Data Loss Prevention (DLP): Keeping Sensitive Data from Leaving

February 26, 2026 Editorial Team 7 min read

Every organisation handles sensitive data — customer records, financial reports, intellectual property — and all of it can walk out the door through email, cloud uploads, USB drives, or misconfiguration. Data Loss Prevention (DLP) technologies monitor, detect, and block the unauthorised movement of sensitive information. This guide covers DLP fundamentals, deployment models, policy design, and the Australian privacy considerations that make DLP relevant for local businesses.

What Is Data Loss Prevention?

Data Loss Prevention (DLP) is a set of technologies and policies designed to prevent sensitive information from being shared, transferred, or exposed outside authorised boundaries. DLP systems inspect data in motion (network traffic, email), data at rest (file servers, databases, cloud storage), and data in use (endpoint activity such as copy-paste, print, and USB transfers). When a policy violation is detected, the system can take actions ranging from logging the event and notifying an administrator to actively blocking the transfer and quarantining the content.

DLP is not a single product but rather a strategy that may involve multiple tools working in concert. A comprehensive DLP programme typically includes endpoint agents, network inspection appliances or proxies, cloud access security broker (CASB) integration, email gateway policies, and a centralised management console that ties everything together. The goal is to create a consistent set of data-handling rules that are enforced regardless of where the data is or how a user attempts to move it.

Endpoint DLP vs Network DLP vs Cloud DLP

DLP Deployment Models

| Feature | Endpoint DLP | Network DLP | Cloud DLP |
|---|---|---|---|
| Where it operates | On the user's device (agent-based) | At network boundaries (proxy, gateway) | Within cloud services (API or inline) |
| Data states covered | Data in use, data at rest on endpoints | Data in motion across the network | Data at rest and in motion in SaaS/IaaS |
| Visibility into encrypted traffic | Full — inspects before encryption | Requires SSL/TLS decryption | Full — API access to cloud content |
| USB/print control | Yes — can block or audit | No — off-network transfers not visible | No — not applicable |
| Deployment complexity | Moderate — agent rollout required | Moderate — network architecture changes | Low — API integration with cloud tenant |

Endpoint DLP is the most granular form of data protection because it operates directly on the user's device. An endpoint DLP agent can monitor file operations, clipboard activity, screen captures, printing, and removable media usage. It can detect sensitive data being copied to a USB drive or pasted into a personal webmail compose window and either block the action or warn the user. Endpoint DLP is particularly valuable for hybrid and remote workers whose traffic may not pass through a corporate network gateway. The trade-off is that it requires agent deployment and management on every device, which can be challenging in BYOD environments.

Network DLP inspects traffic as it crosses network boundaries — typically at the email gateway, web proxy, or firewall. It is effective for catching bulk data exfiltration via email attachments, web uploads, and FTP transfers. However, the increasing prevalence of encrypted traffic (TLS) means that network DLP must either terminate and re-encrypt connections (SSL inspection) or rely on metadata analysis for encrypted flows. Network DLP is best suited as a complement to endpoint DLP, catching data movements that bypass the endpoint agent.

Cloud DLP addresses the reality that most organisations now store significant volumes of sensitive data in SaaS applications (Microsoft 365, Google Workspace, Salesforce) and IaaS platforms (AWS, Azure). Cloud DLP tools connect via API to scan data at rest in cloud repositories, monitor sharing permissions, and enforce policies on file downloads and external sharing links. Microsoft Purview, for example, can scan SharePoint Online libraries and OneDrive accounts for Australian Tax File Numbers, Medicare numbers, and other sensitive identifiers, then apply protective actions automatically.

Creating Effective DLP Policies

The foundation of any DLP programme is well-crafted policy. A policy defines what constitutes sensitive data, where it is permitted to reside, who may access it, and what actions are prohibited. Start by identifying the data types that matter most to the organisation: personally identifiable information (PII), payment card data, health records, financial statements, source code, or trade secrets. For each data type, define detection rules using a combination of regular expressions, keyword dictionaries, data fingerprinting, and machine-learning classifiers. Avoid the temptation to create overly broad policies at the outset — a DLP system that generates hundreds of false positives per day will quickly be ignored or disabled by frustrated users.
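The following added example (not taken from any DLP product) shows how layering a checksum and a keyword dictionary on top of a regular expression cuts false positives for Australian Tax File Numbers. The keyword list, the 40-character window and the confidence labels are assumptions chosen for illustration.

```python
import re

# Candidate pattern: nine digits, optionally grouped 3-3-3 by spaces or hyphens.
TFN_CANDIDATE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)   # nine-digit TFN check weights
KEYWORDS = ("tax file number", "tfn")        # assumed keyword dictionary
WINDOW = 40                                  # assumed: chars searched each side


def tfn_checksum_ok(digits: str) -> bool:
    """A nine-digit TFN is valid when its weighted digit sum is divisible by 11."""
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text: str) -> list[dict]:
    """Return checksum-valid candidates, graded by nearby keyword evidence."""
    hits = []
    lowered = text.lower()
    for m in TFN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not tfn_checksum_ok(digits):
            continue  # regex-only matches such as invoice numbers stop here
        context = lowered[max(0, m.start() - WINDOW): m.end() + WINDOW]
        near_keyword = any(k in context for k in KEYWORDS)
        hits.append({
            "match": m.group(),
            "confidence": "high" if near_keyword else "low",
            # Report only the last three digits so the DLP log holds no TFNs.
            "redacted": "*** *** " + digits[-3:],
        })
    return hits


# Constructed sample text; 123 456 782 was chosen because it passes the checksum.
SAMPLE = (
    "Payroll form: employee Tax File Number 123 456 782, start date 01/07/2025.\n"
    "Invoice ref 123456789 raised for order 987654321.\n"
    "Tracking code 123-456-782 attached to parcel.\n"
)

if __name__ == "__main__":
    for hit in find_tfns(SAMPLE):
        print(hit)
```

A rule set built this way can block on high-confidence hits and only audit low-confidence ones, which keeps the checksum-valid but context-free tracking code from interrupting users.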

Data Classification and Sensitivity Labels

DLP works best when it operates on data that has been classified and labelled. Sensitivity labels — such as Public, Internal, Confidential, and Highly Confidential — attach metadata to files and emails that DLP policies can reference. Microsoft Purview Information Protection (formerly Azure Information Protection) allows administrators to define labels, configure automatic labelling rules based on content inspection, and apply encryption and access restrictions that travel with the document. When a user labels a spreadsheet as "Confidential", DLP policies can automatically block it from being emailed to external recipients or uploaded to unapproved cloud services, regardless of where the file moves.

Automatic classification reduces the reliance on users to manually label every document. Trainable classifiers in Microsoft Purview can learn from example documents — for instance, a set of board minutes or legal contracts — and then automatically identify and label similar documents across SharePoint and OneDrive. Combining automatic classification with DLP policies creates a powerful, low-friction data protection layer that operates in the background without requiring users to change their daily workflow.

Microsoft Purview DLP in Detail

For organisations standardised on Microsoft 365, Microsoft Purview DLP is the natural choice. It provides unified policy management across Exchange Online, SharePoint Online, OneDrive, Teams, and Windows endpoints — all from a single compliance portal. Purview DLP ships with over 300 built-in sensitive information types, including Australian-specific detectors for Tax File Numbers, Medicare card numbers, Australian passport numbers, and driver's licence formats for each state. Policies can be scoped by user group, location, or sensitivity label, and enforcement actions include blocking, encrypting, notifying the user via a policy tip, and escalating to a manager.

Purview DLP for endpoints extends protection to the Windows desktop. Once onboarded through Microsoft Defender for Endpoint or Intune, endpoint DLP can monitor and restrict activities such as copying sensitive files to USB drives, uploading to unmanaged cloud services, printing documents that contain classified information, and accessing sensitive files via unallowed applications. Endpoint DLP policies are managed in the same Purview compliance portal, providing a single pane of glass for data protection across cloud and endpoint.

Australian Privacy Considerations for DLP

Australia's Privacy Act 1988 and the Australian Privacy Principles (APPs) impose obligations on organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. The Notifiable Data Breaches (NDB) scheme requires organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm. DLP directly supports compliance with these requirements by preventing unauthorised disclosure of personal information before it becomes a reportable breach. For resellers advising clients in regulated industries — healthcare, financial services, government — DLP is increasingly a baseline expectation rather than an optional extra.

Practical Deployment Steps for Resellers

A successful DLP deployment follows a phased approach. In Phase 1, conduct a data discovery exercise to identify where sensitive data resides — file servers, SharePoint sites, cloud apps, endpoints. Use tools like Microsoft Purview Data Map or third-party discovery scanners. In Phase 2, define and apply sensitivity labels and classification policies. Engage business stakeholders to agree on the classification taxonomy. In Phase 3, deploy DLP policies in audit-only mode across email, cloud, and endpoints. Review matches weekly, tune false positives, and educate users about policy tips. In Phase 4, switch to enforcement mode for high-confidence policies (e.g., blocking external sharing of Tax File Numbers) while keeping lower-confidence rules in audit mode for further refinement.
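As an added illustration of the Phase 3 to Phase 4 decision (not part of any vendor tooling), the script below takes analyst-reviewed audit-mode matches and recommends which rules are ready for enforcement. The rule names, the minimum sample size and the 5% false-positive threshold are assumptions.

```python
from collections import defaultdict

MIN_TRIAGED = 20     # assumed: reviewed matches required before deciding
MAX_FP_RATE = 0.05   # assumed: promote only at or below 5% false positives


def recommend_modes(events):
    """events: iterable of (rule, verdict); verdict is 'tp', 'fp' or None (unreviewed)."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "untriaged": 0})
    for rule, verdict in events:
        counts[rule][verdict or "untriaged"] += 1

    decisions = {}
    for rule, c in counts.items():
        triaged = c["tp"] + c["fp"]
        if triaged < MIN_TRIAGED:
            # Too little reviewed evidence: stay in audit mode and keep triaging.
            decisions[rule] = ("audit", "not enough reviewed matches")
            continue
        fp_rate = c["fp"] / triaged
        if fp_rate <= MAX_FP_RATE:
            decisions[rule] = ("enforce", f"false-positive rate {fp_rate:.1%}")
        else:
            decisions[rule] = ("audit", f"false-positive rate {fp_rate:.1%}, tune rule")
    return decisions


# Constructed audit-mode review data: (rule name, analyst verdict).
SAMPLE_EVENTS = (
    [("TFN shared externally", "tp")] * 48
    + [("TFN shared externally", "fp")] * 2
    + [("Keyword 'confidential' in email", "tp")] * 12
    + [("Keyword 'confidential' in email", "fp")] * 18
    + [("Medicare number copied to USB", "tp")] * 3
    + [("Medicare number copied to USB", None)] * 5
)

if __name__ == "__main__":
    for rule, (mode, reason) in recommend_modes(SAMPLE_EVENTS).items():
        print(f"{rule}: {mode} ({reason})")
```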

Pros

  • Prevents accidental and malicious data leakage before it becomes a breach
  • Supports compliance with the Privacy Act, NDB scheme, PCI DSS, and APRA CPS 234
  • Provides visibility into how sensitive data moves across the organisation
  • Microsoft Purview DLP is included in many Microsoft 365 E3/E5 licences
  • Automatic classification reduces reliance on manual user labelling

Cons

  • Poorly tuned policies generate excessive false positives that frustrate users
  • Endpoint DLP agents can impact device performance if not configured carefully
  • Does not prevent data theft via authorised channels (e.g., a user memorising information)
  • Requires ongoing policy maintenance as business processes and data types evolve
  • Full DLP coverage across endpoint, network, and cloud may require multiple products
