US Patent 10454933 System and methods for policy-based active data loss prevention

A system and method for policy-based active Data Loss Prevention (DLP) using a two-step process to first determine if an attempt to access a data object is governed by DLP policy, and if so, then applying the DLP policy to either allow or deny access. Attempts by an agent to access, create, modify, or distribute a data object are trapped by a policy execution point. A first query determines if DLP policies govern that access request. If they do, then the metadata is decrypted to form a second query to a policy decision point to adjudicate the access request. If the access request is allowed, then a second key is provided to decrypt the data object for further processing. The system further provides for the encryption of unencrypted data objects to protect them for all future access queries.