Zscaler Blog

Why You Should Care About Enterprise DLP


Have you seen the latest Gartner DLP Magic Quadrant? No? That’s because it doesn’t exist anymore. Does that mean that one of the mainstay protection technologies over the last 20 years is no longer relevant? Before we answer that, let's get a quick history lesson.

DLP blasted onto the scene quite some time ago. Based upon a sturdy foundation of signatures and regex, organizations across the land suddenly had impressive visibility into the movement of data across their organizations. Once the technology was proven valuable, it eventually found its way into various form factors, like Network DLP, Endpoint DLP, NGFW, and finally CASB. While it was available in all varieties, the end goal was always the same - move the technology to where the data is located, in order to improve visibility and reduce risk.

But like any good technology, it can spiral out of control and get overused or misused. With the proliferation of DLP across multiple products and channels, SOC teams started to buckle under the pressure of alerts. Too much noise and complex daily operations add to the challenge of operating a successful data protection program. This led to failed programs and unhappy organizations that never fully realized the value of data protection.

But back to the original issue of Gartner discontinuing the DLP Magic Quadrant. To understand why they did this, all you have to do is look to the Security Service Edge (SSE) Magic Quadrant. Focused squarely on a cloud and mobile world, the SSE MQ addresses one of the main challenges organizations are now facing. Cloud apps have distributed your data far and wide outside the perimeter, so a new model is needed to secure your data. Because users are connecting from everywhere and accessing your sensitive data over the internet, the days of traditional DLP are over.

Enterprise DLP explained

But what is Enterprise DLP and how does it fit into this new cloud-first security architecture? Enterprise DLP is the term used to define a solution that entails everything an organization may need for data security, all located in one cloud-delivered offering. It should protect all relevant data channels, and do it in a way that drives down complexity while solving the challenges of cloud and mobility. This is a worthwhile goal, and one that organizations are leaning into as they struggle with distributed data and point product proliferation. So while the DLP Magic Quadrant is no longer maintained, the concept of Enterprise DLP is very much alive and well.

What do you need in an Enterprise DLP offering to properly secure this new hyper-distributed world? The easiest way to approach this is to think about the big three: data in motion, data at rest, and distributed devices. If an Enterprise DLP solution focuses on all the aspects of securing these three concepts, you’re in great shape.

Securing data in motion

For data in motion, you want to protect all the destinations data could move to outside your organization. This first requires a best-in-class DLP engine that can find and classify all types of data, leveraging ML-powered detection, where possible, to improve speed and accuracy. The web, SaaS, email, and private apps are all common destinations for data. You should have control over these to secure sensitive data and determine whether it should leave or not. You should also assume there will be some level of customization to your data protection efforts, so advanced techniques like Exact Data Match, Index Document Match, and Optical Character Recognition should also be available. This ensures you can protect custom data like customer lists, forms, or images like screenshots.

How to protect data resting in cloud apps

Once you have control of what data leaves your organization, you will want to track the data you allow to leave and land in your sanctioned SaaS apps. Since you own these apps, you have control over their APIs, which is the main reason CASB comes in handy. Using these APIs, CASB can scan these apps for sensitive data being used in risky ways. You can quickly find out if data is being shared outside the organization, or shared with dangerous open internet links. In order to identify sensitive data, CASB relies on a DLP engine, so it’s important that any Enterprise DLP uses one unified engine and policy across data in motion and CASB at-rest scanning.

Another aspect of protecting data at rest is protecting the application hosting the data. Many cloud apps have configuration settings that can be easily misconfigured. This is where SaaS Security Posture Management (SSPM) comes in. You can scan these cloud applications for dangerous misconfigurations and get recommendations on how to resolve them. Some of the largest data breaches we’ve seen to date have been due to misconfigurations like this, so this is an important aspect of an Enterprise DLP solution.

Protecting devices

The last area of focus for an Enterprise DLP solution is securing data on devices. There are a few key use cases that organizations should focus on. First is preventing data from leaving the device over connections that aren’t covered in our data in motion use case (internet, SaaS, email, and private apps). Common channels here are Bluetooth, USB removable media, network shares, etc. Usually addressed by Endpoint DLP, these channels must be secured so data can’t leave the devices, which often happens when employees are leaving the company. Again, use the same DLP policy you’ve used before, but apply it to these “sideways” device connections.

The other common use case is bring your own device (BYOD). There are often legitimate reasons to allow BYOD access to cloud apps with sensitive data. Whether the device belongs to a vendor or to an employee, BYOD security is a challenge many organizations struggle to solve. Most CASB vendors have tried to solve this with the concept of the reverse proxy. However, this can be problematic. In order to secure the connection between the BYOD device and the cloud app, CASBs jump into the middle of the connection and then proxy the cloud app web page back down to the BYOD device, inspecting it along the way. This process often breaks the functionality and usability of the webpage and only supports certain common cloud apps.

A better way to secure BYOD is through browser isolation. With browser isolation, only pixels are streamed down to the BYOD device, not actual data. By using a cloud-based isolated browser, BYOD users can work in the cloud app and access data, but are prevented from cutting, pasting, downloading, or printing. Users get full functionality of the cloud app through the isolated browser, while organizations get to prevent sensitive data from landing and walking away on a non-corporate-owned device. When shopping for an Enterprise DLP, ensure it supports browser isolation for the BYOD use case.

Is Enterprise DLP right for you?

Many organizations focus on threat prevention before they turn to data protection initiatives; however, this is somewhat backward. Today’s ransomware and cyberattacks are going after data like never before. A good majority of these attacks now feature double extortion, which squarely focuses on stealing data. It’s imperative now that organizations begin a concerted effort to improve data security across the board. The right Enterprise DLP solution can help tip the scales in your favor. Instead of dealing with point product sprawl, or complex protection operations, organizations can realize the dream of a unified, simple approach to data protection that works in concert to drive down risk and cost.

If you’re ready to learn more about how Zscaler can help you supercharge your data protection and deliver airtight protection across all users, devices, and locations, we’d love to hear from you.
