Data loss prevention and IAM: where access controls still fall short


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218

TL;DR: Data loss prevention works by classifying data, monitoring movement, and blocking suspicious transfer paths, but it remains rule-based and can miss unexpected exfiltration patterns, according to StrongDM. The real control problem is that DLP can reduce exposure, yet it cannot replace identity governance, access auditability, and least-privilege enforcement across NHI, autonomous, and human access.

NHIMG editorial — based on content published by StrongDM: What Is Data Loss Prevention? Best Practices

Questions worth separating out

Q: How should security teams use DLP without over-relying on it?

A: Security teams should use DLP as a containment and detection layer, not as the primary access control.

Q: Why do cloud environments make DLP harder to enforce?

A: Cloud environments make DLP harder because data moves through APIs, shared services, and delegated identities that do not fit simple perimeter rules.

Q: What do security teams get wrong about DLP?

A: The common mistake is assuming DLP can fix excessive access after the fact.

Practitioner guidance

  • Classify sensitive data before writing DLP rules. Build your DLP policy set from a current inventory of regulated, confidential, and operationally sensitive data, then map each class to the systems and identities that can touch it.
  • Tie DLP to identity-aware access controls. Use RBAC, ABAC, and PAM controls to limit who can reach sensitive data before DLP has to inspect it.
  • Review cloud access paths for access-related exposure. Focus reviews on the transfer points where cloud data leaves its intended boundary, especially delegated sharing, API-driven retrieval, and partner access.

What's in the full article

StrongDM's full blog post covers the operational detail this post intentionally leaves for the source:

  • Its breakdown of DLP deployment across network, endpoint, cloud, and email channels for teams planning implementation.
  • Its discussion of rule-based content review and contextual analysis for classifying sensitive data more precisely.
  • Its examples of access controls, encryption, and audit practices that support compliance reporting.
  • Its explanation of how StrongDM positions access management alongside DLP for practical enforcement.

👉 Read StrongDM's guide to data loss prevention best practices and access control →

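The identity-first gate the guidance above describes, as an added example that is not part of this post or of StrongDM's article: a transfer request is checked against a data-class inventory and the requesting identity's effective roles first, and rule-based content inspection runs only on what identity already permits. The inventory, principal directory, content signatures and transfer cases are all constructed for illustration; the delegation rule (a service account or agent acting on behalf of a human is evaluated with the human's roles only) is an assumption of the example, not a claim about any product.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory (not from the article): each data class lists the roles that
# may reach it and the boundaries it may legitimately leave to. "*" = unrestricted.
INVENTORY = {
    "pii": {"roles": {"hr-analyst", "payroll-svc"}, "boundaries": {"internal", "payroll-vendor"}},
    "financial": {"roles": {"finance-analyst", "reporting-svc"}, "boundaries": {"internal"}},
    "public": {"roles": {"*"}, "boundaries": {"*"}},
}

# Constructed principal directory: identity -> roles. The agent holds no roles of its
# own; it can only act on behalf of a human and inherits that human's entitlements.
PRINCIPALS = {
    "alice": {"hr-analyst"},
    "bob": {"marketing"},
    "payroll-bot": {"payroll-svc"},
    "report-agent": set(),
}

# Rule-based content signatures of the kind a DLP engine applies (illustrative only).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false card hits on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def dlp_inspect(payload: str) -> list:
    """Content-only check: names of the signatures found in the payload."""
    hits = []
    if SSN_RE.search(payload):
        hits.append("ssn")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group(0))) for m in CARD_RE.finditer(payload)):
        hits.append("card")
    return hits


@dataclass
class Transfer:
    identity: str
    data_class: str
    destination: str                    # boundary the data is leaving to
    payload: str
    delegated_by: Optional[str] = None  # human on whose behalf a non-human acts


def effective_roles(t: Transfer) -> set:
    # Assumed delegation rule: a delegated request carries the delegator's roles only,
    # so a service account or agent cannot be lent more than its principal holds.
    return PRINCIPALS.get(t.delegated_by if t.delegated_by else t.identity, set())


def dlp_only(t: Transfer) -> str:
    """What a content-only DLP policy would decide, with no identity context."""
    return "deny" if dlp_inspect(t.payload) and t.destination != "internal" else "allow"


def evaluate(t: Transfer) -> dict:
    """Identity decision first; DLP inspects only what identity already permits."""
    entry = INVENTORY.get(t.data_class)
    if entry is None:
        return {"decision": "deny", "stage": "identity", "reason": "unclassified data"}
    roles = effective_roles(t)
    if "*" not in entry["roles"] and not (roles & entry["roles"]):
        return {"decision": "deny", "stage": "identity",
                "reason": f"{t.identity} (roles {sorted(roles)}) is not entitled to {t.data_class}"}
    if "*" not in entry["boundaries"] and t.destination not in entry["boundaries"]:
        return {"decision": "deny", "stage": "identity",
                "reason": f"{t.data_class} may not leave to {t.destination}"}
    hits = dlp_inspect(t.payload)
    if hits and t.destination != "internal":
        return {"decision": "deny", "stage": "dlp", "reason": f"{hits} leaving to {t.destination}"}
    return {"decision": "allow", "stage": "identity+dlp", "reason": "entitled and no signature match"}


# Constructed transfers. Case 2 is the one DLP alone misses: an unentitled user moving
# a forecast that matches no content signature.
CASES = [
    Transfer("alice", "pii", "payroll-vendor", "Employee roster: 123-45-6789 J. Doe"),
    Transfer("bob", "financial", "partner-share", "Q3 forecast: revenue 12.4M, margin 31%"),
    Transfer("report-agent", "pii", "internal", "Headcount 412", delegated_by="alice"),
    Transfer("report-agent", "financial", "internal", "Burn rate 0.8M/mo", delegated_by="alice"),
    Transfer("payroll-bot", "pii", "payroll-vendor", "card 4111 1111 1111 1111 on file"),
]


def run_cases() -> list:
    out = []
    for t in CASES:
        r = evaluate(t)
        out.append({"identity": t.identity, "decision": r["decision"], "stage": r["stage"],
                    "dlp_only": dlp_only(t), "reason": r["reason"]})
    return out


if __name__ == "__main__":
    for row in run_cases():
        print(f"{row['identity']:<13} identity-first={row['decision']:<5} ({row['stage']:<12}) "
              f"dlp-only={row['dlp_only']:<5} {row['reason']}")
```

Running it prints one line per case. The two columns disagree exactly where the post says they will: bob's forecast and the delegated financial request pass a content-only policy (nothing in the payload matches a signature) and are stopped only by the entitlement check, while the SSN and card cases are caught by both. The Luhn check is there because a bare digit-run regex is the kind of rule that generates the false blocks the reply below measures.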
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

DLP is a containment layer, not an identity control plane. Rule-based inspection can slow data movement, but it does not answer the question of whether the right identity should have touched the data at all. When access is delegated through service accounts, shared credentials, or opaque cloud permissions, content policy becomes a late-stage check rather than a governance boundary. Practitioners should treat DLP as downstream of identity decisions, not a substitute for them.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Our research also shows that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: How do teams know if DLP is actually working?

A: DLP is working when sensitive-data alerts decline without a spike in user workarounds or policy exceptions. Teams should measure how often DLP blocks legitimate collaboration, how quickly alerts are triaged, and whether entitlement reviews show reduced data reach for high-risk identities. A stable control should lower exposure without pushing behaviour underground.

👉 Read our full editorial: Data loss prevention best practices still leave identity gaps



   
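The measurements the reply above proposes (alert decline, share of blocks that hit legitimate collaboration, exception rate, triage time, and reduced data reach for high-risk identities), as an added example that is not part of the post. The alert export, entitlement snapshots, high-risk identity list and the two thresholds are constructed assumptions for illustration; the column names match no particular DLP product.

```python
import csv
import io
import statistics
from datetime import datetime

# Constructed DLP alert export (not real data): when the alert opened, when an analyst
# triaged it, the identity involved, the engine's action and the analyst's disposition.
SAMPLE_LOG = """opened,triaged,identity,identity_type,action,disposition
2024-05-01T09:00:00Z,2024-05-01T09:30:00Z,alice,human,block,true_positive
2024-05-02T10:00:00Z,2024-05-02T12:00:00Z,bob,human,block,false_positive
2024-05-03T14:00:00Z,2024-05-03T14:20:00Z,payroll-bot,service,alert,true_positive
2024-05-04T08:00:00Z,2024-05-04T10:00:00Z,carol,human,block,exception_granted
2024-05-05T11:00:00Z,2024-05-05T11:10:00Z,dave,human,block,false_positive
2024-05-07T09:00:00Z,2024-05-07T09:15:00Z,alice,human,block,true_positive
2024-05-09T16:00:00Z,2024-05-09T16:40:00Z,bob,human,alert,false_positive
2024-05-10T13:00:00Z,2024-05-10T13:05:00Z,report-agent,agent,block,true_positive
"""

# Constructed entitlement snapshots: sensitive data classes each identity could reach
# before and after an entitlement review, and the identities treated as high risk.
REACH_BEFORE = {"payroll-bot": {"pii", "financial", "hr-docs"}, "report-agent": {"pii", "financial"},
                "bob": {"financial", "pii"}, "alice": {"pii"}}
REACH_AFTER = {"payroll-bot": {"pii"}, "report-agent": {"pii"}, "bob": {"financial"}, "alice": {"pii"}}
HIGH_RISK = ["payroll-bot", "report-agent", "bob"]

# Assumed tolerances: above these, the control is pushing behaviour around itself.
THRESHOLDS = {"false_block_rate": 0.25, "exception_rate": 0.20}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def dlp_health(log_text: str, reach_before: dict, reach_after: dict, high_risk: list) -> dict:
    """Compute the health signals from an alert export and two entitlement snapshots."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    blocks = [r for r in rows if r["action"] == "block"]
    triage_minutes = [(_ts(r["triaged"]) - _ts(r["opened"])).total_seconds() / 60 for r in rows]
    by_week = {}
    for r in rows:
        y, w, _ = _ts(r["opened"]).isocalendar()
        key = f"{y}-W{w:02d}"
        by_week[key] = by_week.get(key, 0) + 1
    weeks = sorted(by_week)
    first, last = by_week[weeks[0]], by_week[weeks[-1]]
    before = sum(len(reach_before.get(i, set())) for i in high_risk)
    after = sum(len(reach_after.get(i, set())) for i in high_risk)
    n_blocks = max(len(blocks), 1)
    return {
        "alerts": len(rows),
        "blocks": len(blocks),
        # blocks an analyst later judged to have hit legitimate work
        "false_block_rate": sum(r["disposition"] == "false_positive" for r in blocks) / n_blocks,
        # blocks that were resolved by granting a policy exception
        "exception_rate": sum(r["disposition"] == "exception_granted" for r in blocks) / n_blocks,
        "median_triage_minutes": statistics.median(triage_minutes),
        "alerts_by_week": by_week,
        # relative change from the first ISO week in the export to the last
        "alert_trend": (last - first) / first if first else 0.0,
        "high_risk_reach_before": before,
        "high_risk_reach_after": after,
    }


def assess(m: dict) -> list:
    """Findings that keep this deployment from counting as 'working' in the sense above."""
    findings = []
    if m["alert_trend"] >= 0:
        findings.append("alert volume is not declining")
    if m["false_block_rate"] > THRESHOLDS["false_block_rate"]:
        findings.append(f"false blocks at {m['false_block_rate']:.0%} exceed "
                        f"{THRESHOLDS['false_block_rate']:.0%}: legitimate collaboration is being blocked")
    if m["exception_rate"] > THRESHOLDS["exception_rate"]:
        findings.append("policy exceptions are above tolerance: behaviour is moving around the control")
    if m["high_risk_reach_after"] >= m["high_risk_reach_before"]:
        findings.append("entitlement review did not reduce data reach for high-risk identities")
    return findings


if __name__ == "__main__":
    metrics = dlp_health(SAMPLE_LOG, REACH_BEFORE, REACH_AFTER, HIGH_RISK)
    for k, v in metrics.items():
        print(f"{k:<24} {v}")
    print("findings:", assess(metrics) or ["none"])
```

On the constructed data the alert count falls 40% week over week and high-risk reach drops from seven sensitive classes to three, which on their own look like success; the false-block rate of one in three is the signal that the decline is partly users being blocked from legitimate work rather than exposure going down, which is exactly the distinction the reply draws.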