What is CertGuide.ai?

CertGuide.ai is an AI-powered certification prep platform that helps you pass CompTIA exams like Security+, Network+, and A+. It maps all exam concepts, diagnoses your weak areas, and creates personalized study plans.

How does CertGuide compare to CertMaster?

CertGuide.ai offers AI-powered diagnostics that map your knowledge across all 183 Security+ concepts, personalized study plans, and an AI tutor. Unlike traditional prep tools, CertGuide shows you exactly which concepts need work and tracks your progress to exam readiness.

What is the pass rate for CertGuide users?

99% of CertGuide users who reach 95% concept mastery pass their certification exam on the first attempt.

How much does CertGuide cost?

CertGuide offers a free baseline assessment to diagnose your current knowledge. Full course access is $49 per certification exam.

Which CompTIA certifications does CertGuide support?

CertGuide currently supports CompTIA Security+ (SY0-701), with Network+ and A+ (Core 1 & Core 2) launching soon.

What are the three states of data?

Data at rest is stored data (databases, files, backups). Data in transit is moving data (network transfers, emails). Data in use is data being processed (in memory, CPU). Each state requires different protection methods and has unique vulnerabilities.

Why is data in use the hardest to protect?

Data in use must be decrypted to be processed, exposing it in memory. Traditional encryption can't help because the data needs to be in cleartext for computation. Emerging technologies like confidential computing and hardware enclaves are addressing this, but the space is less mature than at-rest and in-transit protection.

What is the difference between TLS and storage encryption?

TLS (Transport Layer Security) protects data in transit by encrypting network communications. Storage encryption (like BitLocker or database TDE) protects data at rest by encrypting stored data. Both are needed for comprehensive protection—TLS alone leaves stored data vulnerable, and storage encryption alone leaves network transfers exposed.

What is a cold boot attack?

A cold boot attack targets data in use by physically accessing a running or recently powered-off computer, cooling the RAM (which slows data decay), and extracting sensitive data like encryption keys from memory. It exploits the fact that RAM doesn't immediately lose data when power is removed.

Objective 3.3High10 min

Data States

Understanding the three states of data: at rest (stored), in transit (moving), and in use (being processed). Security considerations, vulnerabilities, and protection methods for each state.

Understanding Data States

Data exists in three states, each with unique security challenges and protection requirements. Comprehensive data protection requires securing data in ALL three states—a gap in any one creates vulnerability.

The three data states: • At rest — Stored data (databases, files, backups) • In transit — Moving data (network transfers, emails) • In use — Data being processed (in memory, CPU)

The 2019 Capital One breach exploited a misconfigured WAF to access S3 buckets containing data at rest. While the data was encrypted at rest, the attacker obtained credentials that could decrypt it—demonstrating that encryption alone isn't enough if access controls fail.

Each data state requires appropriate controls; neglecting any state creates attack opportunities.

Why This Matters for the Exam

Data states are heavily tested on SY0-701 because different states require different protections. Questions cover appropriate controls for each state and understanding vulnerabilities.

Understanding data states helps with encryption strategy, network security, and compliance requirements. Many regulations specifically require protection at rest and in transit.

The exam tests recognition of data states and appropriate protection methods.

Deep Dive

What Is Data at Rest?

Data at rest is stored data that isn't actively being transferred or processed.

Data at Rest Locations:

Location	Examples
Databases	SQL databases, NoSQL stores
File systems	Network shares, local drives
Backups	Tape, disk, cloud backups
Archives	Long-term storage
Removable media	USB drives, external drives
Cloud storage	S3, Azure Blob, Google Cloud

Data at Rest Threats:

Threat	Description
Physical theft	Device or media stolen
Unauthorized access	Improper permissions
Insider threat	Malicious employee
Backup exposure	Unencrypted backups
Decommissioning	Data on disposed devices

Data at Rest Protection:

Primary: Encryption
- Full disk encryption (FDE)
- File-level encryption
- Database encryption (TDE)
- Backup encryption

Supporting controls:
- Access controls
- Physical security
- Secure disposal
- Key management

What Is Data in Transit?

Data in transit (or in motion) is data being transferred between systems.

Data in Transit Scenarios:

Scenario	Example
Network transfer	File downloads, API calls
Email	Message transmission
Web browsing	HTTPS traffic
Remote access	VPN tunnels
Database queries	Client-server communication
Cloud sync	Data replication

Data in Transit Threats:

Threat	Description
Eavesdropping	Packet capture, sniffing
Man-in-the-middle	Intercepting and modifying
Session hijacking	Taking over connections
Replay attacks	Reusing captured data
DNS spoofing	Redirecting traffic

Data in Transit Protection:

Primary: Encryption
- TLS/SSL for web traffic
- IPSec for VPN tunnels
- SSH for remote access
- S/MIME or PGP for email

Supporting controls:
- Certificate validation
- Perfect forward secrecy
- Strong cipher suites
- Network segmentation

What Is Data in Use?

Data in use is actively being processed in memory or by the CPU.

Data in Use Scenarios:

Scenario	Description
Application processing	Data in application memory
Database queries	Data during query execution
Document editing	Open file in memory
Decryption	Data temporarily unencrypted
Analytics	Data being analyzed

Data in Use Threats:

Threat	Description
Memory scraping	Reading RAM for sensitive data
Cold boot attacks	Freezing RAM to preserve data
Side-channel attacks	Spectre, Meltdown exploits
Process injection	Injecting code into processes
Debug/dump access	Memory dump analysis

Data in Use Protection:

Emerging technologies:
- Confidential computing (encrypted memory)
- Hardware security modules (HSMs)
- Trusted execution environments (TEEs)
- Intel SGX enclaves

Traditional controls:
- Process isolation
- Memory protection
- Secure coding practices
- Endpoint protection

How Do the Three States Compare?

State Comparison:

Aspect	At Rest	In Transit	In Use
Location	Storage	Network	Memory/CPU
Main threat	Theft/access	Interception	Scraping
Primary control	Storage encryption	Transport encryption	Memory protection
Maturity	Well established	Well established	Emerging
Compliance focus	High	High	Growing

Protection Technology by State:

State	Technologies
At rest	AES, BitLocker, LUKS, TDE
In transit	TLS, IPSec, SSH, HTTPS
In use	SGX, SEV, TrustZone, HSM

What Are Common Protection Gaps?

Gap Analysis:

❌ Encrypt in transit, not at rest
   → Data vulnerable when stored

❌ Encrypt at rest, not in transit  
   → Data vulnerable during transfer

❌ Both encrypted, but not in use
   → Data vulnerable during processing

✓ All three states protected
   → Comprehensive data protection

Common Gaps:

Gap	Risk	Example
Unencrypted backups	Backup theft	Tapes stolen during transport
HTTP instead of HTTPS	Eavesdropping	Login credentials captured
Clear text in memory	Memory attacks	Credit cards scraped from RAM
TLS termination	Unencrypted internal	Data exposed after load balancer

How CompTIA Tests This

Example Analysis

Scenario: A company processes credit card payments. They encrypt the database (data at rest) and use TLS for customer connections (data in transit). During a security assessment, point-of-sale malware is discovered that captures card data from memory during transactions.

Analysis - Data State Vulnerability:

Protection Status:

State	Protected?	Method
At rest	✓ Yes	Database encryption
In transit	✓ Yes	TLS encryption
In use	❌ No	No memory protection

The Attack:

Customer swipes card
        ↓
Data encrypted in transit (TLS) ✓
        ↓
Data decrypted for processing ← VULNERABLE
        ↓
Malware scrapes memory → Data stolen
        ↓
Data encrypted at rest (never reached)

Why Traditional Encryption Didn't Help:

•TLS protects network transfer—data reaches server safely
•Database encryption protects stored data—but data never stored
•Processing requires decryption—data exposed in memory
•Malware captures data during processing window

Improved Protection:

Layer	Control
Endpoint security	Anti-malware, EDR
Memory protection	Point-to-point encryption
Application hardening	Secure coding, input validation
Process isolation	Sandboxing, segmentation
Hardware security	HSM for key operations

PCI-DSS Perspective:

PCI requires:
- Encryption in transit (TLS) ✓
- Encryption at rest (storage) ✓
- Point-to-point encryption (P2PE) for reduced scope
- Memory protection increasingly expected

Key insight: Protecting two states doesn't protect the third. RAM-scraping malware targets the data-in-use gap that exists in most environments. Comprehensive protection requires addressing all three states.

Key Terms

data statesdata at restdata in transitdata in useencryptionTLSstorage encryptiondata protection

Common Mistakes

Encrypting only one or two states—attackers target the unprotected state. All three states need protection.

Forgetting TLS termination exposure—data may be decrypted at load balancer and travel unencrypted internally.

Assuming encryption prevents all attacks—encryption protects against interception, not all threats. Access controls matter too.

Ignoring data in use—this is the hardest state to protect but increasingly targeted by sophisticated attackers.

Exam Tips

Data at rest = stored (database, files, backups). Protected by storage encryption like AES, BitLocker, TDE.

Data in transit = moving (network). Protected by transport encryption like TLS, IPSec, SSH.

Data in use = processing (memory, CPU). Hardest to protect. Emerging solutions: SGX, confidential computing.

If a question describes data being "captured during processing," it's a data-in-use attack.

TLS termination at load balancer means data may be unencrypted on internal network—watch for this scenario.

Cold boot attack targets data in use by preserving RAM contents.

Memory Trick

The Three States - "RIM" or "RUN":

•Rest = Sitting in storage (files, databases)
•In motion/transit = Moving through network
•Memory/in use = Being processed

•Alternative:
•Resting = At rest
•Under transfer = In transit
•Now processing = In use

Protection Technology Match: "Store with Storage encryption" (at rest) "Travel with TLS" (in transit) "Memory needs More work" (in use—emerging tech)

State Vulnerability: "Data is like water—it can leak from any container" - Storage container (at rest) - Pipe (in transit) - Cup while drinking (in use)

All three need to be secure!

Cold Boot Attack: "Cold boot = Capture RAM Of Live Data" Freezing RAM to preserve data in use

Common Gap: "Two out of three is still an F" Protecting only at rest + in transit leaves in use vulnerable

Test Your Knowledge

Q1.Point-of-sale malware captures credit card numbers while transactions are being processed. Which data state is being attacked?

Q2.Which encryption technology protects data in transit?

Q3.A company encrypts their database and uses HTTPS for all web traffic. What data state protection might they be missing?

Want more practice with instant AI feedback?

Continue Learning

Data Protection Methods Encryption Levels

Ready for the Exam?

See exactly where you stand on this concept and 182 others.

99% pass rate · Pass guarantee

Data Classification Data Sovereignty and Geolocation