Protecting sensitive information requires understanding how data exists and moves through an organization's ecosystem. Every piece of data your organization handles exists in one of three states, and each state needs its own security approach.
Smart cybersecurity professionals know that applying the right protection methods for each data state is crucial for maintaining effective security. For CISSP candidates, mastering these concepts isn't just about passing the exam—it's about building a foundation for robust data protection strategies.
Ready to explore how to protect your organization's data, no matter what state it's in?
Understanding Data States
Data protection isn't one-size-fits-all. Each state of data requires unique security approaches because the threats and vulnerabilities differ significantly. Think of data states like the different phases of water—just as water needs different containment methods when it's frozen, liquid, or steam, data needs different protection methods in each state.
Here's what you need to know about the three states of data:
Data at Rest
- This is your stored data, sitting inactive in storage devices.
- Examples: Files on hard drives, records in databases, emails in your inbox
- Primary concern: Preventing unauthorized access and ensuring data availability
Data in Transit
- Data moving across any network, internal or external.
- Examples: Sending emails, browsing websites, transferring files
- Primary concern: Protecting data from interception and manipulation
Data in Use
- Active data being processed, read, or modified.
- Examples: Data in RAM, CPU cache, or currently open files
- Primary concern: Protecting data during active processing and computation
Understanding these states is crucial because security controls that work perfectly for one state might be completely ineffective for another. For example, the encryption that protects your data during network transfer won't help when that same data is being processed in memory.
Protecting Data at Rest
Data at rest refers to data that is stored somewhere. This includes files on a hard drive, records in databases, and data on similar storage media. The security community recognizes three core methods to protect data at rest:
- Encryption
- Access Control
- Backup and Restoration
Additionally, as organizations increasingly migrate to cloud services, data should first be encrypted locally and then migrated. This approach best ensures the security and confidentiality of the information being migrated.
Protecting Data in Transit
Data in transit, also sometimes referred to as data in motion, refers to data that is moving across networks, such as an organization's internal network or the internet. As with data at rest, the methods used to protect data in motion include access controls, encryption, and redundancy. With regard specifically to encryption, however, three primary options exist:
End-to-End Encryption
End-to-end encryption means the data portion of a packet is encrypted immediately upon transmission from the source node, and the data remains encrypted through every node—every switch, router, firewall—through which it passes while traveling to the destination node. Only upon reaching the destination is the packet decrypted.
It's a safe way for data to travel among many different nodes without becoming compromised.
Though the data is never in plaintext while traversing nodes, routing information is visible—potentially allowing for inferences to be made about the nature of the data. So, the source and destination IP addresses, for example, are in plaintext and visible to anyone, and thus end-to-end encryption does not offer anonymity. This method is particularly useful in the context of virtual private networks (VPNs).
Link Encryption
Link encryption means the packet header and data are encrypted between each node. Encrypting the packet header hides the routing information of packets traversing a network. However, unlike with end-to-end encryption, the header and data are decrypted at each node, so header information and plaintext content are also available at each node. As a result, every node becomes a potential attack or disclosure point.
Link encryption is performed by service providers, such as a data communications provider. It encrypts all the data along a communications path (e.g., a satellite link, telephone circuit, T3 line).
Onion Network
Compared to end-to-end and link encryption, an onion network describes a very effective method of protecting data in transit, as it essentially provides complete confidentiality and anonymity using multiple layers of encryption. Like the layers of an onion, multiple layers of encryption are wrapped around the data at the first node. As the encrypted data traverses each node, the outermost layer of encryption is removed, which reveals the address of the next node.
By providing confidentiality of data as well as anonymity, an onion network makes it very difficult to determine the sender and receiver while data is in transit. A perfect example is The Onion Router (Tor). The big downside is performance: peeling a layer at every node slows transmission, and each node needs enough processing capacity to perform its decryption efficiently.
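The layered wrapping described above, as an added Python example that is not from the original article: the sender wraps a message in one encryption layer per relay, and each relay strips only its own layer, learning just the previous and next hop, never the payload or the full path (contrast end-to-end encryption, where the source and destination addresses travel in plaintext). The relay names, their keys, and the HMAC-based toy stream cipher are constructed for illustration only; a real onion router negotiates per-hop keys and uses AES.

```python
import hashlib
import hmac
import json
import os

# Constructed relay keys for this example only (real circuits negotiate per-hop keys).
RELAYS = {n: hashlib.sha256(n.encode()).digest() for n in ("relay1", "relay2", "relay3")}

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 keystream, stdlib only) standing in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def wrap_onion(message: bytes, route: list, relays: dict, destination: str) -> bytes:
    """Wrap one layer per relay, exit layer first: relay i can strip only its own
    layer, and that layer names only hop i+1."""
    hops = route + [destination]
    inner = message
    for i in range(len(route) - 1, -1, -1):
        layer = json.dumps({"next": hops[i + 1], "inner": inner.hex()}).encode()
        nonce = os.urandom(16)
        inner = nonce + keystream_xor(relays[route[i]], nonce, layer)
    return inner

def peel_layer(key: bytes, blob: bytes):
    """Relay step: strip the outermost layer and read the next-hop address."""
    nonce, ciphertext = blob[:16], blob[16:]
    layer = json.loads(keystream_xor(key, nonce, ciphertext))
    return layer["next"], bytes.fromhex(layer["inner"])

def route_through(onion: bytes, route: list, relays: dict):
    """Forward along the circuit; return each relay's view and the delivered plaintext."""
    trace, blob, prev = [], onion, "sender"
    for name in route:
        nxt, blob = peel_layer(relays[name], blob)
        trace.append((name, prev, nxt))  # the only routing facts this relay learns
        prev = name
    return trace, blob

def can_peel(key: bytes, blob: bytes) -> bool:
    """True only for the key of the relay that owns the outermost layer."""
    try:
        peel_layer(key, blob)
        return True
    except ValueError:  # wrong key: garbage bytes, not valid JSON
        return False
```

Note that the first relay sees "sender" as its previous hop and the last relay sees the destination, but no single relay sees both, which is the anonymity property the article describes.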
Protecting Data in Use
Data in use refers to data that is being used in computational activities. This state of data presents unique security challenges, as it requires protection during active processing. Here are the key methods for protecting data in use:
- Homomorphic Encryption
- Role-Based Access Control (RBAC)
- Digital Rights Protection (DRP) and Data Loss Prevention (DLP)
These protection methods work together to ensure data security during computational activities while maintaining functionality and access for authorized users.
FAQs
Data should first be encrypted locally and then migrated to the cloud. This approach best ensures the security and confidentiality of the information being migrated.
Security controls that protect data may be completely different depending on which state the data is in. For example, HTTPS encryption works well for data in transit between a client and server, but won't be relevant for data in use. Each state requires specific protection methods designed for its unique vulnerabilities.
In end-to-end encryption, data remains encrypted throughout its journey, though routing information stays visible. Link encryption encrypts both data and routing information between nodes, but requires decryption at each node. While link encryption hides routing information, every node becomes a potential attack point since data must be decrypted for routing.
Strengthen Your Data Protection Strategy
Data protection across different states demands a comprehensive understanding of various security controls and their appropriate application. From encryption standards to access controls, each method serves a specific purpose in safeguarding your organization's information assets.
Understanding how data exists in different states—at rest, in transit, and in use—provides a solid foundation for implementing effective security controls. The right protection strategy ensures your data remains secure throughout its lifecycle.
Ready to deepen your expertise in data protection? Our CISSP MasterClass at Destination Certification offers expert guidance on mastering these crucial security concepts. Join us and build the skills you need to protect data across all states effectively.
John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.