Chapter 12 of 25
Protecting Data: Classification, Encryption, and Key Management
Follow data through its lifecycle and see how classification, encryption, and key management work together to keep sensitive information under control.
Big Picture: Protecting Data Through Its Lifecycle
Zooming In On Data
You have seen how to secure enterprise and hybrid environments. Now we zoom in on the key asset: data itself.
Why This Matters
Organizations handle public and highly sensitive data. If sensitive data is exposed or changed, the impact can be huge: fines, lawsuits, and loss of trust.
Lifecycle View
We will follow data through its lifecycle and see how classification, encryption, and key management work together to control risk.
Exam Alignment
For SY0-701 this links mainly to the Security Architecture, Security Operations, and Security Program Management and Oversight domains.
CIA and GRC
You will connect these controls to the CIA triad (confidentiality, integrity, availability) and to governance, risk, and compliance obligations.
Step 1: Data Lifecycle and Where Controls Fit
Lifecycle Stages
Think in stages: create/capture, store, use/process, share/transmit, archive, destroy/dispose.
Where Classification Fits
Classification is usually set when data is created, then drives handling rules at every later stage.
Where Encryption Fits
Encryption at rest protects stored data; encryption in transit protects data moving between systems or users.
Where Key Management Fits
Key management underpins all encryption: keys must be generated, stored, rotated, and destroyed securely.
Where DLP Fits
DLP mainly monitors use and sharing, stopping sensitive data from leaving via email, web, or cloud sync.
Step 2: Data Classification Schemes and Handling Rules
Why Classify?
Classification ensures you apply the right level of protection: not too weak, not excessively strong and costly.
Typical Levels
A common scheme: Public, Internal/Private, Confidential, Restricted/Highly Confidential.
Handling Rules
Higher sensitivity means stricter rules: least privilege access, encryption, approvals, and monitoring.
Regulatory Mapping
GDPR personal/special category data, PCI card data, and health records usually map to Confidential/Restricted.
Exam Signal Words
Words like PII, PHI, card data, or trade secrets in a question signal the need for strong protection and encryption.
Interactive: Classify These Data Items
Mentally assign each item a classification in a 4-level scheme (Public, Internal, Confidential, Restricted). Then compare with the suggested answers.
- Company job postings on a public careers site
- Your classification:
- Suggested: Public. Intended for anyone.
- Internal IT help desk troubleshooting guide
- Your classification:
- Suggested: Internal. Useful for staff, but not damaging if leaked (usually).
- Customer email addresses and purchase history
- Your classification:
- Suggested: Confidential. This is PII plus behavioral data; under GDPR and many privacy laws, it must be protected.
- Database of credit card numbers and CVVs used for recurring billing
- Your classification:
- Suggested: Restricted. PCI DSS treats this as highly sensitive; expect strong encryption and access controls.
- Master encryption keys used to protect all production databases
- Your classification:
- Suggested: Restricted (often the highest level). If these are compromised, all encrypted data is at risk.
Reflection question: In your own study or work environment, can you identify at least one example of each level? How are they currently being protected?
Step 3: Encryption Fundamentals and the CIA Triad
What Encryption Does
Encryption turns plaintext into ciphertext using an algorithm and a key so only someone with the right key can read it.
CIA Link
Encryption mainly supports confidentiality. Integrity needs hashing/MACs; availability depends on key management, because data encrypted with a lost key is unavailable.
Symmetric Crypto
Symmetric: one shared key for both encryption and decryption (e.g., AES). Fast, ideal for large data and tunnels.
Asymmetric Crypto
Asymmetric: key pair (public/private) like RSA or ECC. Used for key exchange, signatures, and identity.
Exam Trap
Be careful: encryption alone does not equal non-repudiation. That usually means digital signatures plus logging.
Step 4: Data at Rest – Disks, Databases, and Backups
Why Encrypt Data at Rest?
Data at rest encryption protects stored data if devices are stolen, disks are copied, or cloud storage is exposed.
Full Disk Encryption
FDE encrypts the whole drive. Great for laptops and servers, but data is readable once the system is unlocked.
File/Folder & Database
You can encrypt specific folders or database columns, focusing protection on the most sensitive data.
Backups and Archives
Backups often contain everything. They must be encrypted, especially when stored offsite or in the cloud.
Exam Clue
Stolen laptops, backup tapes, or misconfigured storage buckets usually point to data-at-rest encryption controls.
Step 5: Data in Transit – TLS, VPNs, and Secure Protocols
Why Encrypt in Transit?
Data in transit encryption defends against eavesdropping and tampering while data crosses networks.
TLS Everywhere
TLS underpins HTTPS and many secure protocols, giving encryption, integrity, and server authentication.
VPNs
VPNs create encrypted tunnels: site-to-site between networks and remote access for users on untrusted networks.
Secure Replacements
Use HTTPS, SFTP, FTPS, SSH, POP3S/IMAPS/SMTPS instead of their insecure cleartext versions.
Exam Clue
Terms like public Wi-Fi, sniffing, or man-in-the-middle suggest TLS or VPN as the right control.
Step 6: PKI – Certificates, Key Exchange, and Non-Repudiation
What is PKI?
PKI is the system of keys, certificates, and authorities that makes asymmetric cryptography usable at scale.
Certificates and CAs
Certificates bind public keys to identities. Certificate Authorities issue and sign them so others can trust them.
Key Exchange
In TLS, PKI enables secure negotiation of a symmetric session key over an untrusted network.
Authentication & Non-Repudiation
PKI supports server/client authentication and, with digital signatures plus logging, non-repudiation.
Encrypt vs Sign
Encrypt with the recipient's public key; sign with the sender's private key. Do not mix them up on the exam.
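The key-exchange and encrypt-versus-sign points above, as an added example that is not part of the course material: a minimal session-key handoff in Go using only the standard library. The session key is encrypted with the recipient's public key and signed with the sender's private key, so using the keys the other way round fails; encrypting the bulk data with that session key is left out, and the function and type names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// KeyExchange carries a symmetric session key across an untrusted network.
type KeyExchange struct {
	WrappedKey []byte // session key encrypted with the RECIPIENT's public key (RSA-OAEP)
	Signature  []byte // RSA-PSS signature over WrappedKey made with the SENDER's private key
}

// NewIdentity creates a key pair; in a real PKI the public half would sit in a CA-signed certificate.
func NewIdentity() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SendKey wraps a fresh session key for the recipient and signs it as the sender;
// it returns the plaintext key (kept by the sender) and the exchange to transmit.
func SendKey(to *rsa.PublicKey, from *rsa.PrivateKey) ([]byte, *KeyExchange, error) {
	key := make([]byte, 32) // AES-256 session key that would encrypt the bulk data afterwards
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	// Encrypt with the recipient's PUBLIC key: only the matching private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)
	if err != nil {
		return nil, nil, err
	}
	// Sign with the sender's PRIVATE key: the recipient verifies with the sender's public key.
	digest := sha256.Sum256(wrapped)
	sig, err := rsa.SignPSS(rand.Reader, from, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	return key, &KeyExchange{WrappedKey: wrapped, Signature: sig}, nil
}

// ReceiveKey verifies with the sender's PUBLIC key, then decrypts with the recipient's
// PRIVATE key. Using the keys the other way round fails at one of the two steps.
func ReceiveKey(kx *KeyExchange, me *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(kx.WrappedKey)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], kx.Signature, nil); err != nil {
		return nil, err // not from the claimed sender, or altered in transit
	}
	return rsa.DecryptOAEP(sha256.New(), nil, me, kx.WrappedKey, nil)
}
```

In exam terms, the OAEP step gives confidentiality of the session key and the PSS step gives sender authentication; non-repudiation would additionally need the signature and its verification to be logged.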
Step 7: Key Management, Rotation, Escrow, and Backup
Why Key Management Matters
Strong algorithms are useless if keys are weak, exposed, or lost. Key management makes encryption reliable.
Lifecycle Stages
Manage keys through generation, distribution, storage, rotation, revocation, escrow, backup, and destruction.
Secure Storage
Use OS key stores, TPMs, KMS, or HSMs to store keys. Avoid hard-coding keys in code or config files.
Rotation and Revocation
Rotate keys regularly and revoke compromised certificates via CRLs or OCSP, then reissue new ones.
Escrow and Recovery
Key escrow allows recovery of encrypted data if a user's key is lost or they leave the organization.
Step 8: Data Loss Prevention (DLP) and Monitoring
What DLP Does
DLP tools detect sensitive data and block it from leaving via email, web, USB, or cloud in ways that break policy.
Types of DLP
Endpoint, network, and cloud DLP work together to watch devices, traffic, and cloud apps.
How It Detects
DLP uses content inspection (patterns like card numbers) and context (user, destination) to decide actions.
DLP and Encryption
DLP works best before data is encrypted; encrypted flows may require secure inspection points.
Exam Scenarios
Staff sending PII to personal emails or cloud drives is a classic hint that DLP plus policy is needed.
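The content-plus-context decision described in this step, as an added example that is not from the course: a Go sketch of a DLP rule for card numbers. Content inspection is a pattern match followed by a Luhn check (so order numbers and phone numbers are not flagged), and context, here whether the recipient is inside the organization, turns the same finding into an alert or a block; the Message fields, the internal domain and the action names are this example's own assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// Message is the minimum a DLP policy needs: the content plus its context.
type Message struct{ Sender, Recipient, Body string }

// candidateCard matches 13-19 digit runs, optionally separated by spaces or dashes.
var candidateCard = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid filters out digit runs (order numbers, IDs) that merely look like
// card numbers: issued PANs pass the Luhn check-digit test, random runs mostly don't.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d = [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9}[d] // digit sum of 2*d
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindCardNumbers is the content-inspection step: pattern match, then Luhn check.
func FindCardNumbers(text string) []string {
	var found []string
	for _, m := range candidateCard.FindAllString(text, -1) {
		if luhnValid(strings.NewReplacer(" ", "", "-", "").Replace(m)) {
			found = append(found, m)
		}
	}
	return found
}

// Decide adds context: the same content gets a different action depending on
// whether the recipient is inside the organization (alert) or outside (block).
func Decide(msg Message, internalDomain string) string {
	if len(FindCardNumbers(msg.Body)) == 0 {
		return "allow"
	}
	if strings.HasSuffix(strings.ToLower(msg.Recipient), "@"+internalDomain) {
		return "alert" // card data stays internal: log for review, do not stop work
	}
	return "block" // card data leaving to an external address breaks policy
}
```

The sample numbers used to exercise it (4111 1111 1111 1111 and 5500 0000 0000 0004) are well-known test card numbers, not real accounts.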
Quiz 1: Data Classification and Handling
Test your understanding of data classification and its impact on controls.
A company stores customer names, email addresses, and purchase histories in a cloud database. Which combination of controls BEST aligns with a Confidential classification for this data?
- A) Make the database publicly readable but require strong passwords for admin access.
- B) Encrypt the database at rest, require TLS for all connections, and enforce least-privilege access.
- C) Store the data in plain text but back it up daily to an offsite location.
- D) Apply full disk encryption on developer laptops but allow anonymous database access from the internet.
Answer: B) Encrypt the database at rest, require TLS for all connections, and enforce least-privilege access.
Customer PII and purchase history should be at least Confidential. The best control set is strong access control (least privilege) plus encryption at rest and in transit (TLS). Public or anonymous access is never appropriate for this classification.
Quiz 2: Encryption, PKI, and Key Management
Check your understanding of encryption types and PKI.
During a security review, you are asked how a web application using HTTPS protects data and identities. Which statement is MOST accurate?
- A) HTTPS uses symmetric encryption only, so no PKI is involved.
- B) HTTPS uses TLS, which relies on certificates and PKI to authenticate the server and securely exchange symmetric session keys.
- C) HTTPS relies on full disk encryption on the web server to protect data in transit.
- D) HTTPS uses digital signatures only, without encrypting the data.
Answer: B) HTTPS uses TLS, which relies on certificates and PKI to authenticate the server and securely exchange symmetric session keys.
HTTPS is HTTP over TLS. TLS uses certificates issued by CAs (PKI) to authenticate the server and then performs a secure key exchange to derive symmetric session keys for encrypting data in transit.
Key Term Review: Data Protection and Keys
Flip through these flashcards to reinforce key terms before moving on.
- CIA triad components (3 items)
- confidentiality, integrity, availability
- Data classification
- The process of categorizing data by sensitivity and criticality to determine appropriate handling, access control, and protection requirements.
- Data at rest encryption
- Encryption applied to stored data, such as disks, databases, and backups, to protect against unauthorized access if storage media are accessed directly or stolen.
- Data in transit encryption
- Encryption applied to data moving across networks (e.g., TLS, VPNs) to protect against eavesdropping and tampering.
- Public Key Infrastructure (PKI)
- A framework of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and public/private key pairs.
- Key rotation
- The practice of replacing cryptographic keys at regular intervals or after specific events to limit the impact of key compromise and meet policy or regulatory requirements.
- Key escrow
- A process where cryptographic keys (or key recovery material) are held in a secure, centralized location so authorized parties can recover encrypted data if the original keys are lost or unavailable.
- Data Loss Prevention (DLP)
- Technologies and processes that detect and prevent unauthorized transmission, storage, or use of sensitive data based on content and context.
- Non-repudiation
- A property that provides proof of the origin and integrity of data, so that the sender cannot credibly deny having sent it, typically achieved using digital signatures and supporting logs.
- governance, risk, and compliance
- Governance, risk, and compliance (GRC) refers to operating with an awareness of applicable regulations and policies, so that security decisions are directed by governance, informed by risk, and meet compliance obligations when securing enterprise environments.
Step 9: Mini Case Study – Following Data Through Controls
Scenario Context
A healthcare provider in a hybrid environment stores PHI, schedules, and anonymized research data on-prem and in the cloud.
Classifying the Data
PHI is Restricted, schedules are Confidential, and anonymized research data is Internal or Public depending on risk.
Protecting Data at Rest
Use disk and database encryption, with stronger column-level encryption for the most sensitive identifiers.
Protecting Data in Transit
Use IPsec VPNs between sites, HTTPS for portals, and TLS-encrypted APIs with mutual TLS for system-to-system traffic.
Keys and DLP
Central KMS manages keys and rotation, while DLP stops PHI from leaking via endpoints and email.
Step 10: Apply It – CIA Triad and Control Selection
Use this thought exercise to connect controls with the CIA triad and exam-style reasoning.
For each scenario, identify:
- The primary CIA objective at risk (confidentiality, integrity, or availability).
- One data protection control that best addresses it.
Scenario A: An attacker installs a packet sniffer on a public Wi-Fi network used by remote employees to access a CRM system.
- CIA at risk:
- Best control:
- Suggested answer: Confidentiality. Use TLS (HTTPS) or a remote access VPN to encrypt data in transit.
Scenario B: A developer accidentally commits an application config file containing hard-coded database passwords and encryption keys to a public code repository.
- CIA at risk:
- Best control:
- Suggested answer: Confidentiality and integrity of data protected by those keys. Controls: proper key management (no hard-coded keys), use of KMS/HSM, and secret scanning tools in CI pipelines.
Scenario C: A ransomware attack encrypts a file server that stores daily operational data. The organization has encrypted offsite backups and properly stored backup keys.
- CIA at risk:
- Best control:
- Suggested answer: Availability. Control: regular, tested backups with secure key management for backup encryption, allowing restore.
Reflect: In each case, how did classification (how important/sensitive the data is) influence which control you prioritized?
Key Terms
- SY0-701
- SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
- CIA triad
- A foundational security model consisting of three components: confidentiality, integrity, availability.
- Key escrow
- A process where cryptographic keys (or key recovery material) are held in a secure, centralized location so authorized parties can recover encrypted data if the original keys are lost or unavailable.
- zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- Data at rest
- Data stored on physical or virtual media such as disks, databases, backups, and archives.
- Key rotation
- The practice of replacing cryptographic keys at regular intervals or after specific events to limit the impact of key compromise and meet policy or regulatory requirements.
- Data in transit
- Data moving across networks between systems, users, or services.
- CompTIA Security+
- CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
- hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- Data classification
- The process of categorizing data by sensitivity and criticality to determine appropriate handling, access control, and protection requirements.
- Digital certificate
- An electronic document that binds a public key to an entity's identity, signed by a Certificate Authority.
- Certificate Authority (CA)
- A trusted organization that issues and signs digital certificates, vouching for the identity bound to a public key.
- Data Loss Prevention (DLP)
- Technologies and processes that detect and prevent unauthorized transmission, storage, or use of sensitive data based on content and context.
- Full disk encryption (FDE)
- Encryption that protects all data on a disk or volume, including the operating system, user files, and temporary data.
- Public Key Infrastructure (PKI)
- A framework of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and public/private key pairs.
- governance, risk, and compliance
- Governance, risk, and compliance (GRC) refers to operating with an awareness of applicable regulations and policies, so that security decisions are directed by governance, informed by risk, and meet compliance obligations when securing enterprise environments.