Data loss prevention splits into two architectures, and the split has real cost consequences. Network DLP inspects traffic as it leaves the building; endpoint DLP makes the decision on the laptop itself. The endpoint approach is harder to build but covers the case the network never sees — the file copied to a USB stick on a plane, the upload over a personal hotspot.

CA, Inc.'s US10819748B2, “Systems and methods for enforcing data loss prevention policies on endpoint devices” (issued October 27, 2020; CPC G06F 21/6218 — protecting access to data, and H04L 63/20 — security policy), describes pushing and enforcing the DLP policy at the device so the allow/block decision happens locally. Read it at US10819748B2.

Mechanically, the endpoint carries an agent that holds the current policy and intercepts the actions that matter — file writes, transfers, clipboard moves, channel uploads — evaluating each against the policy before letting it complete. Because the decision is local, it survives the laptop going offline, which is exactly the scenario network DLP misses.
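To make the local decision loop concrete, here is an added example of the kind of policy engine such an agent carries: a cached policy object, a content classifier, and a first-match rule evaluation that needs no network round trip, so it works on a plane or over a personal hotspot. This is illustrative code written for this page, not CA's agent or anything taken from US10819748B2; the rule names, channel names, data classes and sample events are all constructed here.

```python
"""
Added example: a minimal endpoint DLP policy engine. Illustrative code for this
page, not CA's implementation; every name and sample value is constructed.
"""
import re
from dataclasses import dataclass


# --- Content classifiers (constructed for this example) -------------------

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so a 16-digit string is only treated as a card number
    when its check digit is consistent (cuts false positives on serials)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


_CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
_LABEL_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def classify(content: str) -> set:
    """Return the set of data classes detected in the content."""
    labels = set()
    if _LABEL_RE.search(content):
        labels.add("confidential")
    for m in _CARD_RE.finditer(content):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            labels.add("card_number")
            break
    return labels


# --- Policy model (hypothetical schema) -----------------------------------

@dataclass
class Rule:
    name: str
    channels: set            # e.g. {"usb", "upload"}; empty set = any channel
    data_classes: set        # classes that must all be present; empty = any
    action: str              # "block", "audit" or "allow"
    untrusted_network_only: bool = False   # apply only off the corporate network


@dataclass
class Policy:
    version: int             # the agent caches the last policy it was pushed
    rules: list
    default_action: str = "allow"


@dataclass
class Event:
    channel: str             # "usb", "upload", "clipboard", ...
    content: str
    on_corporate_network: bool = True


def evaluate(policy: Policy, event: Event) -> tuple:
    """First matching rule wins; returns (action, rule name). Everything
    needed is in the cached policy, so the decision is made entirely locally."""
    classes = classify(event.content)
    for rule in policy.rules:
        if rule.channels and event.channel not in rule.channels:
            continue
        if rule.data_classes and not rule.data_classes <= classes:
            continue
        if rule.untrusted_network_only and event.on_corporate_network:
            continue
        return rule.action, rule.name
    return policy.default_action, "default"


# Sample policy, constructed for this example.
SAMPLE_POLICY = Policy(version=7, rules=[
    Rule("block-card-data-removable", {"usb"}, {"card_number"}, "block"),
    Rule("block-confidential-offnet-upload", {"upload"}, {"confidential"}, "block",
         untrusted_network_only=True),
    Rule("audit-confidential-clipboard", {"clipboard"}, {"confidential"}, "audit"),
])

if __name__ == "__main__":
    # Constructed events; 4111 1111 1111 1111 is a widely used Luhn-valid test number.
    for ev in [
        Event("usb", "export: 4111 1111 1111 1111", on_corporate_network=False),
        Event("upload", "CONFIDENTIAL roadmap", on_corporate_network=False),
        Event("upload", "CONFIDENTIAL roadmap", on_corporate_network=True),
        Event("usb", "serial 1234 5678 9012 3456"),
    ]:
        print(ev.channel, evaluate(SAMPLE_POLICY, ev))
```

The point of the Luhn check is that a classifier running on the endpoint has to be cheap and low on false positives, because every blocked write is a user-visible interruption; the `untrusted_network_only` flag is how the engine expresses the personal-hotspot case that network DLP never observes.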

Why this matters to the business desk: DLP was a feature that vendors used to anchor enterprise data-protection suites, and the endpoint-versus-network architecture decision shaped acquisition strategy across the 2010s and into the SASE consolidation that followed. CA's portfolio in this area was part of what made it an attractive target; Broadcom acquired CA in 2018 and the enterprise-security IP travelled with the deal.

The grounded read: endpoint DLP is policy enforcement that lives on the device and decides before data moves. The buyer question is coverage of the offline and personal-channel cases that network inspection cannot see. CA's 2020 grant describes that local enforcement model directly.