Data loss prevention (DLP) ensures that business-critical or sensitive data does not leave an organization's network and is not damaged or erased.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
Data loss prevention (DLP) is a strategy for detecting and preventing data exfiltration or data destruction. Many DLP security solutions analyze network traffic and internal "endpoint" devices to identify the leakage or loss of confidential information. Organizations use DLP to protect their confidential business information and personally identifiable information (PII), which helps them stay compliant with industry and data privacy regulations.
Data exfiltration is when data moves without company authorization. This is also known as data extrusion. The primary goal of DLP is to prevent data exfiltration.
Data exfiltration can occur in a number of different ways:
To prevent data exfiltration, DLP tracks data moving within the network, on employee devices, and when stored on corporate infrastructure. It can then send an alert, change permissions for the data, or in some cases block the data when it is in danger of leaving the corporate network. Some DLP security solutions can even block copying and pasting within web applications to stop confidential data from being copied into an unsecured app, or otherwise moved without permission.
Insider threats: Anyone with access to corporate systems is considered an insider. This can include employees, ex-employees, contractors, and vendors. Insiders with access to sensitive data can leak, destroy, or steal that data. DLP can help stop the unauthorized forwarding, copying, or destruction of sensitive data by tracking sensitive information within the network.
External attacks: Data exfiltration is often the ultimate goal of a phishing or malware-based attack. External attacks can also result in permanent data loss or destruction, as in a ransomware attack when internal data becomes encrypted and inaccessible. DLP can help prevent malicious attackers from successfully obtaining or encrypting internal data.
Accidental data exposure: Insiders often inadvertently expose data — for instance, an employee may forward an email containing sensitive information to an outsider without realizing it. Similar to how DLP security can stop insider attacks, it can detect and prevent this accidental data exposure by tracking sensitive information within the network.
AI data exposure: Publicly available AI apps use the inputs they receive to add to their data sets and further train their models. This can result in the apps leaking or revealing the data later on to external persons. AI tools also may not comply with the data regulations an organization needs to follow, putting an organization out of compliance if they upload their data.
Regulatory violations: If an organization is subject to data regulatory frameworks like the General Data Protection Regulation (GDPR), data exposure is a violation that can result in fines and other punishments. DLP helps reduce the risk of such violations.
DLP solutions may use a number of techniques to detect sensitive data. Some of these techniques include:
Data loss prevention is more than a technology solution: an organization's entire security strategy should revolve around averting data loss. In addition to activating a DLP solution, some of the best practices for loss prevention include:
The Cloudflare One platform has unified security capabilities, including DLP, to protect data in transit, in use, and at rest across web, SaaS, and private applications. Cloudflare One inspects files and HTTPS traffic for the presence of sensitive data, and allows customers to configure allow or block policies. Cloudflare One also integrates remote browser isolation (RBI) in order to implement further DLP features like restricting downloads and uploads, keyboard input, and printing. Learn more about Cloudflare One.