Summary — You've Built a Data Security Program
What You Built Today
You didn't just run through a demo. You built a complete data security program from scratch — the same architecture that protects real organisations at scale.
The central insight: Sensitive data doesn't have one exfiltration path. It moves through the web, onto devices, into browsers, through email, via SaaS APIs, and into GenAI tools. Each channel requires a different enforcement mechanism — but one policy engine ties them all together.
The Dataparity Story — Start to Finish
| Module | What You Did | The Risk You Addressed |
|---|---|---|
| Module 1 — Visibility | Mapped 911 apps (21 sanctioned), traced the payroll file to SharePoint, identified Copilot exposure | You can't protect what you can't see |
| Module 2 — Protection | Built detection logic, then enforced it across 3 channels | Visibility without enforcement is just a report |
| Module 3 — Investigation | Triaged Kevin's violations, coached him, escalated, automated | Enforcement without response is incomplete |
The Payroll_2025 file threaded all three modules — discovered at rest in Lab 3, exposed to Copilot in Lab 4, blocked in transit in Labs 6 and 7, blocked in a browser in Lab 8, and investigated by Priya in Lab 9. One file. Five risk contexts. One platform.
The Three Channels You Enforced
In Module 2, you protected data across three distinct exfiltration surfaces — each requiring a different enforcement mechanism:
Kevin attempted to upload the payroll report to ChatGPT. The Zscaler proxy inspected the outbound HTTPS request, matched the DP Project Code engine, and blocked the transfer before it left the network. The enforcement point: between the device and the internet.
Kevin opened the payroll report in Notepad++ and attempted to copy sensitive content. The Zscaler endpoint agent blocked the clipboard operation on the device itself — no network traffic involved. This works even when the device is completely off-network. The enforcement point: the OS layer.
Kevin pasted payroll data into a GenAI prompt. Proxy-based DLP couldn't see it — ChatGPT uses WebSocket streaming that looks like a single encrypted connection. Browser DLP intercepted the clipboard paste inside the browser process, before any network transmission. The enforcement point: the DOM layer.
The Channels We Didn't Cover Today
These three channels represent Zscaler's complete data security coverage — all enforced by the same policy engine and detection logic you built in Lab 5:
| Channel | What It Protects | Status |
|---|---|---|
| 🌐 Web / Inline DLP | Uploads to cloud apps, web transfers | ✅ Lab 6 |
| 💾 Endpoint DLP | USB, clipboard, local file operations | ✅ Lab 7 |
| 🧠 Browser DLP | GenAI prompts, web form submissions | ✅ Lab 8 |
| 📧 Email DLP | Outbound email attachments and body content | Beyond today's scope |
| ☁️ SaaS / CASB | API-level data movement in sanctioned apps | Beyond today's scope |
| 🏗️ Public IaaS | Data at rest and in motion across AWS, Azure, GCP | Beyond today's scope |
| 🏢 On-Premises | Data moving through on-prem infrastructure and private apps | Beyond today's scope |
The same DP Project Code engine you built in Lab 5 would enforce policy across all six channels — you only need to build the detection logic once.
The Architecture in One View
┌──────────────────────────────────────────────────────────────────────────┐
│                           One Detection Engine                           │
│                    (DP Project Code — built in Lab 5)                    │
│            SSN + Credit Cards + ABA Routing + DP Project Code            │
└───┬──────────┬──────────┬──────────┬──────────┬──────────┬───────────────┘
    │          │          │          │          │          │
 🌐 Web   💾 Endpoint 🧠 Browser  📧 Email    ☁️ SaaS   🏗️ IaaS / 🏢 On-Prem
 (Lab 6)    (Lab 7)    (Lab 8)   (future)   (future)   (future)
One engine. One policy intent. Enforced everywhere data moves.
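To make the "one engine, many channels" idea concrete, here is an added sketch that is not Zscaler's engine or the lab's configuration: a single detector for the four identifier types named in the diagram, called unchanged from three channel hooks. The `DP-` plus four digits project code format, the "any match blocks" rule, and all function names are assumptions for illustration. The checksum validators are what keep arbitrary digit strings from becoming false positives.

```python
import re

# Assumption: project codes look like "DP-" + 4 digits; the lab's dictionary is not on the page.
PROJECT_CODE = re.compile(r"\bDP-\d{4}\b")
SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")
ABA = re.compile(r"\b\d{9}\b")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def aba_ok(digits):
    """ABA routing checksum: weights 3, 7, 1 repeated over nine digits."""
    return sum(int(c) * w for c, w in zip(digits, (3, 7, 1) * 3)) % 10 == 0

def ssn_ok(match):
    """Reject area/group/serial values that are never issued."""
    area, group, serial = match.groups()
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

def detect(text):
    """Return the set of identifier types found, after checksum validation."""
    hits = set()
    if PROJECT_CODE.search(text):
        hits.add("project_code")
    if any(ssn_ok(m) for m in SSN.finditer(text)):
        hits.add("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD.finditer(text)):
        hits.add("card")
    if any(aba_ok(m.group()) for m in ABA.finditer(text)):
        hits.add("aba")
    return hits

def enforce(channel, text):
    """Every channel calls the same detect(); only the interception point differs."""
    hits = detect(text)
    return {"channel": channel, "action": "block" if hits else "allow", "matched": sorted(hits)}

if __name__ == "__main__":
    # Constructed sample events, one per channel enforced in Labs 6-8.
    for channel, text in [("web", "Payroll_2025 DP-1042, SSN 123-45-6789"),
                          ("endpoint", "card 4111 1111 1111 1111"),
                          ("browser", "ticket 123456789 is closed")]:
        print(enforce(channel, text))
```

The third event is allowed: the nine-digit ticket number fails the ABA checksum, so pattern shape alone does not trigger a block.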
Key Takeaways
1. Visibility before enforcement. Module 1 wasn't optional setup. The Shadow IT discovery, DSPM findings, and Copilot readiness assessment gave you the evidence to justify and tune the policies you built in Module 2. Most organisations skip this step — and then wonder why their DLP has too many false positives.
2. The proxy only sees what crosses the network. Labs 7 and 8 exist because Lab 6 alone isn't enough. Endpoint DLP catches what never hits the network. Browser DLP catches what the proxy can't inspect inside a WebSocket stream. Defense in depth isn't a buzzword — it's three different enforcement layers covering three different blind spots.
3. Detection logic is shared infrastructure. You built one dictionary and one engine in Lab 5. That same engine powered three labs across two enforcement channels. In a real deployment, a single well-tuned engine protects email, web, endpoint, browser, and SaaS simultaneously. Maintenance cost stays flat while coverage expands.
4. Investigation closes the loop. Blocking events without investigation is half a program. Lab 9 showed what happens after the block — triage, coaching, escalation, automation. The ZWA workflow you configured turns reactive incident response into a repeatable, auditable process.
5. The user is not the enemy. Kevin wasn't malicious. He was convenient. The block notification, the coaching email, and the escalation workflow in Lab 9 are all designed to change behaviour — not punish it. That's the difference between a security program and a security wall.
This is your closing moment. A few suggestions to finish strong:
- Ask the room: "Before today, how many of you thought proxy-based DLP was enough?" Then: "After Lab 7 and 8 — still feel that way?"
- Tie back to their environment: "Think about your own organisation — which of these six channels do you have covered today? Which ones are blind spots?"
- The Payroll thread: "We followed one file through 5 labs and 3 modules. In your environment, what's your Payroll_2025 file — and do you know where it is right now?"
- Leave them with the core thesis: "Data security used to be about files. Today it's about meaning — understanding what data represents, wherever it moves, on any channel, on any device."