Data Protection Methods: DRM, DLP, and CASB Explained for the CISSP Exam
Protecting data requires matching the right control to the right data state and context. The CISSP exam tests three categories of data protection control that operate across different dimensions: Data Loss Prevention (DLP) detects and prevents unauthorised data movement, Digital Rights Management (DRM) restricts what authorised users can do with data, and Cloud Access Security Brokers (CASB) extend visibility and control to cloud-hosted data. Understanding how these controls differ, where they apply, and when to recommend each is essential for Domain 2.
Data States and Appropriate Controls
Before selecting data protection controls, security professionals must understand the three states in which data exists and the distinct security challenges each presents.
Data at rest is data stored on a persistent medium: a hard drive, SSD, database, backup tape, or cloud storage bucket. The primary threat to data at rest is unauthorised access, either through physical theft of the media or logical access by an attacker who has compromised the storage system. Controls for data at rest include encryption (AES, typically with a 256-bit key, is the usual choice), access controls (filesystem permissions, database access controls, cloud IAM policies), and physical security for storage media.
Data in transit is data moving between systems, users, or organisations across a network. The primary threats are interception (eavesdropping) and modification (on-path or man-in-the-middle attacks). Controls for data in transit include transport encryption (TLS 1.3, IPsec), message-level encryption (S/MIME, PGP for email), secure transfer protocols (SFTP, HTTPS), and digital signatures or MACs to verify integrity and origin.
Data in use is data being actively processed in memory, displayed on screen, or manipulated by a user or application. This is the most difficult state to protect because data must be decrypted for ordinary processing. Controls for data in use include access controls on applications, session management, screen capture prevention, and emerging technologies such as confidential computing (hardware-isolated trusted execution environments in which data is decrypted only inside memory that the host operating system and hypervisor cannot read) and homomorphic encryption (which computes directly on ciphertext without decrypting it at all).
For the exam: match the control to the state. Encryption at rest protects stored data. TLS protects data in transit. DRM and access controls protect data in use. CASB operates across all states for cloud-hosted data.
Data Loss Prevention (DLP)
DLP is a set of tools and processes designed to detect and prevent the unauthorised transmission, copying, or use of sensitive data. DLP systems inspect data in motion, at rest, and in use to identify sensitive content based on predefined policies (pattern matching, fingerprinting, or machine learning classification) and take action when a policy violation is detected.
DLP is deployed in three primary modes.
Network DLP (also called DLP in motion) monitors network traffic leaving the organisation. It can inspect email attachments, web uploads, file transfers, and other outbound traffic for sensitive data. Network DLP is typically deployed at the network perimeter, often inline with the organisation's proxy or secure web gateway. It is effective for detecting mass data exfiltration but cannot inspect encrypted traffic without SSL/TLS inspection capabilities.
Endpoint DLP (also called DLP in use, because it watches what users do with data on their devices) is deployed as an agent on endpoint devices. It monitors file operations, clipboard activity, printing, and removable media use. Endpoint DLP can prevent a user from copying sensitive files to a USB drive, printing confidential documents, or uploading data to a personal cloud storage account from the corporate laptop. Because the agent runs locally, it keeps enforcing policy even when the device is off-network and its traffic never passes the perimeter.
Cloud DLP (also called DLP for data in the cloud) monitors and protects data stored in cloud services. It can scan cloud storage buckets for sensitive data, enforce policies on data sharing within cloud collaboration tools, and integrate with CASB platforms for broader cloud visibility.
DLP enforcement actions include: alert (notify the security team), block (prevent the action), quarantine (isolate the data for review), encrypt (apply encryption before allowing transmission), and justify (require the user to provide a business justification for the action, which is logged). Detection is tuned as much as enforcement: a pattern such as a 16-digit number is usually paired with a validation step (for card numbers, the Luhn checksum) so that order numbers and phone numbers do not generate false positives, and fingerprinting of registered documents catches partial copy-and-paste that no pattern would.
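The two detection techniques named above (pattern matching with validation, and document fingerprinting) together with the mapping from a policy hit to an enforcement action, as an added example that is not part of the original article or of any vendor's DLP product. The protected memo, the three outbound messages, and the policy names are constructed for illustration; the card number used is the well-known test number 4111 1111 1111 1111, and the shingle size and thresholds are arbitrary choices.

```python
"""Toy DLP content inspector (added example): pattern matching with Luhn
validation, document fingerprinting, and policy-to-action mapping."""
import hashlib
import re
from dataclasses import dataclass, field

# Technique 1: pattern matching with a validation step.
# Candidate payment card numbers: 13 to 19 digits with optional separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Rejects most random digit runs (order or ticket numbers),
    which keeps the PAN pattern from flooding analysts with false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans

# Technique 2: document fingerprinting (hashes of overlapping word shingles).
def fingerprint(text: str, k: int = 5) -> set[str]:
    """Hash every run of k consecutive words of the normalised text. A pasted
    excerpt of a protected document still shares many shingles with it."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(max(len(words) - k + 1, 1))
    }

@dataclass
class Policy:
    name: str
    action: str                 # alert | block | quarantine | encrypt | justify
    min_pans: int = 0           # fire when at least this many PANs are present
    fingerprints: set[str] = field(default_factory=set)
    min_shingles: int = 0       # fire when at least this many shingles match

def evaluate(text: str, policies: list[Policy]) -> list[tuple[str, str, str]]:
    """Return (policy name, action, evidence) for each policy the text violates."""
    pans = find_pans(text)
    shingles = fingerprint(text)
    hits = []
    for p in policies:
        if p.min_pans and len(pans) >= p.min_pans:
            hits.append((p.name, p.action, f"{len(pans)} Luhn-valid PAN(s)"))
        if p.min_shingles:
            matched = len(shingles & p.fingerprints)
            if matched >= p.min_shingles:
                hits.append((p.name, p.action,
                             f"{matched} matching fingerprint shingles"))
    return hits

# Constructed sample data (hypothetical memo and messages, not real content):
# a protected document registered with the DLP system and three outbound mails.
PROTECTED_MEMO = (
    "Project Falcon acquisition memo. The board approved an offer of forty "
    "dollars per share for Orion Labs, to be announced after the quarterly "
    "earnings call on the first Monday of next month."
)
POLICIES = [
    Policy("PCI-PAN", "block", min_pans=1),
    Policy("Falcon-memo", "quarantine",
           fingerprints=fingerprint(PROTECTED_MEMO), min_shingles=5),
]
MSG_PAN = "Hi, the card on file is 4111 1111 1111 1111, exp 12/27. Thanks!"
MSG_ORDER = "Your order 1234 5678 9012 3456 has shipped."   # 16 digits, fails Luhn
MSG_LEAK = ("FYI, the board approved an offer of forty dollars per share "
            "for Orion Labs. Keep quiet.")

if __name__ == "__main__":
    for msg in (MSG_PAN, MSG_ORDER, MSG_LEAK):
        print(evaluate(msg, POLICIES) or "allow")
```

The order-number message contains a 16-digit run that the regular expression alone would flag; the Luhn check drops it, which is the point of pairing patterns with validation. The leaked excerpt contains no pattern at all and is caught only because nine of its word shingles match the registered memo.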
For the exam: DLP is the control for preventing sensitive data from leaving the organisation through unauthorised channels. Network DLP monitors egress traffic. Endpoint DLP monitors device-level actions. The exam may ask which type of DLP is most appropriate for a given scenario.
Digital Rights Management (DRM)
DRM is a technology that allows data owners to control how their content is used, even after it has been delivered to an authorised recipient. Unlike access controls (which govern who can access data) and DLP (which prevents unauthorised transmission), DRM governs what an authorised user can do with data they legitimately possess.
DRM controls typically include: restrictions on printing (a document may be viewable but not printable), restrictions on copying (text cannot be selected or copied), restrictions on forwarding (an email or document cannot be forwarded to others), expiry dates (access expires after a specified period), watermarking (visible or invisible marks that identify the document and the recipient), and read-only restrictions (documents can be viewed but not edited).
DRM is widely used for intellectual property protection: e-books, music, video content, and enterprise document management. In enterprise contexts, Information Rights Management (IRM) — essentially DRM applied to enterprise documents — allows organisations to protect sensitive documents even after they have been shared with external parties.
For the exam: DRM protects intellectual property and sensitive documents from misuse by authorised recipients. It is the answer when the question involves controlling what authorised users can do with data, not who can access it.
Cloud Access Security Broker (CASB)
A CASB is a security policy enforcement point, deployed between cloud service consumers and cloud service providers, that provides visibility and control over cloud application usage. As organisations have adopted cloud services — often without IT oversight (shadow IT) — CASB has emerged as a critical tool for maintaining security governance in cloud environments.
CASB provides four core capabilities.
Visibility: CASB discovers what cloud services are being used by employees, including sanctioned services (approved by IT) and shadow IT (unapproved services used without IT knowledge). This visibility is the foundation for all other CASB capabilities.
Compliance: CASB can audit cloud service usage against regulatory requirements (GDPR, HIPAA, PCI DSS) and internal policies, generating reports for compliance purposes.
Data security: CASB can inspect data being uploaded to or downloaded from cloud services, applying DLP policies to prevent sensitive data from being stored in or transmitted through unapproved cloud applications.
Threat protection: CASB can detect and respond to threats within cloud services, including compromised accounts (detecting login from unusual locations), malware uploaded to cloud storage, and insider threats detected through anomalous cloud usage patterns.
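How the visibility and data-security capabilities above look in practice when a CASB works from proxy logs (the log-collection form of discovery), as an added example that is not part of the original article or of any CASB product. The service catalogue, the log line format (timestamp, user, method, host, bytes sent, HTTP status), the hostnames and the 50 MiB upload threshold are all constructed for illustration; a real catalogue carries thousands of services with risk scores.

```python
"""Toy CASB-style discovery over web proxy logs (added example): find shadow IT
and flag bulk uploads to unsanctioned cloud services."""
from collections import defaultdict

# Constructed catalogue mapping domain suffixes to (service, sanction status).
CATALOGUE = {
    "sharepoint.com": ("Microsoft 365", "sanctioned"),
    "salesforce.com": ("Salesforce", "sanctioned"),
    "dropbox.com": ("Dropbox", "unsanctioned"),
    "wetransfer.com": ("WeTransfer", "unsanctioned"),
    "drive.google.com": ("Google Drive (personal)", "unsanctioned"),
}

def classify(host: str) -> tuple[str, str]:
    """Match a hostname to the catalogue by domain suffix; the longest suffix
    wins so a specific entry beats a broader parent domain."""
    host = host.lower().rstrip(".")
    best = None
    for suffix, entry in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else ("unknown", "unknown")

def parse_line(line: str) -> dict:
    """Constructed log format: timestamp user method host bytes_out http_status."""
    ts, user, method, host, bytes_out, http_status = line.split()
    return {"ts": ts, "user": user, "method": method, "host": host,
            "bytes_out": int(bytes_out), "http_status": int(http_status)}

def discover(lines: list[str], upload_threshold: int = 50 * 1024 * 1024) -> dict:
    """Aggregate proxy events into a discovery report: which unsanctioned
    services are in use, and who pushed bulk data into them."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    uploads = defaultdict(int)          # (user, service) -> bytes sent
    for line in lines:
        ev = parse_line(line)
        service, sanction = classify(ev["host"])
        usage[(service, sanction)]["users"].add(ev["user"])
        usage[(service, sanction)]["bytes_out"] += ev["bytes_out"]
        # Only write-type requests to non-sanctioned services count as uploads.
        if ev["method"] in ("POST", "PUT") and sanction != "sanctioned":
            uploads[(ev["user"], service)] += ev["bytes_out"]
    return {
        "shadow_it": sorted(s for (s, st) in usage if st == "unsanctioned"),
        "bulk_uploads": sorted((u, s, b) for (u, s), b in uploads.items()
                               if b >= upload_threshold),
        "usage": dict(usage),
    }

# Constructed proxy log lines (hypothetical users and hosts, not a real capture).
SAMPLE_LOG = [
    "2024-03-04T09:12:01Z alice GET example-corp.sharepoint.com 1200 200",
    "2024-03-04T09:14:33Z alice POST upload.dropbox.com 31457280 200",
    "2024-03-04T09:16:05Z alice POST upload.dropbox.com 31457280 200",
    "2024-03-04T09:20:47Z bob PUT drive.google.com 2048 200",
    "2024-03-04T09:22:10Z carol GET login.salesforce.com 900 200",
    "2024-03-04T09:25:59Z dave GET news.example.com 4000 200",
]

if __name__ == "__main__":
    report = discover(SAMPLE_LOG)
    print("Shadow IT in use:", report["shadow_it"])
    for user, service, total in report["bulk_uploads"]:
        print(f"{user} sent {total // 2**20} MiB to unsanctioned {service}")
```

Two things the report shows that the paragraph only states: bob's small write to a personal drive is enough to discover the service as shadow IT even though it never crosses the upload threshold, and alice's two 30 MiB uploads are only suspicious in aggregate, which is why the CASB sums per user and service rather than judging each request alone. Log-based discovery like this is after the fact; blocking the upload as it happens needs the forward-proxy deployment described below.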
CASB deployment models include: API-based (out-of-band: the CASB connects to the sanctioned service's administrative API and scans stored data and activity logs after the fact, so it covers any device but sees only data that has already reached that service and cannot block an upload in real time), proxy-based forward (traffic from managed devices is steered through the CASB by an agent or proxy configuration before it reaches any cloud service, giving inline visibility and blocking for shadow IT as well as sanctioned apps), and proxy-based reverse (users of a sanctioned service are redirected, usually by the identity provider at login, through a CASB that sits in front of that service, which covers unmanaged devices but only for the services configured). Most organisations combine modes, for example API-based for sanctioned SaaS plus forward proxy for discovery and blocking of everything else.
For the exam: CASB is the control when data is moving to or being accessed in unmanaged cloud services. It provides visibility and enforcement where traditional network controls cannot reach. If a question involves users uploading sensitive data to a personal cloud storage account, CASB (or endpoint DLP with cloud app controls) is the answer.
Scoping and Tailoring Security Controls
Not every data protection control is appropriate for every context. The CISSP emphasises scoping (determining which controls are relevant to the system or environment) and tailoring (adjusting the implementation of controls to fit the specific context).
Scoping involves identifying which of the available controls in a framework (such as NIST SP 800-53) are applicable to a specific system. A system that does not process payment card data does not need to apply PCI DSS controls. A system that does not store personal data may not need GDPR-specific controls.
Tailoring involves adjusting the specific implementation of a control to fit the operational environment. A DLP policy tuned for a financial services firm will use different content patterns than one tuned for a healthcare organisation. The baseline control (DLP) is the same; the implementation details differ.
For the exam: scoping and tailoring are the reasons why controls are never applied uniformly across all systems. The data classification determines the required controls; scoping and tailoring determine how those controls are implemented in context.
Exam Tip
CASB is the control for visibility and enforcement when data moves to unmanaged cloud services. If a question describes users uploading data to cloud services that IT cannot control, CASB is the answer. DLP prevents data from leaving through unauthorised channels. DRM controls what authorised users can do with data they legitimately have. These three controls complement each other and are not substitutes.