Data Exfiltration & DLP Controls Design Prompt
Design layered controls that detect and prevent sensitive-data exfiltration — DLP policies, egress monitoring, and access guardrails — without crippling legitimate workflows.
- Target user: Security architects and platform teams protecting sensitive data stores
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a data-protection engineer designing defensive controls against data exfiltration. This is blue-team only — detection and prevention of unauthorized data movement, never methods to exfiltrate. Respect privacy and minimize inspection of legitimate user content.

I will provide:
- Our sensitive data types and where they live (databases, object storage, SaaS, endpoints)
- Current egress paths (internet gateways, proxies, SaaS connectors, email)
- Compliance drivers (PII, PCI, PHI, IP)
- Existing monitoring (cloud logs, DLP tooling, CASB)

Design the controls through these steps:
1. **Data classification** — define tiers (public, internal, confidential, regulated), how each is labeled/tagged, and where the highest-risk data concentrates. Prioritize controls by data value and exposure.
2. **Egress chokepoints** — identify every path data can leave (egress gateways, SaaS APIs, email, removable media, developer laptops). Recommend funneling traffic through inspectable chokepoints with default-deny egress.
3. **DLP policy design** — define detection patterns (regex/fingerprint/ML) per data tier, the action per channel (alert, quarantine, block), and explicit allow-lists for legitimate flows to keep false positives low.
4. **Cloud-native guardrails** — bucket policies, VPC service controls / private endpoints, KMS scoping, and anomaly detection on large/unusual reads and cross-account access.
5. **Behavioral detection** — baseline normal data-access volume per identity and alert on spikes, off-hours bulk reads, and first-time-to-new-destination transfers.
6. **Privacy-respecting design** — minimize content inspection, scope policies to high-risk data, and document what is and isn't monitored.
7. **Response & tuning** — alert routing, containment playbook, and a tuning loop to cut false positives while preserving coverage.
Output as: (a) a control map (data tier → channel → detection → action), (b) example DLP rules with allow-lists, (c) an egress hardening checklist, (d) a 90-day rollout in audit-then-enforce phases. Bias toward default-deny egress, high-fidelity DLP rules, and privacy-minimizing inspection.
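The kind of artifact the prompt asks for in (a), (b) and step 5, shown as working code. This is an added example written for this page, not code from the prompt's author or from any DLP product: a small policy evaluator with validated detection patterns (a regex hit for a card number only counts if it passes the Luhn checksum, so 16-digit order IDs do not fire), a tier → channel → action control map, explicit allow-lists for legitimate flows, and a per-identity behavioral baseline for volume spikes, off-hours bulk transfers and first-time destinations. All destinations, thresholds, the business-hours window and the event data are constructed assumptions for illustration; alerts carry only detector names and counts, never the matched values.

```python
"""Minimal DLP policy evaluator (constructed illustration, not a product).
Content detectors with validators, tier -> channel -> action control map,
allow-lists for legitimate flows, and behavioral checks against a baseline."""
import re
from datetime import datetime
from statistics import median

TIER_RANK = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: turns a 'looks like a card number' regex hit into a
    high-fidelity PAN detection and discards other 13-19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Detection patterns per data tier: (name, tier, regex, validator).
# The validator rejects regex matches that are not real instances of the type.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DETECTORS = [
    ("pan", "regulated", PAN_RE, lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    ("ssn", "regulated", SSN_RE, lambda m: True),
    ("conf_marker", "confidential", re.compile(r"\bCONFIDENTIAL\b"), lambda m: True),
]

# Control map: data tier -> channel -> action. Channels not listed here are
# never content-inspected (privacy-minimizing: policy only on egress channels).
CONTROL_MAP = {
    "regulated":    {"email": "block",      "web_upload": "block", "saas_api": "quarantine"},
    "confidential": {"email": "quarantine", "web_upload": "block", "saas_api": "alert"},
    "internal":     {"email": "allow",      "web_upload": "alert", "saas_api": "allow"},
    "public":       {"email": "allow",      "web_upload": "allow", "saas_api": "allow"},
}
INSPECTED_CHANNELS = set(CONTROL_MAP["regulated"])

# Allow-lists for legitimate flows, keyed by (tier, channel) -> destinations.
# Hypothetical hosts: e.g. the PCI-scoped payment processor may receive PANs via API.
ALLOW_LIST = {
    ("regulated", "saas_api"): {"api.payments.example.com"},
    ("confidential", "email"): {"legal.example.com"},
}
BUSINESS_HOURS = (7, 20)  # assumed 07:00-20:00 local; outside this is off-hours


def classify(content: str):
    """Return (highest tier, {detector: count}). Only names and counts are kept,
    never the matched strings, so the alert itself does not leak the data."""
    hits = {}
    for name, tier, rx, valid in DETECTORS:
        n = sum(1 for m in rx.findall(content) if valid(m))
        if n:
            hits[name] = (tier, n)
    tier = max((t for t, _ in hits.values()), key=TIER_RANK.get, default="public")
    return tier, {k: v[1] for k, v in hits.items()}


def evaluate(event: dict) -> dict:
    """Apply the control map and allow-lists to one egress event."""
    channel = event["channel"]
    if channel not in INSPECTED_CHANNELS:
        return {"tier": None, "action": "not_inspected", "hits": {}, "reason": "channel not in scope"}
    tier, hits = classify(event["content"])
    if event["destination"] in ALLOW_LIST.get((tier, channel), set()):
        return {"tier": tier, "action": "allow", "hits": hits, "reason": "allow-listed flow"}
    return {"tier": tier, "action": CONTROL_MAP[tier][channel], "hits": hits, "reason": "control map"}


def behavioral_flags(history: list, event: dict) -> list:
    """Compare one event with the same identity's own baseline: volume spike,
    off-hours bulk transfer, and first transfer to a previously unseen destination."""
    mine = [h for h in history if h["identity"] == event["identity"]]
    sizes = [h["bytes"] for h in mine]
    hour = datetime.fromisoformat(event["ts"]).hour
    flags = []
    if sizes and event["bytes"] > 5 * median(sizes):
        flags.append("volume_spike")
    if sizes and not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]) and event["bytes"] > median(sizes):
        flags.append("off_hours_bulk")
    if event["destination"] not in {h["destination"] for h in mine}:
        flags.append("new_destination")
    return flags


def run(history: list, events: list) -> list:
    """Return (action, behavioral flags) per event."""
    return [(evaluate(e)["action"], behavioral_flags(history, e)) for e in events]


# Constructed baseline: one identity, ~50 KB daytime transfers to the CRM for a week.
HISTORY = [{"identity": "alice", "destination": "crm.example.com", "bytes": 50_000,
            "ts": f"2024-05-0{d}T10:00:00"} for d in range(1, 8)]
# Constructed events: a real PAN to webmail, a PAN to the allow-listed processor,
# and a 2:30 AM upload of a CONFIDENTIAL doc containing a non-Luhn 16-digit order ID.
EVENTS = [
    {"identity": "alice", "channel": "email", "destination": "gmail.com", "bytes": 40_000,
     "ts": "2024-05-08T11:00:00", "content": "card 4111 1111 1111 1111 exp 12/26"},
    {"identity": "alice", "channel": "saas_api", "destination": "api.payments.example.com",
     "bytes": 40_000, "ts": "2024-05-08T11:05:00", "content": "settle 4111111111111111"},
    {"identity": "alice", "channel": "web_upload", "destination": "paste.example.net",
     "bytes": 900_000, "ts": "2024-05-08T02:30:00", "content": "order 1234567890123456 CONFIDENTIAL roadmap"},
]

if __name__ == "__main__":
    for e, (action, flags) in zip(EVENTS, run(HISTORY, EVENTS)):
        print(f"{e['channel']:>10} -> {e['destination']:<26} {action:<14} {flags}")
```

The three events exercise the points the prompt asks for: the webmail message is blocked because the PAN validates, the same PAN to the payment processor is allowed by the explicit allow-list rather than by a weaker rule, and the night-time upload is blocked on the confidentiality marker alone (the order ID fails Luhn) while the behavioral layer independently flags the volume spike, off-hours timing and new destination. In a rollout the control-map actions would start as "alert" for the audit phase and be switched to the values shown here once the allow-lists have absorbed the legitimate flows.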