Compare and contrast concepts and strategies to protect data
Data is what attackers are ultimately after. This objective covers how to classify it, protect it in every state, and ensure it’s properly handled throughout its lifecycle.
Data States
Data at Rest
Stored data — databases, file systems, backups, archives.
- Protection: Full-disk encryption (BitLocker, LUKS, FileVault), database encryption (TDE), file-level encryption
- Key management: Encryption is only as strong as key protection. Keys stored separately from encrypted data.
Data in Transit
Data moving across networks — between client and server, between services, between sites.
- Protection: TLS 1.3 for web traffic, IPSec for VPN, SSH for admin access, SFTP for file transfer
- Risk: Man-in-the-middle interception, protocol downgrade attacks, unencrypted protocols (HTTP, FTP, Telnet)
Data in Use
Data being actively processed in memory/CPU.
- Hardest state to protect — data must be decrypted to be processed
- Emerging solutions: Hardware enclaves (Intel SGX, AMD SEV), homomorphic encryption (still largely theoretical for production use)
- Practical protection: Access controls on the system processing data, memory protection features (ASLR, DEP)
Data Classification
Levels (from least to most sensitive)
- Public: No impact if disclosed. Marketing materials, published reports.
- Internal/Private: Not for public consumption but limited impact if exposed. Internal memos, org charts.
- Confidential: Significant impact if disclosed. Financial data, customer PII, trade secrets.
- Restricted/Critical: Severe impact. Regulated data (PHI, credit cards), classified information, encryption keys.
Why it Matters
Classification drives every other data protection decision — encryption requirements, access controls, retention policies, disposal methods. You can’t protect data appropriately if you don’t know how sensitive it is.
Data Protection Methods
Encryption
Rendering data unreadable without the key. Covered in depth in objective 1.4.
Tokenization
Replacing sensitive data with non-sensitive tokens that map back to the original through a secure token vault.
- Credit card numbers → random tokens. The token has no mathematical relationship to the original.
- Key difference from encryption: Tokenized data can’t be reversed without the token vault. There’s no “key” to steal.
- Common in payment processing (PCI-DSS compliance)
Masking
Obscuring portions of data while keeping the format.
- Example: `***-**-1234` for SSN, `****-****-****-5678` for credit card
- Used for display purposes — allows limited verification without full exposure
- Static masking: Permanent replacement in non-production environments (test data)
- Dynamic masking: Real-time masking based on user role/permissions
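As an added example (not part of the original notes), a tokenization vault next to static and dynamic masking: the token is random with only the last four digits preserved, detokenization works solely through the vault, and how much a masked value reveals depends on the caller's role. The card and SSN values, the role names and the `ROLE_VISIBLE` policy are constructed for the example.

```python
import secrets

class TokenVault:
    """Maps random, format-preserving tokens back to the original card number.
    Constructed example: an in-memory dict stands in for the separately secured vault."""
    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace("-", "").replace(" ", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a card number")
        if digits in self._pan_to_token:          # same PAN always yields the same token
            return self._pan_to_token[digits]
        while True:
            # Random body: no mathematical relationship to the PAN. The last four digits
            # are preserved so receipts can still say "ending in 5678".
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        # Without the vault there is nothing to reverse: no key, no algorithm.
        return self._token_to_pan[token]

def mask(value: str, visible: int = 4) -> str:
    """Static masking: keep separators and length, reveal only the last `visible` digits."""
    total = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - visible else "*")
        else:
            out.append(c)
    return "".join(out)

ROLE_VISIBLE = {"support": 4, "fraud_analyst": 8}   # assumed role policy for the example

def dynamic_mask(value: str, role: str) -> str:
    """Dynamic masking: the same stored value is revealed differently per role."""
    if role == "auditor":
        return value
    return mask(value, ROLE_VISIBLE.get(role, 0))
```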
Hashing
One-way transformation for integrity verification. Not encryption — cannot be reversed.
- Used for password storage (with salt), file integrity verification, digital signatures
Obfuscation
Making data harder to understand without a formal encryption process.
- Steganography (hiding data in images/audio)
- Data scrambling in non-production environments
- Not a security control on its own — security through obscurity is not security
Segmentation
Isolating sensitive data in separate network segments, databases, or environments.
- PCI cardholder data in a dedicated, segmented environment
- Limits blast radius if one segment is compromised
Data Loss Prevention (DLP)
Systems that detect and prevent unauthorized data exfiltration.
Deployment Points
- Endpoint DLP: Monitors data on user devices (USB copies, clipboard, print, uploads)
- Network DLP: Monitors data in transit across the network (email attachments, web uploads, file transfers)
- Cloud DLP: Monitors data in cloud storage and SaaS applications
Detection Methods
- Content inspection: Pattern matching for sensitive data (SSN regex, credit card numbers, keywords)
- Context-based: Who’s sending, where, when, how much data
- Label-based: Enforcing policies based on data classification labels
Actions
- Alert, block, quarantine, encrypt, or log depending on policy and severity
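An added example, not from the original notes, of the three detection methods combined into one policy decision: regex content inspection with a Luhn check on card numbers, context (channel and destination), and the classification label, run over constructed sample events. The users, channel names, destinations and the `ALLOWED_DESTS` allow-list are assumptions.

```python
import re

# Constructed sample events (no real data) with the context a DLP sensor sees.
SAMPLE_EVENTS = [
    {"user": "alice", "channel": "email", "dest": "partner.example",
     "label": "Internal", "body": "Q3 headcount: 42. Org chart attached."},
    {"user": "bob", "channel": "web_upload", "dest": "pastebin.example",
     "label": "Confidential", "body": "Customer SSN 123-45-6789 for the refund case"},
    {"user": "carol", "channel": "email", "dest": "bank.example",
     "label": "Restricted", "body": "Card 4111 1111 1111 1111 exp 12/27"},
    {"user": "dave", "channel": "usb", "dest": "removable",
     "label": "Restricted", "body": "Backup of the HSM key wrapping material"},
]

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(number: str) -> bool:
    """Luhn check: a regex alone flags any 16-digit run; the checksum cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def inspect_content(body: str) -> list:
    """Content inspection: pattern matching for SSNs and Luhn-valid card numbers."""
    hits = ["SSN"] if SSN_RE.search(body) else []
    hits += ["PAN" for m in CARD_RE.finditer(body) if luhn_ok(m.group())]
    return hits

EXTERNAL_CHANNELS = {"email", "web_upload", "usb"}
ALLOWED_DESTS = {"bank.example"}   # assumed allow-list of sanctioned destinations

def decide(event: dict) -> tuple:
    """Combine content hits, context (channel/destination) and label into one action."""
    hits = inspect_content(event["body"])
    external = event["channel"] in EXTERNAL_CHANNELS and event["dest"] not in ALLOWED_DESTS
    if event["label"] == "Restricted" and external:
        return "block", hits            # label-based: Restricted never leaves unsanctioned
    if hits and external:
        return "quarantine", hits       # content + context: hold for review
    if hits or event["label"] == "Confidential":
        return "alert", hits
    return "log", hits

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["user"], e["channel"], *decide(e))
```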
Data Protection Method Decision Logic
CompTIA asks “which method BEST protects data in this scenario?” Use this framework:
| If the scenario says… | Choose… | Because… |
|---|---|---|
| "Protect stored data from unauthorized access" | Encryption | Reversible protection with authorized key access |
| "Process credit card payments without storing card numbers" | Tokenization | Replaces sensitive data, no mathematical relationship to original |
| "Display partial SSN for verification" | Masking | Shows enough to verify, hides enough to protect |
| "Verify file hasn't been tampered with" | Hashing | Integrity check — any change produces different hash |
| "Store passwords securely" | Hashing (salted + stretched) | One-way, can't be reversed even by the system |
| "Protect test/dev data from exposure" | Masking (static) | Permanent replacement — realistic format, no real data |
| "Hide data within an image" | Steganography | Concealment, not encryption — different purpose |
| "Destroy data on encrypted drives quickly" | Crypto-shredding | Delete the key, data is irrecoverable |
Protection Method Comparison
| Method | Reversible? | Preserves Format? | Use Case | Key Required? |
|---|---|---|---|---|
| Encryption | Yes (with key) | No (ciphertext) | Data at rest, in transit | Yes |
| Tokenization | Yes (with vault) | Yes (token same format) | Payment processing, PCI scope reduction | No (vault lookup) |
| Masking | No (irreversible) | Yes | Display, test data | No |
| Hashing | No (one-way) | No (fixed-length digest) | Passwords, integrity | No |
| Obfuscation | Varies | Varies | Code protection, non-production | Varies |
Rights Management
Digital Rights Management (DRM)
Controls what users can do with content — prevent copying, printing, forwarding, screen capture.
- Applied to documents, media, email
- IRM (Information Rights Management): Enterprise-focused DRM for documents and email (Azure Information Protection, etc.)
Access Controls
- Who can read, write, modify, delete, share
- Tied to data classification — higher classification = tighter controls
Data Lifecycle
Creation/Collection
- Classify data at the point of creation
- Apply appropriate controls from the start
Storage
- Encrypt at rest, enforce access controls
- Geographic considerations — data sovereignty laws may require storage in specific jurisdictions
Usage
- Monitor access, enforce least privilege, log activity
- DLP prevents unauthorized use
Sharing/Distribution
- Encrypt in transit, enforce rights management
- Verify recipient authorization before sharing
Retention
- Keep data only as long as required by business need or regulation
- Defined retention policies by data classification
- Legal hold: Preserve data that may be relevant to litigation — overrides normal retention/deletion
Disposal/Destruction
- Crypto-shredding: Destroy the encryption key, making data unrecoverable. Fastest method for encrypted data.
- Secure wipe: Overwriting data with random patterns. For unencrypted media.
- Physical destruction: Degaussing (magnetic media), shredding, incineration. Required for highest classification levels.
- Certificate of destruction: Documentation proving data was properly destroyed. Required for compliance audits.
Offensive Context
Data protection strategies look different when you think about them from the exfiltration side. An attacker who can’t read encrypted data at rest will target data in use (memory scraping, process injection). DLP that only monitors network traffic misses USB exfiltration. Tokenization that stores the vault on the same network as the tokens defeats the purpose. The strength of your data protection is measured by how hard it makes the attacker’s job at every stage — access, copy, exfiltrate, and use.