What Is a Data Loss Prevention System?

Data Loss Prevention (DLP) systems block actions that would result in data being purposefully or accidentally lost, leaked, or destroyed. DLP systems monitor, detect and block unauthorized access or movement of data via email, instant messaging, file transfers, website forms and other means. 

Using technology, security policies and best practices, DLP systems prevent the loss or public exposure of sensitive information like private customer data, credit card numbers, intellectual property, financial records, account login credentials, personal health information (PHI), trade secrets and other confidential data. 

Data Loss Prevention services have become a critical part of the IT security stack as organizations become more distributed and governments impose stricter data privacy and security regulations. By automating the spotting and blocking of potential data leaks, Data Loss Prevention systems help organizations avoid regulatory fines, legal action, reputational damages and loss of customer confidence.

A Data Loss Prevention system combines various standard cybersecurity technologies with AI-powered processes, automation and security policies to monitor data flow and detect potential leaks and suspicious activity. A Data Loss Prevention solution helps classify data according to criticality and potential risk, enabling security teams to guard sensitive assets more closely. By monitoring data as it is accessed or moves through the organization, DLP systems can identify and flag suspicious activity, prevent alteration, encrypt files or block a user’s actions.

Data Loss Prevention systems support the essential steps to protect against leaks and loss.

• Prevention. DLP systems enable teams to review real-time data streams and immediately block suspicious activity or unauthorized usage.
• Detection. Enhanced data capabilities deliver greater visibility to help IT teams spot suspicious or anomalous activity.
• Incident response. DLP solutions accelerate incident response with tools for tracking and reporting on data access and movement throughout the organization.
• Analytics. By reviewing the context of high-risk activity or suspicious behavior, security teams can improve prevention measures, security controls, and remediation tasks.

DLP technologies offer protection for several categories of data.

• Data in use. Authenticating users and controlling access can help protect data as an application, endpoint or user actively use it. When unauthorized users attempt to transfer files, copy data or perform a screen capture, a DLP system can flag or prevent unauthorized action.
• Data in motion. As data is transferred between locations within or between IT systems or the cloud, DLP systems can enforce encryption, implement email security and monitor data to ensure it is not routed to an unauthorized location.
• Data at rest. Data Loss Prevention systems enforce access controls for information stored in databases or file share to ensure that it is not leaked, accessed or moved without authorization.

Solutions offered by Data Loss Prevention vendors typically focus on some combination of protections for four key areas.

• Email Data Loss Prevention solutions focus on preventing accidental and malicious leaks within the body of email messages or through unauthorized or unsecured attachments. Email Data Loss Prevention systems can also spot and block phishing scams and other social engineering attacks.
• Network Data Loss Prevention systems monitor network traffic flowing in and out of an IT environment, using data security policies to spot potential leaks and misuse.
• Endpoint Data Loss Prevention technology monitors data on servers, computers and mobile devices to spot potential leaks in email, instant messaging communications, file transfers and unauthorized access to data stored on these devices.
• Cloud Data Loss Prevention systems monitor and audit data residing in and moving to and from the cloud, controlling access and usage through security policies.

DLP systems use two primary techniques to monitor data and search for potential leaks. Content awareness tools scan data for specific string matches and keywords to identify a particular data asset's sensitivity level and risk. The contextual analysis looks at metadata like file format, headers, file size and other properties. 

DLP systems use both approaches to identify sensitive data in documents, files, emails and network traffic, using multiple techniques to analyze and evaluate whether DLP policies should be deployed.

• Rule-based techniques locate sensitive information like credit card data and Social Security numbers based on specific rules.
• Exact file matching uses a hash created for each document to ensure it was not accessed or altered without authorization.
• Partial data matching helps track the movement and potential misuse of documents with multiple versions.
• Statistical analysis relies on machine learning to understand and identify which data is sensitive.
• Pre-built categorization creates rules based on compliance standards to identify sensitive data assets.

When one of these techniques spots a potential policy violation, a Data Loss Prevention system can trigger actions that protect information and prevent it from being inadvertently or maliciously leaked.
 

Recognized as a leader in cybersecurity by Gartner, Forrester, NSS Labs and others, Forcepoint delivers a powerful Data Loss Prevention system to secure data across the web, cloud, network, email, and endpoint.

With Forcepoint DLP, organizations can:

• Discover and control data everywhere it lives – in the cloud or on the network, in email and at the endpoint. 
• Protect data with robust identification for personally identifiable information (PII), including data validation checks, accurate name detection, context identifiers and proximity analysis.
• Identify and automatically prevent sharing sensitive data with unauthorized users inside or outside the organization.
• Locate and remediate regulated data with network, cloud and endpoint discovery.
• Automate data labeling and classification by integrating with third-party data classification solutions.
• Accelerate compliance with more than 1,600 classifiers applicable to the regulatory demands of 80+ countries.
• Manage DLP with central control and consistent policies across the entire IT environment.
• Improve security awareness for employees handling sensitive data and IP. 
• Protect email with Data Loss Prevention for G Suite and other cloud email solutions.