Connect with us

Hi, what are you looking for?


Data Protection

From Traffic Cop to Fleet Manager, DLP Evolves Beyond the Perimeter

Perimeter-based DLP Enforcement Has Increasingly Taken a Backseat to Host-based Implementations

Perimeter-based DLP Enforcement Has Increasingly Taken a Backseat to Host-based Implementations

Harkening back to a time before “cyber” entered a CISO’s daily vocabulary, data leakage prevention (DLP), even after two decades, has adapted new enterprise defense in depth strategies to protect the outbound flow of business data beyond the traditional network perimeter. DLP has broadened to encompass a menagerie of three-letter acronyms, such as information leak prevention (ILP), content monitoring and filtering (CMF), and extrusion prevention system (EPS). 

Of all the technologies commonly employed to protect the enterprise, the evolution of DLP perhaps most closely captures the changing practices of how information security should be applied and the business role of the team managing the system.

Traditionally, DLP deployments have been led and defined by IT departments – and more recently by security operations teams. For a long time, data inspection and policy enforcement has occurred at or near the best approximation of the businesses perimeter. In such environments, IT and security professionals have effectively operated as an internal police force – following strict policies, enforcing regulations, and dealing with offenders on a case by case basis. DLP has always been tricky to deploy and enforce, and most CISOs can freely regale stories of DLP promises and their subsequent failures. A common tale is the typically cringe-worthy reality of policing a brand-spanking, newly deployed, network DLP solution.

Data Leakage Prevention -  EnforcementThe aspirations are high, but the goal simple – prevent users from emailing, posting, or otherwise sharing customer credit card details insecurely over the Internet. Deployment is where theory diverges from reality. 

Day One: DLP threshold set to ANY credit card details being sent, resulting in 50,000 alerts, the DLP solution grinding to a halt, and so too does the business.

Day Two: DLP threshold set to emails and files containing 10 or more credit card details, resulting in 5,000 alerts and complaints that the business “clearly can’t operate this way”.

Day Three: DLP thresholds set to emails and files containing 1,000 or more credit card details, resulting in a more manageable but still not ideal “few dozen” incidents.

Advertisement. Scroll to continue reading.

Then, over the next many months, thresholds gradually get reduced – edging closer to the experience the company envisaged when they aspired to deploy the solution.

This often-repeated experience underlines the reality that security operations take much longer to change than what the business needs. It also highlights the awkward position security professionals traditionally occupy – ineffectively policing and enforcing centrally-defined barriers to business productivity, reinforcing an “us versus them” relationship with IT and line-of-business colleagues.

Thankfully, new approaches to achieving DLP objectives have been making their way to the enterprise. While perimeter enforcement is still an important element, it has increasingly taken a backseat to host-based implementations. 

Today we see leakage prevention embedding itself within the data and document creation process itself. The user is given real-time feedback on the level of importance or confidentiality of the document they are creating along with recommendations on enforcement – allowing them to take an active role determining the appropriate level of sensitivity and grade of protection required. Behind the scenes, user behavioral analytics and AI help to prevent misclassification or intentional insecure data handling. Meanwhile, the data labeling and management policies come from within the business unit itself (often using classification processes learned and improved by AI) rather than the IT department.

In so doing, enforcement also has moved from being a gateway security function to become a built-in document feature – with standardization underway. 

Security and privacy enforcement are now native to the data and document itself. A new range of remote management and policy enforcement capabilities have done away with the concept of the enterprise “perimeter network”. For example, popular business document formats increasingly support capabilities for remotely monitoring their use (e.g. opened by, edited by, location and time opened), providing selective revocation of partial or complete access at any time, and changing the security protections of the data (e.g. copy/paste, printing, projection) within the document, from anywhere in the world – regardless of whether the document is on-premises, in the cloud, or sitting in the recipient’s unopened mailbox.

A range of open platforms that support information protection and leakage prevention are extending their way to additional document types, creators, and viewers to reuse and build-upon. This enables greater transparency for end users into the labeling, classification, protection, and enforcement mechanisms, making DLP easier to consume within the desktop and mobile products they use (i.e. to view, share, or generate content).

This shift from hard-edge DLP enforcement to a continual visibility and creator-level control paradigm underscores the fundamental change CISO’s need to guide their teams through implementing. This approach also allows security professionals to break from the “us versus them” confrontational shackles of policing and policy enforcement, becoming instead the enablers of secure business practices – while allowing  business units to retain ownership of their data and policies. 

Instead of being the traffic cop ticketing every single infringement, security operations become more akin to a delivery company managing a fleet of armored cars. The job now focuses on ensuring each business package arrives to its destination on time, in the most secure manner possible, as efficiently and cost effectively as budgets will allow while enabling the business unit to define package content and destination. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...