Data Loss Prevention (DLP) is a security technology designed to discover, monitor, and protect sensitive data wherever it resides. A key function of endpoint DLP solutions is to scan data at rest, such as files stored on hard drives, to identify content that violates organizational policies. By using content-aware detection methods like regular expressions or data fingerprinting, DLP can effectively detect the unauthorized storage of sensitive information (e.g., personally identifiable information, intellectual property) on user workstations and servers. This capability directly addresses the requirement of the question.

B. IDS: An Intrusion Detection System (IDS) monitors network or system activity for malicious patterns or policy violations but is not designed to scan the contents of files on a hard drive.

C. TLS: Transport Layer Security (TLS) is a cryptographic protocol that provides security for data in transit over a network; it does not address the detection of data stored at rest.

D. IPS: An Intrusion Prevention System (IPS) is an active security device that detects and blocks network-based attacks; its function is not to discover sensitive data stored on local drives.

---

1. National Institute of Standards and Technology (NIST). (2018). NIST Internal Report 8202: Data Loss Prevention Practices. Section 2.1

"DLP systems are tools that can be configured to detect and prevent the unauthorized use and transmission of sensitive information... DLP systems can be used to protect data in any of its three states: data in use

data in motion

and data at rest."

2. Carnegie Mellon University

Software Engineering Institute. (2017). A Look at Data Loss Prevention. CERT/CC. Page 2

"For data at rest

DLP solutions can scan file systems

databases

and other data repositories for sensitive data. This capability is useful for discovering where sensitive data resides within the organization..."

3. Vaidya

T.

& Soni

D. (2013). Data Leakage Prevention System. International Journal of Engineering Research & Technology (IJERT)

2(12)

2990-2994. Section III.A

"Data-at-rest DLP typically involves a client-based agent that runs on end-user workstations or servers. The agent can be configured to scan the local hard drive to discover sensitive information and report back to a central management server."