- On the network (data in motion). These types of DLP solutions are installed at network egress points and analyze network traffic to detect transmission of sensitive data that violates corporate security policy.
- In storage environments (data at rest), where the DLP solution discovers the presence of sensitive data in the wrong places, notably unsecured locations (e.g., open file shares).
- At endpoints like desktops, notebooks, or other end-user systems (data in use). Endpoint DLP can control the movement of sensitive data between users and the transmission and storage of email and instant messages. They can also monitor and control access to physical devices, such as mobile device data stores, and provide application controls that will block attempted transmissions of sensitive data.
Managed via a centralized framework, DLP systems use a number of techniques to identify data, including deep content inspection, tagging, and contextual security analysis of transactions (e.g., attributes of originator, data object, medium, timing, recipient/destination).
I’ll write a bit more about DLP data identification next time, and also begin a two-part look at what DLP technology can accomplish.