From intellectual property (IP) and financial data to customer details and employee information, organizations are filled with valuable data that they need to keep secure. Data loss prevention (also known as data leakage prevention or just DLP) is a key solution in the quest to accomplish this. It refers to a number of capabilities which identify sensitive information and provide varied levels of access to it in order to prevent unauthorized access and illegitimate usage.
However, because organizations have embraced digital transformation in the form of SaaS apps, IaaS platforms, remote work, and bring your own device (BYOD), legacy DLP tools that are focused solely on controlling the flow of data on premises are no longer sufficient. In other words, in light of the rapid evolution of IT ecosystems in recent years, security teams must ensure that their DLP strategies and technologies evolve, as well. Modern organizations need modern DLP that can detect and protect sensitive data in any interaction across the IT ecosystem, from the cloud, to the web, to the network. 

Detecting Sensitive Data Patterns

The first step to preventing leakage is identifying the sensitive information that you need to keep from leaking. Consequently, leading DLP solutions come equipped with predefined identifiers that can be used out of the box to detect sensitive patterns like personally identifiable information (PII), Social Security numbers (SSN), protected health information (PHI), and credit card numbers. They also offer prebuilt identifiers for information regulated under compliance frameworks like GDPR, HIPAA, HITEC, PCI-DSS, FISMA, FERPA, SOX, and GLBA, and equip your organization with the ability to create custom data patterns as needed. 

Organizations can leverage their libraries of prebuilt and custom identifiers in tandem with a variety of other capabilities to detect sensitive data. For example, simpler tools scan for keywords like "confidential" or "sensitive" within documents to identify what should be protected. More developed solutions provide advanced regex to scan concurrently for multiple data patterns while using logical operators (and, or, not) and mathematical operators (count). Additionally, advanced solutions can scan for file formats (MIME types) and file fingerprints (templates), use exact data match to find specific values contained in reference databases, and leverage all of the above detection mechanisms to scan data at rest as well as in real time at upload and at download. 

Where secure access service edge offerings (described more below) are used to prevent leakage, Field Programmable SASE Logic (FPSL) offers admins the freedom to code to their exact needs directly in the platform dashboard, giving unprecedented granularity and control to their DLP policies. This is accomplished by scrutinizing attributes like domain, URI, query string, cookie, and method (PUT, POST, GET, and others), as well as scanning for data patterns. The unlimited flexibility that this customization provides allows organizations to address any use case in a highly surgical fashion.

Remediation Options for Stopping Leakage

Once sensitive or regulated files and data patterns are identified, DLP solutions can take a variety of actions that are designed to prevent leakage at rest or in transit. Importantly, leading DLP solutions can import data patterns and policies from on-premises systems to extend them to other environments like the cloud. Different remediation actions can be enforced for different users whose permissions may vary; DLP policies can be triggered based on user identity, group, device, or location at access. 

As an illustration, if a user attempts to download a document that contains sensitive data such as a handful of customer credit card numbers, the solution can identify said data at access. Consequently, depending on the user's authorization, it can encrypt the file on download or enforce digital rights management (DRM), which requires additional authentication and provides read-only access to the file via the web browser. Likewise, if an uploaded file is deemed sensitive or suspect, the upload can be prevented or a copy can be created in an admin-only folder for review. Similarly, documents already at rest can be quarantined and moved to admin-only folders, or, along with sensitive field-level data, be encrypted

Secure Access Service Edge

SASE (secure access service edge) offerings integrate complementary technologies so that they can secure any interactions between any devices, apps, web destinations, on-premises resources, or infrastructure. In this way, they provide comprehensive, integrated protection against all risk of data leakage. Through a single portal, admins can customize a single set of automated policies which enforce DLP measures that secure data consistently wherever it goes. Detailed dashboards give visibility into policy violations over time to enable audit and demonstrate regulatory compliance. To achieve all of this, a SASE offering must contain SWG, CASB, and ZTNA technologies.

Secure web gateways (SWGs) are solutions designed to stop data leakage, block malware, and prevent access to sensitive destinations as users leverage the web and unmanaged applications which are not sanctioned by IT. They do this by scanning file uploads and downloads and stopping them as needed, filtering malicious or unproductive URLs, rendering unmanaged apps read only, and more. Where SWGs are deployed locally on users' endpoints, scalability and performance are enhanced.

Through cloud access security broker (CASB) functionality, SASE platforms deliver end-to-end protection for data in sanctioned cloud resources, including IaaS platforms like AWS and Azure as well as managed SaaS like Office 365 and Salesforce. When it comes to stopping data leakage, it is critically important that a CASB provides a reverse proxy deployment mode so that it can agentlessly secure access from any device, including personal endpoints where controlling software installations is infeasible.

Zero trust network access (ZTNA) is another key component of SASE. Unlike VPN (which typically provides access to every resource on the network simultaneously), ZTNA provides secure access to specific on-premises resources individually, reducing data exposure. Additionally, ZTNA enforces granular, real-time data and threat protection policies. Through an agentless deployment option, ZTNA can even extend secure access to personal devices without the need for software installations.


Kaito is a physician for a healthcare firm. While collaborating with a colleague, he decides to download some of a patient’s PHI from an internal application onto his personal device so that he can send it to his peer’s personal email for her inspection. However, the healthcare firm has a SASE platform that identifies the sensitive information, determines the data shouldn’t be on an unmanaged endpoint, and blocks the download. Next, while using a managed device, Kaito tries to upload the patient’s record to his personal Dropbox instance so that he can access it on his personal phone. Upon accessing Dropbox, he is presented with a coaching reminder from IT to use his organization’s secure OneDrive instance instead. He disregards the message, but when he attempts the upload, the sensitive data pattern is detected once again, and the leakage is prevented in real time. Only SASE platforms can prevent data leakage in this consistent, comprehensive fashion.


Bitglass DLP

Want to learn more about Bitglass' DLP offering?

Download the technical brief below.