What Is DLP?
Data Loss Prevention (DLP) protects sensitive data — personally identifiable information (PII), financial records, intellectual property, health records — from being accidentally or maliciously exfiltrated. DLP solutions monitor data in three states:
- Data at rest: Stored in databases, file shares, cloud storage
- Data in motion: Transmitted over email, web, messaging, or file transfer
- Data in use: Accessed on endpoints, copied to USB, printed, or screen-captured
How DLP Works
- Discovery: Scan repositories to find where sensitive data lives
- Classification: Label data based on sensitivity (PII, PHI, financial, IP)
- Policy Creation: Define rules for what can and cannot happen with classified data
- Monitoring: Inspect channels (email, web, endpoints, cloud apps) for policy violations
- Enforcement: Block, quarantine, encrypt, or alert based on policy
- Reporting: Provide visibility into data movement and policy violations
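
The classification, policy, monitoring, enforcement and reporting steps above, as an added Python example that is not taken from any DLP product: it inspects outbound content for card numbers (pattern match plus Luhn check) and US SSN-format strings, then applies the most restrictive policy action. The patterns, the `POLICY` table, the severity ordering and the sample messages are assumptions constructed for illustration.

```python
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Classification: return (label, masked_value) findings for one piece of content."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("financial", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("PII", "***-**-" + m.group()[-4:]))
    return findings

# Policy (hypothetical): action per (label, channel); unlisted pairs default to "allow".
POLICY = {
    ("financial", "email"): "block", ("financial", "web"): "block",
    ("PII", "email"): "quarantine", ("PII", "web"): "alert",
}
SEVERITY = ["allow", "alert", "quarantine", "block"]  # least to most restrictive

def enforce(channel, text):
    """Monitoring and enforcement: most restrictive action wins; the dict is the report."""
    findings = classify(text)
    actions = [POLICY.get((label, channel), "allow") for label, _ in findings]
    action = max(actions, key=SEVERITY.index, default="allow")
    return {"channel": channel, "action": action, "findings": findings}

# Constructed sample traffic (4111 1111 1111 1111 is a widely used test card number).
SAMPLES = [
    ("email", "Invoice paid with card 4111 1111 1111 1111, thanks."),
    ("email", "Order reference 1234 5678 9012 3456 shipped."),  # fails Luhn: not a card
    ("web", "Employee SSN 078-05-1120 uploaded to form."),
]

if __name__ == "__main__":
    for channel, text in SAMPLES:
        print(enforce(channel, text))
```

The second sample shows why pattern matching alone is not enough: the 16-digit order reference matches the card pattern but fails the checksum, so it is allowed rather than raising a false positive. Findings are masked before they reach the report so the DLP log does not itself become a store of sensitive data.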
Types of DLP
| Type | Coverage | Use Case |
|---|---|---|
| Network DLP | Email, web traffic, file transfers | Prevent data leaving via network channels |
| Endpoint DLP | Copy/paste, print, USB, screenshots | Prevent data leaving via user devices |
| Cloud DLP | SaaS apps, cloud storage, IaaS | Prevent data leaving via cloud channels |
| Email DLP | Outbound email content and attachments | Prevent accidental email data leaks |
DLP and Compliance
DLP is critical for regulatory compliance:
- GDPR — Protect EU personal data from unauthorized transfer
- HIPAA — Prevent unauthorized disclosure of protected health information
- PCI DSS — Protect cardholder data from exfiltration
- SOX — Protect financial data integrity
Leading DLP Vendors
Major DLP providers include Microsoft Purview, Forcepoint DLP, Digital Guardian, Netwrix, Varonis, Spirion, Securiti, and BigID. Many CASB and SASE platforms also include inline DLP capabilities.