
Data Loss Prevention

Updated Feb 2025

Data Loss Prevention is the component of SASE that turns security from a threat-focused discipline into a data-focused one. While every other component in the SASE stack — SWG, FWaaS, ZTNA, CASB — focuses on preventing bad things from getting in, DLP focuses on preventing valuable things from getting out. It is the control that detects when a departing employee uploads the customer database to their personal Google Drive, when a developer pastes proprietary source code into an AI assistant, when a support agent copies PCI cardholder data into an unsanctioned ticketing system, or when a financial analyst emails a pre-earnings spreadsheet to a personal email address.

DLP technology has evolved significantly from its early-2000s origins as a pattern-matching engine that flagged anything resembling a credit card number or Social Security number. Modern SASE-integrated DLP combines multiple detection techniques: regular expression pattern matching for structured data like credit card numbers and SSNs, exact data matching (fingerprinting) that creates a hash of actual sensitive records from your databases and detects when those exact records appear in transit, machine learning classifiers trained to recognize categories of content like source code, legal documents, financial reports, or medical records without needing explicit patterns, and optical character recognition (OCR) that extracts text from images and screenshots to detect sensitive data that has been screen-captured to bypass text-based detection.

The integration of DLP within SASE is a fundamental advantage over standalone DLP products. Because the SASE platform already inspects all web traffic (SWG), all SaaS application traffic (CASB), all non-web traffic (FWaaS), and all private application traffic (ZTNA), DLP policies can be applied consistently across every channel through a single policy engine. There is no gap between web DLP, email DLP, endpoint DLP, and cloud DLP — it is all the same engine, the same policies, and the same incident workflow.

What it does

Data Loss Prevention identifies sensitive data in transit across the network, at rest in cloud applications, and in use on endpoints, then enforces policies that prevent unauthorized disclosure, exfiltration, or mishandling of that data. DLP uses multiple detection techniques in combination: regular expression pattern matching identifies structured data like credit card numbers (PCI), Social Security numbers (PII), medical record numbers (PHI), and API keys. Exact data matching (fingerprinting) hashes actual sensitive records from your databases and detects when those exact records appear in any channel. Machine learning classifiers recognize categories of sensitive content — source code, legal contracts, financial statements, engineering designs — without needing explicit patterns. OCR extracts text from images and screenshots to catch data that has been screen-captured to evade text-based detection. The policy engine applies enforcement actions — block, quarantine, encrypt, alert, coach, or watermark — based on the data type, the user's identity, the destination, and the channel.

How it works

DLP in a SASE architecture operates across multiple inspection points simultaneously. At the SWG layer, DLP scans web uploads, form submissions, and file transfers to internet destinations, detecting sensitive data being exfiltrated to personal cloud storage, webmail, or AI chat services. At the CASB inline layer, DLP applies granular controls to SaaS application interactions — for example, allowing a user to upload files to corporate SharePoint but blocking uploads containing PCI data to a personal OneDrive. At the CASB API layer, DLP scans data at rest in sanctioned SaaS applications, classifying files, applying retention labels, and alerting on overshared sensitive documents. At the FWaaS layer, DLP can inspect non-web protocols for sensitive data exfiltration through channels like FTP, custom database exports, or SSH file transfers. At the ZTNA layer, DLP inspects traffic flowing through authorized tunnels to private applications, detecting data exfiltration even through legitimate access channels. For each detection, the DLP engine calculates a confidence score based on the number of matching patterns, the proximity of related context (a credit card number near an expiration date is higher confidence than a 16-digit number alone), and the volume of sensitive data in the transaction.
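The detection techniques listed above (regex pattern matching, exact data matching via hashed records, and a per-transaction confidence score built from proximity context and volume) are easier to reason about in code. The following is an added toy scanner written for this page, not any vendor's engine: the patterns, weights, thresholds, salt and sample records are constructed assumptions, and it deliberately keeps the page's own example (a card number next to an expiry date scores higher than a bare 16-digit number).

```python
"""Toy DLP content scanner: regex pattern matching, exact data matching
(hashed fingerprints) and proximity/volume-based confidence scoring.
Added illustration, not any vendor's engine; patterns, weights, thresholds
and sample records below are constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Finding:
    data_type: str   # "PCI", "PII", "SECRET" or "EDM"
    value: str       # matched text (a real alert would mask this)
    offset: int
    confidence: float


# Constructed detection patterns (not a vendor dictionary).
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")        # AWS access key id format
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b")  # card expiry such as 12/27
SSN_CONTEXT_RE = re.compile(r"\b(?:ssn|social security)\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")
PROXIMITY = 40  # characters of context on each side used for confidence boosts

# Exact data matching: only salted hashes of the real records leave the
# database, so the scanner can recognise them without holding the plaintext.
EDM_SALT = b"constructed-salt"
SENSITIVE_RECORDS = ["jane.doe@example.com", "john.roe@example.com"]  # constructed


def fingerprint(value: str) -> str:
    return hashlib.sha256(EDM_SALT + value.strip().lower().encode()).hexdigest()


EDM_INDEX = {fingerprint(r) for r in SENSITIVE_RECORDS}


def luhn_valid(digits: str) -> bool:
    """Checksum used by payment card numbers; filters random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _near(text: str, m: re.Match, pattern: re.Pattern) -> bool:
    window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
    return pattern.search(window) is not None


def scan(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        if not luhn_valid(re.sub(r"[ -]", "", m.group())):
            continue  # 16 digits that fail Luhn are almost certainly an ID or invoice number
        conf = 0.6 + (0.3 if _near(text, m, EXPIRY_RE) else 0.0)
        findings.append(Finding("PCI", m.group(), m.start(), conf))
    for m in SSN_RE.finditer(text):
        conf = 0.5 + (0.3 if _near(text, m, SSN_CONTEXT_RE) else 0.0)
        findings.append(Finding("PII", m.group(), m.start(), conf))
    for m in AWS_KEY_RE.finditer(text):
        findings.append(Finding("SECRET", m.group(), m.start(), 0.9))
    for m in EMAIL_RE.finditer(text):
        if fingerprint(m.group()) in EDM_INDEX:  # exact record from the protected database
            findings.append(Finding("EDM", m.group(), m.start(), 0.95))
    return findings


def transaction_confidence(findings: list[Finding]) -> float:
    """Per-transaction score: strongest single match, boosted for bulk volume."""
    if not findings:
        return 0.0
    score = max(f.confidence for f in findings)
    if len(findings) >= 5:  # many records at once looks like a database export
        score += 0.1
    return min(score, 1.0)


# Constructed sample transactions (not real data).
SAMPLES = {
    "support_ticket": "Customer card 4111 1111 1111 1111 exp 12/27, please refund.",
    "invoice": "Invoice 1234 5678 9012 3456 is overdue.",  # 16 digits but fails Luhn
    "hr_note": "Employee SSN 123-45-6789 updated in payroll.",
    "repo_paste": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "crm_export": "jane.doe@example.com, john.roe@example.com, bob@corp.example",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        found = scan(text)
        print(f"{name}: {[(f.data_type, round(f.confidence, 2)) for f in found]} "
              f"-> {transaction_confidence(found):.2f}")
```

The Luhn check is what keeps the invoice number out of the PCI findings, and the expiry date sitting within the proximity window is what lifts the support ticket from 0.6 to 0.9. The EDM index only ever holds salted hashes, which is the property that lets a cloud DLP engine recognise your customer records without you shipping it the records themselves.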

Why it matters

Data breaches through legitimate channels are the hardest threat to detect and the most damaging when they occur. An employee with authorized access to a customer database does not trigger any threat detection system when they export that database — they are doing something they are allowed to do. DLP is the only control that examines the content of what is being transferred, not just whether the user is authorized to perform the transfer. For regulatory compliance, DLP provides the technical control that maps to specific requirements in GDPR (Article 32, security of processing), PCI-DSS (Requirements 3 and 4, protecting stored and transmitted cardholder data), HIPAA (Technical Safeguards, access controls and transmission security), and SOX (internal controls over financial reporting). Beyond compliance, DLP protects competitive advantage: source code, product designs, pricing models, M&A plans, and customer lists are the crown jewels that competitors and nation-state actors target. A single source code leak can cost millions in competitive advantage; a customer data breach triggers notification requirements, regulatory fines, and reputational damage that dwarfs the cost of the DLP deployment.

Watch out

The number one mistake in DLP deployment is enabling blocking on day one. Every DLP implementation, without exception, generates false positives. Blocking legitimate business activity because a DLP rule incorrectly flagged a transaction as containing sensitive data will crater user productivity, flood the helpdesk with tickets, and create political opposition that can kill the entire project. Start every DLP deployment in monitor-only mode for 4-6 weeks minimum. During this period, tune detection rules to reduce false positives: adjust confidence thresholds, add context-based exceptions (the finance team legitimately handles PCI data), refine ML classifier training data, and build a whitelist of known-good destinations for sensitive data types. When you do begin enforcement, use coaching actions first — pop-up notifications that warn users and ask them to justify the action — before moving to hard blocks. Coaching reduces risky behavior by 60-70% with dramatically lower operational impact than blocking. Only apply hard blocks to the highest-risk channels: uploads to personal cloud storage, emails to personal webmail domains, and posts to AI chat services.
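The rollout sequence above (monitor-only, then coaching, then hard blocks only on the highest-risk channels, with a confidence threshold, context exceptions and an allowlist tuned along the way) is essentially a small decision function. Here it is as an added example written for this page, not any product's policy language; the group names, destination labels, threshold and sample incidents are constructed assumptions. Running the same incidents through each phase shows why starting in monitor mode costs nothing in coverage: every incident that would later be blocked is already being recorded.

```python
"""Toy DLP enforcement policy: monitor -> coach -> enforce rollout, with a
confidence threshold, a known-good destination allowlist, a context
exception and hard blocks reserved for the highest-risk channels. Added
illustration; group names, destination labels and the threshold are
constructed assumptions, not any product's policy language."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    LOG = "log"      # monitor-only: record the incident, do not interrupt the user
    COACH = "coach"  # warn the user and ask for a justification
    BLOCK = "block"


@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str


CONFIDENCE_THRESHOLD = 0.8
# Channels the text singles out for hard blocks once enforcement begins.
HIGH_RISK_DESTINATIONS = {"personal_cloud_storage", "personal_webmail", "ai_chat"}
# Known-good destinations for sensitive data types (allowlist built during tuning).
ALLOWLIST = {"corporate_sharepoint", "payment_processor"}
# Context exceptions: (data type, user group) pairs that handle the data legitimately.
EXCEPTIONS = {("PCI", "finance")}


def decide(data_type: str, confidence: float, user_group: str,
           destination: str, phase: str) -> Decision:
    """phase is one of "monitor", "coach", "enforce"."""
    if phase not in ("monitor", "coach", "enforce"):
        raise ValueError(f"unknown rollout phase: {phase}")
    if confidence < CONFIDENCE_THRESHOLD:
        return Decision(Action.ALLOW, "below confidence threshold")
    if destination in ALLOWLIST:
        return Decision(Action.ALLOW, "known-good destination")
    if (data_type, user_group) in EXCEPTIONS and destination not in HIGH_RISK_DESTINATIONS:
        return Decision(Action.ALLOW, f"{user_group} handles {data_type} legitimately")
    if phase == "monitor":
        return Decision(Action.LOG, "monitor-only phase")
    if destination in HIGH_RISK_DESTINATIONS and phase == "enforce":
        return Decision(Action.BLOCK, f"{data_type} to high-risk channel {destination}")
    return Decision(Action.COACH, f"{data_type} to {destination}")


# Constructed sample incidents: (data_type, confidence, user_group, destination).
INCIDENTS = [
    ("PCI", 0.9, "support", "personal_cloud_storage"),
    ("PCI", 0.9, "finance", "ticketing_system"),
    ("PCI", 0.9, "finance", "personal_webmail"),
    ("PII", 0.6, "hr", "ai_chat"),
    ("PII", 0.95, "engineering", "corporate_sharepoint"),
    ("SECRET", 0.9, "engineering", "ai_chat"),
    ("PII", 0.85, "marketing", "ticketing_system"),
]


def tally(phase: str) -> dict[str, int]:
    """Count what each rollout phase would do with the same incidents."""
    counts = Counter(decide(*inc, phase).action.value for inc in INCIDENTS)
    return dict(counts)


if __name__ == "__main__":
    for phase in ("monitor", "coach", "enforce"):
        print(phase, tally(phase))
```

Note that the finance exception only suppresses the sanctioned-destination case: the same PCI data sent by the same finance user to personal webmail still ends up blocked in the enforce phase, which is the distinction between a context exception and a blanket bypass.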

Vendor comparison — DLP

Cisco: Secure Access + Catalyst SD-WAN
Rating: Strong

Cloud DLP with exact data matching (EDM), indexed document fingerprinting (IDM), OCR for images and screenshots, and 80+ predefined dictionaries for PCI, PII, PHI, and GDPR. Policies apply consistently across SWG, CASB, and email channels.

Fortinet: FortiSASE (FortiOS)
Rating: Moderate

FortiSASE DLP provides pattern matching with predefined and custom data patterns for PCI, PII, PHI, and GDPR compliance. Supports file type filtering and keyword-based detection. Lacks advanced features found in specialized DLP platforms: no exact data matching (EDM), no indexed document matching (IDM), and limited OCR support for image-based data detection.

Palo Alto: Prisma SASE
Rating: Leader

Enterprise DLP with exact data matching (EDM), indexed document matching (IDM), ML-based data classification, OCR for images, and 100+ predefined data patterns for global compliance frameworks. Policies apply consistently across SWG, CASB, email, and endpoint channels. Advanced features include proximity-based detection and multi-pattern correlation for reduced false positives.

Check Point: Harmony SASE
Rating: Moderate

Cloud DLP with predefined data patterns for common compliance frameworks (PCI-DSS, HIPAA, GDPR). Keyword matching, regex patterns, and file type controls. Policies apply across SWG and CASB channels. Lacks advanced capabilities found in enterprise DLP platforms: no exact data matching (EDM), no document fingerprinting (IDM), limited OCR, and basic pattern matching without ML-enhanced classification.
