Data States: How to Secure Data In Use, In Transit, and At Rest

  • Updated on: February 3, 2025


    Protecting sensitive information requires understanding how data exists and moves through an organization's ecosystem. Every piece of data your organization handles exists in one of three states, and each state needs its own security approach.

    Smart cybersecurity professionals know that applying the right protection methods for each data state is crucial for maintaining effective security. For CISSP candidates, mastering these concepts isn't just about passing the exam—it's about building a foundation for robust data protection strategies.

    Ready to explore how to protect your organization's data, no matter what state it's in?

    Understanding Data States

    Data protection isn't one-size-fits-all. Each state of data requires unique security approaches because the threats and vulnerabilities differ significantly. Think of data states like the different phases of water—just as water needs different containment methods when it's frozen, liquid, or steam, data needs different protection methods in each state.

    Here's what you need to know about the three states of data:

    Data at Rest

    • This is your stored data, sitting inactive in storage devices.
    • Examples: Files on hard drives, records in databases, emails in your inbox
    • Primary concern: Preventing unauthorized access and ensuring data availability

    Data in Transit

    • Data moving across any network, internal or external.
    • Examples: Sending emails, browsing websites, transferring files
    • Primary concern: Protecting data from interception and manipulation

    Data in Use

    • Active data being processed, read, or modified.
    • Examples: Data in RAM, CPU cache, or currently open files
    • Primary concern: Protecting data during active processing and computation

    Understanding these states is crucial because security controls that work perfectly for one state might be completely ineffective for another. For example, the encryption that protects your data during network transfer won't help when that same data is being processed in memory.

    Protecting Data at Rest

    Data at rest refers to data that is stored somewhere, such as files on a hard drive or records in a database. The security community recognizes three core methods to protect data at rest:

    Encryption

    • Primary method for protecting confidentiality
    • Particularly crucial for cloud migration
    • Encrypt data locally before migrating to cloud environments

    Access Control

    • Controls who can view, modify, or delete stored data
    • Implements the principle of least privilege
    • Essential for maintaining data integrity

    Backup and Restoration

    • Ensures data availability
    • Protects against data loss scenarios
    • Critical for business continuity

    Additionally, as organizations increasingly migrate to cloud services, data should first be encrypted locally and then migrated. This approach best ensures the security and confidentiality of the information being migrated.


    Protecting Data in Transit

    Data in transit, also sometimes referred to as data in motion, refers to data that is moving across networks, like an organization's internal network or the internet. Like data at rest, methods used to protect data in motion include access controls, encryption, and redundancy. However, with regard specifically to encryption, three primary options exist:

    End-to-End Encryption

    End-to-end encryption means the data portion of a packet is encrypted immediately upon transmission from the source node, and the data remains encrypted through every node—every switch, router, firewall—through which it passes while traveling to the destination node. Only upon reaching the destination is the packet decrypted.

    It's a safe way for data to travel among many different nodes without becoming compromised.

    Though the data is never in plaintext while traversing nodes, routing information is visible—potentially allowing for inferences to be made about the nature of the data. So, the source and destination IP addresses, for example, are in plaintext and visible to anyone, and thus end-to-end encryption does not offer anonymity. This method is particularly useful in the context of virtual private networks (VPNs).

    Link Encryption

    Link encryption means the packet header and data are encrypted between each node. Encrypting the packet header hides the routing information of packets traversing a network. However, unlike with end-to-end encryption, the header and data are decrypted at each node, so header information and plaintext content are also available at each node. As a result, every node becomes a potential attack or disclosure point.

    Link encryption is performed by service providers, such as a data communications provider. It encrypts all the data along a communications path (e.g., a satellite link, telephone circuit, T3 line).

    Onion Network

    Compared to end-to-end and link encryption, an onion network is a very effective method of protecting data in transit, as it essentially provides complete confidentiality and anonymity using multiple layers of encryption. Like the layers of an onion, multiple layers of encryption are wrapped around the data at the first node. As the encrypted data traverses each node, the outermost layer of encryption is removed, which reveals only the address of the next node.

    By providing confidentiality of data as well as anonymity, an onion network makes it very difficult to determine the sender and receiver while data is in transit. A perfect example is The Onion Router (Tor). The big downside is performance: transmission is slower, and each node needs enough processing capacity to strip its layer of encryption efficiently.
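    The layering described above, as an added Go example that is not code from the original article or from Destination Certification: the sender wraps the message once per relay with a key it shares with that relay alone (the key exchange is assumed to have already happened), and each relay peels one layer and learns only the next hop, which is also the contrast drawn earlier with end-to-end and link encryption, where either the payload or the routing information is exposed at nodes. The relay names, the keys and the Layer format are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
)

// Layer is all a relay learns after peeling its own layer: the next hop and an inner blob it cannot read.
type Layer struct {
	Next  string `json:"next"`
	Inner []byte `json:"inner"`
}

func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // demo assumes a 32-byte key; other lengths panic in NewGCM
	g, _ := cipher.NewGCM(block)
	return g
}

// Wrap builds the onion at the sender, innermost layer first: keys[i] is shared
// with relay names[i] alone, so each layer names only the following relay.
func Wrap(names []string, keys [][]byte, msg []byte) []byte {
	blob := msg
	for i := len(keys) - 1; i >= 0; i-- {
		next := "deliver" // the last relay hands the message to the destination
		if i+1 < len(names) {
			next = names[i+1]
		}
		plain, _ := json.Marshal(Layer{Next: next, Inner: blob})
		g := aead(keys[i])
		nonce := make([]byte, g.NonceSize())
		rand.Read(nonce) // fresh nonce per layer, prepended for the relay
		blob = append(nonce, g.Seal(nil, nonce, plain, nil)...)
	}
	return blob
}

// Peel is what one relay does: strip exactly one layer with its own key. With
// another relay's key, GCM authentication fails and nothing is revealed.
func Peel(key, blob []byte) (Layer, error) {
	g := aead(key)
	plain, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
	if err != nil {
		return Layer{}, err
	}
	var l Layer
	return l, json.Unmarshal(plain, &l)
}
```

    Only the last relay ends up with Next equal to "deliver" and the plaintext in Inner; every earlier relay sees one address and an opaque blob.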


    Protecting Data in Use

    Data in use refers to data that is being used in computational activities. This state of data presents unique security challenges, as it requires protection during active processing. Here are the key methods for protecting data in use:

    Homomorphic Encryption

    • Allows calculations to be performed on data while it remains encrypted
    • Groundbreaking technology that doesn't require access to a secret key
    • Enables processing of encrypted information without decryption

    Role-Based Access Control (RBAC)

    • Controls access to specific data based on roles and work groups
    • Ensures only appropriate entities can access and process data
    • Implements principle of least privilege during data processing

    Digital Rights Protection (DRP) and Data Loss Prevention (DLP)

    • Limits specific actions users can take when accessing information
    • Provides additional layer of control during data processing
    • Helps prevent unauthorized data manipulation

    These protection methods work together to ensure data security during computational activities while maintaining functionality and access for authorized users.
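    To make the homomorphic encryption point concrete, here is an added Go example (not code from the article or from Destination Certification) that uses the multiplicative homomorphism of textbook RSA: a processing party holding only the public key multiplies two ciphertexts, and the data owner decrypts the result to obtain the product of the plaintexts. Unpadded RSA is assumed purely to expose the property; it is not a production homomorphic scheme, and the key size and the inputs 12 and 34 are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"math/big"
)

// Textbook (unpadded) RSA is used here only because its multiplicative
// homomorphism is easy to see. Padded RSA (OAEP) is designed to be
// non-malleable and so lacks this property; dedicated schemes such as
// Paillier (additive) or BFV/CKKS (fully homomorphic) are used in practice.

// NewKeys makes the data owner's key pair; only the owner ever holds priv.D.
func NewKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt computes m^e mod N with the public key (caller keeps m < N).
func Encrypt(pub *rsa.PublicKey, m *big.Int) *big.Int {
	return new(big.Int).Exp(m, big.NewInt(int64(pub.E)), pub.N)
}

// Decrypt computes c^d mod N; this is the only step that needs the secret key.
func Decrypt(priv *rsa.PrivateKey, c *big.Int) *big.Int {
	return new(big.Int).Exp(c, priv.D, priv.N)
}

// MultiplyEncrypted runs on the processing side with only the public modulus:
// (a^e)(b^e) = (ab)^e mod N, so it yields Enc(a*b) without ever seeing a or b.
func MultiplyEncrypted(pub *rsa.PublicKey, ca, cb *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(ca, cb), pub.N)
}

func main() {
	priv, err := NewKeys()
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey
	ca, cb := Encrypt(pub, big.NewInt(12)), Encrypt(pub, big.NewInt(34)) // constructed inputs
	fmt.Println(Decrypt(priv, MultiplyEncrypted(pub, ca, cb)))          // 408
}
```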

    FAQs

    What is the best way to protect data being migrated to the cloud?

    Data should first be encrypted locally and then migrated to the cloud. This approach best ensures the security and confidentiality of the information being migrated.

    Why can't we use the same protection method for all data states?

    Security controls that protect data may be completely different depending on which state the data is in. For example, HTTPS encryption works well for data in transit between a client and server, but won't be relevant for data in use. Each state requires specific protection methods designed for its unique vulnerabilities.

    What are the key differences between end-to-end encryption and link encryption?

    In end-to-end encryption, data remains encrypted throughout its journey, though routing information stays visible. Link encryption encrypts both data and routing information between nodes, but requires decryption at each node. While link encryption hides routing information, every node becomes a potential attack point since data must be decrypted for routing.

    Strengthen Your Data Protection Strategy

    Data protection across different states demands a comprehensive understanding of various security controls and their appropriate application. From encryption standards to access controls, each method serves a specific purpose in safeguarding your organization's information assets.

    Understanding how data exists in different states—at rest, in transit, and in use—provides a solid foundation for implementing effective security controls. The right protection strategy ensures your data remains secure throughout its lifecycle.

    Ready to deepen your expertise in data protection? Our CISSP MasterClass at Destination Certification offers expert guidance on mastering these crucial security concepts. Join us and build the skills you need to protect data across all states effectively.


    John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.

