Differentiate data at rest, data in transit, and data in use; provide TA protection strategies for each.

Prepare for the Trusted Agent Exam with engaging questions, flashcards, and detailed explanations. Dive deep into essential topics to increase your chances of success. Ace your exam with confidence!

Multiple Choice

Differentiate data at rest, data in transit, and data in use; provide TA protection strategies for each.

Explanation:
Protecting data requires guarding it in all three states: at rest, in transit, and in use. For data at rest, encryption and secure storage guard it when it's stored on disks, databases, or backups, and strong key management plus strict access controls prevent unauthorized access. For data in transit, TLS or DTLS provides confidentiality and integrity as data moves across networks, with proper certificate handling and authentication in place. For data in use, protection must extend into memory and execution because encryption at rest and in transit can't shield data while it's being processed; this means memory protection, secure enclaves or trusted execution environments, strict process isolation, and rigorous access controls to limit who or what can access the data during processing. This approach covers the main threat scenarios: eavesdropping or tampering on the network, theft or leakage from storage, and attacks that occur while the data is being processed. Some alternatives misplace protections, for example by assigning TLS to data at rest, relying on backups alone for data in use, or claiming that data in motion doesn't require protection. Each of these leaves gaps in security.

