Domain 3 of 5 · Chapter 3 of 5

Data Protection Strategies

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • Data types and classification levels
  • Data states and the methods that protect each
  • Sovereignty, geolocation, and geographic restrictions

Protection method by data state and reversibility

MethodPrimary data stateReversible?Typical use on SY0-701
EncryptionAt rest & in transitYes (with key)Default confidentiality control for stored and transmitted data
TokenizationAt restYes (via vault lookup)Replace cardholder/PII with tokens to cut PCI/audit scope
HashingAt rest (verification)No (one-way)Integrity checks and storing password representations
MaskingIn use / displayUsually no (presentation)Show partial value (last four digits) to limit exposure
ObfuscationIn use / displayVariesHide or scramble data so it is not readily readable
SegmentationAll statesn/a (isolation)Isolate sensitive data so one breach does not expose all

Decision tree

What state is the data in? at rest / in transit / in use At rest In transit In use Must the value be read back later? TLS / IPsec transport encryption Hide value or limit who can read it? No (one-way) Yes Hashing integrity / passwords Remove value to cut PCI / audit scope? Yes No Tokenization value in separate vault Encryption + permission restrictions Display Access Masking show last 4 digits Access controls Always first: classify the data + honor data sovereignty geographic restrictions keep regulated data in-jurisdiction

Cheat sheet

  • Data type and classification are two different axes
  • Regulated data is governed by an external law or standard
  • The classification label, not discretion, sets the required controls
  • Human-readable vs non-human-readable data determines the control
  • Each data state needs its own protection method
  • Data in use is the hardest state to protect
  • Encryption is the reversible confidentiality default
  • Hashing is one-way, never for recoverable data
  • Tokenization swaps the value out and shrinks compliance scope
  • Masking is a presentation-layer control, not storage protection
  • Obfuscation is broader and weaker than encryption
  • Segmentation isolates the breach blast radius
  • Permission restrictions enforce least privilege on data
  • Data sovereignty follows the data's physical location
  • Geolocation finds where data is; geographic restrictions control where it may go
  • Classify data first, then choose its controls
  • DLP stops exfiltration at the boundary; IRM controls use after sharing
  • IRM rights travel with the file, even onto unmanaged devices
  • Static data masking is a one-way, format-preserving copy for test and dev
  • A unique per-password salt defeats rainbow tables

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. CompTIA Security+ (SY0-701) certification objectives
  2. NIST SP 800-122: Guide to Protecting the Confidentiality of PII Whitepaper
  3. NIST SP 800-60 Vol. 1 Rev. 1: Mapping Information Types to Security Categories Whitepaper