SaaS security

DLP (Data Loss Prevention)

A set of technologies that inspect data at rest, in motion, or in use to prevent sensitive information from leaving authorized boundaries.

Data Loss Prevention (DLP) is a family of technologies and processes designed to stop sensitive data (PII, payment-card numbers, source code, regulated health records, intellectual property) from leaving authorized boundaries. DLP solutions classify data, inspect it across channels (endpoint, network, email, SaaS), and apply policies that block, quarantine, encrypt, or alert when a classified payload moves where it shouldn’t.

DLP is typically deployed in three modes: data-at-rest (scanning file stores for unprotected sensitive data), data-in-motion (inspecting email and network traffic), and data-in-use (monitoring endpoint actions like copy-paste, USB writes, screen capture). Defining properties:

  • Content-classification first. Effective DLP depends on accurate classifiers — regex for known formats, dictionaries for keywords, ML for unstructured content. False positives are the operational tax.
  • Policy-driven. Each rule maps a classification to an action: allow, block, encrypt, alert, require justification.
  • Channel coverage. Mature DLP spans email gateway, web proxy / CASB, endpoint agent, and SaaS APIs. Gaps in any channel become exfiltration paths.
  • Regulatory mapping. DLP is one of the few controls that maps cleanly to GDPR Article 32, PCI-DSS, HIPAA, and similar mandates for “appropriate technical measures.”
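The first two properties can be made concrete with a short sketch. This is an added example, not code from any DLP product: a regex classifier for payment-card numbers that uses a Luhn checksum to cut false positives, followed by a policy lookup per channel. The policy table, channel names, and action ranking are assumptions, and the sample strings in the comments and tests are constructed.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order IDs, tracking numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the classifications found in text (only 'payment_card' here)."""
    labels = set()
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # the regex alone would flag any 16-digit reference
            labels.add("payment_card")
    return labels

# Hypothetical policy table: (classification, channel) -> action.
POLICY = {
    ("payment_card", "email"): "block",
    ("payment_card", "endpoint_usb"): "block",
    ("payment_card", "saas_share"): "require_justification",
}
# Assumed ordering, least to most restrictive, used to pick the strictest match.
ACTION_RANK = ["allow", "alert", "require_justification", "encrypt", "block"]

def decide(text: str, channel: str) -> str:
    """Map classified content on a channel to an action.

    A classified payload on a channel with no rule falls back to 'alert',
    so a coverage gap shows up in review instead of passing silently.
    """
    actions = [POLICY.get((label, channel), "alert") for label in classify(text)]
    return max(actions, key=ACTION_RANK.index, default="allow")

if __name__ == "__main__":
    # Constructed samples: a well-known test card number and a 16-digit order reference.
    print(decide("Card: 4111 1111 1111 1111", "email"))
    print(decide("Order ref 1234 5678 9012 3456", "email"))
```
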

DLP is foundational and unlikely to disappear from regulated environments. Its honest limit is the same one CASBs face: DLP enforces content rules, but a growing share of SaaS-era risk lives in behavior that doesn’t trip any content classifier — granting an OAuth scope to a “free productivity” tool, leaving a contractor account dormant for six months, sharing a perfectly innocuous-looking link that happens to expose strategy. That’s the layer behavior-centered SaaS monitoring addresses, alongside (not instead of) DLP.
