I'm finding it really tough to get a solid answer on Data Loss Prevention (DLP) as part of SASE (Secure Access Service Edge) lately. My organization has about 700 users spread across several office locations, and most of our traffic now goes to cloud applications. Right now, we're using a standalone DLP tool, but I'm starting to see serious coverage gaps regarding remote users and cloud traffic.
So, I'm now looking into SASE platforms that claim to have DLP capabilities built into their system. However, it seems like when you dig deeper, many vendors just rebrand third-party DLP engines, which results in separate policy management and tuning processes. I'm currently considering options like Palo Alto, Zscaler, and Cato. Here are a few things I'm particularly interested in:
- Is the DLP truly native or just integrated?
- How does policy enforcement work across web applications, cloud apps, and private access?
- Are we managing a single set of policies, or will we still have to juggle multiple consoles?
- What's the practical experience with false positive tuning?
4 Answers
You hit the nail on the head—most SASE DLP issues arise from the policies. If each layer of your system has its own rules, you end up replicating policies unnecessarily, which can get messy fast.
I can give you some insight into Skyhigh SSE. Their DLP engine is in-house, thanks to McAfee acquiring Skyhigh Networks, which has led to a pretty seamless integration. The policy structure is quite interesting; both CASB/ZTNA and SWG use the same classifications, but the policies differ a bit in their responses. When it comes to incidents, you get a unified view across the inspection points, which is a big plus. As for false positive tuning, that can be adjusted through classification changes or REGEX-based exceptions. However, if you want advanced features, you might need to look into additional licensing for things like evidence storage and AI classifiers.
AdaAlvarin is right; the policy flow is where these so-called 'unified' platforms often break down. We advise mid-sized organizations on M365 security, and honestly, before going all-in on SASE, I'd suggest checking if Microsoft Defender for Cloud Apps matches your needs. At 700 users and using cloud apps, you might already have licensing that allows syncing DLP policies across platforms like Exchange, SharePoint, and Teams. It's a single engine handling all DLP instead of juggling various consoles. Some clients opted for Zscaler just for SWG/ZTNA and relied on Purview for DLP to avoid confusion.
Honestly, I think DLP is often more trouble than it's worth. I've had bad experiences with both Zscaler and Palo Alto Networks. Zscaler’s approach feels like it’s just following the trends without fully committing, and Palo Alto seems to be stuck on its traditional firewalls while now trying to milk enterprise compliance.
What do you mean by 'cosplaying'? It seems they're trying to adapt to the market.