States of data

Probably the most valuable thing you need to protect is data. You may own this data, or you may just be its custodian. It might be sensitive, such as PII and credentials, or just metadata you collected and organized. No matter its type and content, here is what you need to keep in mind when you think about its security.

Data is kind of like water. Water is essential for life just as data is critical to the business. On Earth, water is found in three different forms: ice (solid), water (liquid) and vapor (gas). The states of data in business are somewhat similar: stored (at rest), transmitted (in transit) and worked on (in processing). Just like water, data can freely change between these states, and each one requires different handling. After all, you would not put ice in an aqueduct or run a steam locomotive with liquid water.

Effectively working with data requires a good understanding of its states. Let’s take a look.

Data at rest

Data at rest is stored on some medium like a hard drive, an SSD or even a cloud storage service like Amazon S3. The key is that the data is passive: it is neither accessed nor written, and it is not moved through the network or between systems (not even copied). Due to its relatively small exposure, it is easier to add extra protection to data in this form. Additional security measures may include access control (physical and/or digital), compartmentalization and encryption.

Examples of data at rest security measures are hard drive encryption (AES-XTS) and access cards to server rooms.

Data in transit

Data in transit is moving between systems or through a network. Excellent examples of this are accessing a web page, i.e. downloading information from a remote location, or sending an email to someone. In this state, data is highly exposed to intermediate parties (like Mail Transfer Agents). As a direct result of such risk, cryptography was invented to protect data in transit. Correctly used encryption provides confidentiality and integrity and may add other useful security properties.

Instances of data in transit safeguards include SSL/TLS, PGP and DNSSEC.

Data in processing

Information in this state is actively worked on; it’s read, written or modified in some way. The application processing the data is responsible for its security. Usually, this means data has to be decrypted and treated as plain text, which lowers its security properties and makes it very vulnerable. Homomorphic encryption is a highly active research field promising operations on encrypted data without decryption. Something worth keeping an eye on!

Cryptographic side-channel attacks rely on the insecurity of data during processing. They clearly illustrate the following point: data in processing is the hardest to protect. Therefore, this is where you as a developer will spend most of your efforts. Terms such as authentication, authorization and sanitization play a key role here.

Using strong authentication, authorization, sanitization, and data encoding are good examples of data in processing protections.


When working with data, it is essential to know which state it will be in. Next time you architect a service or application component, take a minute to think about its data security strategy.

Remember, data is like water. It has three states requiring different techniques to ensure their security. Make sure to always pick the right tool for the job.

You do not want to be the one suggesting TLS to store data securely or explaining why you chose AES-CBC for log file integrity protection…
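
What the right tool for the log file case can look like, as an added example that is not part of the original article: an HMAC-SHA256 chain over log lines, which detects modified, removed, reordered and (given a separately stored last tag) truncated entries, a property that AES-CBC encryption on its own does not provide. The key, the chain start value, the sample lines and the function names are all constructed for this sketch.

```python
import hashlib
import hmac

# Constructed key for this example; a real key belongs in a secret store,
# not on the host whose logs it protects.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
GENESIS = b"\x00" * 32  # fixed chain start value (assumption of this example)

# Constructed sample log lines.
SAMPLE = [
    "2024-01-01T10:00:00Z login ok user=alice",
    "2024-01-01T10:00:05Z login failed user=root",
    "2024-01-01T10:00:09Z sudo user=alice cmd=/bin/ls",
]


def _tag(key, prev, line):
    # prev is always 32 bytes, so prev + line cannot be split ambiguously.
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def seal(lines, key=KEY):
    """Return [(line, tag_hex)]; each tag covers the line and the previous tag."""
    prev, sealed = GENESIS, []
    for line in lines:
        prev = _tag(key, prev, line)
        sealed.append((line, prev.hex()))
    return sealed


def verify(sealed, key=KEY, head=None):
    """Return the index of the first bad entry, len(sealed) if the chain ends
    on a tag other than the separately stored `head`, or None if all is well."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = _tag(key, prev, line)
        try:
            stored = bytes.fromhex(tag_hex)
        except ValueError:
            return i  # tag is not even valid hex
        if not hmac.compare_digest(expected, stored):
            return i
        prev = expected
    if head is not None and not hmac.compare_digest(prev.hex(), head):
        return len(sealed)  # entries were cut off the end
    return None


if __name__ == "__main__":
    log = seal(SAMPLE)
    print("intact:", verify(log, head=log[-1][1]))
    print("truncated:", verify(log[:2], head=log[-1][1]))
```

The chain alone cannot notice entries cut off the end, which is why `head` (the latest tag) has to be kept somewhere the log writer cannot rewrite.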