Microsoft Security

Gain flexibility and scale with a cloud-native DLP solution

We’re living in a seismic era for data security. Chief information security officers (CISOs) have to contend with a digital landscape that seems to shift daily as more organizations move to remote and hybrid work, redrawing the boundaries for how data is used and shared. The cloud has enabled continuous collaboration, with employees creating and sharing documents easily through chat and email. This unbounded digital estate has also created new opportunities for data exfiltration, and that possibility has many organizations rethinking their approach to data loss prevention (DLP).

Forward-thinking organizations are seeking to future-proof their DLP strategy with a comprehensive solution that scales across all applications, services, endpoints, and platforms. To help those that may be considering a DLP migration, Microsoft spoke to more than 300 data and compliance professionals to create the white paper “Data Loss Prevention: From on-premises to cloud.” We’ve presented some of the study’s highlights here, including common DLP states in use, challenges in migrating to a new DLP solution, best practices, and the benefits of adopting a cloud-native DLP solution.

“Data is not confined in a certain area. In today’s environment, it’s everywhere: someone else’s phone, tablet, data center, or software as a service application—because of that, you definitely see a lot more breaches happening.”

—Vice President, Information Security Officer, Financial Services

The stages of DLP deployment

We can define DLP as the people, processes, and technology that ensure data is not lost, misused, or accessed by unauthorized users. Our research revealed that 70 percent of companies see their DLP solution as a focal point of their overall data protection strategy. For that reason, a good DLP solution uses a holistic approach to protect the organization’s data assets, aid regulatory compliance, and prevent data leakage by monitoring all endpoints, apps, services, and the cloud—anywhere data is stored or shared. Most respondents said their ideal solution would be cloud-native DLP, which could provide scalability and flexibility, balancing protection and productivity.

An organization’s DLP can exist in five different stages with regard to deployment, starting from 100 percent on-premises (obsolete) and moving to 100 percent cloud-native (ideal). For this study, we focused on the three stages in the middle that involve some level of cloud deployment.

  1. On-premises-anchored: In this stage, an organization’s DLP is roughly 40 percent cloud and 60 percent on-premises. These organizations often have concerns about cloud migration, whether because of misconceptions or real difficulties related to migrating a larger amount of on-premises data. They tend to be highly focused on maintaining their current infrastructure and managing device agents through on-premises DLP solutions. This stage is the costliest in terms of staff hours and infrastructure required. Organizations at this stage also report the lowest level of perceived success and confidence in their current DLP program.
  2. Hybrid: Looking to push their program forward, these organizations currently have a mostly equal split between on-premises and cloud DLP. They see their biggest challenges around custom integrations and tend to evaluate new DLP solutions annually, seeking improvements in scalability, flexibility, and accuracy. They expend a lot of effort stitching together and managing multiple DLP solutions to support their hybrid data environments.
  3. Cloud-focused: These organizations are farthest along in their migration plans—60 percent cloud and 40 percent on-premises—and have the highest level of confidence and perceived success in their DLP program. Their goal is to improve visibility into their data, and they tend to evaluate new DLP solutions at a slower rate (every two to three years). They also experience fewer challenges with their current DLP programs and have a clearer understanding of their data. Their main challenge lies in ensuring that employees are following DLP policies for handling sensitive data.

Overall, the study found that organizations in on-premises-anchored states are experiencing the most discomfort. Hybrid organizations report feeling like they’re in a holding pattern, spending time and effort maintaining complex integrations and multiple DLP solutions across data environments. Fifty-nine percent of organizations with a hybrid DLP configuration report a desire to move to a cloud DLP solution.

The goal—cloud-native DLP: Beyond the cloud-focused stage, this is the desired destination. At this point, an organization’s DLP solution is fully cloud-native and the firm can benefit from scalable, holistic data protection across applications, services, endpoints, and platforms—all without hindering productivity or adding staff.

“It doesn’t make sense to maintain two or three different solutions because then you have to keep them updated, you have to make sure that there’s not a whole lot of difference between one, two, and three. So, you want to create the benefits and the economic savings of standardization. That’s why consolidation is critical.”

—Director, Technology Services

Benefits of leveraging a cloud-native DLP solution

In migrating your DLP solution, there are two options: a cloud-based or a cloud-native DLP solution. Both types will require the recreation of legacy policies, so how can you decide which solution better suits your organization?

Organizations that use a cloud DLP solution were twice as likely to say that cloud-native DLP solutions are easier to scale and provide a better balance of data protection and productivity. A cloud-native solution can also help reduce costs by eliminating the need for agents, infrastructure, or custom integrations while replacing inefficient silos and patchwork solutions that can create vulnerabilities. Organizations may also see improved performance because the data has to make fewer hops, enabling greater productivity.

As a cloud-native DLP solution, Microsoft Purview Data Loss Prevention provides all of the above benefits, with the added power of Adaptive Protection to help apply DLP policies dynamically based on users’ risk levels. By leveraging machine learning in Microsoft Purview Insider Risk Management, Adaptive Protection can understand how users are interacting with data, assign risk levels, and automatically tailor DLP controls. This enables DLP policies to become dynamic, ensuring that the strictest policies—such as blocking data sharing—are applied only to high-risk users. Microsoft Purview Data Loss Prevention does all this automatically wherever data is accessed or shared, so you can protect more data (with less).

Key challenges of migrating to a DLP solution

To better understand the barriers keeping companies from moving to cloud-native DLP, the study looked at the on-premises-anchored respondents, who are nearly twice as likely to cite apprehension about the unknown as a barrier to migration. We found five common themes reported as challenges preventing their DLP cloud migration:

  1. Dealing with the unknown: Reasons for being apprehensive about a cloud migration broke down predictably across roles. C-suite executives worried about the cost of a DLP migration, while IT administrators reported feeling uneasy about the perceived time and resources required. IT managers were uncertain about the unknowns of a new DLP solution, which potentially makes them hesitant to promote a cloud-based DLP solution when the one they’ve been using is still working (even if performance is unsatisfactory).
  2. Funding the DLP migration: Nearly 60 percent of organizations surveyed reported cost as a top barrier to migration. With organizations in the on-premises-anchored category, the figure rose to 70 percent. It’s appropriate for a business to consider costs first; however, upfront migration costs are often mitigated by reduced infrastructure and maintenance costs down the road. And with fewer IT professionals required to protect data, those resources can be leveraged elsewhere.
  3. Complexity of the problem: According to the study, on-premises-anchored organizations experience the highest levels of discomfort around DLP migration, with 73 percent naming it a top concern. Likewise, half of hybrid and cloud-focused companies who’ve gone through some of the migration process also stressed the high impact of data transformation. Nearly 50 percent of all organizations report that the challenge of re-engineering and recreating policies is preventing them from taking the next step.
  4. Balancing protection and productivity: Nearly half (48 percent) of on-premises-anchored organizations say DLP gets in the way of productivity, whereas cloud-focused companies show the least concern about productivity impacts. On-premises-anchored organizations are also more likely (58 percent) than hybrid or cloud-focused companies to run their DLP solutions in audit-only mode, due to the perceived impact that blocking mode may have on productivity. However, because of access to more granular controls, cloud-focused organizations have greater control over where data exfiltration is likely to happen—striking the right balance.
  5. Education of employees and administrators: On-premises-anchored companies face more challenges in educating employees on optimal data-handling practices, as well as educating administrators on better policy design. Cloud-focused and hybrid groups reported fewer challenges around education, viewing it as an important part of a holistic data-protection strategy. By prioritizing education, organizations can decrease data exfiltration risks and free up administrators to focus on other high-priority issues.

In an encouraging finding, respondents who’ve had experience migrating to a cloud-native solution report that the journey is not as difficult as others might imagine. Cloud-focused organizations were 46 percent less likely to say it’s risky to switch solutions. For the same firms, 60 percent were less likely to worry about losing control of their DLP program after migrating. They’re also 35 percent less likely to view recreating policies from their legacy DLP solutions as a major concern. In other words, migrating your DLP to a cloud-native solution isn’t as scary as it might seem.

Four best practices for migrating your DLP solution to the cloud

Moving to the cloud helps your organization future-proof its DLP solution, protecting your data across endpoints, clouds, and platforms with speed and scalability that on-premises solutions can’t match. By following a few guiding principles, your organization can achieve an effective DLP program that builds confidence and drives success.

  1. Use a cloud-native DLP with a holistic approach: A robust DLP strategy emphasizes people, processes, and education in addition to technology. Look for a solution partner that offers integrations with other key elements of a holistic data-protection strategy, like the ability to classify and label data and address insider risks. Prioritize solutions that offer a trial period; this helps alleviate anxiety and convince reluctant stakeholders that a successful migration is within reach.
  2. Recognize your apprehension so you can overcome it: Identify organizational challenges, then weigh those against the many benefits of migration, such as scalability and cost savings. Don’t let exaggerated worries hold your organization back from creating the efficient DLP solution it needs to maintain growth and respond to a changing data landscape.
  3. Ensure security without compromising productivity: Striking the right balance between data protection and productivity is essential. Getting there requires a solution that allows for granular policy configuration, helping admins fine-tune policies to fit the way your organization accesses, shares, and stores data.
  4. Choose the right solution provider and take advantage of migration tools: A good solution provider understands the challenges of migration and offers tools that automatically convert policies from legacy solutions. This reduces manual work and helps reduce anxiety among stakeholders. A provider that offers documentation and support adds greater value.

For a small number of organizations, industry regulations, compliance, or budget constraints may prevent them from fully migrating to the cloud. However, our study concludes that the cloud-native state provides the ideal DLP approach for a majority of companies, with migration from the other stages as an inevitable progression.

Migrate to a cloud-native DLP solution—Microsoft is here to help

To learn more about migrating your DLP solution, make sure to download the complete study, Data Loss Prevention: From on-premises to cloud, containing 44 pages of valuable insights gathered from more than 300 DLP and compliance professionals. For an in-depth example of DLP migration complete with screenshots, check out this special how-to blog written by my colleague, Shilpa Bothra, Senior Product Marketing Manager for Microsoft Purview Data Loss Prevention: Easily migrate your Symantec DLP policies to Microsoft Purview Data Loss Prevention. And don’t forget to join us for the inaugural Microsoft Secure, March 28, 2023, where you can learn the latest cloud defense insights and be among the first to see the AI-powered future of cybersecurity.

Learn more about Microsoft Purview Data Loss Prevention.
