Data Loss Prevention
Definition
Technology detecting and preventing sensitive data — credit cards, health records, PII — from being leaked or accessed by unauthorized users.
Use Cases
- Netflix: Reduce the risk of customer or internal secrets being accidentally stored in the wrong S3 location or exposed through overly permissive access. — Uses AWS-native security controls at scale; Amazon Macie can be used to continuously evaluate S3 buckets for sensitive data patterns and generate findings that feed into security operations workflows (for example, triage in a central alerting system and remediation via access policy changes). (Improved visibility into where sensitive data may exist in object storage and faster detection of risky exposures, reducing the likelihood and blast radius of accidental data leaks.)
- Accenture: Prevent regulated client data (PII/financial data) from being shared externally through email or collaboration tools. — Uses Microsoft Purview DLP policies across Microsoft 365 to detect sensitive information types (for example, credit card numbers, national IDs) and automatically block, warn, or require justification when users attempt to share data outside approved boundaries. (More consistent enforcement of data handling rules across collaboration channels and reduced compliance risk through automated policy controls and auditing.)
- The Home Depot: Detect and protect sensitive customer information within data processing workflows and analytics pipelines. — Uses Google Cloud Sensitive Data Protection to inspect data for sensitive elements and apply de-identification techniques (such as masking) before data is used for analytics or shared with downstream systems. (Lower risk of exposing sensitive data in analytics environments while still enabling teams to use data for reporting and insights.)
Provider Equivalents
- AWS: Amazon Macie
- Azure: Microsoft Purview Data Loss Prevention
- GCP: Google Cloud Sensitive Data Protection (formerly Cloud DLP)
- OCI: OCI Data Safe
Frequently Asked Questions
- What's the difference between Data Loss Prevention (DLP) and data encryption?
- Encryption protects data by making it unreadable without keys (at rest or in transit). DLP focuses on detecting sensitive data and preventing it from being shared or exposed in the first place (for example, blocking an email with a credit card number or alerting on a public bucket). They work best together: encryption protects stored/transmitted data, while DLP reduces accidental or malicious leakage through user actions, misconfigurations, or data movement.
- When should I use Data Loss Prevention (DLP)?
- Use DLP when you handle sensitive or regulated data (PII, PHI, PCI, trade secrets) and you need controls beyond access permissions. Common triggers include: moving to cloud storage, enabling broad file sharing/collaboration, onboarding many contractors, adopting SaaS apps, or preparing for compliance audits. DLP is especially useful when you need to (1) discover where sensitive data lives, (2) monitor risky sharing, and (3) automatically block or warn on policy violations.
- How much does Data Loss Prevention cost?
- Costs vary by where you apply DLP and how much data you scan. Typical pricing drivers are: number of users/endpoints covered (common for Microsoft 365 DLP), volume of content inspected (files, emails, messages), frequency of scans, and whether you use advanced classification or de-identification. Cloud services may charge per GB inspected or per object scanned, plus any logging/alerting costs. Start by scoping high-risk locations (for example, specific buckets, mailboxes, or repositories) and expanding coverage as you tune policies to reduce false positives.
Category: security
Difficulty: intermediate
Related Terms
See Also