What are the Three States of Data and How to Protect Them?


Most organizations know that they need to protect their data, but data exists in three different states. Each state requires its own cybersecurity strategy and approach to properly protect your data. Before you implement a cybersecurity strategy on your data, the first step is to identify the type of data and where the information is stored, transferred, and processed.

State 1: Data at Rest
Data “at rest” is any information stored and not being processed or transferred. For example, when you save data in a database and it’s not being used, this data is considered at rest. When a user saves a file to a network or cloud drive, the file is considered data at rest. Stored data usually doesn’t stay at rest forever; at some point in time, a user might send a file to a customer or pull data from a database to retrieve information about a customer. When this happens, the data is no longer at rest and changes states.

Most data at rest has a logical structure so that it can be more easily audited and tracked. Any data that isn’t accounted for could be vulnerable to cyber-attacks, and administrators would be unaware of the issues. It’s important to first audit your data, find out where it’s stored, and prioritize it. Sensitive data such as financial information or customer personal data should take priority over simple data that would not impact revenue and privacy if it were stolen.

Encryption is used to protect data at rest. It’s especially necessary on portable devices and laptops. Should a user lose a device, or should someone steal it, the thief would be unable to read or access the data. If the data is stolen, encryption protects it from brute-force dictionary attacks. Other cybersecurity infrastructure is also necessary to protect data at rest. For example, authentication controls block unauthorized access, firewalls block internet traffic from accessing internal files, and backups protect against permanent data loss after corruption.

State 2: Data in Transit

Data traversing the network, including the internet, is considered in transit. This state is vulnerable to eavesdropping and man-in-the-middle (MitM) attacks. When you send an email over the internet to a recipient, the data in the message is considered to be in transit. When a web application requests data from a database server, the data must travel to the user requesting it. This data is also considered to be in transit. Any transfer from the storage location to the user requesting the data is considered in transit.

When you audit your data, you must find not only where it’s stored but also where it’s being used. By auditing where data is used, you can determine the cybersecurity controls that you need. Encryption is used for data in transit in addition to data at rest. For example, when you install an SSL/TLS certificate on your website, you encrypt data while it is in transit and protect it from man-in-the-middle attacks. Firewalls can block outgoing data, which protects it from being exfiltrated by malware.
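TLS only defeats man-in-the-middle attacks when the client also verifies the server's certificate and hostname. The following added example (not from the original article; the function names are hypothetical) uses Python's standard `ssl` module to audit a client configuration, with a weak context beside a hardened one.

```python
import ssl

def hardened_client_context() -> ssl.SSLContext:
    """Client context that authenticates the server before sending data."""
    ctx = ssl.create_default_context()            # system CAs, peer verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx

def weak_client_context() -> ssl.SSLContext:
    """Encrypts traffic but accepts any certificate (shown only for contrast)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # no proof of who is on the other end
    return ctx

def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that leave data in transit open to interception."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings

if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_tls_context(ctx) or "ok")
```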

State 3: Data in Use

When data arrives at its destination, it’s then processed. Processing is usually when data is loaded into memory or calculated by the device CPU. You could also consider data in process when it’s being collated and queried on a database, which is common for web applications. Data in this state must also be protected from attacks.

Most applications don’t have ways to protect data during this state, but it’s possible to encrypt data in memory. Only the most high-value systems encrypt data in memory, because it affects performance and requires additional CPU resources. Your web application might not need to encrypt data in process, but a highly secured government application would need extensive cybersecurity protections and might encrypt data while it’s processed in memory.

Auditing Data in All States

Now that you know all data states, you need to audit your data to get started on protecting it. Protecting data in all its states requires the right cybersecurity infrastructure, so after an audit you need to create a plan. This plan will often depend on the data you find in your audit and who needs the data. Remember that data access should only be given to users who absolutely need to use it for daily business operations.

The best way to audit data is to get stakeholders involved. Stakeholders include any manager, executive, or standard user with a need to access data for productivity. This step will give you the information you need to know who uses corporate data, where it’s stored, and what applications use the data. Talking to stakeholders helps find data that you might not know exists on your network, which can lead to data breaches when it does not have access controls applied to it.

As you audit your data to ensure that it’s accurate, you will familiarize yourself with the scope of the environment where data is stored. After you audit data, you might find that it must be reorganized and reclassified so that you can prioritize sensitive data over standard data. When you organize data, keep it consistent. It should be organized in a way that makes it easy to discover new data as the organization grows.
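As an added illustration of the at-rest audit and prioritization described above (not code from the original article), this sketch inventories a directory tree, classifies files holding Luhn-valid payment card numbers as sensitive, and lists sensitive files without access restrictions first. The function names, the single card-number detector, and the sample tree are assumptions made for the example.

```python
import re
import stat
import tempfile
from pathlib import Path

CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(path: Path) -> str:
    """'sensitive' if the first 1 MB holds a Luhn-valid card number."""
    with path.open("rb") as fh:
        data = fh.read(1_000_000)
    hits = (re.sub(rb"\D", b"", m.group()).decode() for m in CARD_RE.finditer(data))
    return "sensitive" if any(luhn_ok(h) for h in hits) else "standard"

def audit_tree(root) -> list:
    """Inventory every file under root, sensitive and exposed files first."""
    rows = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        exposed = bool(path.stat().st_mode & stat.S_IROTH)  # readable by any local user
        rows.append({"path": path.relative_to(root).as_posix(),
                     "class": classify(path), "world_readable": exposed})
    rows.sort(key=lambda r: (r["class"] != "sensitive", not r["world_readable"], r["path"]))
    return rows

def demo() -> list:
    """Run the audit over a constructed sample tree (all values are made up)."""
    samples = {"export/customers.csv": (b"name,card\nA. Example,4111 1111 1111 1111\n", 0o644),
               "finance/ledger.csv": (b"card\n5555555555554444\n", 0o600),
               "docs/menu.txt": (b"Lunch order 1234567890123\n", 0o644)}
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mode) in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
            target.chmod(mode)
        return audit_tree(root)

if __name__ == "__main__":
    for row in demo():
        print(row)
```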

Quality is also important when you audit data. If you have poor data quality, it makes your applications and users less efficient. For example, if you have multiple applications storing the same data in multiple places, it harms data integrity. Normalizing data across the environment keeps data consistent and stops integrity issues.


Knowing the three states of data helps you with data management, data integrity, and the efficiency of your applications. Before you know the state of your data, you first must audit it. Auditing can be a tedious project, but it’s necessary so that you can discover every data storage location, apply the right cybersecurity controls and classification to your information, and perform a risk assessment on it. With the right data management, you can then determine the right way to secure your data and avoid a data breach.

About the author


Rick is a security consultant focusing on design, implementation and adoption of technologies.

By rickbeaupre
