If you have studied any Security+ material, you already know two of the three data states cold. Data at rest is data sitting on a disk, a database, a backup tape, or a phone left in a coffee shop. Data in transit is data moving across a network, like a file upload or an API call. You protect the first with full disk encryption and database encryption. You protect the second with TLS, a VPN, or IPsec. Easy points on the exam.
Then a question adds a third state, and the miss rate jumps.
The state people forget
Data in use is data loaded into memory and actively being processed by an application or CPU. A spreadsheet open in RAM. Card numbers being validated during checkout. A decryption key sitting in memory so the app can actually read the file it just decrypted.
Here is the part that catches people. Encryption at rest and encryption in transit do nothing for data in use. The whole point of processing data is that the CPU needs it in cleartext. Your database can be encrypted on disk, your connection can be wrapped in TLS, and the moment the server pulls a record into memory to work on it, that record is decrypted and exposed. Malware with the right access, a memory-scraping attack, or a compromised process can read it straight out of RAM. Point of sale RAM scrapers built entire breaches on exactly this gap.
So when a question describes data being actively processed and asks how to protect it, "encrypt it at rest" is the trap answer. It is not wrong in general. It is wrong for that state.
What actually protects data in use
This is where the newer objectives want you to know a few terms:
- A Trusted Execution Environment (TEE), or secure enclave, carves out an isolated, hardware-protected region of the processor. Code and data inside the enclave stay protected even from the operating system and anyone with admin on the box.
- Homomorphic encryption lets you run computations on data while it stays encrypted, so the result comes out encrypted and the cleartext is never exposed during processing. It is slow and niche, but it is the textbook answer for "compute without decrypting."
- Supporting controls matter too: tight access control on the processes that touch the data, memory protections, and tokenization so the sensitive value is never sitting in memory in the first place.
You do not need to implement any of this. You need to recognize that "in use" is a distinct problem with its own set of answers.
How to stop losing these points
The exam rarely says "which state is this." It hides the state inside the scenario and expects you to classify it first, then pick the control. Train the reflex with three questions:
- Is the data sitting still? That is at rest. Think encryption on the disk or in the database.
- Is the data moving between two points? That is in transit. Think TLS, VPN, IPsec.
- Is the data being read, calculated on, or displayed right now? That is in use. Think TEE, secure enclave, and access control around the process.
Match the state to the control and most of these questions answer themselves. The mistakes happen when people skip step one and jump straight to "encryption," which is correct for two states and useless for the third.
Drill it until it is automatic
Concepts like this stick when you see them in exam form over and over, not when you read them once. That is the idea behind SecPlus Mastery, the SY0-701 prep platform I built while studying for the exam myself. It has 1,069 practice questions, 31 reading lessons, hands-on labs and performance-based questions, and acronym flashcards, all mapped to the current objectives.
If you want to see how well you actually classify these scenarios under pressure, the free diagnostic exam is a good gut check before you spend money on anything. It shows you which domains are solid and which ones, like the three data states, are quietly costing you points.
Learn the three states, learn which control belongs to each, and the data protection questions stop being a coin flip.
Top comments (0)