3.3 Data States and Protection Methods: DLP, DRM, and CASB
Key Takeaways
- Data protection controls must match the state of data: at rest, in transit, and in use each exposes different risks.
- Encryption protects confidentiality when keys are controlled, but it does not replace classification, authorization, monitoring, or retention decisions.
- DLP detects and can block risky movement of sensitive data, but it requires tuning, user education, and exception handling to avoid business disruption.
- DRM or IRM can apply persistent usage restrictions to documents, while CASB helps govern SaaS and cloud data flows through visibility, policy, and control.
- Control selection should follow risk, data value, workflow impact, and ownership rather than tool popularity.
Match Controls To Data State
Data exists in several states, and each state creates different security questions. Data at rest is stored in a database, file system, object store, endpoint, backup, archive, or paper record. Data in transit moves across a network, API, message queue, email path, file transfer, replication channel, or removable media process. Data in use is being processed by an application, displayed to a user, loaded in memory, printed, analyzed, or acted on by a business workflow.
A control that works well in one state may not solve another. Full-disk encryption protects a lost laptop when it is powered off, but it does not stop an authorized user from emailing a decrypted file after login. TLS protects a network session, but it does not decide whether the recipient is allowed to have the data. Database encryption protects stored records, but an application vulnerability may still expose data through authorized queries.
| Data state | Common exposure | Useful control families |
|---|---|---|
| At rest | Lost device, stolen backup, exposed bucket, database compromise. | Encryption, access control, key management, storage policy, monitoring, backup protection. |
| In transit | Interception, misrouting, unauthorized transfer, insecure protocol. | TLS, VPN where appropriate, secure file transfer, certificate validation, DLP, egress filtering. |
| In use | Screen capture, copy and paste, memory exposure, excessive application access. | Least privilege, session controls, masking, tokenization, DRM, endpoint controls, monitoring. |
Encryption is often a foundation control. For data at rest, organizations use database encryption, volume encryption, object storage encryption, file encryption, backup encryption, and hardware security modules where risk requires stronger key protection. For data in transit, TLS and secure protocols are common expectations. For data in use, encryption is harder because the application or user must often see plaintext. Specialized methods such as confidential computing, trusted execution environments, or application-level tokenization may reduce exposure in specific designs, but they are not universal answers.
Key management is part of encryption governance. If everyone who can read the data can also export the keys, encryption may not add much protection against insider misuse. Keys need ownership, access rules, rotation expectations, backup, separation of duties, and revocation procedures. A business owner does not need to operate the key vault, but the owner should understand whether key control matches classification and legal duties.
Masking and tokenization reduce sensitive exposure by changing what users or systems see. Masking may hide part of a value, such as showing only the last digits of an identifier. Dynamic masking changes the display based on user or context. Tokenization replaces a sensitive value with a substitute token while the original is stored in a controlled vault. These methods can be better than broad encryption when a workflow needs a reference value but not the raw data.
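Added example (not part of the original text) showing the three approaches above on a constructed identifier: static masking of all but the last digits, dynamic masking that depends on the viewer's role, and a tokenization vault that hands out random reference tokens and logs every attempt to recover the raw value. The in-memory dictionaries and the role names are assumptions standing in for a real vault and an identity system.

```python
import secrets

# Constructed sample value: a government identifier that a call-centre
# workflow must reference but should rarely display in full.
SAMPLE_ID = "123-45-6789"


def mask_identifier(value: str, visible: int = 4) -> str:
    """Static masking: keep only the last `visible` digits and hide the rest."""
    digits = "".join(c for c in value if c.isdigit())
    shown = digits[-visible:]
    return "X" * (len(digits) - len(shown)) + shown


def display_for_role(value: str, role: str) -> str:
    """Dynamic masking: what is rendered depends on who is viewing (roles are assumed)."""
    if role == "supervisor":          # full value for a small, audited group
        return value
    if role == "representative":      # enough to confirm a caller's identity
        return mask_identifier(value)
    return "REDACTED"                 # everyone else sees nothing useful


class TokenVault:
    """Tokenization: the raw value lives only in the vault; other systems hold
    a random token that carries no information about the original."""

    def __init__(self):
        self._by_token = {}    # token -> raw value (stands in for vault storage)
        self._by_value = {}    # raw value -> token, so one value maps to one token
        self.audit = []        # every detokenize attempt, allowed or not

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from value
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token: str, role: str, purpose: str) -> str:
        """Only approved roles may recover the raw value; every attempt is logged."""
        allowed = role in {"supervisor", "fraud_review"}
        self.audit.append({"token": token, "role": role,
                           "purpose": purpose, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]
```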
Data loss prevention, or DLP, focuses on detecting and controlling sensitive data movement. DLP may inspect email, web uploads, endpoint copy activity, cloud storage, collaboration tools, source repositories, or network egress. It can alert, block, quarantine, encrypt, warn the user, or require justification. DLP is most effective when it knows what data matters through classification labels, content patterns, fingerprints, dictionaries, and context such as user, destination, device, and application.
DLP can create operational friction. A poorly tuned rule may block legitimate legal filings, customer support attachments, or incident response evidence. A weak rule may miss sensitive data in screenshots, encrypted archives, unusual formats, or renamed files. Strong governance includes testing, phased rollout, user coaching, owner-approved exceptions, and metrics that show both risk reduction and business impact.
Digital rights management, often called DRM or information rights management in enterprise settings, attempts to keep protection with the document. It may restrict opening, printing, forwarding, copying, offline access, or expiration even after the file leaves the original repository. DRM can help with board documents, merger plans, legal files, and partner collaboration. It is not perfect because screenshots, cameras, and authorized misuse remain possible, but it raises the barrier and improves control.
A cloud access security broker, or CASB, helps govern cloud and SaaS use. CASB capabilities vary, but common functions include discovery of unsanctioned cloud use, policy enforcement for sanctioned SaaS, activity monitoring, DLP integration, anomaly detection, malware scanning, encryption or tokenization support, and access control based on user, device, location, and risk. CASB may operate through API integration, forward proxy, reverse proxy, log analysis, or combinations.
Control selection matrix:
| Situation | Better first questions | Likely control direction |
|---|---|---|
| Confidential files leaving by email | Is the recipient approved and is the transfer needed? | Email DLP, encryption, warning, approval, or secure portal. |
| Board documents shared externally | Should usage remain restricted after download? | DRM or IRM plus named recipient access and expiration. |
| Employees using unapproved file-sharing apps | Which apps, users, and data are involved? | CASB discovery, sanctioned alternatives, egress controls, and policy. |
| Developers need production-like data | Do they need real personal data? | Masking, tokenization, synthetic data, restricted access, and retention limits. |
| Database backup stored offsite | What is the loss impact and who holds keys? | Backup encryption, key separation, inventory, and restore testing. |
Scenario: a finance team emails quarterly results to external counsel before public release. Encryption in transit is necessary but not enough. The organization may require confidential labeling, approved recipient verification, DLP warning or block for unapproved domains, DRM to limit forwarding, logging, and retention controls. The owner should approve the process because the business impact of early disclosure is high.
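Added example (not the page's own code) of the outbound-email DLP decision described in the DLP paragraphs and in the finance scenario above: it combines a classification label, a content pattern, a term dictionary, recipient-domain approval and an owner-approved, time-limited exception, and returns allow, warn or block. The domains, the card-number regex and the policy thresholds are constructed assumptions; the regex in particular is deliberately crude and would need tuning against false positives in a real deployment.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed policy: approved external domains and owner-approved exceptions
# keyed by (sender, recipient domain) with an expiry date.
APPROVED_DOMAINS = {"example.com", "outside-counsel.example"}
EXCEPTIONS = {("legal@example.com", "court-filings.example"): date(2099, 1, 1)}

# Constructed content detectors: a crude card-number pattern and a finance dictionary.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
FINANCE_TERMS = {"quarterly results", "pre-release earnings", "merger plan"}


@dataclass
class Message:
    sender: str
    recipients: list
    label: str            # classification label applied by the author
    text: str             # body plus extracted attachment text
    justification: str = ""


@dataclass
class Verdict:
    action: str           # "allow", "warn" or "block"
    reasons: list = field(default_factory=list)


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(msg: Message, today: date = date(2025, 1, 1)) -> Verdict:
    reasons = []
    external = {domain(r) for r in msg.recipients if domain(r) != domain(msg.sender)}
    unapproved = {d for d in external if d not in APPROVED_DOMAINS}
    # Owner-approved, unexpired exceptions are honoured but still recorded.
    covered = {d for d in unapproved if EXCEPTIONS.get((msg.sender, d), date.min) >= today}
    unapproved -= covered
    if covered:
        reasons.append(f"exception applied for {sorted(covered)}")
    sensitive = msg.label in {"Confidential", "Restricted"}
    if CARD_RE.search(msg.text):
        reasons.append("card-number pattern in content"); sensitive = True
    hits = sorted(t for t in FINANCE_TERMS if t in msg.text.lower())
    if hits:
        reasons.append(f"dictionary terms: {hits}"); sensitive = True
    if not sensitive or not external:
        return Verdict("allow", reasons)          # nothing sensitive, or internal only
    if unapproved and msg.label == "Restricted":
        reasons.append(f"restricted data to unapproved domains {sorted(unapproved)}")
        return Verdict("block", reasons)
    if unapproved and not msg.justification:
        reasons.append("sensitive content to unapproved domain; justification required")
        return Verdict("warn", reasons)           # user is coached, may justify and resend
    return Verdict("allow", reasons)
```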
Scenario: a SaaS application is widely used by employees without security review. A CASB discovery function may identify the application, users, data volume, and risky activity. Leadership can then decide whether to sanction the application with controls, block it, migrate users to an approved service, or accept a limited exception. The point is not to blindly block productivity, but to make cloud data flow visible and governed.
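Added example (not the page's or any vendor's code) of the log-analysis mode of CASB discovery mentioned above and used in this scenario: constructed secure-web-gateway log lines are parsed, destinations are mapped to applications through a small catalog that records whether each is sanctioned, and per-application users and upload volume are aggregated into findings that leadership can act on. The catalog, the log format and the upload threshold are assumptions.

```python
from collections import defaultdict

# Constructed app catalog: destination host -> (application name, sanctioned?).
CATALOG = {
    "files.sanctioned-drive.example": ("Corporate Drive", True),
    "upload.quickshare.example": ("QuickShare", False),
    "api.notes-saas.example": ("NoteCloud", False),
}

# Constructed proxy/secure web gateway log: one event per line, key=value fields.
LOG = """\
2025-01-06T09:12:03Z user=alice dst=files.sanctioned-drive.example method=PUT bytes_out=5242880
2025-01-06T09:14:10Z user=bob dst=upload.quickshare.example method=POST bytes_out=73400320
2025-01-06T09:20:44Z user=carol dst=upload.quickshare.example method=POST bytes_out=10485760
2025-01-06T09:31:02Z user=alice dst=upload.quickshare.example method=GET bytes_out=512
2025-01-06T10:02:19Z user=dave dst=api.notes-saas.example method=POST bytes_out=2048
2025-01-06T10:05:55Z user=erin dst=unknown-host.example method=GET bytes_out=128
"""


def parse_line(line: str) -> dict:
    """Split a log line into its timestamp and key=value fields."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = ts
    event["bytes_out"] = int(event.get("bytes_out", 0))
    return event


def discover(log_text: str, upload_threshold: int = 50 * 1024 * 1024):
    """Aggregate per application; return (per-app records, sorted findings)."""
    apps = defaultdict(lambda: {"sanctioned": None, "users": set(),
                                "bytes_out": 0, "uploads": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        name, sanctioned = CATALOG.get(ev["dst"], (ev["dst"], None))  # None = unknown app
        rec = apps[name]
        rec["sanctioned"] = sanctioned
        rec["users"].add(ev["user"])
        if ev["method"] in ("PUT", "POST"):          # only count data leaving
            rec["bytes_out"] += ev["bytes_out"]
            rec["uploads"] += 1
    findings = []
    for name, rec in apps.items():
        if rec["sanctioned"] is False:               # known but not approved
            sev = "high" if rec["bytes_out"] >= upload_threshold else "medium"
            findings.append((sev, name, sorted(rec["users"]), rec["bytes_out"]))
        elif rec["sanctioned"] is None:              # not in catalog: needs review
            findings.append(("review", name, sorted(rec["users"]), rec["bytes_out"]))
    return apps, sorted(findings)
```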
Scenario: customer service representatives need to verify callers without seeing full government identifiers. Masking or tokenization can support the workflow better than giving every representative full raw values. Owners should decide which fields are necessary, custodians should implement display rules and audit logs, and supervisors should review misuse indicators.
The CISSP habit is to layer controls around the workflow. Ask which data state is exposed, who owns the decision, who needs access, how data moves, what a control can and cannot prevent, and how exceptions will be managed. Tool names matter less than control fit.
A laptop has full-disk encryption, but an authorized user emails a decrypted restricted file to a personal account after login. Which conclusion is most accurate?
Which control is most directly associated with discovering and governing unsanctioned SaaS usage and applying policy to cloud application activity?
A company wants a confidential document to expire and prevent forwarding after it is shared with named external counsel. Which technology is most aligned with that goal?