WEBVTT

1
00:00:00.000 --> 00:00:03.990
In this lesson, we will learn about Data States.

2
00:00:03.990 --> 00:00:06.570
Data states are the different conditions

3
00:00:06.570 --> 00:00:08.370
in which data exists.

4
00:00:08.370 --> 00:00:13.370
Specifically, data can be at rest, in transit, or in use.

5
00:00:13.620 --> 00:00:17.250
Each data state requires distinct methods of protection.

6
00:00:17.250 --> 00:00:20.730
Let's compare data states to books in a library.

7
00:00:20.730 --> 00:00:23.310
First, we have data at rest,

8
00:00:23.310 --> 00:00:26.490
and data at rest is like books stored on the shelves

9
00:00:26.490 --> 00:00:27.840
at the library.

10
00:00:27.840 --> 00:00:29.940
When books are sitting on shelves,

11
00:00:29.940 --> 00:00:32.970
they're not being used, just safely stored

12
00:00:32.970 --> 00:00:34.140
and organized.

13
00:00:34.140 --> 00:00:35.400
To protect the books,

14
00:00:35.400 --> 00:00:37.680
the library locks the doors at night

15
00:00:37.680 --> 00:00:40.050
ensuring that the books are secure.

16
00:00:40.050 --> 00:00:42.810
Similarly, IT data at rest

17
00:00:42.810 --> 00:00:46.740
refers to information stored on servers, hard drives,

18
00:00:46.740 --> 00:00:50.670
or cloud storage where it isn't actively being accessed,

19
00:00:50.670 --> 00:00:52.920
but it still needs protection.

20
00:00:52.920 --> 00:00:56.730
To secure data at rest, tools like BitLocker for Windows

21
00:00:56.730 --> 00:01:00.330
or FileVault for macOS can encrypt hard drives,

22
00:01:00.330 --> 00:01:02.250
making the data unreadable

23
00:01:02.250 --> 00:01:04.770
without the proper decryption key.

24
00:01:04.770 --> 00:01:08.610
In addition, various cryptographic methods can be used

25
00:01:08.610 --> 00:01:10.740
to protect data at rest.

26
00:01:10.740 --> 00:01:13.920
Symmetric Encryption, which uses a single key

27
00:01:13.920 --> 00:01:16.230
to encrypt and decrypt data,

28
00:01:16.230 --> 00:01:19.680
provides strong security for that stored data.

29
00:01:19.680 --> 00:01:24.680
256-bit Advanced Encryption Standard, or AES-256,

30
00:01:25.140 --> 00:01:26.370
is a widely used

31
00:01:26.370 --> 00:01:29.700
and extremely difficult encryption to break.

32
00:01:29.700 --> 00:01:31.020
Another useful tool

33
00:01:31.020 --> 00:01:32.970
for protecting data at rest

34
00:01:32.970 --> 00:01:36.480
is Transparent Data Encryption, or TDE.

35
00:01:36.480 --> 00:01:40.080
Transparent Data Encryption is often used in databases

36
00:01:40.080 --> 00:01:44.040
to encrypt data automatically at the storage level.

37
00:01:44.040 --> 00:01:48.420
By using encryption alongside strict access control policies

38
00:01:48.420 --> 00:01:50.730
and multifactor authentication,

39
00:01:50.730 --> 00:01:55.170
data at rest remains protected even if the physical device

40
00:01:55.170 --> 00:01:57.150
is compromised or stolen.

41
00:01:57.150 --> 00:02:00.000
This is like keeping the library's doors locked

42
00:02:00.000 --> 00:02:03.480
and allowing only authorized people to unlock them

43
00:02:03.480 --> 00:02:05.820
and access the books inside.

44
00:02:05.820 --> 00:02:08.880
Second, we have data in transit.

45
00:02:08.880 --> 00:02:11.430
Data in transit can be compared to books

46
00:02:11.430 --> 00:02:13.800
that have been checked out of the library

47
00:02:13.800 --> 00:02:15.420
and are being transported home

48
00:02:15.420 --> 00:02:17.820
by whomever checked out the book.

49
00:02:17.820 --> 00:02:21.390
While on the way home, the books are more vulnerable

50
00:02:21.390 --> 00:02:22.980
to being lost or damaged,

51
00:02:22.980 --> 00:02:27.180
so they need a little extra care like being packed securely

52
00:02:27.180 --> 00:02:29.100
and being kept track of.

53
00:02:29.100 --> 00:02:32.700
In the same way, IT data in transit refers

54
00:02:32.700 --> 00:02:35.550
to information being transferred over networks,

55
00:02:35.550 --> 00:02:37.770
whether it's between local servers

56
00:02:37.770 --> 00:02:39.780
or being sent to the cloud.

57
00:02:39.780 --> 00:02:43.650
Data in transit is particularly vulnerable to interception

58
00:02:43.650 --> 00:02:46.590
or tampering by malicious actors.

59
00:02:46.590 --> 00:02:49.410
So to protect data in transit,

60
00:02:49.410 --> 00:02:52.920
encryption protocols such as Transport Layer Security,

61
00:02:52.920 --> 00:02:57.780
or TLS, encrypt data as it moves over the internet,

62
00:02:57.780 --> 00:03:01.410
making it unreadable to anyone who intercepts it.

63
00:03:01.410 --> 00:03:04.620
For example, when you visit a secure website

64
00:03:04.620 --> 00:03:06.930
that uses HTTPS

65
00:03:06.930 --> 00:03:10.740
or Hypertext Transfer Protocol over TLS,

66
00:03:10.740 --> 00:03:12.810
TLS is working in the background

67
00:03:12.810 --> 00:03:15.150
to keep your information safe.

68
00:03:15.150 --> 00:03:18.690
Another important transit protocol is IPsec

69
00:03:18.690 --> 00:03:21.210
or Internet Protocol Security.

70
00:03:21.210 --> 00:03:23.512
IPsec is often used to encrypt

71
00:03:23.512 --> 00:03:27.490
and secure data traveling over a Virtual Private Network

72
00:03:27.490 --> 00:03:29.070
or VPN.

73
00:03:29.070 --> 00:03:31.200
This provides safe communication

74
00:03:31.200 --> 00:03:34.920
between devices across untrusted networks.

75
00:03:34.920 --> 00:03:37.260
Other tools like Secure Shell

76
00:03:37.260 --> 00:03:42.240
or SSH are used to securely transfer files between systems.

77
00:03:42.240 --> 00:03:46.680
SFTP or File Transfer Protocol over SSH

78
00:03:46.680 --> 00:03:49.320
ensures that file transfers are encrypted

79
00:03:49.320 --> 00:03:51.960
to prevent unauthorized access.

80
00:03:51.960 --> 00:03:54.990
By combining these protocols and tools,

81
00:03:54.990 --> 00:03:59.220
organizations ensure that data in transit stays secure

82
00:03:59.220 --> 00:04:02.550
and reaches its destination without being compromised.

83
00:04:02.550 --> 00:04:04.890
Just like packing the books safely

84
00:04:04.890 --> 00:04:06.450
and tracking them carefully

85
00:04:06.450 --> 00:04:08.850
as they're taken home from the library.

86
00:04:08.850 --> 00:04:12.930
Third and last, we have data in use.

87
00:04:12.930 --> 00:04:15.810
Data in use is like someone reading a book

88
00:04:15.810 --> 00:04:18.090
they've checked out and taken home.

89
00:04:18.090 --> 00:04:22.380
The book is actively being handled, making it more exposed

90
00:04:22.380 --> 00:04:24.120
to potential damage.

91
00:04:24.120 --> 00:04:28.200
Similarly, IT data in use refers to information

92
00:04:28.200 --> 00:04:32.280
that's being actively accessed or processed by users

93
00:04:32.280 --> 00:04:35.220
or applications, making it more vulnerable

94
00:04:35.220 --> 00:04:38.760
to unauthorized access or manipulation.

95
00:04:38.760 --> 00:04:41.370
Just as the book requires careful handling,

96
00:04:41.370 --> 00:04:44.460
Data in use requires strong security measures

97
00:04:44.460 --> 00:04:48.240
to ensure it remains safe while it's being used.

98
00:04:48.240 --> 00:04:52.260
So to protect data in use, memory encryption,

99
00:04:52.260 --> 00:04:54.480
which ensures the data is encrypted

100
00:04:54.480 --> 00:04:56.160
while it's temporarily stored

101
00:04:56.160 --> 00:04:59.430
in a computer's Random Access Memory or RAM

102
00:04:59.430 --> 00:05:01.890
during processing could be used.

103
00:05:01.890 --> 00:05:05.550
In addition to encryption, strong access controls,

104
00:05:05.550 --> 00:05:07.920
such as Role-Based Access Control,

105
00:05:07.920 --> 00:05:12.090
and Attribute-Based Access Control limit what users can do

106
00:05:12.090 --> 00:05:16.350
with data based on their roles or specific attributes.

107
00:05:16.350 --> 00:05:17.880
Access controls ensure

108
00:05:17.880 --> 00:05:21.300
that only authorized individuals can interact

109
00:05:21.300 --> 00:05:24.390
with sensitive data while it's in use.

110
00:05:24.390 --> 00:05:27.720
Data Masking is yet another method used

111
00:05:27.720 --> 00:05:29.880
to protect data in use.

112
00:05:29.880 --> 00:05:32.880
For instance, when a database administrator

113
00:05:32.880 --> 00:05:34.920
is viewing customer data,

114
00:05:34.920 --> 00:05:37.770
they might only see partial information

115
00:05:37.770 --> 00:05:41.640
such as the last four digits of a social security number.

116
00:05:41.640 --> 00:05:45.870
This limits exposure to sensitive data while allowing users

117
00:05:45.870 --> 00:05:47.760
to perform their tasks.

118
00:05:47.760 --> 00:05:51.360
Secure Processing Environments or Secure Enclaves

119
00:05:51.360 --> 00:05:53.970
provide an additional layer of protection

120
00:05:53.970 --> 00:05:55.890
for data in use.

121
00:05:55.890 --> 00:05:58.290
Tools like Intel SGX

122
00:05:58.290 --> 00:06:02.940
or Software Guard Extensions create isolated environments

123
00:06:02.940 --> 00:06:06.270
where data can be processed without being exposed

124
00:06:06.270 --> 00:06:07.860
to the rest of the system.

125
00:06:07.860 --> 00:06:11.250
This ensures that even if the system is compromised,

126
00:06:11.250 --> 00:06:15.390
the sensitive data being processed within the secure enclave

127
00:06:15.390 --> 00:06:17.130
remains protected.

128
00:06:17.130 --> 00:06:20.190
By using encryption, access controls,

129
00:06:20.190 --> 00:06:22.920
data masking, and secure enclaves,

130
00:06:22.920 --> 00:06:25.800
data in use can be effectively protected,

131
00:06:25.800 --> 00:06:27.360
ensuring its integrity

132
00:06:27.360 --> 00:06:30.570
and security while it's actively being processed

133
00:06:30.570 --> 00:06:31.770
or accessed.

134
00:06:31.770 --> 00:06:33.510
So remember,

135
00:06:33.510 --> 00:06:37.710
data exists in three primary states: at rest,

136
00:06:37.710 --> 00:06:40.050
in transit, and in use.

137
00:06:40.050 --> 00:06:43.680
Each state requires specific methods of protection

138
00:06:43.680 --> 00:06:46.470
to ensure the data remains secure.

139
00:06:46.470 --> 00:06:50.880
Data at Rest is stored and not actively being accessed.

140
00:06:50.880 --> 00:06:54.990
So encryption and strict access controls keep it safe.

141
00:06:54.990 --> 00:06:56.160
Data in Transit,

142
00:06:56.160 --> 00:06:58.770
which is being transferred over networks,

143
00:06:58.770 --> 00:07:00.750
is vulnerable to interception.

144
00:07:00.750 --> 00:07:04.080
So protocols like TLS and IPsec

145
00:07:04.080 --> 00:07:08.670
encrypt and protect the data to prevent unauthorized access.

146
00:07:08.670 --> 00:07:10.680
Finally, Data in Use,

147
00:07:10.680 --> 00:07:13.110
which is being actively processed,

148
00:07:13.110 --> 00:07:16.800
requires strong access controls, encryption,

149
00:07:16.800 --> 00:07:19.500
and secure environments like enclaves

150
00:07:19.500 --> 00:07:23.523
to protect it while it's being accessed and used.

