This Is How I Explain Data States to a Beginner: Why Encrypting Your Files Is Not Enough to Keep Them Safe
While people compete over who knows the best encryption algorithm, real cybersecurity professionals need to see the whole picture. This is everything you need to know about Data Security.
Warning: CC, CISSP - Domain 2, and Security+ essential topic
Data is often the most valuable possession we have. Businesses have their trade secrets, and families have their photos from that vacation that everyone enjoyed.
You can buy a new computer or a new phone, but you won’t buy those pictures again.
In other words, it doesn’t matter who you are, we all have data that we don’t want to lose because it has value for us, financial or emotional - it is an asset for us.
And modern cybersecurity is dedicated to protecting assets.
What can you expect from this article?
In this post, I will:
Explain the three states of data and what each one actually means
Show you what attackers target in each state
Give you the right controls for each state
Show you why a layered approach is the only one that actually works
But before we move any further, I would like to provide you with more resources on Data Security.
Knowing how to protect data means nothing if you do not know what data you actually have.
Before security controls come data classification (knowing what is sensitive and what is not) and the data lifecycle (understanding how data moves through your organization from creation to destruction).
If you have not read those yet, start there:
This article picks up where those leave off. Now that you know what data you have and where it lives, let’s talk about how to protect it at every stage of its existence.
The Three States of Data
Lesson to remember: Protecting data at only one state is like putting your cash in a safe, then carrying the safe through a bad neighborhood with the combination written on the side.
There are three states that data can be in. In the following section, I will describe each state and tell you the typical security controls associated with it.
Data at Rest
Data at rest is data that is stored and not currently being processed or moved.
Meaning? That is all the data you have saved on your hard drive, your documents in cloud storage, or your backups on tape.
This is the state most people think about first, and for good reason. It is the easiest to picture. Data sitting still, waiting to be used.
What attackers target here: Physical theft of devices, unauthorized access to storage systems, misconfigured cloud buckets, or weak access controls.
How to protect it:
Full-disk encryption (FDE) using AES
Database encryption for sensitive records
File-level encryption for individual documents
Tokenization for sensitive data fields (credit card numbers, SSNs)
Access controls that limit who can reach the data in the first place
Data Loss Prevention (DLP) tools
The goal is simple: even if someone gets physical or logical access to the storage, they cannot read the data without the key.
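The tokenization control from the list above, as an added example that is not part of the original article: a minimal token vault in Python. The class name, the `payments` role, and the sample table are hypothetical, and the card number is a well-known test value.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Token-to-value mapping, kept in a separate, tightly controlled store."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the lookup index
        self._by_token = {}        # token -> real value
        self._by_fingerprint = {}  # HMAC(value) -> token, so repeats reuse a token

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a random token with the same length and last four digits."""
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the role that must see real values may reverse a token."""
        if role != "payments":  # hypothetical role name
            raise PermissionError("role may not detokenize")
        return self._by_token[token]


# Constructed sample data: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
vault = TokenVault()
orders_table = [{"order_id": 1001, "card": vault.tokenize(SAMPLE_PAN)}]


def table_exposes(pan: str) -> bool:
    """What a thief learns from a stolen copy of the application table."""
    return any(row["card"] == pan for row in orders_table)
```

The application table holds only tokens, so the vault becomes the one store that needs the strongest encryption and access controls.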
However, sooner or later, we will need to either use the data or move it somewhere else.
Data in Transit
Data in transit is data moving from one location to another, typically across a network.
It can be an email traveling across servers, a file being downloaded from a website, or an API call carrying user records.
The sky is the limit. If you’re moving data from one place to another - this is it!
This is where people get caught off guard.
Note: Data that is encrypted on YOUR system has to be decrypted before you send it to someone else, because you should be the only one who holds the keys to it.
The moment data leaves one system and heads to another, it is exposed to the network. Without the right controls, anyone with access to that network path can intercept it.
What attackers target here: Man-in-the-middle attacks, packet sniffing on unsecured networks, DNS hijacking, rogue Wi-Fi access points.
How to protect it:
TLS/SSL for web traffic (HTTPS)
IPsec for network-level encryption
SSH for secure remote access and file transfer
SFTP instead of plain FTP
Firewalls and intrusion detection systems (IDS) at the network layer
The goal: Ensure confidentiality and integrity while the data is moving. No one in the middle should be able to read or tamper with it.
Data in Use
Data in use is data being actively processed, accessed, or manipulated by a system or application.
It can be anything from data entered into a web form to a file open in a word processor, to calculations running in a spreadsheet, to a query result loaded into an application.
This is the most overlooked state. And it is the hardest to protect.
For data to be processed, it usually has to be decrypted first. That means it exists in a readable state in memory. If an attacker gets access to that memory, the encryption you applied at rest means nothing.
What attackers target here: memory scraping (used in many point-of-sale breaches), process injection, screen-capture malware, and insider threats with legitimate application access.
How to protect it:
Memory encryption
Secure enclaves, also called Trusted Execution Environments (TEEs): isolated areas of a processor where sensitive data can be processed without being exposed to the rest of the system
User access controls that limit what each person can do within an application
Application security controls and secure coding practices
Data classification so the system knows how to handle sensitive data differently
Endpoint Detection and Response (EDR) tools
The goal: minimize the window during which data is exposed and detect any attempt to access it during that window.
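An added example, not from the original article, of keeping that window small: the record is decrypted into a mutable buffer, processed there, and overwritten as soon as processing ends. The SHAKE-256 keystream is a toy stand-in for a real cipher such as AES, and the key, card number, and function names are constructed for illustration.

```python
import hashlib
from contextlib import contextmanager


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream from SHAKE-256; a stand-in for a real cipher such as AES."""
    return hashlib.shake_256(key).digest(n)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


@contextmanager
def plaintext_window(key: bytes, ciphertext: bytes):
    """Decrypt into a mutable buffer and overwrite it when the block exits."""
    buf = bytearray(ciphertext)
    for i, k in enumerate(keystream(key, len(buf))):
        buf[i] ^= k              # decrypt in place, no immutable plaintext copy
    try:
        yield buf
    finally:
        for i in range(len(buf)):
            buf[i] = 0           # plaintext is gone as soon as processing ends


def luhn_valid(digits: bytearray) -> bool:
    """Luhn checksum computed byte by byte, without building a str of the PAN."""
    total = 0
    for pos, b in enumerate(reversed(digits)):
        d = b - ord("0")
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def process_card(key: bytes, stored: bytes):
    """Only the verdict and the last four digits leave the window."""
    with plaintext_window(key, stored) as pan:
        verdict, last4 = luhn_valid(pan), bytes(pan[-4:]).decode()
    return verdict, last4, pan   # pan is returned only to show it was wiped


# Constructed sample: a well-known test card number and a throwaway key.
KEY = b"constructed-demo-key"
STORED = toy_encrypt(KEY, b"4111111111111111")
```

In Python this is best effort, because the key and keystream still sit in process memory while the code runs; that remaining exposure is what memory encryption and secure enclaves address.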
Why This Matters Beyond Any Exam
Security controls chosen without context are just expensive guesses.
Understanding data states gives you a framework for asking the right question: Where is this data right now, and what is threatening it in that state?
That question changes how you design systems, evaluate vendors, write security policies, and respond to incidents.
It also changes how you communicate risk to non-technical stakeholders. Telling a business leader “we encrypted the database” sounds like a great idea, but as you now know, it is only a third of the whole.
Telling them “we encrypted the database, secured transmission with TLS, and deployed endpoint protection to cover data in use” tells a much more accurate story.
Key Takeaways
Data exists in three states: at rest, in transit, and in use
Each state has a different threat profile and requires different controls
Encrypting storage only protects one state
A layered, state-aware approach is the only way to cover all three
For CISSP and Security+: Always identify the data state before selecting a control
Note: This is what you need to remember for the CC, CISSP and Security+ exams!
Conclusion
While this isn’t the most complex topic that you’ll ever see, I find it absolutely crucial for data security.
In a world where everyone uses buzzwords and competes over who knows the “best” encryption algorithm, we need people who see the whole picture.
People who know that the weakest link in the chain determines how well the data is protected.
And there is one more thing. Reading about something is one thing, but actually understanding it and making the right decisions is completely another.
Thank you for reading Decoded Security!
Best,
Erich