September 13, 2022

Securing data in cloud apps with Agentless DLP

Corey Kiesewetter

Digital transformation, the rise of cloud-first organizations, and hybrid/remote work initiatives have changed the way we get to and use resources. Many organizations with hybrid or remote workforces face situations in which controlling the use of data is critical, but traditional endpoint or network-centric ways of deploying DLP aren’t an option.  Some examples?  Employees using BYOD, Linux workstations, Chromebooks; contractors’ laptops; and partners accessing supply chain apps from their own systems.

Fortunately, there is a third point of control available—in the cloud for managed applications. This is where agentless DLP comes in, using Forcepoint ONE to provide strong, consistent DLP protection for the situations that endpoint DLP can’t cover.

Forcepoint ONE is Forcepoint’s answer to Security Service Edge (SSE) and together with our SD-WAN offering, provides single vendor SASE.  Our SASE though, is a Data-first SASE. Data-first SASE focuses not just on the initial access control decision to access a resource, but more importantly, the full life cycle of access to a resource i.e., the initial access decision and what happens after—controlling content in motion to keep malware out and keep sensitive data in.


Behavior patterns have changed, and the corporate network and managed devices are now a much smaller part of the overall picture than they used to be.  A critical mass of data and workloads have moved to the cloud, and the number one concern with this is: “How do I keep my data that is in the cloud from leaking out to unmanaged devices or the general public?”

The sage advice is, look to SASE, specifically, Data-first SASE.

Not all SASE platforms are created equal.  A big point of difference among SASE vendors is how well they do DLP.  All SASE vendors will have some elements of DLP, but the ones that are just superficial will not be able to really help with this problem.  Many only have ‘lite’ DLP, or don’t include DLP as standard and instead force you to add multiple up-charge licenses for what other vendors include in their standard packages. 

The key to ensuring that you are looking at a quality SASE solution that can protect sensitive data in cloud apps is asking the following questions:

  • Does your solution have predefined DLP classifiers that go beyond PII, PHI, and PCI? (everyone will have these.  The key is what else do vendors have to address other regulations that are important to you)
  • What are the limitations to custom or advanced DLP classifiers? (for patterns that can’t be addressed with predefined rules, will you even be able to build adequate patterns.)
  • Can you enforce agentless DLP? (i.e. will this only stop data loss for managed devices, and allow any contractors, partners, or consultants to steal any data in cloud apps?) 

To find out more about how agentless DLP works in Forcepoint ONE, check out the video below. And please see our Forcepoint ONE page for more information.


Corey Kiesewetter

Corey Kiesewetter is Forcepoint’s Product Marketing Manager for cloud security products, with a focus on SASE and Zero Trust applications.  Corey has been directly helping IT practitioners realize best practices in datacenter operations the past decade and holds a degree in...

Read more articles by Corey Kiesewetter

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.