DLP Foundations: Stop Data Leaks
Data Loss Prevention detects sensitive data leaving your organisation and takes action. Understand DLP concepts, policy design principles, and the roles required to manage DLP.
What is Data Loss Prevention?
Think of airport security, but for your data.
Before you board a plane, security scans your bags. Some items are banned completely. Others trigger a warning and a second look. And some are fine to take. DLP works the same way: when someone tries to share, email, upload, or copy sensitive data, DLP scans the content and applies the configured action: block it, warn the user, or log the event.
DLP does not work in isolation. It uses the sensitive information types (SITs) and sensitivity labels you set up in Domain 1 to know what to look for. Classification detects the data; DLP enforces the rules on it.
Where DLP works
DLP is not limited to email. It monitors data across Microsoft 365 workloads, managed endpoints, and third-party cloud apps connected through Defender for Cloud Apps:
| Location | What DLP Monitors | Example |
|---|---|---|
| Exchange Online | Emails and attachments | Blocking an email with 10 credit card numbers |
| SharePoint Online | Documents in sites and libraries | Warning when a Confidential file is shared externally |
| OneDrive for Business | Files in personal cloud storage | Blocking external sharing of files with patient data |
| Microsoft Teams | Chat messages and channel posts | Blocking a Teams message containing an SSN |
| Endpoints (Windows/macOS) | Files copied, printed, or uploaded from devices | Blocking USB copy of a file with financial data |
| Power BI | Dashboards and reports | Alerting when a report with sensitive data is exported |
| Third-party apps | Cloud apps connected via Defender for Cloud Apps | Applying policies to files in Box or Google Drive |
Designing a DLP policy
Before creating policies, map your organisation's data protection requirements:
Step 1: Identify what needs protection
Use your classification work from Domain 1:
- Which SITs detect your critical data?
- Which sensitivity labels mark your most important content?
- What regulatory requirements apply (GDPR, HIPAA, PCI-DSS, SOX)?
Step 2: Identify the risk scenarios
| Scenario | DLP Location | Action |
|---|---|---|
| Employee emails client data externally | Exchange Online | Block + notify |
| Contractor uploads files to personal cloud | Endpoints | Block + audit |
| Sensitive document shared with an "Anyone" link | SharePoint/OneDrive | Block external sharing |
| Credit card numbers pasted into Teams chat | Teams | Delete message + warn |
| Financial reports printed on personal printer | Endpoints | Block + log |
Step 3: Choose the right action intensity
| Intensity | Action | When to Use |
|---|---|---|
| Monitor only | Audit: log the activity but do not intervene | Testing new policies, low-risk data |
| Warn | Show a policy tip; the action still goes through | Moderate risk, user education |
| Block with override | Block the action; the user can provide a business justification (or report a false positive) to proceed | High risk, but legitimate exceptions exist |
| Block | Hard block; no override available | Highest risk: patient data, financial records, regulated content |
Scenario: Priya designs Meridian's DLP strategy
Priya maps Meridian Financial's DLP requirements:
| Data Type | Risk Scenario | Policy Action |
|---|---|---|
| Client account numbers (custom SIT) | Emailed externally | Block with override: auditors need access |
| Credit card numbers (built-in SIT) | Shared in Teams or email | Block: no legitimate reason to share in plaintext |
| Trading data (sensitivity label) | Copied to USB | Block: no override |
| General internal docs | Shared externally | Warn: policy tip with education link |
She starts with audit-only mode for two weeks to measure false positives before enabling enforcement.
DLP roles and permissions
| Role | DLP Capability |
|---|---|
| Compliance Administrator | Full DLP management: create, edit, delete policies |
| Compliance Data Administrator | Full DLP management |
| DLP Compliance Management role group | Create and manage DLP policies and alerts |
| Security Administrator | View DLP policies and alerts |
| Security Reader | View-only access to DLP reports |
| Information Protection Admin | Manage labels (which DLP uses as conditions) but not DLP policies directly |
Exam tip: DLP-specific role group
The exam may ask which role or role group is specifically designed for DLP management. The answer is DLP Compliance Management. In the Purview portal it appears as a role that built-in role groups such as Compliance Administrator already contain; assigning it on its own (for example in a custom role group) follows least privilege for DLP-only tasks, which is why it is the preferred answer over the broader Compliance Administrator role group.
Remember: creating DLP policies requires one of these roles. Security Reader and Helpdesk roles cannot create or modify policies.
DLP policy components
Every DLP policy is built from the following layers. A policy contains one or more rules, and each rule carries its own conditions, actions, and notifications:
| Layer | What It Defines |
|---|---|
| Policy | Name, description, locations, mode (test/enforce) |
| Rules | Conditions and actions; each policy can have multiple rules, evaluated in priority order |
| Conditions | What triggers the rule: SIT matches (with instance count and confidence), label matches, file extensions, recipient scope |
| Actions | What happens: block, warn, audit, encrypt, notify |
| Notifications | Who gets told: user policy tips, admin alerts, email notifications |
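The policy design steps above and the component layers in this table map directly onto Security & Compliance PowerShell, where a policy (`New-DlpCompliancePolicy`) holds the locations and mode, and each rule (`New-DlpComplianceRule`) holds the conditions, actions and notifications. The script below is an added example, not part of the original page or Microsoft's documentation; it builds Priya's two email/Teams rules from the Meridian scenario. The admin UPN, policy and rule names, policy tip wording, and the custom SIT name "Client Account Number" are assumptions for illustration; the built-in SIT "Credit Card Number" is real.

```powershell
# Added example: implement the Meridian DLP design with Security & Compliance PowerShell.
# Assumed values (not from the page): the admin UPN, policy/rule names, policy tip text,
# and the custom SIT display name "Client Account Number".
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName priya@meridianfinancial.example

$policyName = "Meridian - Financial Data DLP"

# Layer 1: the policy. Locations and mode live here. Start in test mode with
# notifications: policy tips are shown and matches are logged, nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Protects credit card and client account numbers in email and Teams" `
    -ExchangeLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Layer 2, rule 1: credit card numbers (built-in SIT). Hard block with no override
# when the content is going outside the organisation.
New-DlpComplianceRule -Name "Block credit card numbers leaving the org" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "Credit card numbers must not be sent outside Meridian." `
    -GenerateAlert SiteAdmin `
    -ReportSeverityLevel High

# Rule 2: client account numbers (custom SIT, assumed name). Block, but allow the
# sender to override with a business justification because external auditors
# legitimately need this data. Overrides are audited, so they remain reviewable.
New-DlpComplianceRule -Name "Block client account numbers with override" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Client Account Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText "Client account numbers detected. Override only for approved auditor requests." `
    -GenerateAlert SiteAdmin `
    -ReportSeverityLevel Medium

# Review what was created before enforcing anything.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyAllowOverride, ReportSeverityLevel

# After the audit window (Priya uses two weeks) and once false positives are tuned,
# switch the whole policy to enforcement. Rules keep their individual actions.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The only difference between the two rules is `-NotifyAllowOverride WithJustification`: without it, `-BlockAccess $true` is a hard block (the "Block" intensity); with it, the rule becomes "Block with override". Adding `FalsePositive` to that parameter would also let users report a false positive rather than justify the send. Keep the policy in `TestWithNotifications` until the match counts in Activity explorer look right; flipping `-Mode Enable` turns the same rules into enforced ones without any rule changes.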
Knowledge check
Priya at Meridian Financial needs to create a DLP policy that blocks credit card numbers from being shared via email but allows the compliance team to override the block when sending to external auditors. Which DLP action should she configure?
Dr. Liam is deploying DLP at St. Harbour Health. He has created policies but wants to measure false positive rates before enforcing them. What deployment approach should he use?
Next up: DLP Policies: Build, Manage & Extend. Create policies, configure conditions and actions, and extend DLP to Defender for Cloud Apps.