Data Loss/Leak Prevention (DLP)
Data Loss/Leak Prevention is a security strategy aimed at preventing sensitive data from leaving the corporate environment in an unauthorized manner. The main objective is to protect confidential information — such as personal data, financial data and intellectual property — against accidental or malicious leaks.
In practice, DLP exists to protect the company not only from external attackers but also from internal risk: the employees themselves. Leaks can happen unintentionally (human error), but in reality many exposures are intentional — especially when employees leave the company and try to take privileged information with them, to use as a competitive advantage on the market or at a competitor.
Among the most targeted data are:
- Supplier data
- Customer data
- Contracts
- Source code
- Market strategies
- Financial information
Many security solutions (antivirus, firewalls) protect traffic "from the outside in". DLP acts from the inside out, exactly at this point: monitoring, blocking, or alerting on data movement attempts that violate the company's security policies.
How can data leak?
- Printing documents
- Sending to personal emails
- Uploading to personal clouds
- Sharing corporate cloud with third parties
- Uploading to sites like WeTransfer
- Sending via messaging apps (WhatsApp, Telegram)
- Transferring via Bluetooth
- Copying to other network folders
- Recording to USB drives or external hard drives
- Screenshot of the screen
And of course... DLP doesn't work miracles: nothing prevents the employee from taking a photo of the screen or manually noting down data. Insider creativity will always exist.
Where does DLP act?
In the vast majority of cases, the company provides the equipment the employee works on, and the DLP agent already comes installed and configured by the technical support team; one way or another, the agent has to be installed on the device. The central configuration defines:
- Which data is considered sensitive
- What to block
- Who to block
- When to alert
The agent on the endpoint analyzes file content locally, applies the rules, and sends alerts or logs to the central management server (backend).
DLP Types
Endpoint DLP (Local Agent)
This is the basic and necessary type, the one with the largest protection perimeter. It controls the real origin of the data: the user's device.
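The agent-side logic just described (content detectors plus centrally defined rules for which data, which channel, and who) as a small worked example in Python. This is an added illustration, not code from the original page or from any DLP product; the detector patterns, channel names, group names and sample events are constructed for the example.

```python
import re
from dataclasses import dataclass

# --- Content detectors: what the central policy considers "sensitive" ---------
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")            # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                 # US-style SSN layout
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)    # classification stamp in the text


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the sensitivity labels found in a piece of content."""
    labels: set[str] = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            labels.add("credit_card")
    if SSN_RE.search(text):
        labels.add("ssn")
    if MARKER_RE.search(text):
        labels.add("confidential")
    return labels


# --- Policy pushed from the central console: which data, which channel, who ---
@dataclass(frozen=True)
class Rule:
    labels: frozenset            # any of these labels triggers the rule...
    channels: frozenset          # ...when content moves over one of these channels
    action: str                  # "block" or "alert"
    exempt_groups: frozenset = frozenset()   # the "who": groups the rule does not apply to


EXTERNAL = frozenset({"usb", "personal_cloud", "email_external", "messaging", "print"})
RULES = [  # constructed policy; first matching rule wins
    Rule(frozenset({"credit_card", "ssn"}), EXTERNAL, "block"),
    Rule(frozenset({"confidential"}), EXTERNAL - {"print"}, "block"),
    Rule(frozenset({"confidential"}), frozenset({"print"}), "alert", frozenset({"legal"})),
]


@dataclass
class Event:
    user: str
    group: str
    channel: str
    destination: str
    content: str


@dataclass
class Decision:
    action: str
    labels: set
    reason: str


def evaluate(event: Event) -> Decision:
    """Apply the rules; sensitive content over a permitted channel is allowed but logged."""
    labels = classify(event.content)
    if not labels:
        return Decision("allow", labels, "no sensitive content")
    for rule in RULES:
        if labels & rule.labels and event.channel in rule.channels:
            if event.group in rule.exempt_groups:
                continue
            return Decision(rule.action, labels, f"{sorted(labels & rule.labels)} over {event.channel}")
    return Decision("allow_logged", labels, "sensitive content on an internal channel")


# Constructed events of the kind an endpoint agent would see during a working day.
SAMPLE_EVENTS = [
    Event("joao", "sales", "usb", "E:\\", "CONFIDENTIAL customer list 2025"),
    Event("ana", "finance", "email_internal", "cfo@example.com", "card 4111 1111 1111 1111"),
    Event("ana", "finance", "personal_cloud", "drive.google.com", "card 4111 1111 1111 1111"),
    Event("rui", "legal", "print", "HP-3", "CONFIDENTIAL contract draft"),
    Event("rui", "legal", "messaging", "whatsapp", "lunch at 12?"),
]


def run_sample() -> list[tuple[str, str, str]]:
    return [(e.user, e.channel, evaluate(e).action) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for user, channel, action in run_sample():
        print(f"{user:6} {channel:16} -> {action}")
```

The Luhn check is what keeps a rule like "block card numbers on USB" from firing on every sixteen-digit order reference; the `exempt_groups` field is the simplest form of the "who to block" dimension, so the legal team can still print a stamped contract while the same action by sales raises an alert.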
Before the file goes out to the internet, email, cloud, USB, etc., it passes through the agent on the endpoint, regardless of where the user is.
Today, Machine Learning is being heavily applied to this type of DLP to expand rules and analyze user behavior.
Of course it's not perfect, as insider creativity always evolves and becomes more effective.
The BYOD (Bring Your Own Device) scenario complicates things, as you can't force the agent on the employee's personal phone. That's why other types of DLP can help complement the analysis perimeter.
Network DLP (Gateway/Firewall/Proxy)
Network DLP alone, today, is limited and considered somewhat "outdated". It doesn't see direct user-to-internet traffic if that traffic doesn't pass through the corporate network. Still, it's not useless; it serves more as a complement. Its blind spots:
- Encrypted traffic (TLS/SSL): more than 90% of web traffic today is HTTPS. If the DLP doesn't have well-configured SSL/TLS inspection (and nobody likes breaking SSL, because it causes headaches), it sees nothing.
- Users in home office / on 5G / on split-tunnel VPN: network DLP doesn't see user-to-internet traffic that never passes through the corporate network. Cloud-first culture and remote work ended the traditional perimeter.
- Cloud SaaS applications (e.g., Google Drive, OneDrive): network DLP often doesn't understand these apps' APIs; that's why Cloud DLP was born.
- Physical or alternative leaks: USB drive, phone, screen photo... the network doesn't see them.
Cloud DLP (CASB / SaaS)
The world became SaaS & Cloud-first (Google Drive, OneDrive, Slack, Teams, Salesforce, M365...) and all this happens outside the corporate network. Network DLP doesn't see anything there.
Remote work is the rule, not the exception. The user at home, at the café, on 5G, uses SaaS services directly without ever passing through the corporate firewall. Only CASB (Cloud Access Security Broker) can see and control these accesses. CASB acts where network DLP doesn't reach:
- Blocks sensitive download/upload in SaaS.
- Prevents external file sharing on Google Drive, for example.
- Does discovery of Shadow IT apps (things users use without authorization).
- Allows applying policy by user identity (not by network IP).
Big Tech companies are investing heavily in this:
- Microsoft Purview DLP + Defender for Cloud Apps (ex-CASB);
- Netskope;
- Zscaler;
- McAfee/Trellix MVISION Cloud;
- Palo Alto Prisma Cloud.
Unsupported SaaS apps are off the radar, and even for supported ones, once the user downloads the file to a personal machine... it's gone.
Email DLP
Email continues to be one of the biggest leak vectors:
- People unintentionally sending a customer spreadsheet outside the company;
- Copying a sensitive document to a partner without permission;
- Using personal Gmail to "get ahead on work at home".
Email DLP integrates well with M365 and Google Workspace. Microsoft Purview and native Google DLP already do the following:
- Block sending sensitive data (e.g., SSN, ID, card, medical data);
- Automatically encrypt or watermark;
- Alert when someone sends restricted information outside the organization;
- Force supervisor approval before sending.
It's invisible to the end user. Doesn't depend on agent. Doesn't impact the endpoint. The entire flow is controlled on the email server.
It's super important for GDPR compliance and facilitates proof that the company tried to prevent sensitive personal data leaks.
It's strictly limited to email. Good endpoint DLP solutions today also monitor other physical channels and messaging outside email; for example, a person sending data via instant messaging is something email DLP cannot see.
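The mail-server side of those rules, as an added example in Python (not code from Purview, Google DLP or the original page). It parses an outbound message at a gateway, works out which recipients are outside the organisation, walks every MIME part including attachments, and returns block, hold-for-approval, or allow. The corporate domain, the two minimal content detectors and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import getaddresses

CORPORATE_DOMAINS = {"example.com"}             # constructed: the organisation's own mail domains
DETECTORS = {                                   # minimal content detectors for the demo
    "confidential": re.compile(rb"\bCONFIDENTIAL\b"),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
}
BLOCK_LABELS = {"ssn"}                           # personal data never leaves, whoever approves


def external_recipients(msg: Message) -> list[str]:
    """Every To/Cc/Bcc address whose domain is not one of ours."""
    outside = []
    for header in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
            if domain and domain not in CORPORATE_DOMAINS:
                outside.append(addr)
    return outside


def sensitive_parts(msg: Message) -> dict[str, set[str]]:
    """Walk every MIME part (body and attachments) and record the labels each one carries."""
    hits: dict[str, set[str]] = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""    # undoes base64 / quoted-printable
        labels = {name for name, rx in DETECTORS.items() if rx.search(payload)}
        if labels:
            hits[part.get_filename() or part.get_content_type()] = labels
    return hits


def decide(raw_message: str) -> dict:
    """Gateway verdict for one outbound message."""
    msg = message_from_string(raw_message)
    outside = external_recipients(msg)
    hits = sensitive_parts(msg)
    labels = set().union(*hits.values()) if hits else set()
    if outside and labels & BLOCK_LABELS:
        action = "block"
    elif outside and labels:
        action = "hold_for_approval"        # supervisor releases or rejects it from quarantine
    elif labels:
        action = "allow_logged"             # internal recipients only: deliver, keep the evidence
    else:
        action = "allow"
    return {"action": action, "external": outside, "hits": hits}


def build_sample(to: str, attachment: bytes) -> str:
    """Constructed outbound message with one attachment, rendered as the gateway would receive it."""
    msg = EmailMessage()
    msg["From"] = "ana@example.com"
    msg["To"] = to
    msg["Subject"] = "Q3 numbers"
    msg.set_content("Hi, figures attached.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename="forecast.txt")
    return msg.as_string()


if __name__ == "__main__":
    leak = build_sample("Bob <bob@example.com>, partner@gmail.com",
                        b"CONFIDENTIAL Q3 forecast\nclient SSN 123-45-6789\n")
    print(decide(leak))
```

Decoding each part with `get_payload(decode=True)` matters: attachments travel base64-encoded, so a detector run over the raw message text would never see the SSN inside the file.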
DLP with Machine Learning (the "Next-Gen")
This is what promises to be "the new era" of DLP.
- Detects strange user behavior (User Behavior Analytics).
- Learns patterns: "João has never sent 500 files at once before, so why now?" or "Why has he started accessing files outside his usual perimeter?";
- Detects disguised data (e.g., base64, compression).
ML generates false positives if not well trained.
Doesn't prevent 100% of creative leaks (screen photo, phone recording...). Doesn't replace an endpoint DLP with fixed rules, but serves as a complement.
| Capability | Classic Endpoint DLP | Next-Gen DLP with ML |
|---|---|---|
| Direct user control | Yes | No |
| Explicit rule prevention (e.g., block USB) | Strong | Weak (not the focus) |
| Detect strange behavior | Doesn't do | Does (e.g., activity spike) |
| Detect creative bypass (e.g., chopped base64) | Difficult | Possible |
| Needs detailed manual rule | Yes | Automatic learning |
| False positive risk | High (if misconfigured) | Medium (ML tries to reduce) |
| Proactive response to insiders | Weak | Strong (if well trained) |
ML runs on the endpoint (for local reaction) and on the backend (for global intelligence). The combination of both makes DLP Next-Gen.
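Two of the behaviors described in this section, unwrapping disguised data (base64, compression) and spotting an activity spike against a user's own baseline, as one added example in Python. It is not code from the original page or from any vendor; the marker keyword, size and depth limits, the robust-z threshold and the sample events are constructed for the example, and the content check is deliberately a single keyword so the focus stays on the unwrapping and the baseline.

```python
import base64
import binascii
import io
import re
import statistics
import zipfile
from collections import defaultdict

MARKER_RE = re.compile(rb"\bCONFIDENTIAL\b")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")   # runs shorter than this stay undecoded
MAX_MEMBER = 1_000_000                                # refuse to inflate huge archive members
MAX_DEPTH = 4                                         # base64 of a zip of a base64... stop somewhere


def unwrap(blob: bytes, depth: int = 0) -> list[bytes]:
    """Return blob plus every payload recoverable by decoding base64 runs or reading zip members."""
    found = [blob]
    if depth >= MAX_DEPTH:
        return found
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]          # drop a ragged tail so decoding cannot fail
        try:
            found.extend(unwrap(base64.b64decode(run, validate=True), depth + 1))
        except binascii.Error:
            continue
    if blob.startswith(b"PK\x03\x04"):                # local-file-header signature of a zip
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    if info.file_size <= MAX_MEMBER:  # zip-bomb guard
                        found.extend(unwrap(zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            pass
    return found


def hides_marker(blob: bytes) -> bool:
    """True if the marker appears in the blob or in anything it wraps."""
    return any(MARKER_RE.search(p) for p in unwrap(blob))


def disguised_sample() -> bytes:
    """Constructed: a stamped note zipped, base64-encoded and pasted into a chat message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("roadmap.txt", "CONFIDENTIAL 2025 roadmap ...")
    return b"fyi: " + base64.b64encode(buf.getvalue()) + b" thanks"


def spike_score(history: list[int], today: int) -> float:
    """Robust z-score: how many MAD units today's count sits above the user's own median."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) * 1.4826 or 1.0
    return (today - med) / mad


def flag_spikes(events: list[tuple[str, int, int]], threshold: float = 5.0) -> dict[str, float]:
    """events = (user, day, files_sent); the latest day is scored against that user's earlier days."""
    per_user: dict[str, dict[int, int]] = defaultdict(dict)
    for user, day, n in events:
        per_user[user][day] = n
    flagged = {}
    for user, days in per_user.items():
        latest = max(days)
        history = [n for d, n in days.items() if d != latest]
        if len(history) < 5:                          # too little baseline to judge
            continue
        score = spike_score(history, days[latest])
        if score >= threshold:
            flagged[user] = round(score, 1)
    return flagged


# Constructed daily counts: joao sends a few files a day, then 500; maria is steady.
SAMPLE_EVENTS = [("joao", d, n) for d, n in enumerate([4, 3, 5, 4, 6, 3, 4, 500])] + \
                [("maria", d, n) for d, n in enumerate([10, 12, 11, 9, 10, 11, 12, 13])]

if __name__ == "__main__":
    print("disguised sample flagged:", hides_marker(disguised_sample()))
    print("spikes:", flag_spikes(SAMPLE_EVENTS))
```

The `B64_RUN` minimum length is the weak point the comparison table calls "chopped base64": data split into runs shorter than the threshold is never decoded, which is why the table rates that evasion only "possible" to catch. The median/MAD baseline, rather than mean/standard deviation, keeps one earlier spike from inflating the baseline and hiding the next one.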
Solutions
Many exist, but here is a list of what we have on the market. The choice depends on company size.
| Product / Vendor | Category | Highlights |
|---|---|---|
| Cyberhaven | Endpoint + Cloud | Real-time event detection; browser/cloud visibility |
| Forcepoint DLP | Endpoint + Network + Cloud | Strong UEBA, powerful analysis engine |
| Symantec (Broadcom) DLP | Endpoint + Network + Cloud | Mature solution, ideal for large corporations |
| Trellix DLP (ex-McAfee) | Endpoint + Network + Cloud | Fingerprinting, ePO integration |
| Proofpoint Enterprise DLP | Endpoint + Cloud + Email | Focus on email/multi-channel SaaS |
| Digital Guardian by Fortra | Endpoint-centric | Deep IP and insider monitoring |
| Safetica | Endpoint + Insider Risk | Classification, real-time alert |
| Endpoint Protector (CoSoSys/Netwrix) | Endpoint | USB control, cross-OS |
| Microsoft Purview DLP + Defender | Endpoint + Cloud + Email | Excellent cost-benefit in MS environment |
| Netskope DLP (CASB) | Cloud/SaaS | Leader in CASB and SaaS visibility |
| Zscaler DLP (CASB) | Cloud/SaaS | Edge and proxy protection |
| Code42 Incydr | Endpoint + Insider Risk | File tracking in SaaS |
| Nightfall AI | Cloud-native DLP with AI | Automatic classification and lineage |
| Palo Alto Prisma Cloud / Enterprise DLP | Cloud + Network | Multi-cloud protection |
| Check Point DLP | Network + CASB | TLS/SSL inspection via gateway |
| Trend Micro IDLP / Cloud App Security | Cloud + Endpoint | Integration with M365, G Suite, Box |
| Sophos DLP | Endpoint | Part of complete security suite |
| Fidelis | Network + Endpoint | Part of XDR platform |
| Varonis | File-system DLP | Access and log auditing |
| NinjaOne | Endpoint (Admin) | IT solution with endpoint visibility |
| iboss | Network and Web DLP | Focus on web security |
| Lookout | Mobile/cloud DLP | Protection for mobile devices |
Privacy
The implementation of Data Loss Prevention (DLP) solutions, especially on endpoints (employee computers), is a powerful tool for real-time monitoring of corporate information. However, because this technology analyzes data content, it frequently raises concerns about employee privacy.
It's natural for companies to fear lawsuits for invasion of privacy, but it's essential to analyze the facts. In the vast majority of cases, the employee uses an asset (such as a laptop or phone) that belongs to the company, and it's understood that its use is intended for professional activities.
Additionally, companies are subject to rigorous audit processes and laws like the General Data Protection Regulation (GDPR). This legislation requires the organization to have strict control over data flow, being its responsibility to know if information leaked and where. DLP is one of the main tools to ensure this compliance.
It's crucial to clarify that the objective of a DLP system is not to monitor personal conversations, but to identify and protect data classified as confidential by the company, such as intellectual property, customer data, or financial information.
To mitigate risks and strengthen transparency, many clients choose to formalize this practice in a confidentiality agreement or in usage policies. Informing employees and obtaining their consent, although it may not be strictly required by law in every scenario, is an excellent practice that aligns expectations and prevents future litigation.
Productivity
Traditionally, DLP wasn't made to measure productivity, but many modern DLPs (mainly endpoint ones) already deliver behavior visibility, which can indeed be used to monitor:
- Applications used (e.g., time spent on Chrome, Excel, Teams)
- Reports of access to "non-corporate" sites (YouTube, Facebook, etc)
- Alert if user uses personal cloud storage (e.g., personal Google Drive)
- Detection of unauthorized app usage (Shadow IT)
- Idle time or strange activities (e.g., 2h on Spotify web)