Security Architecture · SY0-701 · Task 3.3

Data states — SY0-701

Learn the three data states (at rest, in transit, in use) for CompTIA Security+ SY0-701: which controls apply and why no single control covers all three.

WHAT IT IS

Data exists in one of three states at any moment, and the appropriate security control depends entirely on which state the data is in. The NIST CSRC glossary recognizes Data-at-Rest (DAR) and Data in Transit (DIT) as distinct terms, both traceable to CNSSI 4009-2015. The DLP definition in the same glossary (CNSSI 4009-2015) names all three states explicitly: data in use (endpoint actions), data in motion (network actions), and data at rest (data storage).

Mental model

Think of data as a document moving through an office:

  • At rest — the document is locked in a filing cabinet. The threat is physical access or storage-layer compromise.
  • In transit — the document is being carried down the hallway or sent via courier. The threat is interception along the path.
  • In use — the document is open on a desk, being read or edited. The threat is someone looking over the shoulder — or at the process's memory.

The filing cabinet lock does not protect the courier. The courier seal does not protect the open desk. Each state needs its own control.

When to use it

State      | Where the data is                                  | Primary threat                                    | Representative control
At rest    | Stored on disk, database, backup, removable media  | Unauthorized storage access, stolen media         | Encryption at the storage layer (e.g., AES); separate key storage
In transit | Traversing a network                               | Interception, eavesdropping, replay               | TLS — provides confidentiality, integrity, and server authentication
In use     | Loaded into memory, actively processed             | Memory scraping, process inspection, side-channel | Minimize memory exposure window; zeroing memory after use; confidential computing

OWASP TLS Cheat Sheet states: "TLS provides protection of data while it is in transit, it does not provide any protection for data once it has reached the requesting system." This sentence precisely delimits the boundary between transit and at-rest (or in-use) protections.

OWASP Cryptographic Storage Cheat Sheet focuses on the at-rest state: AES with at least 128 bits (ideally 256 bits), authenticated modes (e.g., GCM) that protect integrity as well as confidentiality, and separation of Data Encryption Keys (DEK) from Key Encryption Keys (KEK).

NISTIR 8320 defines Confidential Computing as "hardware-enabled features that isolate and process encrypted data in memory so that the data is at less risk of exposure and compromise from concurrent workloads or the underlying system and platform" — this is the principal control for the in-use state.

COMMON MISCONCEPTION

Encrypting data at rest does not protect it while it is being processed. A common trap is assuming that because a database uses transparent encryption, the data is protected everywhere. It is not. When the database engine decrypts and loads records into memory to answer a query, those values exist in plaintext within the process. Storage encryption ends at the storage boundary. Similarly, TLS ends at the receiving endpoint — OWASP explicitly notes that TLS "does not provide any protection for data once it has reached the requesting system." The three states are mutually exclusive coverage zones, not overlapping layers.
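To make the storage boundary concrete, here is an added Go example (not code from this page or from CutScore) that seals a record with AES-GCM for storage, then opens it inside an explicit in-use window and zeroes the plaintext as soon as that window closes; the key, row and function names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds AES-GCM for a 16/24/32-byte key. GCM is an authenticated mode: a
// blob that was modified on disk fails to open instead of decrypting to garbage.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // programming error: wrong key length
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// Seal is the at-rest control: what reaches storage is nonce||ciphertext||tag,
// unreadable without the key, which must be stored elsewhere (DEK/KEK separation).
func Seal(key, row []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand is documented never to return an error
	return g.Seal(nonce, nonce, row, nil)
}

// Zero overwrites b so plaintext does not linger in memory after the in-use window.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// WithPlaintext is the in-use window where storage encryption ends: the row is
// plaintext in process memory while fn runs, and is zeroed as soon as fn returns.
func WithPlaintext(key, blob []byte, fn func(row []byte)) error {
	g := gcm(key)
	ns := g.NonceSize()
	if len(blob) < ns {
		return errors.New("blob too short")
	}
	row, err := g.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return err // wrong key or tampered ciphertext
	}
	defer Zero(row)
	fn(row)
	return nil
}
```

Anything fn does with the row (logging, copying, sending it on) is outside both the at-rest and the in-transit control, which is exactly the gap the misconception above describes.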

A second trap: data in motion and data in transit are used interchangeably in standards documents. The CNSSI 4009-2015 DLP definition uses "data in motion" where SY0-701 objectives use "data in transit." Do not treat these as separate, distinct states — they refer to the same condition.

How it shows up on the exam

The cognitive target is application: given a scenario describing where data physically is (sitting on a drive, crossing a network, being processed by an application), candidates must identify the correct state and the appropriate control family.

Signal phrases to watch for:

  • "stored on a laptop that was stolen" — at rest; the question tests whether disk encryption would have helped
  • "captured by a packet sniffer on the corporate network" — in transit; the question tests whether TLS or a VPN was in place
  • "reading values from RAM using a memory scraping tool" — in use; the question may test confidential computing or the importance of zeroing sensitive values from memory

A common misconception candidates carry is that a single encryption solution (for example, a VPN or a storage encryption product) covers all three states. Exam scenarios surface this gap by describing a situation where one control is present but a breach occurs across a different state boundary.

Related concepts

  • Data classification — the sensitivity tier of data determines how strictly each state must be protected.
  • Data sovereignty — legal jurisdiction constraints on where data at rest may physically reside.
  • Data protection methods — the full range of technical and administrative controls applied across all three states.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
