Data Loss Prevention (DLP)
Data Loss Prevention (DLP) refers to tools and practices designed to detect and prevent sensitive data from being leaked, exfiltrated, or shared outside of an organization's authorized boundaries, whether accidentally or maliciously.
Definition
Data Loss Prevention (DLP) refers to tools and practices designed to detect and prevent sensitive data from being leaked, exfiltrated, or shared outside of an organization's authorized boundaries, whether accidentally or maliciously.
Overview
DLP systems classify data — such as personal information, financial records, source code, or intellectual property — and enforce policies across three main states: data in use (on an endpoint device), data in motion (moving across a network, such as email or file uploads), and data at rest (stored in databases, file shares, or cloud storage). When a DLP system detects a policy violation, such as an employee attempting to email a file containing credit card numbers to a personal account, it can block the action, encrypt the content, quarantine it, or simply alert security teams depending on configured rules. DLP is a key control referenced in many compliance frameworks, including GDPR, HIPAA, and PCI DSS, since it directly addresses the risk of regulated data leaving controlled environments. Modern DLP increasingly integrates with cloud access security brokers (CASBs) and endpoint detection tools to cover SaaS applications and remote work scenarios, not just traditional corporate networks. DLP strategy sits alongside broader data protection practices like encryption at rest and secrets management, topics covered in Cloud Security Fundamentals.
Key Concepts
- Classifies and monitors sensitive data across its lifecycle
- Covers three data states: in use, in motion, and at rest
- Can block, encrypt, quarantine, or alert on policy violations
- Integrates with email gateways, endpoints, and cloud access security brokers
- Supports compliance requirements under GDPR, HIPAA, and PCI DSS
- Helps detect both accidental leaks and malicious exfiltration