storage. The two terms are used interchangeably. Key characteristic: the data is passing through infrastructure it does not control β€” switches, routers, wireless access points, ISP infrastructure, internet backbone. Primary risk: interception by any device on the network path. Without encryption, any observer who can tap the network β€” a compromised router, a malicious Wi-Fi hotspot, a network tap β€” can read all traffic. Primary protections: transport encryption (TLS for application-layer sessions, IPsec for network-layer tunnel encryption) and network controls (firewalls, IPS) that limit what traffic traverses the network.
TLS β€” Transport Layer Security
The protocol that secures data in transit for web traffic (HTTPS), email, and many other application protocols. TLS creates an encrypted session between two endpoints β€” the data is encrypted at the sender and decrypted only at the intended receiver. An observer who intercepts TLS traffic sees only ciphertext. TLS operates at the session/transport layer and protects a specific application session or connection. The successor to SSL (Secure Sockets Layer); when the exam says "SSL/TLS," TLS is the current version. Used for: HTTPS (TCP 443), email with TLS (SMTP/IMAP/POP3 with STARTTLS), and many API and service communications.
IPsec β€” Internet Protocol Security (for Data in Transit)
A suite of protocols that encrypts and authenticates IP communications at the network layer β€” the foundation of most VPN technologies. In tunnel mode, the original IP packet (header + data) is encrypted entirely and wrapped in a new outer IP packet, hiding the original source/destination and all content from network observers. Used for site-to-site VPNs (IPsec between two perimeter firewalls, encrypting all traffic between two networks) and remote access VPNs. While TLS protects a specific application session, IPsec encrypts all IP traffic between endpoints at the network layer β€” not specific to one application. Key protocols: IKE (UDP 500) for key exchange, ESP (protocol 50) for encryption.
Data in Use
Data actively being processed by a computer β€” loaded into RAM, CPU registers, or processor cache for computation by an application or the operating system. Key characteristic: data in use is almost always decrypted, because the CPU must read plaintext to perform operations. Opening a file decrypts it into RAM; the plaintext must exist in memory for the application to display or modify it. The fundamental tension: data at rest and in transit can be encrypted, but data in use must be decrypted for the computer to process it. This creates an unavoidable window of plaintext exposure during processing β€” the primary attack surface exploited by RAM scraping and memory extraction attacks.
RAM Scraping (Memory Scraping)
A malware technique that reads the memory of other running processes to extract sensitive data that is temporarily stored in plaintext while being processed. Because data in use must be decrypted, RAM contains plaintext copies of data that is encrypted at rest and in transit. RAM scraping malware with sufficient system privilege can access the memory space of other processes β€” such as a point-of-sale application briefly holding decrypted credit card numbers β€” and capture that plaintext data. This was the primary attack technique in the 2013 Target Corporation breach, where custom malware installed on POS terminals scraped 110 million credit card numbers from terminal RAM during transaction processing.
Data Sovereignty
The principle that data stored within a country is subject to that country's laws and legal authority β€” regardless of where the organization that owns the data is headquartered. A government can issue court orders for data stored within its borders, mandate how it must be protected, restrict its transfer to other countries, and penalize non-compliance. Key implication: organizations must know where their data physically resides and understand which legal jurisdictions' laws apply. Cloud computing complicates this because data may be distributed across multiple countries in different data centers. GDPR is the most-tested data sovereignty example: EU personal data must be handled according to GDPR standards and may not be freely transferred to countries without adequate protections.
GDPR β€” General Data Protection Regulation
A European Union regulation governing the collection, storage, processing, and transfer of personal data about EU residents. GDPR applies to any organization worldwide that handles EU resident data β€” not just EU-based organizations. Key data sovereignty provision: restricts international transfers of personal data to countries that do not provide adequate protection equivalent to GDPR standards. Requires organizations to have legal mechanisms (Standard Contractual Clauses, adequacy decisions, Binding Corporate Rules) in place before transferring EU personal data outside the EU. Violations can result in fines up to 4% of global annual revenue. The canonical exam example for data sovereignty: "data collected on EU citizens must be stored in the EU" per GDPR's cross-border transfer restrictions.
Geolocation (Security Application)
Using a user's or device's physical location as an input to access control decisions. Technologies to determine location: GPS (satellite-based, high accuracy), Wi-Fi positioning (802.11 access point mapping, works indoors), mobile provider/cell tower triangulation (wide area coverage), and IP address geolocation (maps IP to city/region via ISP registration). Security applications: (1) country-level access restriction β€” block logins from countries with no legitimate users; (2) location-based privilege escalation β€” grant enhanced access from within a corporate building, standard access from outside; (3) impossible travel detection β€” alert when credentials are used from geographically impossible locations in rapid succession; (4) data sovereignty enforcement β€” prevent data replication to servers in non-compliant countries. Limitation: VPNs and proxies can spoof apparent location; GPS can be spoofed with specialized hardware.