Data Loss Prevention

Definition

Technology that detects sensitive data (credit card numbers, health records, PII) and prevents it from being leaked or accessed by unauthorized users.

Use Cases

Provider Equivalents

Frequently Asked Questions

What's the difference between Data Loss Prevention (DLP) and data encryption?
Encryption protects data by making it unreadable without keys (at rest or in transit). DLP focuses on detecting sensitive data and preventing it from being shared or exposed in the first place (for example, blocking an email with a credit card number or alerting on a public bucket). They work best together: encryption protects stored/transmitted data, while DLP reduces accidental or malicious leakage through user actions, misconfigurations, or data movement.
When should I use Data Loss Prevention (DLP)?
Use DLP when you handle sensitive or regulated data (PII, PHI, PCI cardholder data, trade secrets) and you need controls beyond access permissions. Common triggers include: moving to cloud storage, enabling broad file sharing/collaboration, onboarding many contractors, adopting SaaS apps, or preparing for compliance audits. DLP is especially useful when you need to (1) discover where sensitive data lives, (2) monitor risky sharing, and (3) automatically block or warn on policy violations.
How much does Data Loss Prevention cost?
Costs vary by where you apply DLP and how much data you scan. Typical pricing drivers are: number of users/endpoints covered (common for Microsoft 365 DLP), volume of content inspected (files, emails, messages), frequency of scans, and whether you use advanced classification or de-identification. Cloud services may charge per GB inspected or per object scanned, plus any logging/alerting costs. Start by scoping high-risk locations (for example, specific buckets, mailboxes, or repositories), then expand coverage as you tune policies to reduce false positives.
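The answers above describe the core DLP loop: classify content for sensitive data (such as a credit card number in an outbound email), apply a policy that blocks or warns depending on context, and de-identify what is logged. The following is an added illustration written for this glossary entry, not code from any DLP product; the internal domain, the policy table, and the sample messages are all constructed assumptions. It shows why a bare regex is not enough: a 16-digit order number matches the card pattern but fails the Luhn check, so it is not treated as a finding, which is the kind of false positive the cost answer says you tune out.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical organisation domain; a real deployment reads this from policy config.
INTERNAL_DOMAIN = "example.com"

# Severity ordering used to pick the single final action for a message.
ACTION_RANK = {"allow": 0, "warn": 1, "block": 2}

# Hypothetical policy: action per data type, depending on whether the recipient
# is inside or outside the organisation.
POLICY = {
    "credit_card": {"internal": "warn", "external": "block"},
    "ssn":         {"internal": "warn", "external": "block"},
}

# 13 to 19 digits with optional single space/hyphen separators (card candidate).
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN layout NNN-NN-NNNN (format check only, a constructed example pattern).
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Finding:
    kind: str
    masked: str  # de-identified value that is safe to write to an audit log


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """De-identify: keep only the last four digits for the log entry."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str) -> List[Finding]:
    """Discover sensitive data in a piece of content."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Pattern match alone is not a finding; the checksum removes most
        # order numbers, ticket ids and other digit runs that merely look like cards.
        if luhn_valid(digits):
            findings.append(Finding("credit_card", mask(digits)))
    for m in SSN_PATTERN.finditer(text):
        findings.append(Finding("ssn", mask(m.group().replace("-", ""))))
    return findings


def scan_message(text: str, recipient: str) -> dict:
    """Monitor one outbound message and decide allow / warn / block."""
    scope = "internal" if recipient.lower().endswith("@" + INTERNAL_DOMAIN) else "external"
    findings = classify(text)
    action = "allow"
    for f in findings:
        candidate = POLICY[f.kind][scope]
        if ACTION_RANK[candidate] > ACTION_RANK[action]:
            action = candidate
    return {"action": action, "scope": scope, "findings": findings}


# Constructed sample messages: (body, recipient address).
SAMPLE_MESSAGES = [
    ("Order 1234 5678 9012 3456 shipped today.", "partner@supplier.test"),          # Luhn fails
    ("Please charge card 4111 1111 1111 1111 for the invoice.", "partner@supplier.test"),
    ("Employee SSN on file: 123-45-6789", "hr@example.com"),
]

if __name__ == "__main__":
    for body, to in SAMPLE_MESSAGES:
        result = scan_message(body, to)
        print(f"{result['action']:5} ({result['scope']}) -> {to}: "
              f"{[(f.kind, f.masked) for f in result['findings']]}")
```

Run as a script it prints one decision line per sample: the order number is allowed, the valid card number to an external recipient is blocked, and the SSN sent internally produces a warning. Only the masked value ever reaches the log, which is the de-identification step the pricing answer refers to.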

Category: security

Difficulty: intermediate

Related Terms

See Also