Browser DLP vs CASB vs Endpoint DLP
And why you probably need all three.
The short version
- Endpoint DLP: protects files on devices and controls exfil to removable media, local storage, and some apps.
- CASB: governance over sanctioned SaaS and policy enforcement in supported apps.
- Browser DLP: real‑time controls for copy/paste and uploads inside web pages.
Where gen‑AI leakage happens
Most "oops" incidents are:
- pasting customer data into a prompt
- uploading a doc for summarization
- sharing internal code snippets
These actions happen in the browser UI.
A practical architecture
Use layered controls:
- Endpoint DLP for device‑level controls
- CASB for sanctioned SaaS governance
- Browser DLP for the last mile (paste/upload, instant intervention)
The key insight: each tool solves a different part of the problem. Browser DLP fills the critical gap where the other two can't reach.
How to evaluate
Ask these questions when assessing any solution:
- Can it run locally (low latency)?
- Does it support monitor → warn → block?
- Can it export audit evidence?
- Can policies be role‑based and versioned?
The complete picture
| Control Layer | Best For | Limitation |
|---|---|---|
| Endpoint DLP | File system, removable media | Can't see browser context |
| CASB | Sanctioned SaaS apps | Limited unsanctioned app coverage |
| Browser DLP | Real-time paste/upload | Requires browser extension |