Data loss prevention software stops data leaks and unauthorized data access.
Data loss prevention, or DLP, is a term that refers to strategies for preventing the leaking or the destruction of company data, especially confidential data. DLP is a broad category that includes a number of cyber security products and strategies; any product that protects data can be considered part of DLP.
Dedicated DLP software performs a more specific function: stopping confidential company information from leaving company-controlled systems. DLP software must be used in conjunction with other technologies like encryption and access control to keep data secure, but it is a crucial part of the equation.
DLP software stops data from going out, instead of guarding against theoretical attacks. It does this by redacting or tokenizing outgoing information, or by blocking risky user actions. DLP systems can also detect unauthorized access of sensitive data, which could be a sign that someone is attempting to move or copy data to an environment that is not managed by the organization the data belongs to.
Imagine a walled city with guards patrolling both outside and inside the walls. Let's say the guards outside the walls watch for attacks and check everyone coming into the city to make sure they are not carrying weapons; these guards are like typical cyber security measures such as firewalls, access control systems, and secure web gateways. Meanwhile, the guards inside the walls inspect anyone leaving the city to make sure they are not stealing important city resources; these guards are like data loss prevention (DLP) software.
DLP is especially important for cloud computing. Using the cloud means that users are sending data across the Internet almost constantly, increasing the chances for data compromise. For this reason, DLP software is incorporated into many cloud security and access control services.
DLP is also growing in importance due to newer and more stringent regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), that heavily penalize companies for leaking customer data.
There are many ways to track potentially confidential information within network traffic. Some of the technologies that DLP software uses to detect outgoing sensitive data include:
Once it is detected, DLP software can stop confidential data from leaving by performing one of the following actions:
Blocking user actions: When an internal user tries to access or send out data that should be kept secret, DLP systems can block them from doing so. For instance, DLP systems can stop users from forwarding a business email to a domain outside the company. If Bob, who works at Acme and has the email address firstname.lastname@example.org, tries to forward an email from within Acme to a non-acme.com domain like email@example.com, Acme's DLP system will block that email. Similarly, some DLP systems make it impossible to copy data, so if Bob tries to copy and paste confidential data, the data will not enter his computer's clipboard for copying and pasting.
Redaction: To redact something means to hide or eliminate it. Redacted legal documents, for instance, will have certain text blacked out to conceal the information. In data loss prevention, a DLP system can remove or cover up confidential information detected in data by replacing it with a null value or a series of meaningless characters, such as "****".
Tokenization: Tokenization is a process that replaces a data value with a token that corresponds to that value. The token can be used just like the real value, and in this way, the actual value is not exposed.
Some DLP systems will tokenize outgoing confidential data instead of blocking or redacting it. Suppose Bob sends an email to Alice with his credit card number: 4111 1111 1111 1111. Bob's company's DLP system identifies this set of digits as being a credit card number and automatically replaces it with a tokenized value of ABCD EFGH ABCD EFGH. Alice can use this tokenized value instead of Bob's actual credit card number, and Bob's company's system will recognize this token and swap it out for the real value for internal processing.
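The three actions above, applied to Bob's message, as an added example that is not part of the original page or any vendor's code. The names `TokenVault`, `filter_outgoing` and `INTERNAL_DOMAIN` are hypothetical, the in-memory vault is an assumption, and detection here uses a regular expression plus a Luhn checksum, a technique chosen for this sketch rather than one the page names.

```python
import re
import secrets

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
INTERNAL_DOMAIN = "acme.com"  # constructed, following the page's Acme example

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """In-memory token store (assumption; a real vault is a hardened service)."""
    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:  # same value always maps to one token
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]  # internal processing only

def filter_outgoing(body, recipient, vault, mode="tokenize"):
    """Return (verdict, body) for an outbound message under the chosen action."""
    hits = []
    def handle(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # fails the checksum: leave untouched
        hits.append(digits)
        if mode == "redact":
            return "****"
        return vault.tokenize(digits) if mode == "tokenize" else m.group()
    cleaned = CARD_RE.sub(handle, body)
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if mode == "block":  # block only when sensitive data leaves the company
        return ("blocked", None) if hits and external else ("allowed", body)
    return ("modified" if hits else "allowed"), cleaned
```

The checksum step is what keeps an order reference or phone number of similar length from being redacted or tokenized by mistake.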
DLP can be offered as a standalone product, but it is often bundled within other cloud security solutions, especially secure web gateways and cloud access security broker (CASB) product suites. This way, companies can block both incoming threats and outgoing data leaks.
Cloudflare for Teams is a product suite for organizational security that keeps internal company data, devices, and employees secure. With access control, Cloudflare blocks actions that could lead to data breaches. Cloudflare also blocks external attacks with a web application firewall (WAF), DNS filtering, and more, and Cloudflare offers strong encryption to keep data secure in transit.