Episode 64 — Choose Cryptographic Implementations for Data In-Transit, In-Use, and At-Rest
This episode covers how to choose cryptographic implementations based on whether data is moving, being processed, or stored, a distinction ISSAP often tests through scenarios where the wrong answer protects one state while leaving another exposed. You'll learn how to reason about encryption in transit with protocols like TLS and IPsec, encryption at rest with file, volume, and database controls, and the harder topic of data in use, where protection depends on process isolation and access control, and in some cases on specialized hardware features such as trusted execution environments and memory encryption. We'll cover practical examples such as securing service-to-service traffic with mutual TLS, enforcing encryption for backups with keys kept separate from those protecting production data, and designing secure memory and secrets handling so sensitive values do not leak through logs, crash dumps, or debugging interfaces. Troubleshooting considerations include weak cipher configuration drifting apart across services, inconsistent key management that leaves data unrecoverable during an incident, and architecture choices that decrypt too early in the pipeline, expanding the plaintext attack surface even though "encryption is enabled" on paper.

Produced by BareMetalCyber.com, where you'll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
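The mutual-TLS and cipher-drift points above, as an added example that is not part of the episode or of any BareMetalCyber material: it expresses the TLS baseline as code with Python's standard `ssl` module, builds hardened server and client contexts, and audits a small constructed fleet for drift. The baseline values (TLS 1.2 minimum, 128-bit ciphers, the cipher string), the service names, and the certificate-path parameters are this example's assumptions; no certificates are loaded unless paths are supplied, so it runs offline.

```python
"""Mutual-TLS contexts as code plus a drift audit (standard library only).

Added example: the baseline values, service names and certificate paths below
are assumptions for illustration, not settings taken from the episode.
"""
import ssl

# Assumed baseline every service must meet.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
MIN_CIPHER_BITS = 128
# Substrings that must never appear in a negotiable cipher's name.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")
# TLS 1.2 list: forward-secret (ECDHE) and AEAD only. TLS 1.3 suites are
# managed separately by OpenSSL and are already AEAD.
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"


def mtls_server_context(ca_file=None, cert_file=None, key_file=None):
    """Server side of service-to-service mTLS.

    CERT_REQUIRED is what makes the connection *mutual*: a peer that cannot
    present a certificate chaining to ca_file is rejected in the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(CIPHER_STRING)
    if ca_file:                # CA that issued the *client* certificates (assumed path)
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:              # this service's own identity (assumed paths)
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def mtls_client_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: verify the server against our CA and present our own certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(CIPHER_STRING)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def drifted_server_context():
    """Constructed drift: a service set up with a bare default server context
    and never switched to client authentication (verify_mode stays CERT_NONE)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def audit_context(service, ctx, require_client_auth):
    """Return the drift findings for one service's context; [] means compliant."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"{service}: minimum TLS version is {ctx.minimum_version.name}, "
                        f"baseline is {MIN_VERSION.name}")
    if require_client_auth and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(f"{service}: client certificates not required, "
                        "so this is one-way TLS, not mTLS")
    for cipher in ctx.get_ciphers():      # what OpenSSL would actually negotiate
        name, bits = cipher["name"], cipher["strength_bits"]
        if bits < MIN_CIPHER_BITS or any(m in name for m in WEAK_MARKERS):
            findings.append(f"{service}: weak cipher {name} ({bits} bits) is negotiable")
    return findings


def audit_fleet(fleet):
    """fleet: {service: (context, require_client_auth)} -> {service: findings} for drifted services only."""
    report = {}
    for service, (ctx, need_mtls) in fleet.items():
        findings = audit_context(service, ctx, need_mtls)
        if findings:
            report[service] = findings
    return report


def policy_summary(ctx):
    """Plain-value view of the settings the audit cares about (useful in logs and tests)."""
    return {
        "min_version": ctx.minimum_version.name,
        "client_auth": ctx.verify_mode == ssl.CERT_REQUIRED,
        "cipher_count": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    # Constructed fleet: one compliant service, one that drifted.
    fleet = {
        "orders": (mtls_server_context(), True),
        "billing": (drifted_server_context(), True),
    }
    for service, findings in audit_fleet(fleet).items():
        for finding in findings:
            print(finding)
```

Running the audit against the contexts each service actually constructs, rather than against the configuration files it was supposed to read, is the point: drift is only visible in what OpenSSL will negotiate, which is what `get_ciphers()` and `verify_mode` report.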