Domain 2: Cloud Data Security Module 19 of 70

Module 19: Data Loss Prevention (DLP)

CCSP Domain 2 — Cloud Data Security Section B 6 min read
DLP questions on the CCSP exam test whether you understand where to deploy DLP controls in cloud environments and what types of data movement each deployment pattern can detect. A DLP strategy that only monitors one data path leaves the other paths unprotected.

What Is DLP?

Data Loss Prevention encompasses technologies and processes that detect and prevent unauthorized data transfers. DLP identifies sensitive data through content inspection, context analysis, and policy enforcement. In cloud environments, DLP must cover multiple data paths that do not exist in traditional architectures.

DLP Deployment Patterns

Network DLP (Data in Motion)

Monitors network traffic for sensitive data leaving the organization. In cloud, this includes traffic between the cloud and the internet, between cloud services, and between cloud and on-premises. The challenge: encrypted traffic requires TLS inspection or API-level monitoring rather than traditional packet inspection.

Storage DLP (Data at Rest)

Scans cloud storage repositories for sensitive data. Identifies files containing personally identifiable information (PII), financial data, health records, or other classified information. Critical for discovering "shadow data" — sensitive data in locations where it should not exist.

Endpoint DLP (Data in Use)

Monitors data being accessed, copied, or transferred on user endpoints. In cloud contexts, this includes monitoring browser-based access to SaaS applications, clipboard operations, and file downloads from cloud storage.

Exam insight: The exam expects you to deploy DLP across all three patterns. A question describing a DLP deployment that only monitors storage but not network traffic is testing whether you recognize the gap. Sensitive data can leave through network paths that storage DLP never sees.

DLP Detection Methods

  • Content inspection: Examining data content for patterns (credit card numbers, Social Security numbers, email addresses) using regular expressions and data identifiers.
  • Context analysis: Examining metadata, file properties, sender/receiver information, and access patterns to determine sensitivity without inspecting content.
  • Machine learning: Training models on known sensitive data to identify similar patterns in new data. Reduces false positives but requires quality training data.
  • Exact data matching: Comparing data against a database of known sensitive values (specific credit card numbers, employee IDs). Highest accuracy, lowest false positives, but requires maintaining the reference database.

Cloud-Specific DLP Challenges

Encryption Blind Spots

DLP cannot inspect encrypted data. If users upload encrypted files to cloud storage or use end-to-end encrypted communication channels, DLP is blind. Solutions include inspecting data before encryption, using API-level DLP that monitors unencrypted cloud service interactions, or implementing cloud-native DLP that integrates with the CSP's decryption capabilities.

SaaS Application Gaps

SaaS applications often have their own sharing mechanisms (Slack messages, Teams file sharing, Salesforce reports). Traditional network DLP may not see these data paths. Cloud Access Security Brokers (CASBs) extend DLP to SaaS applications by monitoring API-level data transfers.

Shadow IT

Users may use unapproved cloud services to store or share data. DLP must be combined with cloud discovery tools to identify and monitor shadow IT services.

DLP Policy Design

Effective DLP policies define: what data is sensitive (classifications), where it is allowed (approved locations), how it can be shared (approved channels), and what happens when a violation is detected (block, alert, encrypt, quarantine). The exam tests whether your policy addresses all four elements.

Key Takeaways

Deploy DLP across all three patterns: network, storage, and endpoint. Use multiple detection methods for accuracy. Address cloud-specific challenges: encryption blind spots, SaaS data paths, and shadow IT. Integrate DLP with CASBs for SaaS visibility. Define comprehensive policies covering data classification, approved locations, sharing rules, and violation responses.

Next Module Module 20: Data Discovery and Classification