Domain 2 of 6 · Chapter 6 of 8

Information Rights Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • What IRM is, and why it travels with the file
  • How an open works: the online policy check and PKI
  • Objectives, access models, and provisioning rights
  • Where IRM fits: classification, DLP, and exam traps

Where each data-security control enforces, and what it controls

ControlEnforcement pointSurvives leaving the perimeter?GranularityPrimary job
IRM / DRMInside the file, checked at every open against a policy/key serverYes, travels with the filePer-user, per-action (view, print, copy, expiry)Persistent usage control after distribution
ClassificationMetadata label on the objectLabel travels, but enforces nothing by itselfSensitivity tier (e.g. Confidential)Decide how data should be handled
DLPChokepoint: network egress, endpoint, or storage scanNo, stops at the inspection boundaryPolicy match on content or destinationDetect and block policy-violating transfers
Storage / volume encryptionAt rest in the storage layerNo, protection ends when data is read outAll-or-nothing for holders of the keyMake data unreadable on disk or in a bucket

Decision tree

Control actions after the fileleaves, or revoke a sent copy?IRM / DRMper-user, per-action policytravels with the fileDetect or block a fileleaving a boundary?DLPinspects at egress chokepointOnly make stored dataunreadable on disk?Encryption at reststorage / volume + key mgmtClassificationlabels only, enforces nothingYesNoYesNoYesNo

Cheat sheet

  • IRM protection rides inside the file, so it survives leaving your perimeter
  • IRM and DRM are the same concept; CCSP uses them interchangeably
  • Every open is an online policy check, not a one-time unlock
  • Revocation is effectively instant, even on already-distributed copies
  • IRM enforces; classification decides and DLP detects
  • Use DLP, not IRM, to stop a file from leaving in the first place
  • Use encryption at rest, not IRM, when you only need data unreadable on disk
  • IRM rests on PKI: a certificate per user and device
  • Provisioning means issue a certificate and map rights; deprovisioning means revoke it
  • IRM data rights are far finer than read/write on a storage ACL
  • IRM's online dependency is its main operational constraint
  • Offline IRM use is a bounded pre-issued window, not indefinite
  • Match the IRM access model to who the recipients are
  • IRM enforcement needs a compatible client or viewer
  • Chain classification to IRM so protection applies automatically
  • When a stem says already sent yet still need control, the answer is IRM

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. https://www.isc2.org/certifications/ccsp/ccsp-certification-exam-outline
  2. https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final