Data Loss Prevention (DLP) is a security strategy and class of software that detects and prevents the unauthorised exfiltration, transmission, or use of sensitive data. A DLP system monitors data in three states — at rest (stored on disk), in motion (moving over the network or USB), and in use (being viewed or edited by a user) — and applies rules that flag, block, or quarantine violations in real time.
Why DLP exists
Every organisation handles data that should not leave its boundary — customer financial records, intellectual property, source code, healthcare PHI, government secrets. Without DLP, that data exfiltrates through ordinary employee actions: someone emails a customer list to their personal Gmail, copies a database to a USB drive, uploads a project folder to their personal Dropbox, or screenshots a confidential dashboard and shares it on WhatsApp.
Most data leaks are not malicious — they are accidental, convenience-driven, or the result of an employee preparing to leave the company. DLP exists to catch all three.
The three types of DLP
1. Network DLP
Watches data flowing across the network — emails, HTTPS uploads, FTP transfers, instant messages. Typically deployed at the gateway (proxy or firewall). Catches: someone emailing 10,000 customer rows; someone uploading a large file to an unsanctioned cloud service.
2. Endpoint DLP
Runs as an agent on each laptop or desktop. Watches what the user does locally — copying to USB, dragging files, copying to clipboard, printing, taking screenshots. This is the type most employee-monitoring platforms (Headx, Teramind, Veriato) ship.
3. Storage / Cloud DLP
Scans data at rest in databases, file servers, SharePoint, Google Drive, Dropbox, S3. Identifies where sensitive data is stored, classifies it, and flags risky permissions (a Drive folder shared with "anyone with link" that contains PAN numbers).
How DLP detects sensitive data
DLP rules combine four detection techniques:
Pattern matching (regex)
Look for strings matching a defined pattern. Examples:
- PAN number: 5 letters, 4 digits, 1 letter (regex: [A-Z]{5}[0-9]{4}[A-Z])
- Aadhaar: 12-digit number with Verhoeff checksum validation
- Credit card: 13-16 digits with Luhn algorithm check
- Indian phone: 10-digit number starting with 6-9
- Email: standard RFC 5322 pattern
Keyword and dictionary
Match against a list of sensitive terms. Useful for product code names, project IDs, customer names, internal terminology.
Document fingerprinting
Generate cryptographic hashes of sensitive documents at rest, then watch for transmission of files containing those fingerprints. Detects exact and near-duplicate copies even if renamed.
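A minimal fingerprinting engine of the kind described above, added here as an example (not Headx code): the document is normalised, split into overlapping word windows, and only the SHA-256 of each window is registered, so a renamed, re-cased or lightly edited copy is still recognised. The window size, threshold and sample contract text are assumptions.

```python
import hashlib
import re

SHINGLE_WORDS = 5   # assumed window size; products tune this for precision vs. recall

def normalise(text: str) -> list[str]:
    # Lowercase and drop punctuation: a renamed or re-saved copy still yields the same words
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text: str) -> set[str]:
    # One SHA-256 per sliding window of SHINGLE_WORDS words; only the hashes are kept at rest
    words = normalise(text)
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
            for i in range(len(words) - SHINGLE_WORDS + 1)}

def similarity(candidate: str, registered: set[str]) -> float:
    # Fraction of the candidate's windows that also occur in the registered document
    shingles = fingerprint(candidate)
    return len(shingles & registered) / len(shingles) if shingles else 0.0

def is_near_duplicate(candidate: str, registered: set[str], threshold: float = 0.6) -> bool:
    return similarity(candidate, registered) >= threshold

# Constructed sample: a confidential contract fingerprinted at rest
ORIGINAL = ("Master Services Agreement between Acme Pvt Ltd and the Customer. "
            "Payment terms: net thirty days. Liability is capped at the annual fees paid. "
            "Either party may terminate with ninety days written notice.")
REGISTERED = fingerprint(ORIGINAL)

RENAMED_COPY = ORIGINAL.upper()                                        # same content, new file
EDITED_COPY = ORIGINAL.replace("net thirty days", "net forty-five days")
UNRELATED = "Quarterly marketing newsletter: new office opening and team outing photos."
```

Because only hashes leave the classification server, the enforcement point (an endpoint agent or mail gateway) can match outbound files without holding a copy of the sensitive documents themselves.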
Content classification (ML)
Machine-learning models trained to recognise document types (invoices, contracts, source code, patient records) regardless of exact wording. More accurate than keyword matching, more expensive computationally.
Real-world DLP rule examples
Below are the DLP rules most Indian businesses configure in their first month of deployment.
| Rule | Trigger | Action |
|---|---|---|
| Block USB writes over 10 MB | Endpoint DLP | Block + alert IT |
| Flag upload of file > 50 MB to non-sanctioned cloud | Endpoint + Network DLP | Alert + manager review |
| Block paste of more than 5 PAN/Aadhaar numbers into external apps | Endpoint DLP (clipboard) | Block + alert |
| Flag print of any document containing "Confidential" header | Endpoint DLP (print) | Watermark + audit log |
| Block email of attachments > 25 MB to external domain | Network DLP | Quarantine + manager approval |
| Flag screenshot capture while a banking application is in focus | Endpoint DLP | Alert + audit log |
| Block source code file copy to USB | Endpoint DLP (file fingerprint) | Block + alert |
| Flag any file access by an employee in their notice period | Endpoint DLP (user attribute) | Increased audit + manager review |
DLP vs antivirus vs firewall vs encryption
| Tool | What it does | What it does not do |
|---|---|---|
| DLP | Watches data movement; flags or blocks unauthorised exfiltration | Does not detect malware or block external attacks |
| Antivirus / EDR | Detects malicious code, ransomware, suspicious processes | Does not stop an employee emailing customer data |
| Firewall | Controls network traffic by port/protocol/IP | Does not inspect the content of allowed traffic |
| Encryption | Makes data unreadable to unauthorised parties | Does not stop an authorised user from exporting and decrypting the data |
| Access control (IAM) | Limits who can open what | Does not control what users do with data once opened |
DLP is the missing layer in the standard security stack — it watches what authorised users do with data they are authorised to access.
How to choose a DLP tool
Five practical evaluation criteria:
- Where does it run? Endpoint, network, cloud, or all three. Match to your highest-risk leak vectors.
- What does it detect? Pattern, keyword, fingerprint, ML — and crucially, does it ship templates for Indian data types (PAN, Aadhaar, GSTIN, IFSC, bank account)?
- How does it deploy? Cloud SaaS, on-premise, hybrid. For BFSI in India, on-premise or India-region SaaS is usually required.
- Does it integrate with your stack? SIEM, ticketing, IAM, CASB. APIs and webhooks matter.
- What does it cost in INR at your scale? Standalone enterprise DLP (Forcepoint, Digital Guardian, Symantec) costs ₹2,000-5,000/user/month. Combined employee-monitoring+DLP platforms (Headx, Teramind) cost ₹1,499-2,500/PC/month.
Deploying DLP step-by-step
- Discovery — find your sensitive data. Where does it live? Who can access it? Which systems handle it?
- Classify — tag data by sensitivity (Public, Internal, Confidential, Restricted). Most organisations end up with 3-4 levels.
- Define policies — for each sensitivity class, what data movement is allowed, allowed-with-justification, or blocked outright?
- Roll out in monitor-only mode first — run the rules for 30 days with no blocking. You will discover that 80% of your rules need tuning (false positives are very common in the first month).
- Flip on enforcement gradually — start with the highest-confidence rules (PAN/Aadhaar pattern matches), expand from there.
- Review and tune monthly — DLP is never "done". New data types, new SaaS apps, new attacker techniques.
- Train users — tell employees what is monitored and why. Confusion creates resentment; clarity creates compliance.
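An added example (constructed, not Headx code) that ties the rule table above to the monitor-only rollout: each rule carries an enforce flag that starts off, so fires are only logged, and individual high-confidence rules are switched on later. The event fields, rule names, internal domain and sample events are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable

MB = 1024 * 1024
INTERNAL_DOMAIN = "example.in"   # assumed company mail domain

@dataclass
class Event:
    channel: str              # "usb", "email", "clipboard", "print", "upload"
    user: str
    size: int = 0             # bytes written or attached
    dest: str = ""            # destination mail domain or cloud app
    id_hits: int = 0          # PAN/Aadhaar matches found by content inspection
    notice_period: bool = False

@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    action: str               # "block", "quarantine" or "audit"
    enforce: bool = False     # False = monitor-only: the fire is logged, the action proceeds

RULES = [
    Rule("usb-write-over-10mb", lambda e: e.channel == "usb" and e.size > 10 * MB, "block"),
    Rule("clipboard-over-5-ids", lambda e: e.channel == "clipboard" and e.id_hits > 5, "block"),
    Rule("external-attachment-over-25mb",
         lambda e: e.channel == "email" and e.size > 25 * MB
         and not e.dest.endswith(INTERNAL_DOMAIN), "quarantine"),
    Rule("notice-period-file-access", lambda e: e.notice_period, "audit"),
]

def enforce(rules: list[Rule], names: set[str]) -> list[Rule]:
    # Rollout step 5: move the named high-confidence rules from monitor-only to enforcement
    return [replace(r, enforce=True) if r.name in names else r for r in rules]

def evaluate(event: Event, rules: list[Rule]) -> tuple[str, list[str]]:
    # Returns (decision, fired rule names); decision stays "allow" unless an enforced rule acts
    decision, fired = "allow", []
    for r in rules:
        if r.matches(event):
            fired.append(r.name)
            if r.enforce and r.action != "audit" and decision == "allow":
                decision = r.action
    return decision, fired

# Constructed events: an oversized USB copy, and a large paste of identifiers by a leaving employee
USB_COPY = Event("usb", "asha", size=50 * MB)
PASTE = Event("clipboard", "ravi", dest="web.whatsapp.com", id_hits=12, notice_period=True)
```

The fired list is what you review during the 30-day monitor-only window; a rule whose fires are mostly false positives is tuned before it ever reaches the enforce set.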
FAQ
Is DLP mandatory in India?
Not explicitly named in any statute, but RBI cyber-security framework (BFSI), IRDAI guidelines (insurance), and SEBI cyber-resilience framework (capital markets) all effectively require DLP for regulated entities. ISO 27001 and SOC 2 audits also expect DLP controls.
Does DLP work for cloud apps like Google Drive and Dropbox?
Endpoint DLP watches the upload from the user's PC. Cloud DLP (CASB-style) watches the data once it is in the cloud app. Both have a place — endpoint DLP is faster to deploy, cloud DLP catches what endpoint misses.
How is DLP different from an Insider Threat Program?
DLP is the technical control. An Insider Threat Program is the broader programme that combines DLP signals with HR data, access logs, and UEBA behaviour scores to identify and respond to insider risk.
What is the typical false-positive rate?
In monitor-only mode (first month), 50-80% of fires are false positives. After 90 days of tuning, well-configured DLP runs at 5-15% false positive rate. Plan for the tuning effort upfront.
Can DLP catch a user taking a photo of the screen with their phone?
Not directly. Some platforms detect when a user holds a phone up to the screen using webcam computer-vision (rare and expensive). Most organisations accept this is an out-of-band leak vector and address it through screen watermarking and policy (no phones at the workstation in restricted areas).
Does Headx Monitor include DLP?
Yes — endpoint DLP is included on every Headx plan at no extra cost. See features or compare DLP depth against Teramind.
Ready to try Headx on your team?
Cloud from ₹1,900/PC/month or On-Premise from ₹1,499/PC/month. 30-day money-back guarantee on the Cloud plan.