PR.DS-10 - Safeguarding Data-in-Use
PR.DS-10 ensures that organizations protect active data while it is being processed, accessed, or modified within applications, memory, and computing environments. This subcategory belongs to the Protect function of the National Institute of Standards and Technology Cybersecurity Framework, version 2.0, and emphasizes that data-in-use must be secured to prevent unauthorized access, manipulation, or exposure during processing. Without proper safeguards, organizations risk data leakage, insider threats, unauthorized data modifications, and exposure of sensitive information during active use.
By securing data-in-use, organizations ensure that sensitive information remains protected while being accessed by applications, systems, and users, reducing the risk of unauthorized disclosure or manipulation. A structured data protection framework enables organizations to implement secure computation methods, enforce strict access controls, and deploy real-time monitoring solutions to detect anomalies in active data usage. Organizations that adopt confidential computing techniques, integrate access management policies, and implement behavioral analytics for data-in-use monitoring improve their ability to prevent unauthorized modifications, mitigate insider threats, and comply with regulatory data protection requirements.
Multiple stakeholders play a role in safeguarding data-in-use. Data security teams and IT administrators are responsible for deploying security controls that protect data during processing, ensuring that memory and computing environments are safeguarded from unauthorized access. Compliance officers and risk management professionals ensure that data-in-use protection measures align with requirements such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). Application developers and cloud security engineers play a critical role in integrating secure coding practices, implementing encryption-in-use mechanisms, and protecting sensitive computations from unauthorized access.
Data-in-use protection is implemented through secure processing techniques, memory protection mechanisms, and real-time access monitoring. This includes using homomorphic encryption for computations that must run on data the processing party is not permitted to see, masking sensitive fields when they are rendered, logged, or returned to users, and deploying confidential computing environments that isolate data from unauthorized users, including privileged operators of the host. Organizations that fail to implement structured data-in-use security measures risk exposure of confidential data in memory, unauthorized data modifications, and increased vulnerability to insider and external threats.
Several key terms define data-in-use protection and its role in cybersecurity governance. Confidential Computing secures data while it is actively being processed, typically by running the workload inside a hardware-isolated, attestable environment whose memory is encrypted by the CPU so that neither the host operating system nor its administrators can read it. Data Masking conceals sensitive fields in outputs such as user interfaces, reports, logs, and test datasets; it reduces accidental exposure but does not protect the plaintext that the application itself still holds in memory. Homomorphic Encryption allows computations on encrypted data without decrypting it, preserving confidentiality during processing, at a substantial performance cost and for a limited set of operations, so it is applied selectively rather than as a general-purpose control. Memory Protection safeguards volatile memory from unauthorized access through process isolation, non-executable and randomized memory layouts, restrictions on debugging interfaces and core dumps, keeping secrets out of swap, and wiping them as soon as they are no longer needed, so that attackers cannot extract sensitive data during execution. Real-Time Data Monitoring tracks access to data-in-use and detects anomalies that could indicate security breaches or unauthorized modifications.
Challenges in safeguarding data-in-use often lead to data exposure risks, weak access control mechanisms, and insecure processing environments. One common issue is lack of encryption-in-use, where organizations encrypt data at rest and in transit but fail to apply encryption while data is actively being processed, leaving it vulnerable to unauthorized access. Another issue is insufficient monitoring of data access, where organizations do not track who accesses active data, increasing the risk of insider threats or privilege abuse. Some organizations mistakenly believe that securing data-at-rest and data-in-transit is enough, without recognizing that data must also be protected while in active use to prevent unauthorized disclosure and modification.
When organizations implement structured data-in-use security frameworks, they reduce the risk of unauthorized data access, strengthen compliance with data protection regulations, and enhance security across computing environments. A structured data security model ensures that cybersecurity teams enforce secure processing techniques, business leadership prioritizes confidential computing investments, and security teams integrate real-time monitoring of active data access into cybersecurity governance initiatives. Organizations that adopt automated data masking solutions, implement policy-based access controls for data-in-use, and deploy AI-driven anomaly detection for data processing environments develop a comprehensive data protection strategy that strengthens resilience against insider threats and unauthorized access attempts.
Organizations that fail to safeguard data-in-use face serious security, operational, and compliance risks. Without proper security controls, businesses risk sensitive data being exposed while actively processed, modified, or accessed by unauthorized users. A common issue is holding plaintext secrets in memory for longer than necessary and in a form that is trivial to recover, where attackers extract them from RAM using memory scraping malware, debugging interfaces such as ptrace, core dumps and crash reports, or swap files that retain copies of process memory on disk. Another major challenge is privileged user abuse, where insiders or compromised accounts gain unauthorized access to sensitive data while it is actively being used in applications or processing environments.
By implementing structured data-in-use protection measures, organizations ensure that sensitive data remains secure while being processed by systems, applications, and users, preventing unauthorized access, leakage, or modification. A well-defined security framework enforces encryption-in-use, applies memory protection techniques, and continuously monitors active data access for anomalies. Organizations that deploy confidential computing solutions, integrate secure enclaves for sensitive operations, and implement just-in-time access controls for active data use improve their ability to detect unauthorized activities, prevent data manipulation, and maintain compliance with regulatory mandates.
At the Partial tier, organizations lack structured data-in-use protection policies, leading to inconsistent security practices and increased risks of data exposure. Security measures are applied on an ad-hoc basis, with encryption and access controls focused primarily on data-at-rest and data-in-transit, while data-in-use remains unprotected. A small business at this level may store customer credit card details in application memory without encrypting or masking them, making them vulnerable to malware attacks that scan memory for sensitive information.
At the Risk Informed tier, organizations begin to establish formal data-in-use protection policies, ensuring that encryption, memory protection, and access controls are applied to sensitive data while it is actively processed. However, security enforcement may still be limited, with access controls inconsistently applied and monitoring capabilities lacking real-time visibility. A mid-sized healthcare provider at this level may encrypt patient records when stored or transmitted but fail to prevent unauthorized access by system administrators while the data is actively being processed in memory.
At the Repeatable tier, organizations implement a fully structured data-in-use security framework, ensuring that all sensitive data is encrypted, monitored, and protected against unauthorized access while being actively used. Data security governance is formalized, with leadership actively involved in defining encryption-in-use policies, ensuring compliance with industry standards, and continuously improving processing security measures. A multinational technology company at this stage may deploy hardware-based trusted execution environments (TEEs), in which the CPU encrypts the workload's memory and blocks access from the host operating system, hypervisor, and other applications, preventing unauthorized applications or users from accessing data while it is being processed.
At the Adaptive tier, organizations employ AI-driven data-in-use security analytics, real-time anomaly detection for active data access, and automated response mechanisms for unauthorized data manipulation attempts to dynamically assess data processing risks and refine security policies in real time. Data-in-use security is fully integrated into enterprise cybersecurity governance, ensuring that all active data access and processing operations remain protected against emerging threats. A global cloud service provider at this level may use AI-powered behavioral analytics to detect unusual data access patterns, automatically revoke access to sensitive data when anomalies are detected, and enforce confidential computing policies to protect data during processing.
Safeguarding data-in-use aligns with multiple controls in the National Institute of Standards and Technology Special Publication 800-53, ensuring that organizations implement structured data protection models and proactive risk mitigation strategies. One key control is SC-39, Process Isolation, which requires systems to maintain a separate execution domain for each running process so that one process cannot read or interfere with another process's memory. A financial services provider implementing this control may deploy secure enclaves that isolate transaction processing from other applications, ensuring that sensitive financial data remains protected during computations.
Another relevant control is SI-16, Memory Protection, which requires organizations to implement controls that protect system memory from unauthorized code execution, such as data execution prevention and address space layout randomization, so that an attacker with a foothold on the host cannot simply inject code into or read from a process that handles sensitive data. A healthcare organization implementing this control, and extending it with memory encryption for the processes that handle patient records, reduces the chance that attackers extract sensitive medical data from RAM using memory scraping techniques.
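The memory-scraping scenario described above (card details left in application memory, and the memory protection control meant to counter it) is easier to reason about with a concrete program. The following is an added example and not code from the NIST publication or this page; it assumes Linux with glibc, uses a constructed, well-known Luhn test number 4111111111111111 as the sensitive value, and stands in a fixed byte array `arena` for the heap region a scraper would read. It shows the cheap controls a process can apply itself before any TEE is involved: mark the process non-dumpable, pin the secret's pages so they never reach swap, keep the plaintext lifetime to the single operation that needs it, wipe it with a write the optimizer cannot remove, and then run a scraper-style scan to confirm the value is gone. `mask_pan` is included to make the point that masking is a display control and leaves the in-memory copy untouched.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Added example (not from the NIST page). The PAN used in main() and the
 * arena buffer are constructed test inputs; mlock() may fail in sandboxes
 * with RLIMIT_MEMLOCK = 0, which is why it is treated as best-effort. */

/* Linux only: disable core dumps and ptrace attach by same-uid processes.
 * Returns 0 on success, -1 if the call failed or the platform is unsupported. */
int disable_dumpable(void) {
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
#else
    return -1;
#endif
}

/* Zeroise through a volatile pointer so dead-store elimination cannot drop
 * the writes (a plain memset before free() is routinely optimised away). */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* What a memory scraper does: search a region for a known byte pattern. */
int pattern_resident(const unsigned char *region, size_t region_len,
                     const unsigned char *pattern, size_t pattern_len) {
    if (pattern_len == 0 || region_len < pattern_len) return 0;
    for (size_t i = 0; i + pattern_len <= region_len; i++)
        if (memcmp(region + i, pattern, pattern_len) == 0) return 1;
    return 0;
}

/* The "use" step: Luhn check over ASCII digits. Returns 1 if valid. */
int luhn_valid(const unsigned char *digits, size_t n) {
    int sum = 0, dbl = 0;
    if (n == 0) return 0;
    for (size_t i = n; i-- > 0;) {
        int d = digits[i] - '0';
        if (d < 0 || d > 9) return 0;
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Masking is a display control: it hides all but the last four digits on
 * screens and in logs, but says nothing about the plaintext still in memory. */
void mask_pan(const char *pan, char *out, size_t out_len) {
    size_t n = strlen(pan);
    size_t i = 0;
    if (out_len == 0) return;
    for (; i < n && i + 1 < out_len; i++)
        out[i] = (i + 4 < n) ? '*' : pan[i];
    out[i] = '\0';
}

/* Copy the PAN into `arena`, validate it, wipe it, and report whether a
 * scraper could still find it. Returns 0 when the wipe removed the value,
 * 1 if it is still resident, -1 on bad input. */
int process_pan(unsigned char *arena, size_t arena_len, const char *pan, int *luhn_ok) {
    size_t n = strlen(pan);
    if (n == 0 || n > arena_len) return -1;
    int pinned = (mlock(arena, arena_len) == 0);   /* keep the secret out of swap */
    memcpy(arena, pan, n);
    *luhn_ok = luhn_valid(arena, n);                /* the only use of the plaintext */
    secure_wipe(arena, n);                          /* lifetime ends here */
    if (pinned) munlock(arena, arena_len);
    return pattern_resident(arena, arena_len, (const unsigned char *)pan, n);
}

int main(void) {
    unsigned char arena[256] = {0};
    char masked[32];
    int ok = 0;
    printf("non-dumpable: %s\n", disable_dumpable() == 0 ? "yes" : "unsupported");
    int resident = process_pan(arena, sizeof arena, "4111111111111111", &ok);
    mask_pan("4111111111111111", masked, sizeof masked);
    printf("luhn=%d resident_after_wipe=%d masked=%s\n", ok, resident, masked);
    return resident;
}
```

These steps remove the easy paths (swap, core dumps, same-user debuggers, long-lived plaintext); they do not stop root or a kernel-level attacker from reading the process while the value is live, which is the gap a TEE with hardware memory encryption is meant to close.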
Safeguarding data-in-use also aligns with the SC-39 control enhancement SC-39(1), Hardware Separation, which calls for hardware separation mechanisms that facilitate process isolation; trusted execution environments, secure enclaves, and confidential computing platforms are ways to satisfy it. Used this way, the hardware encrypts the workload's memory and enforces the isolation boundary, preventing access from other applications, users, and system-level processes. A global cloud provider implementing this control may process customer data inside hardware-based trusted execution environments (TEEs) so that even cloud administrators cannot access the data during computation. That guarantee holds only as far as the TEE's attestation is verified by the customer before secrets are released into it and the code running inside the enclave is itself trusted; an enclave that leaks data through its own bugs or outputs is not protected by the hardware boundary.
These controls can be adapted based on organizational size, industry, and cybersecurity maturity. A small business may implement basic security controls, ensuring that sensitive data is masked when displayed on user interfaces and access is logged when data is retrieved for processing. A large enterprise may deploy AI-driven monitoring solutions, secure computation frameworks, and automated anomaly detection models to ensure that data-in-use security policies are continuously refined and enforced. Organizations in highly regulated industries, such as finance, healthcare, and national security, may require legally mandated confidential computing standards, compliance-driven data execution audits, and strict data access controls to align with security requirements.
Auditors assess an organization's ability to safeguard data-in-use by reviewing whether structured, documented, and continuously enforced data execution security frameworks are in place. They evaluate whether organizations implement structured memory protection policies, real-time access monitoring, and predictive data security analytics as part of enterprise-wide cybersecurity governance. If an organization fails to secure data-in-use effectively, auditors may issue findings highlighting gaps in encryption-in-use enforcement, weak alignment between processing security policies and regulatory compliance requirements, and failure to integrate structured data protection strategies into enterprise security operations.
To verify compliance, auditors seek specific types of evidence. Encryption-in-use policy documentation and structured memory protection logs demonstrate that organizations formally define and enforce data-in-use security policies. Trusted execution environment reports and processing anomaly detection logs provide insights into whether organizations proactively monitor data processing operations and detect unauthorized access attempts in real time. Automated memory protection reports and predictive execution security analytics show whether organizations effectively track, monitor, and enhance data-in-use security using real-world risk assessments and adaptive security controls.
A compliance success scenario could involve a global financial institution that undergoes an audit and provides evidence that data-in-use protection strategies are fully integrated into enterprise cybersecurity governance, ensuring that all processing operations remain encrypted, memory access is continuously monitored, and execution security policies are enforced consistently across all computing environments. Auditors confirm that data-in-use security policies are systematically enforced, execution monitoring mechanisms are dynamically adjusted based on evolving threats, and enterprise-wide cybersecurity governance frameworks align with structured data security requirements. In contrast, an organization that fails to implement structured data-in-use security frameworks, neglects real-time access monitoring, or lacks formalized execution protection workflows may receive audit findings for poor data processing security, weak memory protection enforcement, and failure to align data-in-use security strategies with regulatory compliance mandates.
Organizations face multiple barriers in ensuring that data-in-use security strategies remain continuous and effective. One major challenge is lack of encryption-in-use enforcement, where organizations encrypt stored and transmitted data but leave active processing environments unprotected, making them vulnerable to insider threats and malware-based attacks. Another challenge is failure to integrate runtime monitoring tools, where organizations do not track or log data access during processing, increasing the risk of undetected privilege abuse or unauthorized modifications. A final challenge is over-reliance on perimeter security, where organizations assume that securing external access to systems is sufficient, without recognizing that attackers may target unprotected data within applications and execution environments.
Organizations can overcome these barriers by developing structured data execution security frameworks, ensuring that processing security policies remain continuously optimized, and integrating real-time execution monitoring models into enterprise-wide cybersecurity governance strategies. Investing in automated memory encryption solutions, predictive execution security analytics, and AI-driven runtime anomaly detection ensures that organizations dynamically assess, monitor, and refine data-in-use security strategies in real time. Standardizing execution security governance methodologies across departments, subsidiaries, and external business partners ensures that data-in-use protection policies are consistently applied, reducing exposure to processing-based security risks and strengthening enterprise-wide data security resilience. By embedding data-in-use security strategies into enterprise cybersecurity governance frameworks, organizations enhance execution security risk awareness, improve regulatory compliance, and ensure sustainable data protection processes across evolving cyber risk landscapes.
