Enterprise DLP
June 2025
Review the new features introduced to Enterprise Data Loss Prevention (E-DLP) in June 2025.
New Features
Expanded Enterprise DLP Region Support
| June 13, 2025 |
Enterprise Data Loss Prevention (E-DLP) expanded support for existing regions for services such as Evidence Storage and syslog forwarding.
Forward Syslogs for Enterprise DLP Audit Logs
| June 16, 2025 | 
Enterprise Data Loss Prevention (E-DLP) provides a 90-day window for all audit logs generated when your security administrators make configuration changes. This can create challenges for security teams requiring long-term audit log retention and analysis. Without a way to preserve these critical events, organizations struggle to maintain comprehensive audit trails necessary for compliance, forensic investigations, and regulatory requirements. You can now create a Log Forwarding profile to automatically forward all Enterprise DLP audit logs to your third-party security information and event management (SIEM), Security Orchestration, Automation, and Response (SOAR), or other automated ticketing systems. This enables your SOC Analysts and Incident admins to integrate Enterprise DLP into established workflows to effectively triage, review, and resolve Enterprise DLP configuration changes that might have resulted in a data security incident. You can configure a single Log Forwarding profile for multiple enforcement points or you can create a different Log Forwarding profile for each. You can associate the same enforcement channel with multiple Log Forwarding profiles.
Enterprise DLP forwards audit syslogs over a UDP or TCP port, and requires a persistent connection to your SIEM, SOAR, or ticketing system to forward audit syslogs. Enterprise DLP can only forward audit syslogs while successfully connected to your SIEM, SOAR, or ticketing system. Enterprise DLP automatically continues forwarding your Enterprise DLP audit syslogs to your SIEM, SOAR, or ticketing system after you restore connectivity. However, Enterprise DLP can't forward any syslogs generated while Enterprise DLP and your SIEM, SOAR, or ticketing system are disconnected.
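Because syslogs generated during a disconnect are never forwarded, every outage of the syslog session leaves a hole in the SIEM copy of the audit trail. The following added example (not Palo Alto Networks code) reads a collector-side connection log and lists each gap with the date by which the missing events must be reviewed in Enterprise DLP itself; the log format, the state names, and the assumption that the 90-day window runs from event generation time are hypothetical.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # audit-log window stated on this page

# Constructed collector-side connection log (hypothetical format):
# "<ISO-8601 UTC timestamp> <state>" for the Enterprise DLP syslog session.
SAMPLE_LOG = """\
2025-06-16T08:00:00Z CONNECTED
2025-06-18T02:10:00Z DISCONNECTED
2025-06-18T02:10:05Z DISCONNECTED
2025-06-18T05:40:00Z CONNECTED
2025-06-21T23:00:00Z DISCONNECTED
"""


def parse_events(text):
    """Return (timestamp, state) pairs in chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, state = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc), state))
    return sorted(events)


def forwarding_gaps(text, now):
    """Return one dict per outage: start, end (None if still down),
    backfill_by (start + 90 days) and expired (deadline already passed)."""
    gaps, down_since = [], None
    for ts, state in parse_events(text):
        if state == "DISCONNECTED" and down_since is None:
            down_since = ts  # first loss opens the gap; repeats are ignored
        elif state == "CONNECTED" and down_since is not None:
            gaps.append({"start": down_since, "end": ts})
            down_since = None
    if down_since is not None:  # session has not come back yet
        gaps.append({"start": down_since, "end": None})
    for gap in gaps:
        # The oldest event in the gap ages out of the 90-day window first.
        gap["backfill_by"] = gap["start"] + RETENTION
        gap["expired"] = now >= gap["backfill_by"]
    return gaps


if __name__ == "__main__":
    for g in forwarding_gaps(SAMPLE_LOG, datetime.now(timezone.utc)):
        print(g["start"], "->", g["end"] or "still down",
              "| review in Enterprise DLP before", g["backfill_by"])
```
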
New Region Support for EDM
| June 30, 2025 | 
Enterprise Data Loss Prevention (E-DLP) now supports multiple new regions outside of the United States for Exact Data Matching (EDM) data set uploads. This addresses the regulatory challenge of storing sensitive data within specific geographic boundaries. Previously, Palo Alto Networks stored all EDM data sets exclusively in the US West-2 storage bucket. While Palo Alto Networks ensured General Data Protection Regulation (GDPR) compliance by hashing and encrypting EDM data sets before upload to the Enterprise DLP EDM data set storage bucket, this still presented compliance obstacles for organizations operating under regional data sovereignty regulations. The support for new EDM regions requires EDM CLI app version 4.0 or a later release.
With the new region support for EDM data set uploads, you can now specify the geographic region where Enterprise DLP stores the EDM data set uploads. When uploading data sets through the EDM CLI app, you specify your preferred region when you configure the upload_config.properties file, or you can specify a region when uploading an EDM data set using Interactive mode.
Support for new regions for EDM data set uploads is valuable if your organization operates in regions with strict data protection laws, such as GDPR in Europe, where personal data must remain within approved jurisdictions. While enabling regional data storage, the feature also supports cross-boundary scanning when necessary, allowing your data security controls to function seamlessly across your entire organization while maintaining compliance with data residency requirements.
Additionally, with the release of EDM CLI app version 4.0, Enterprise DLP no longer supports authentication and connectivity using an authentication token. EDM CLI app version 4.0 and later releases support EDM CLI app authentication and connectivity using only the Client ID and Client Secret.
Granular Data Profiles
| June 23, 2025 | 
Granular data profiles enhance your Enterprise Data Loss Prevention (E-DLP) detection capabilities by allowing you to apply differentiated inline content inspection requirements and response actions within the same Security policy rule. For example, you can use a single granular data profile to block high-risk data patterns while alerting on lower-risk ones, set varying log severities for different data profiles, and set specific file types for each data profile included in the granular data profile.
Granular data profiles simplify policy rulebase management by consolidating multiple rules into a single, more flexible Security policy rule. Furthermore, they reduce false positive detections and allow your data security admins to achieve a more nuanced approach to data protection that aligns closely with your organization's risk management strategy while maintaining a lean and efficient Security policy rulebase.
ICAP Forwarding for Enterprise DLP
| June 6, 2025 | 
Enterprise Data Loss Prevention (E-DLP) now supports configuring Internet Content Adaptation Protocol (ICAP) forwarding to allow you to integrate your existing on-premise DLP solutions with Enterprise Data Loss Prevention (E-DLP). This feature caters to organizations, especially in sectors like finance, that need to maintain their legacy DLP systems while embracing cloud security strategies. With ICAP support, you can configure Enterprise DLP to forward inspected files to your on-premise ICAP server for further inspection, while still leveraging the advanced inline ML-based detections offered by Enterprise DLP. This one-way integration ensures all files matching your inline Enterprise DLP match criteria are transmitted to your configured ICAP server, allowing your existing DLP solution to perform its analysis. Concurrently, Enterprise DLP conducts its own inspection and policy enforcement, providing comprehensive data protection. By configuring ICAP for Enterprise DLP, you can maintain compliance with specific regulations, smoothly transition to cloud-based security, and compare detection results across both systems. This approach allows you to confidently adopt SASE technologies while preserving the value of your existing DLP investments, ultimately strengthening your overall data protection strategy and facilitating a future migration to the cloud-native Enterprise DLP.
Magic Link Activation for Enterprise DLP
| June 5, 2025 | 
Auth code-based activation for Enterprise Data Loss Prevention (E-DLP) creates significant challenges in policy rule enforcement and synchronization consistency. Without tenant service group (TSG) selection capability, enterprises can't leverage existing Enterprise DLP data patterns and profiles across their data security enforcement points, resulting in fragmented policy rule enforcement.
You can now activate the Enterprise Data Loss Prevention (E-DLP) license for NGFW and VM-Series firewalls managed by either Panorama or Strata Cloud Manager using a magic link rather than an auth code. The new magic link activation flow resolves these pain points by allowing you to select a specific TSG during activation to enable a shared Enterprise DLP configuration between your NGFW, Prisma Access tenants, and VM-Series firewalls. This unified approach supports multiple deployment scenarios, including single or multiple TSGs rolling up to one CSP and hybrid environments with various enforcement points. Additionally, it gives your data security admins the flexibility to disassociate and reassociate Enterprise DLP licenses between enforcement points as your needs change.
