Chapter 69 Β· Tricks

States of Data β€” Exam Tricks

The four concepts that trip up test-takers, plus a performance-based scenario practice set.

Trick 1
Data in use = RAM = almost always decrypted. When the exam describes a breach where at-rest AND in-transit encryption were both in place but data was still stolen β€” the answer is data in use.

This is the highest-frequency data states question pattern on the exam. Students who have memorized "encrypt your data" get tripped up by scenarios where encryption was applied β€” correctly β€” but failed to prevent the breach. The answer in those scenarios is always data in use.

The Target breach template β€” recognize it in any variation:

  • Organization encrypts stored data βœ“
  • Organization encrypts network transmissions βœ“
  • Organization is breached β€” data stolen βœ—
  • Question: "Which data state was exploited?" β†’ Data in use

The same pattern applies to any scenario involving: POS terminals and payment card data; medical devices processing patient data; in-memory databases; any processing step where data must be decrypted before computation.

Why the CPU forces this vulnerability:

Encrypted at rest on disk β†’ OS loads file β†’ DECRYPTED IN RAM ← attacker's target
Encrypted in transit β†’ received at server β†’ DECRYPTED IN RAM ← attacker's target
                                           β†‘
Both states decrypt to RAM before any processing occurs

The specific exam facts about the Target breach:

  • Date: November 2013
  • Mechanism: RAM scraping malware (BlackPOS/Kaptoxa) installed on POS terminals
  • Volume: 110 million credit cards
  • Target had: data at rest encryption AND data in transit encryption
  • Attack exploited: data in use β€” card data in POS terminal RAM during transaction processing

What to look for in exam question wording:

  • "The attacker captured data from system memory" β†’ data in use
  • "Malware read another process's RAM" β†’ data in use (RAM scraping)
  • "The application must process the data before encrypting it for storage" β†’ describes the data in use window
  • "Both stored data and network traffic were encrypted, but the breach still occurred" β†’ data in use was the gap
Data in use = RAM = plaintext. At rest + in transit encryption can both be correct, yet a breach still occurs if data in use is the attack vector. The Target breach is the exam's canonical example. When you see "both at-rest and in-transit encryption were in place" in a breach scenario β€” the answer involves data in use.
Trick 2
A screen lock is NOT encryption. Physical removal of the drive bypasses a screen lock entirely β€” only full disk encryption protects against physical access to the storage medium.

This is one of the most practically important distinctions tested on the exam. Many people equate "password-protecting" a computer with protecting the data. They are fundamentally different protections against different attacks.

What a screen lock / login password does:

  • Prevents access through the normal operating system interface
  • Requires an attacker to either crack the password or exploit an OS vulnerability to gain access through the normal boot process
  • Provides zero protection against an attacker who physically removes the storage device

What happens when an attacker removes an unencrypted drive:

Attacker removes hard drive from laptop
    β†“
Connects drive to own system via USB adapter ($10 device)
    β†“
Drive mounts as a regular storage volume
    β†“
All files, database files, documents are immediately accessible
The login screen is COMPLETELY irrelevant β€” it was on the OS, not the data

What full disk encryption does:

  • Encrypts the actual sectors of the drive at the hardware or OS level
  • The drive contains only ciphertext β€” no amount of connecting it to another system helps without the key
  • The encryption key is protected by the pre-boot authentication (TPM + PIN, passphrase, smart card)
  • An attacker who removes the drive gets ciphertext with no corresponding key β€” the drive is a brick

The exam question pattern:

  • "A laptop with only a Windows login password was stolen. The attacker connected the drive to another system and accessed all files. What control would have prevented this?" β†’ Full disk encryption (not "stronger password" β€” the password was on the OS, not the storage)
  • "Which control specifically protects data at rest on a laptop from physical theft?" β†’ Full disk encryption
  • "A BIOS password is set on a laptop. Does this protect the data if the drive is removed?" β†’ No β€” BIOS passwords prevent booting from that device; they do not encrypt the drive. A removed drive is still unprotected.

The BIOS password variant: Students sometimes think a BIOS password protects data. It does not β€” it prevents unauthorized changes to boot settings and may prevent booting from external media, but it has zero effect on the data stored on the drive if the drive is physically removed.

Screen lock, login password, BIOS password = access controls that work through the OS. Physical removal of the drive bypasses all of them. Full disk encryption = the only control that protects against physical storage media access. For any question about stolen devices or removed drives β†’ the answer is full disk encryption, not "stronger password."
Trick 3
TLS protects one application session. IPsec protects all IP traffic at the network layer. They are complementary, not interchangeable β€” and neither protects data at rest or data in use.

Students often confuse TLS and IPsec by treating them as "both network encryption, so either works." The distinction matters for exam questions about what specific protection is needed in which scenario.

TLS β€” the application session protector:

  • Encrypts the data stream for one specific application connection (browser to web server, email client to mail server, API client to API server)
  • The application explicitly uses TLS β€” it is a deliberate choice by the developer
  • Operates from endpoint to endpoint at the session level β€” the web browser encrypts, the web server decrypts
  • Other applications on the same system do NOT automatically get TLS protection β€” only applications that implement TLS
  • The canonical exam examples: HTTPS (TLS over TCP 443), email with TLS (STARTTLS)

IPsec β€” the all-traffic network tunnel:

  • Encrypts all IP packets between two network endpoints, at the network layer
  • The application does not need to be "TLS-aware" β€” all traffic from all applications gets encrypted by the network layer
  • Operates at the network boundary β€” two firewalls, or a VPN client and a concentrator
  • A site-to-site IPsec VPN encrypts an SSH session, a database query, a file transfer, a DNS lookup β€” everything between the two sites, regardless of whether those applications use TLS
  • The canonical exam examples: site-to-site VPN, IPsec remote access VPN

The exam distinction questions:

  • "Encrypt all traffic between two office networks, including legacy applications that do not support TLS" β†’ IPsec (TLS would require each legacy app to be updated to support it)
  • "Secure HTTPS traffic between users and a web application" β†’ TLS (application session encryption)
  • "A branch office WAN connection transmits database queries, file transfers, and web traffic β€” all must be encrypted in transit" β†’ IPsec site-to-site VPN (covers all traffic types at network layer)

Neither protects at rest or in use:

  • TLS encrypts the session while data is moving β€” once data arrives at the server and is written to disk, TLS no longer applies. Disk encryption (separate control) protects the stored copy.
  • IPsec encrypts packets while moving through the tunnel β€” once packets are decrypted at the VPN concentrator and delivered to the application server, IPsec no longer applies. The data is then at rest or in use, requiring other controls.
  • Neither TLS nor IPsec does anything for data loaded into RAM for processing β€” that is the data in use state requiring its own separate consideration.
TLS = one application session encryption. IPsec = all IP traffic at network layer. Both protect data in transit only β€” neither protects data at rest or in use. The "all traffic between two sites" scenario β†’ IPsec. The "secure web application sessions" scenario β†’ TLS. They solve different scopes of the same in-transit problem.
Trick 4
Data sovereignty = "the country's laws follow the data." GDPR is the exam's primary example β€” EU data transferred out of the EU requires legal mechanisms, not just technical controls.

Data sovereignty questions test whether students understand that physical location of data has legal consequences independent of the organization's location. This is a law-meets-technology concept that is frequently tested because cloud computing makes it extremely common and practically important.

The core principle stated simply:

Data stored in Country X β†’ subject to Country X's laws
                                     regardless of where the organization is headquartered
                                     regardless of what country the data subjects are in
                                     regardless of what law you want to apply

The GDPR exam facts:

  • GDPR is an EU regulation that protects personal data of EU residents
  • GDPR applies to any organization worldwide that handles EU resident data β€” not just EU companies
  • GDPR restricts cross-border transfers: EU personal data cannot be freely sent to countries without adequate protections
  • Key GDPR data sovereignty principle: "data collected on EU citizens must be stored in the EU" (or transferred only with proper legal mechanisms)
  • Violations: fines up to 4% of global annual revenue

The cloud sovereignty trap: Students sometimes think "I just use a cloud provider, so data sovereignty doesn't apply to me." The opposite is true β€” cloud providers store data in physical data centers in specific countries. If AWS stores your data in Virginia, that data is in the U.S. and subject to U.S. law. Cloud providers offer data residency options (specific regions, data residency contracts) specifically because data sovereignty is a real requirement their customers must meet.

The exam question patterns:

  • "A U.S. company stores EU customer data on U.S. servers. Which regulation is most at risk of being violated?" β†’ GDPR (data sovereignty β€” EU data in the U.S. without proper legal mechanism)
  • "An organization's compliance team finds that their cloud data may be stored in a country that requires government access to private data. Which concept describes this risk?" β†’ Data sovereignty
  • "A multinational company must ensure that data collected in Germany cannot be moved to servers in other countries. Which principle dictates this restriction?" β†’ Data sovereignty (German/EU law applies because the data subjects are German)
  • "Laws may prohibit where data can be stored" β†’ Data sovereignty (the exam objective exact phrase)

The distinction from geolocation: Geolocation is about WHERE A USER IS when accessing data β€” used for access control. Data sovereignty is about WHERE DATA IS STORED β€” about legal jurisdiction. A question about "which laws govern the data" β†’ sovereignty. A question about "adjusting access based on where the user is" β†’ geolocation.

Data sovereignty = "where is the data stored?" determines which laws apply. GDPR = the exam's primary sovereignty example: EU data transferred outside the EU requires legal mechanisms (not just technical controls). Geolocation β‰  sovereignty: geolocation is about user location for access control; sovereignty is about data location for legal jurisdiction.
Performance Task Practice
Three Scenarios β€” Apply the Concepts

Scenario A: A healthcare company processes patient data through a three-step workflow: (1) patient records are stored in an encrypted database on local servers; (2) records are transmitted from the local server to a cloud-based analytics platform; (3) the analytics platform processes the records and generates reports in memory. A security audit reveals that step 2 uses unencrypted HTTP, and the analytics platform (step 3) was recently found to have malware on it. Identify which data state is most at risk at each step and recommend the specific control for each.

Show Answer

Step 1 β€” Stored in encrypted database (Data at Rest β€” adequately protected):

The database is encrypted β€” data at rest protection is in place. The primary risk here is logical access: who has database credentials and can query the data through the database engine. The encryption protects against someone stealing the raw database files; access controls (RBAC, least privilege for database accounts) protect against authorized-but-excessive access. No immediate control gap noted in the scenario for step 1.

Step 2 β€” Transmitted via unencrypted HTTP (Data in Transit β€” critical gap):

Patient records (PHI) transmitted over HTTP are plaintext on the network. Any observer between the local server and the cloud platform β€” a network tap, a compromised router, an ISP employee β€” can read all transmitted patient data. HTTP is the clearest possible data-in-transit vulnerability: no encryption at all. Required control: replace HTTP with HTTPS (TLS) immediately. Alternatively, if the entire transmission path must be secured at the network layer, implement an IPsec VPN tunnel between the on-premises server and the cloud analytics environment. Either way, the unencrypted transmission of PHI is a HIPAA violation requiring immediate remediation.

Step 3 β€” Malware on the analytics platform processing data in memory (Data in Use β€” critical gap):

When the analytics platform processes patient records, the data is loaded into RAM in plaintext β€” it must be decrypted for the analytics computations to run. Malware on the analytics platform can read the process's memory and extract the plaintext PHI records during processing. This is the same attack mechanism as the Target POS terminal breach β€” RAM scraping on a processing system. The encryption in step 1 and (proposed) TLS in step 2 do not help once the data is delivered to the analytics platform's memory. Required controls: (1) immediate incident response β€” identify and remove the malware; (2) endpoint security on the analytics platform to detect memory-access anomalies; (3) process isolation β€” ensure the analytics process runs with minimum necessary memory access; (4) vendor security assessment if the analytics platform is cloud-hosted; (5) consider encrypted computing techniques for future architecture if very high sensitivity data requires analytics processing.

Scenario B: A global retailer's security team is designing encryption controls for their new e-commerce platform. The platform stores customer orders and payment data in a PostgreSQL database, transmits data between microservices via REST APIs, and a recommendation engine loads customer purchase history into memory to generate real-time product suggestions. A junior security engineer proposes: "We'll encrypt the database files on disk and use TLS for all API calls β€” that covers all three data states." Evaluate whether this proposal is correct.

Show Answer

Evaluation: Partially correct, with an important caveat about data in use.

Database encryption β†’ protects data at rest. βœ“

Encrypting the PostgreSQL database files (using PostgreSQL's encryption options, file system encryption, or full disk encryption on the database server) protects the stored data against unauthorized access to the raw files. If an attacker obtains the database files without the encryption key, they cannot read customer order and payment data. This correctly addresses data at rest.

TLS for all API calls β†’ protects data in transit. βœ“

Using TLS (HTTPS) for all inter-microservice API communications encrypts the data while it moves between services. An observer who intercepts API traffic between microservices sees only ciphertext. This correctly addresses data in transit. Important note: "all API calls" must truly mean all β€” not just external-facing APIs. Internal microservice-to-microservice traffic is also data in transit and requires TLS if it traverses untrusted network segments.

Data in use β€” not addressed. βœ—

The junior engineer's statement "that covers all three data states" is incorrect. The recommendation engine loads customer purchase history into memory for real-time processing β€” this is data in use. When the recommendation algorithm runs, purchase history records are decrypted from the database and loaded into the recommendation engine's RAM as plaintext. If the recommendation engine server is compromised, malware can read this data from RAM. Neither database encryption nor API TLS provides any protection at this point.

What to do about the recommendation engine's data in use:

There is no simple "encrypt RAM" solution for general-purpose computing. The practical mitigations are: (1) minimize the data loaded into memory β€” load only the specific features needed for recommendation, not full purchase records with PII; (2) limit the time data stays in memory β€” don't cache indefinitely; (3) endpoint protection on the recommendation engine servers to detect malware; (4) process isolation and least-privilege memory access; (5) consider whether the data must include PII at all, or whether anonymized/tokenized identifiers can serve the recommendation function without exposing actual customer data.

Corrected statement: "Encrypting the database and using TLS for APIs correctly addresses data at rest and data in transit. Data in use β€” when the recommendation engine loads purchase history into RAM β€” is not addressed by those controls and requires separate mitigations at the application and endpoint level."

Scenario C: A security architect at a multinational company is designing a data management strategy. The company has offices in the U.S., EU, and Singapore. They want to implement geolocation-based access controls for sensitive financial data and must comply with data sovereignty requirements. Design the data storage architecture and access control rules, addressing: (1) where to store data for each region's users, (2) how geolocation controls access, and (3) what data sovereignty issue arises if all data is centralized in the U.S.

Show Answer

1. Data storage architecture for each region:

Data sovereignty requires understanding which laws govern which users' data. The recommended architecture: geographic data partitioning.

EU users: Store in EU-region data centers (e.g., AWS eu-central-1 Frankfurt or eu-west-1 Ireland). GDPR applies to EU resident data. Storing in EU keeps data under EU legal jurisdiction, avoids GDPR cross-border transfer restrictions, and simplifies compliance β€” no international transfer mechanisms needed for standard operations. EU data should not replicate to U.S. or Singapore without appropriate GDPR transfer mechanisms (SCCs or adequacy decision).

Singapore users: Store in Singapore-region data centers. Singapore's Personal Data Protection Act (PDPA) applies. Data localization requirements should be checked β€” Singapore's PDPA generally allows international transfers with adequate protections, but some categories may require in-country storage.

U.S. users: Store in U.S. region data centers. U.S. federal and state privacy laws apply (state laws vary widely). Financial data may be subject to SEC, FINRA, or GLBA requirements.

2. Geolocation-based access controls:

Geolocation adds a location factor to access decisions:

  • Inside regional office (Wi-Fi/802.11 positioning confirms location): Full access to that region's financial data. Enhanced administrative access if the user's role requires it.
  • VPN from home in same country: Standard access β€” read and limited write; no administrative functions.
  • Traveling employee in another company region: Access limited to that employee's home-region data only; foreign-region financial data blocked unless explicitly authorized for cross-region role.
  • Login from non-company country: Blocked or restricted to read-only with additional MFA challenge; SOC alerted.
  • Impossible travel detected: Account locked pending verification; incident ticket created automatically.

3. Data sovereignty issue with U.S. centralization:

If all data is stored in the U.S.: (a) GDPR cross-border transfer violation β€” EU employee and customer data cannot flow to the U.S. without GDPR-compliant mechanisms (SCCs, Data Privacy Framework certification); (b) U.S. government access risk β€” CLOUD Act allows U.S. law enforcement to compel U.S. cloud providers to produce data stored anywhere, including data about EU and Singapore users that may be protected by those regions' laws; (c) Conflicting legal orders β€” if an EU supervisory authority demands deletion of EU data and a U.S. court simultaneously demands preservation of the same data, the company faces irreconcilable legal obligations; (d) Singapore PDPA requirements β€” similar cross-border transfer restrictions may apply. The correct architecture distributes data storage by region to avoid these conflicts, accepting the operational complexity of a distributed data model in exchange for legal compliance with each jurisdiction's sovereignty requirements.