DLP is Dead, Long Live Data Access Isolation

In the ever-evolving landscape of cybersecurity, organizations need to continuously assess and improve their security posture and operations. As businesses increasingly digitize their operations, the global data loss prevention (DLP) market is projected to reach $10.05 billion by 2030, growing at a compound annual growth rate of 24.1% from 2023 to 2030. This significant growth underscores the escalating demand for robust cybersecurity measures in an era marked by sophisticated digital threats. The traditional methods of Data Loss Prevention (DLP) have struggled to keep up with the rapid changes to the technology ecosystem. This shift in dynamics calls for a fresh approach to data security—Data Access Isolation (DAI).

The Limitations of Traditional Data Loss Prevention

The Genesis and Evolution of DLP

Data Loss Prevention technology emerged in the early 2000s as businesses increasingly needed to enable their workforce to handle sensitive data electronically. As the volume of sensitive data grew, so did the risks of that data being easily copied and moved off trusted systems and devices. DLP tools were designed to scan the content of data to ensure that it could be securely stored or transferred.

Challenges Implementing DLP Tools: Why DLP Fails to Completely Secure Data

DLP implementations often begin as a response to regulatory pressures rather than a comprehensive security strategy. This compliance-driven approach results in DLP systems that are minimally effective. These tools are frequently under-supported by staff, leading to high-risk DLP events going undetected. Additionally, inadequate collaboration between business leaders and DLP teams can disrupt business operations, causing companies to scale back or even pause their DLP initiatives.

Challenges Implementing DLP Tools:

• Defining Sensitive Data: Identifying sensitive data often relies on rules and pattern matching, which can be cumbersome to engineer effectively. Early DLP systems were adept at recognizing straightforward data elements like credit card numbers and social security numbers but struggled with more complex data types. Detection of business sensitive data like intellectual property or confidential or non-public data such as financial data required the use of complex regular expressions. Rule based data detection methods are difficult to implement consistently and effectively.
• Incorporating Business Context: DLP tools continue to struggle with understanding the context in which sensitive data access and transmission is acceptable. DLP systems often failed to adapt to complex business workflows, resulting in rules that were either too restrictive, leading to a high number of false negatives, or too lax, causing disruptions to business operations.
• Continuing Acceptance of Security Gaps: Traditional DLP tools could not secure data once it appeared on a screen. Simple methods like screen captures or photos of the screen could bypass DLP measures, and credential sharing or compromises made data accessible without the need for exfiltration.

The Rise of Data Access Isolation

The Concept of Data Access Isolation

Data Access Isolation is predicated on the principle of storing sensitive data on a secure system or application and granting just enough access to sensitive data to support operational needs while preventing the data from being stored, captured, or transferred from the secure environment onto the end-user device.

Traditional Approaches to Data Access Isolation

There are several ways in which data access isolation can be achieved, each of which varies in cost and complexity:

• Virtualization solutions ensure data is stored, accessed, and processed through secure, controlled workspaces. When data is accessed within a virtual desktop environment, the end-user can be prevented from downloading, or copying data to their local device, thus isolating the data. Virtualization solutions require specialized infrastructure that can be complicated and costly to operate.
• Thin-clients and zero-clients are developed using heavily customized operating systems that can prevent the downloading or copying of data to the local device. Thin and zero-clients require specialized hardware and software that can be complicated and costly to operate.
• Enterprise browsers enable access to sensitive data through web-based applications without requiring the extensive infrastructure of virtual desktop environments. Enterprise browsers also prevent end-users from downloading and copying the data onto their local device. While enterprise browsers require no specialized infrastructure, they can only secure web-based applications.

All the traditional approaches to data access isolation do not protect the data once on the screen from viewing by unauthorized users and capture using cameras.

SessionGuardian’s Unique Approach to Data Access Isolation

At SessionGuardian, we have redefined data security by developing a truly comprehensive data access isolation solution that closes the gaps in data loss prevention tools and:

• Prevents unauthorized viewing of sensitive: SessionGuardian ensures that only authorized users can view sensitive data, while they are present in front of the screen.
• Prohibits photos of data on the screen: SessionGuardian can detect and prevent an attempt to use a mobile device or camera to take a photo of data once on the screen.
• Prevents screen sharing via e-meeting solutions: SessionGuardian prevents the sharing of protected applications when the end-user is sharing their screen during an e-meeting.
• Prohibits screen capture using tools: SessionGuardian prohibits screen captures tools such as Snag-it, MS Snipping Tool, or Print Screen from capturing the contents of a protected application or window.
• Prevents downloading or copying data: SessionGuardian prevents downloading or copying of data from protected applications to the local device.

With SessionGuardian deployed on end-user devices, there is no longer a need to deploy a cumbersome data loss prevention tool on the endpoint, which is often a significant source of friction for end-users. SessionGuardian can also reduce the need to configure complicated data detection rules and business logic. We take the approach that all data is sensitive and only authorized users can view and work with sensitive data within the secure application or system where it’s stored. Once the data is on the screen we protect the data from capture.

The Future of Data Security

As the shortcomings of traditional DLP become more apparent, SessionGuardian’s vision for Data Access Isolation represents a more robust and adaptable approach to data security. Companies looking to protect their sensitive data must consider technologies that can keep up with the pace of change and the sophistication of threats.

To explore more about how Data Access Isolation can safeguard your business, visit our website, or contact our cybersecurity experts. Our team is ready to help you implement a security strategy that not only meets today's standards but also anticipates tomorrow's challenges.

About the Author

Sudhir Udipi

Sudhir Udipi brings over 15 years of experience in the cybersecurity industry to his role as VP of Solutions at SessionGuardian. Sudhir has extensive experience building technical presales and solutions engineering organizations for startups, having previously developed the presales organization for Securonix, a Gartner leading SaaS UEBA and SIEM provider.

Connect with Sudhir on LinkedIn for more insights into cybersecurity.

Top of Form

Bottom of Form