Security
DLP
Also known as: Data Loss Prevention, Data Leakage Prevention
Tools and policies that prevent sensitive data from leaving your organization through unauthorized channels like email, USB drives, or cloud uploads.
DLP operates on a simple principle: identify what data is sensitive, then monitor and control where it goes. In practice this is technically difficult — data flows through dozens of channels, and DLP systems need to inspect that flow without breaking legitimate workflows.
DLP approaches
Network DLP — inspects traffic leaving the network. Can detect credit card numbers, SSNs, or specific document patterns in email attachments or web uploads. Usually deployed at the proxy or NGFW.
Endpoint DLP — agent on the device monitors file operations. Can block copying sensitive files to USB drives, personal cloud storage (Dropbox, personal Google Drive), or unapproved applications.
Cloud DLP — monitors data in cloud storage and SaaS applications. Google Workspace and Microsoft 365 both include native DLP capabilities.
Where DLP works and where it doesn't
DLP works well for clearly structured sensitive data: credit card numbers (pattern-matched, then validated with the Luhn checksum), SSNs, health record identifiers. It works less well for unstructured sensitive content — a confidential business strategy document isn't structurally different from a publicly shareable one.
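The structured-data case is where content inspection is tractable, so here is an added example (not from any DLP product or from the original entry) of the pattern-plus-validation pass a network or endpoint DLP engine runs over outbound text. The sample text, the `Finding` type and the function names are constructed for illustration; the Luhn check and the SSN issuance rules (area never 000, 666 or 900-999; group never 00; serial never 0000) are the real validation steps that keep the false-positive rate usable. Note how a 16-digit invoice number and a ticket number in SSN shape both pass the regex but fail validation and are therefore ignored:

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    kind: str      # "card" or "ssn"
    value: str     # normalized identifier that matched


# 13-19 digits, optionally separated by single spaces or hyphens (card numbers).
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the conventional AAA-GG-SSSS form.
SSN_CANDIDATE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan(text: str) -> List[Finding]:
    """Return validated card numbers and SSNs found in text, with their line numbers."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):                      # regex hit alone is not enough
                findings.append(Finding(line_no, "card", digits))
        for m in SSN_CANDIDATE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(line_no, "ssn", m.group(0)))
    return findings


def redact(text: str) -> str:
    """Mask validated identifiers to their last four digits; unvalidated matches are left alone."""
    def mask_card(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]

    def mask_ssn(m: "re.Match[str]") -> str:
        if not ssn_plausible(*m.groups()):
            return m.group(0)
        return "***-**-" + m.group(3)

    text = CARD_CANDIDATE.sub(mask_card, text)
    return SSN_CANDIDATE.sub(mask_ssn, text)


# Constructed sample of an outbound email body; line 1 and line 5 contain
# numbers that look like a card, line 4 one that looks like an SSN, but
# none of those three pass validation.
SAMPLE = """\
Invoice #1234567890123456 attached, please review.
Card on file: 4111-1111-1111-1111 (exp 12/27)
Employee SSN 123-45-6789 for payroll
Ticket 987-65-4321 is closed.
Phone 555-0100, order 4111 1111 1111 1112
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print(redact(SAMPLE))
```

Running it reports one card on line 2 and one SSN on line 3; the redacted copy masks only those two values. A real engine layers on document fingerprints, keyword proximity (a card number next to "CVV" scores higher than one alone) and per-channel policy, but the validate-after-match structure is the same.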
DLP is also a detective and deterrent control, not a perfect prevention control. A determined insider can photograph their screen, dictate the contents, or use techniques that bypass monitoring. The value is catching accidental leakage and deterring casual exfiltration, not stopping a sophisticated insider threat.