In this article:

This is some text inside of a div block.

Share the Article

How to Build a Modern DLP Strategy That Actually Works: DSPM + Endpoint + Cloud DLP

February 12, 2026

Min Read

Ron Reiter

Co-Founder and CTO

Most data loss prevention (DLP) programs don’t fail because DLP tools can’t block an email or stop a file upload. They fail because the DLP strategy and architecture start with enforcement and agents instead of with data intelligence.

‍

If you begin with rules and agents, you’ll usually end up where many enterprises already are:

‍

A flood of false positives
Blind spots in cloud and SaaS
Users who quickly learn how to route around controls
A DLP deployment that slowly gets dialed down into “monitor‑only” mode

A modern DLP strategy flips this model. It’s built on three tightly integrated components:

‍

DSPM (Data Security Posture Management) – the data‑centric brain that discovers and classifies data everywhere, labels it, and orchestrates remediation at the source.
Endpoint DLP – the in‑use and egress enforcement layer on laptops and workstations that tracks how sensitive data moves to and from endpoints and actively prevents loss.
Network and cloud security (Cloud DLP / SSE/CASB) – the in‑transit control plane that observes and governs how data moves between data stores, across clouds, and between endpoints and the internet.

Get these three components right and make DSPM the intelligence layer feeding the other two and your DLP stops being a noisy checkbox exercise and starts behaving like a real control.

Why Traditional DLP Fails

Traditional DLP started from the edges: install agents, deploy gateways, enable a few content rules, and hope you can tune your way out of the noise. That made sense when most sensitive data was in a few databases and file servers, and most traffic went through a handful of channels.

‍

Today, sensitive data sprawls across:

‍

Multiple public clouds and regions
SaaS platforms and collaboration suites
Data lakes, warehouses, and analytics platforms
AI models, copilots, and agents consuming that data

Trying to manage DLP purely from traffic in motion is like trying to run identity solely from web server logs. You see fragments of behavior, but you don’t know what the underlying assets are, how risky they are, or who truly needs access.

A modern DLP architecture starts from the data itself.

Component 1 – DSPM: The Brain of Your DLP Strategy

What is DSPM and how does it power modern DLP?

‍

Data Security Posture Management (DSPM) is the foundation of a modern DLP program. Instead of trying to infer everything from traffic, you start by answering four basic questions about your data:

‍

What data do we have?
Where does it live (cloud, SaaS, on‑prem, backups, data lakes)?
Who can access it, and how is it used?
How sensitive is it, in business and regulatory terms?

A mature DSPM platform gives you more than just a catalog. It delivers:

Comprehensive discovery. It scans across IaaS, PaaS, DBaaS, SaaS, and on‑prem file systems, including “shadow” databases, orphaned snapshots, forgotten file shares, and legacy stores that never made it into your CMDB. You get a real‑time, unified view of your data estate, not just what individual teams remember to register.

‍

Accurate, contextual classification. Instead of relying on regex alone, DSPM combines pattern‑based detection (for PII, PCI, PHI), schema‑aware logic for structured data, and AI/LLM‑driven classification for unstructured content, images, audio, and proprietary data. That means it understands both what the data is and why it matters to the business.

‍

Unified sensitivity labeling. DSPM can automatically apply or update sensitivity labels across systems, for example, Microsoft Purview Information Protection (MPIP) labels in M365, or Google Drive labels, so that downstream DLP controls see a consistent, high‑quality signal instead of a patchwork of manual tags.

‍

Data‑first access context. By building an authorization graph that shows which users, roles, services, and external principals can reach sensitive data across clouds and SaaS, DSPM reveals over‑privileged access and toxic combinations long before an incident.

‍

Policy‑driven remediation at the source. DSPM isn’t just read‑only. It can auto‑revoke public shares, tighten labels, move or delete stale data, and trigger tickets and workflows in ITSM/SOAR systems to systematically reduce risk at rest.

In a DLP plan, DSPM is the intelligence and control layer for data at rest. It discovers, classifies, labels, and remediates issues at the source, then feeds rich context into endpoint DLP agents and network controls.

That’s the role you want DLP to have a brain for and it’s why DSPM should come first.

Component 2 – Endpoint DLP: Data in Use and Leaving the Org

What is Endpoint DLP and why isn’t it enough on its own?

‍

Even with good posture in your data stores, a huge amount of risk is introduced at endpoints when users:

‍

Copy sensitive data into personal email or messaging apps
Upload confidential documents to unsanctioned SaaS tools
Save regulated data to local disks and USB drives
Take screenshots, copy and paste, or print sensitive content

An Endpoint DLP agent gives you visibility and control over data in use and data leaving the org from user devices.

A well‑designed Endpoint DLP layer should offer:

‍

Rich data lineage. The agent should track how a labeled or classified file moves from trusted data stores (S3, SharePoint, Snowflake, Google Drive, Jira, etc.) to the endpoint, and from there into email, browsers, removable media, local apps, and sync folders. That lineage is essential for both investigation and policy design.

‍

Channel‑aware controls. Endpoints handle many channels: web uploads and downloads, email clients, local file operations, removable media, virtual drives, sync tools like Dropbox and Box. You need policies tailored to these different paths, not a single blunt rule that treats them all the same.

‍

Active prevention and user coaching. Logging is useful, but modern DLP requires the ability to block prohibited transfers (for example, Highly Confidential data to personal webmail), quarantine or encrypt files when risk conditions are met, and present user coaching dialogs that explain why an action is risky and how to do it safely instead.

‍

The most critical design decision is to drive endpoint DLP from DSPM intelligence instead of duplicating classification logic on every laptop. DSPM discovers and labels sensitive content at the data source. When that content is synced or downloaded to an endpoint, files carry their sensitivity labels and metadata with them. The endpoint agent then uses those labels, plus local context like user, device posture, network, and destination, to enforce simple, reliable policies.

That’s far more scalable than asking every agent to rediscover and reclassify all the data it sees.

Component 3 – Network & Cloud Security: Data in Transit

The third leg of a good DLP plan is your network and cloud security layer, typically built from:

SSE/CASB and secure web gateways controlling access to SaaS apps and web destinations
Email security and gateways inspecting outbound messages and attachments
Cloud‑native proxies and API security governing data flows between apps, services, and APIs

Their role in DLP is to observe and govern data in transit:

Between cloud data stores (e.g., S3 to external SaaS)
Between clouds (AWS ↔ GCP ↔ Azure)
Between endpoints and internet destinations (uploads, downloads, webmail, file sharing, genAI tools)

They also enforce inline policies such as:

Blocking uploads of “Restricted” data to unapproved SaaS
Stripping or encrypting sensitive attachments
Requiring step‑up authentication or justification for high‑risk transfers

Again, the key is to feed these controls with DSPM labels and context, not generic heuristics. SSE/CASB and network DLP should treat MPIP or similar labels, along with DSPM metadata (data category, regulation, owner, residency), as primary policy inputs. Email gateways should respect a document already labeled “Highly Confidential – Finance – PCI” as a first‑class signal, rather than trying to re‑guess its contents from scratch. Cloud DLP and Data Detection & Response (DDR) should correlate network events with your data inventory so they can distinguish real exfiltration from legitimate flows.

‍

When network and cloud security speak the same data language as DSPM and endpoint DLP, “data in transit” controls become both more accurate and easier to justify.

How DSPM, Endpoint DLP, and Cloud DLP Work Together

Think of the architecture like this:

‍

DSPM (Sentra) – “Know and label.” It discovers all data stores (cloud, SaaS, on‑prem), classifies content with high accuracy, applies and manages sensitivity labels, and scores risk at the source.
Endpoint DLP – “Control data in use.” It reads labels and metadata on files as they reach endpoints, tracks lineage (which labeled data moved where, via which channels), and blocks, encrypts, or coaches when users attempt risky transfers.
Network / Cloud security – “Control data in transit.” It uses the same labels and DSPM context for inline decisions across web, SaaS, APIs, and email, monitors for suspicious flows and exfil paths, and feeds events into SIEM/SOAR with full data context for rapid response.

Your SOC and IR teams then operate on unified signals, for example:

‍

A user’s endpoint attempts to upload a file labeled “Restricted – EU PII” to an unsanctioned AI SaaS from an unmanaged network.
An API integration is continuously syncing highly confidential documents to a third‑party SaaS that sits outside approved data residency.

This is DLP with context, not just strings‑in‑a‑packet. Each component does what it’s best at, and all three are anchored by the same DSPM intelligence.

Designing Real‑World DLP Policies

Once the three components are aligned, you can design professional‑grade, real‑world DLP policies that map directly to business risk, regulation, and AI use cases.

Regulatory protection (PII, PHI, PCI, financial data)

Here, DSPM defines the ground truth. It discovers and classifies all regulated data and tags it with labels like PII – EU, PHI – US, PCI – Global, including residency and business unit.

‍

Endpoint DLP then enforces straightforward behaviors: block copying PII – EU from corporate shares to personal cloud storage or webmail, require encryption when PHI – US is written to removable media, and coach users when they attempt edge‑case actions.

‍

Network and cloud security systems use the same labels to prevent PCI – Global from being sent to domains outside a vetted allow‑list, and to enforce appropriate residency rules in email and SSE based on those tags.

Because everyone is working from the same labeled view of data, you avoid the policy drift and inconsistent exceptions that plague purely pattern‑based DLP.

Insider risk and data exfiltration

DSPM and DDR are responsible for spotting anomalous access to highly sensitive data: sudden spikes in downloads, first‑time access to critical stores, or off‑hours activity that doesn’t match normal behavior.

Endpoint DLP can respond by blocking bulk uploads of Restricted – IP documents to personal cloud or genAI tools, and by triggering just‑in‑time training when a user repeatedly attempts risky actions.

‍

Network security layers alert when large volumes of highly sensitive data flow to unusual SaaS tenants or regions, and can integrate with IAM to automatically revoke or tighten access when exfiltration patterns are detected.

The result is a coherent insider‑risk story: you’re not just counting alerts; you’re reducing the opportunity and impact of insider‑driven data loss.

Secure and responsible AI / Copilots

Modern DLP strategies must account for AI and copilots as first‑class actors.

DSPM’s job is to identify which datasets feed AI models, copilots, and knowledge bases, and to classify and label them according to regulatory and business sensitivity. That includes training sets, feature stores, RAG indexes, and prompt logs.

‍

Endpoint DLP can prevent users from pasting Restricted – Customer Data directly into unmanaged AI assistants. Network and cloud security can use SSE/CASB to control which AI services are allowed to see which labeled data, and apply DLP rules on prompt and response streams so sensitive information is not surfaced to broader audiences than policy allows.

This is where a platform like Sentra’s data security for AI, and its integrations with Microsoft Copilot, Bedrock agents, and similar ecosystems, becomes essential: AI can still move fast on the right data, while DLP ensures it doesn’t leak the wrong data.

A Pragmatic 90‑Day Plan to Stand Up a Modern DLP Program

If you’re rebooting or modernizing DLP, you don’t need a multi‑year overhaul before you see value. Here’s a realistic 90‑day roadmap anchored on the three components.

Days 0–30: Establish the data foundation (DSPM)

In the first month, focus on visibility and clarity:

‍

Define your top 5–10 protection outcomes (for example, “no EU PII outside approved regions or apps,” “protect IP design docs from external leakage,” “enable safe Copilot usage”).
Deploy DSPM across your primary cloud, SaaS, and key on‑prem data sources.
Build an inventory showing where regulated and business‑critical data lives, who can access it, and how exposed it is today (public links, open shares, stale copies, shadow stores).
Turn on initial sensitivity labeling and tags (MPIP, Google labels, or equivalent) so other controls can start consuming a consistent signal.

Days 30–60: Integrate and calibrate DLP enforcement planes

Next, connect intelligence to enforcement and learn how policies behave:

‍

Integrate DSPM with endpoint DLP so labels and classifications are visible at the endpoint.
Integrate DSPM with M365 / Google Workspace DLP, SSE/CASB, and email gateways so network and SaaS enforcement can use the same labels and context.
Design a small set of policies per plane, aligned to your prioritized outcomes, for example, label‑based blocking on endpoints, upload and sharing rules in SSE, and auto‑revocation of risky SaaS sharing.
Run these policies in monitor / audit mode first. Measure both false‑positive and false‑negative rates, and iterate on scopes, classifiers, and exceptions with input from business stakeholders.

Days 60–90: Turn on prevention and operationalize

In the final month, begin enforcing and treating DLP as a living system:

‍

Move the cleanest, most clearly justified policies into enforce mode (blocking, quarantining, or auto‑remediation), starting with the highest‑risk scenarios.
Formalize ownership across Security, Privacy, IT, and key business units so it’s always clear who tunes what.
Define runbooks that spell out who does what when a DLP rule fires, and how quickly.
Track metrics that matter: reduction in over‑exposed sensitive data, time‑to‑remediate, coverage of high‑value data stores, and for AI the number of agents with access to regulated data and their posture over time.
Use insights from early incidents to tighten IAM and access governance (DAG), improve classification and labels where business reality differs from assumptions, and expand coverage to additional data sources and AI workloads.

By the end of 90 days, you should have a functioning modern DLP architecture: DSPM as the data‑centric brain, endpoint DLP and cloud DLP as coordinated enforcement planes, and a feedback loop that keeps improving posture over time.

Closing Thoughts

A good DLP plan is not just an endpoint agent, not just a network gateway, and not just a cloud discovery tool. It’s the combination of:

‍

DSPM as the data‑centric brain
Endpoint DLP as the in‑use enforcement layer
Network and cloud security as the in‑transit enforcement layer

- all speaking the same language of labels, classifications, and business context.

That’s the architecture we see working in real, complex environments: use a platform like Sentra to know and label your data accurately at cloud scale, and let your DLP and network controls do what they do best, now with the intelligence they always needed.

‍

For CISOs, the takeaway is simple: treat DSPM as the brain of your modern DLP strategy, and the tools you already own will finally start behaving like the DLP architecture you were promised.

<blogcta-big>

Ron Reiter

Co-Founder and CTO

Discover Ron’s expertise, shaped by over 20 years of hands-on tech and leadership experience in cybersecurity, cloud, big data, and machine learning. As a serial entrepreneur and seed investor, Ron has contributed to the success of several startups, including Axonius, Firefly, Guardio, Talon Cyber Security, and Lightricks, after founding a company acquired by Oracle.

Latest Blog Posts

Alejandro Hernández

March 23, 2026

Min Read

Sentra MCP Server: AI-Driven Data Security Operations

The Gap Between Seeing and Doing

Data Security Posture Management has delivered on its promise of visibility. Organizations know where their sensitive data lives, which stores are misconfigured, and how many identities can reach their crown jewels. But a fundamental gap remains: the distance between seeing a security problem and resolving it is still measured in manual steps, context switches, and tribal knowledge.

‍

Security teams spend disproportionate time on operational toil -- navigating dashboards, correlating data across screens, constructing API queries, and manually updating alert statuses. Every alert triage requires the same sequence of clicks. Every compliance audit requires the same series of exports. Every access review requires the same chain of lookups.

The Sentra MCP Server closes this gap by exposing the full breadth and depth of the Sentra platform through the Model Context Protocol (MCP), an open standard that enables AI agents to discover and call tools programmatically. This turns every security operation -- from a simple status check to a multi-step investigation with remediation -- into a natural language conversation.

‍

Unlike read-only MCP implementations that provide a conversational interface to data catalogs, the Sentra MCP Server is a complete security operations platform. It reads, investigates, correlates, and acts. It chains multiple API calls into coherent workflows. And it does so with enterprise-grade safety controls that put security teams in command of what the AI agent can do.

‍

Core thesis: AI-driven DSPM doesn't just tell you what's wrong -- it investigates, triages, and helps you fix it.

How It Works

The Sentra MCP Server sits between AI agents (Claude Desktop, Claude Code, Cursor, or any MCP-compatible client) and the Sentra API, translating natural language requests into precise API call chains.

‍

Sentra MCP Server sits between AI agents and the Sentra API, translating natural language requests into precise API call chains.

Architecture highlights:

‍

Auto-generated tools: The MCP server parses Sentra's OpenAPI specification at startup and dynamically creates tool wrappers using closures with inspect.Signature -- no code generation or exec() required. This means new API endpoints are automatically exposed as tools when the spec is updated.
Unified request pipeline: All tools -- read and write -- flow through a shared HTTP client with connection pooling, automatic retry with exponential backoff for rate limits (429) and server errors (5xx), and consistent error handling.
Safety-first write operations: Write tools are organized into a 6-tier hierarchy from additive-only to destructive, gated behind a feature flag, with UUID validation and explicit safety confirmations for high-risk operations.

Capability Deep Dive

Read Operations by Domain

The Sentra MCP Server exposes read operations across every domain of the Sentra platform:

‍

Domain	Tool Count	Example Operations
Alerts	~20	List alerts, filter by severity/status, get trends, compliance aggregation, risk ratings, affected assets
Threats	~5	List threats, filter by MITRE tactic, get threat details
Data Stores	~20	Inventory stores, filter by type/region/sensitivity, aggregated risk, scan status, top data classes
Data Assets	~10	Search assets, count by type, export, file extensions, classification findings
Data Insights & Classes	~15	Data class distribution, group by account/region/store type/environment, dictionary values
Identity & Access	~15	Search/count identities, accessible stores/assets, full access graphs, permission metadata
Connectors	~5	List connectors, filter by type, associated connectors
Policies	~5	List policies, filter, incident counts
Compliance	~5	Framework compliance aggregation, control mappings, security ratings, rating trends
Audit Logs	~4	Activity feed, aggregated logs, entity-specific logs, activity histograms
DSAR	~3	List DSAR requests, request details, download reports
AI Assets	~2	List AI/ML assets, asset details
Dashboard & Sensitivity	~3	Dashboard summary, sensitivity overview, scan status

‍

Every tool includes enhanced descriptions that guide the AI agent on when to use it, what parameters to pass, how to construct filters, and what follow-up tools to chain for deeper investigation.

Write Operations: The 6-Tier Hierarchy

Write operations are the key differentiator. They transform the MCP server from a query interface into an operations platform. Each tier represents increasing impact and corresponding safety controls:

‍

Tier	Category	Tools	Impact	Safety Controls
1	Additive Only	alert_add_comment, threat_add_comment	Append-only, no state change	Max 1000 chars, cannot delete
2	State Changes	alert_transition, threat_transition	Changes alert/threat status	Validated status + reason enums
3	Scan Triggers	scan_data_store, scan_data_asset	Triggers classification scans	Rate-aware, async execution
4	Configuration	policy_change_status, policy_create	Modifies security policy config	UUID validation, full policy schema validation
5	Metadata Updates	data_store_update_description, data_store_update_custom_tags	Updates store metadata	Input length limits, JSON validation
6	Destructive	data_class_purge	Irreversible deletion of all detections	Requires confirm="PURGE" safety gate

‍

All 11 write tools are gated by the SENTRA_ENABLE_WRITE_OPS environment variable (default: enabled). Setting it to false completely removes all write tools from the MCP server, leaving a read-only interface.

‍

Why this matters: Read-only MCP servers can tell you "this policy generates 200 low-severity alerts." The Sentra MCP Server can tell you that and then disable the policy and resolve its alerts -- in the same conversation.

Composite Investigation Tools

Two composite tools chain multiple API calls into single-invocation investigations:

‍

`investigate_alert(alert_id)` -- Full alert triage in one call:

Retrieves alert details (severity, policy, timestamps)
Fetches affected data assets
Gets alert status change history (recurring?)
Pulls store context (type, region, owner, sensitivity)
Maps accessible identities (blast radius)

`security_posture_summary()` -- Complete security overview:

Dashboard summary metrics
Open alerts aggregated by severity
Overall security rating
Compliance status across frameworks
Risk distribution across data stores
Sensitivity summary

These tools reduce what would be 5-6 sequential API calls into a single invocation, dramatically reducing latency and context window usage for the AI agent.

Guided Workflow Prompts

Five MCP prompts provide pre-built, step-by-step instructions that guide the AI agent through complex security workflows:

‍

Prompt	Parameters	Workflow
triage_alert	alert_id	6-step alert investigation: details, affected assets, store context, blast radius, history, sensitivity
security_posture_overview	none	7-step executive briefing: dashboard, alerts, rating, compliance, risk, sensitivity, threats
compliance_audit_prep	framework (optional)	6-step audit preparation: compliance overview, controls, violations, classification, access, encryption
investigate_identity	identity_id	5-step identity deep dive: details, accessible stores, accessible assets, access graph, related threats
investigate_data_store	store_id	7-step store assessment: details, sensitivity, asset count, access list, alerts, scan status, data classes

‍

Prompts serve as expert runbooks encoded directly into the MCP server. A junior security analyst using these prompts follows the same investigation methodology as a senior engineer.

Use Cases

UC1: Quick Security Status Check

Persona: Security operations analyst starting their shift

‍

Prompt:

"Show me all open alerts by severity and our current security rating."

Tools used: alerts_get_open_alerts_aggregated, alerts_get_risks_security_rating

Value: Instant situational awareness. No dashboard navigation, no login sequence. A 2-second question replaces a 5-minute morning routine.

UC2: Compliance Readiness Assessment

Persona: GRC analyst preparing for an upcoming HIPAA audit

‍

Prompt:

"Prepare HIPAA compliance evidence: show our compliance score, all HIPAA-related controls and their status, any open violations, and data classification coverage for PHI across all data stores."

‍

Tools used: alerts_get_frameworks_compliance_aggregation, alerts_get_framework_controls_mapping, alerts_get_all_external (filtered), data_insights_get_all (filtered for PHI), data_stores_get_all_external (filtered)

‍

Value: Audit preparation that typically takes a full day compressed into a single conversational session. The output is structured for direct inclusion in audit evidence packages.

UC3: Alert Triage and Resolution

Persona: Security engineer responding to an overnight alert

‍

Prompt:

"Investigate alert 7a3f9c21-4b8e-4d2a-9f1c-8e7d6a5b4c3d. Walk me through what happened, what data is at risk, who can access it, and whether this has happened before. If it's a false positive, resolve it and add a comment explaining why."

‍

Tools used: investigate_alert (composite), alert_add_comment (write), alert_transition (write)

‍

Value: End-to-end triage and resolution in one conversation. The composite tool gathers all context in a single call, and write operations close the loop -- no need to switch to the Sentra UI.

UC4: Identity Access Review

Persona: Security architect conducting a quarterly access review

‍

Prompt:

"Show me all external identities with access to high-sensitivity data stores. For the identity with the broadest access, map the full access graph from identity to roles to stores to assets. Flag any stores with open alerts."

‍

Tools used: search_identities (filtered), get_data_access_identities_by_id_accessible_stores, get_data_access_identities_by_id_graph, alerts_get_all_external (filtered per store)

‍

Value: Access reviews that require correlating identity data, store sensitivity, role chains, and alert status -- all unified into a single investigation flow. The graph traversal reveals access paths that flat permission reports miss.

UC5: Policy Noise Reduction (Hero Example)

Persona: Security operations lead tuning policy configurations

‍

Prompt:

"Audit all enabled security policies. For each, show how many open alerts it generates and its severity. Identify policies generating more than 50 low-severity alerts -- those are candidates for tuning. For the noisiest policy, show me sample violated assets so I can verify if it's misconfigured. Then disable that policy and resolve its existing alerts as false positives."

‍

Tools used:

policies_get_all -- Retrieve all enabled policies
policies_get_policy_incidents_count -- Alert counts per policy
alerts_get_all_external -- Alerts filtered to the noisiest policy
alerts_get_violated_store_data_assets_by_alert -- Sample violated assets
policy_change_status -- Disable the misconfigured policy (write)
alert_transition -- Resolve existing alerts as false positives (write)

Value: This is the workflow that defines the difference between observing and operating. A read-only MCP server stops at step 4. Sentra's MCP server completes the full audit-to-remediation cycle, reducing policy noise that would otherwise consume analyst hours every week.

UC6: M&A Data Security Due Diligence

Persona: CISO assessing an acquisition target's data security posture

‍

Prompt:

"We're acquiring Company X. Their AWS connector is 'companyX-aws-prod'. Give me a full data security due diligence report: all data stores in that account, sensitivity levels, open alerts and threats, access permissions, and compliance gaps. Flag anything that would be a deal risk."

‍

Tools used: lookup_connector_by_name, data_stores_get_all_external (filtered), data_stores_get_store_asset_sensitivity, alerts_get_all_external (filtered), threats_get_all_external (filtered), get_data_access_stores_by_id_accessible_identities, alerts_get_frameworks_compliance_aggregation

‍

Value: M&A due diligence that would require a dedicated workstream compressed into a structured assessment. The connector-scoped view ensures the analysis is precisely bounded to the acquisition target's infrastructure.

UC7: Board-Ready Security Briefing

Persona: CISO preparing for a quarterly board presentation

‍

Prompt:

"Prepare my quarterly board security briefing: security rating trend over 90 days, current compliance status by framework, open alerts by severity with quarter-over-quarter comparison, data-at-risk trends, sensitivity summary, and top 5 prioritized recommendations."

‍

Tools used: security_posture_summary (composite), alerts_get_risks_security_rating_trend, alerts_get_trends, alerts_get_data_at_risk_trends, data_stores_get_data_stores_aggregated_by_risk

‍

Value: Board materials that tell a story: where we were, where we are, what we've improved, and what we need to prioritize next. The AI agent synthesizes data from 6+ tools into a narrative suitable for non-technical audiences.

UC8: AI Data Risk Assessment

Persona: AI governance lead assessing training data risk

‍

Prompt:

"Show me all AI-related assets Sentra has discovered. For each, what sensitive data classes are present, who has access to the training data stores, and are there any open security alerts? Summarize the risk posture for our AI/ML workloads."

‍

Tools used: get_all_ai_assets_api_data_access_ai_assets_get, get_ai_asset_by_id_api_data_access_ai_assets__asset_id__get, get_data_access_stores_by_id_accessible_identities, alerts_get_all_external (filtered)

‍

Value: As organizations scale AI initiatives, visibility into what sensitive data feeds AI models becomes critical. This workflow surfaces PII, PHI, or proprietary data in training pipelines before it becomes a regulatory or reputational risk.

Prompt Showcase Gallery

The following prompts are designed to be used directly with any MCP-compatible AI agent connected to the Sentra MCP Server. Each demonstrates a complete workflow with the tools that fire behind the scenes.

Prompt 1: Full Alert Investigation with Remediation

‍

Tools that fire:

alerts_get -- Alert details and policy info
alerts_get_data_assets_by_alert -- Affected data assets
data_stores_get_store -- Store details including sensitivity
get_data_access_stores_by_id_accessible_identities -- Blast radius
alertchangelog_get_alert_changelog_status_change_by_alert_id -- Recurrence check
alert_transition -- Status change (write)
alert_add_comment -- Investigation notes (write)

Expected output: A structured investigation report with severity assessment, impact analysis, blast radius, recurrence history, and confirmed remediation action.

Prompt 2: Compliance Audit Evidence Package

Tools that fire:

alerts_get_frameworks_compliance_aggregation -- Framework scores
alerts_get_framework_controls_mapping -- Control-level detail
alerts_get_all_external -- Open violations by control
get_coverage_metrics_api_scan_hub_visibility_coverage_get -- Scan coverage
count_identities -- Identity totals
search_identities -- Identity type breakdown
alerts_get_risks_security_rating_trend -- Rating trend

Expected output: A multi-section evidence package with quantified compliance metrics, identified gaps, and trend data demonstrating continuous improvement.

Prompt 3: Identity Blast Radius Analysis

‍

Tools that fire:

get_identity_by_id_api_data_access_identities__identity_id__get -- Identity profile
get_data_access_identities_by_id_accessible_stores -- Accessible stores
data_stores_get_store_asset_sensitivity -- Per-store sensitivity
get_data_access_identities_by_id_graph -- Full access graph
threats_get_all_external -- Threats on accessible stores
alerts_get_all_external -- Alerts on accessible stores
get_data_access_identities_by_id_accessible_assets -- Top sensitive assets

Expected output: A risk-scored blast radius report with the identity's complete reach across the data estate, active threats in the blast zone, and a prioritized recommendation.

Prompt 4: Data Store Security Deep Dive

‍

Tools that fire:

data_stores_get_store -- Store profile
data_stores_get_store_asset_sensitivity -- Sensitivity breakdown
data_stores_get_store_assets_count -- Asset count
datastorecontroller_getfileextensionsbydatastoreid -- File type breakdown
get_data_access_stores_by_id_accessible_identities -- Identity access
alerts_get_all_external -- Open alerts (filtered)
data_stores_get_store_scan_status -- Scan status
data_stores_get_data_stores_aggregated_by_risk -- Risk context
data_store_update_custom_tags -- Apply review tags (write)
data_store_update_description -- Update description (write)

Expected output: A comprehensive store security assessment with metadata updates applied directly to the store record for audit trail purposes.

Prompt 5: Weekly Security Operations Digest

‍

Tools that fire:

alerts_get_trends -- Alert trend data
alerts_get_open_alerts_aggregated -- Current severity breakdown
threats_get_all_external -- Recent critical/high threats
alerts_get_frameworks_compliance_aggregation -- Compliance scores
data_stores_get_data_stores_aggregated_by_risk -- High-risk stores
get_assets_scanned_api_scan_hub_visibility_assets_scanned_get -- Scan coverage
security_posture_summary -- Overall posture

Expected output: A formatted weekly digest suitable for team distribution, with trend comparisons, prioritized actions, and metrics that track security operations performance.

Competitive Differentiation

Sentra vs. Read-Only Metadata MCP Servers

Dimension	Read-Only MCP Servers	Sentra MCP Server
Tool count	5–20 data catalog tools	130+ tools across 13+ domains
Operations	Read-only queries	Read + 11 write operations
Investigation depth	Single-tool lookups	Multi-step composite investigations
Guided workflows	None	5 pre-built security prompts
Security domains	Data catalog only	Alerts, threats, identity, compliance, DSAR, AI assets, policies, and more
Write operations	None	Comment, transition, scan, policy management, metadata updates
Safety controls	N/A	6-tier hierarchy, feature flags, UUID validation, safety gates
Deployment options	Desktop only	Desktop, CLI, Docker with TLS

Five Key Differentiators

1. Operational depth, not just observational breadth. The 11 write operations across 6 safety tiers transform the MCP server from a query interface into an operations platform. Security teams don't just find problems -- they fix them.

2. Composite investigation tools. The investigate_alert and security_posture_summary tools chain 5-6 API calls into single invocations. This isn't just convenience -- it reduces AI agent round trips, lowers latency, and keeps conversation context focused on analysis rather than data gathering.

3. Guided workflow prompts. Five pre-built prompts encode expert investigation methodologies directly into the MCP server. A junior analyst following the triage_alert prompt performs the same investigation as a senior engineer.

4. Full security domain coverage. From DSAR processing to AI asset risk assessment to MITRE ATT&CK threat mapping to identity graph traversal -- the Sentra MCP Server covers security operations end to end, not just the data catalog slice.

5. Enterprise-grade safety architecture. Write operations aren't an afterthought. The 6-tier hierarchy, feature flag gating, UUID validation, and explicit safety gates (like requiring confirm="PURGE" for destructive operations) ensure that conversational access doesn't compromise operational safety.

Security and Governance

The Sentra MCP Server is designed for enterprise security environments where the tools themselves must meet the same security standards as the data they protect.

Authentication and Authorization

Sentra API authentication via X-Sentra-API-Key header on all outbound API calls
MCP endpoint authentication via X-MCP-API-Key header for HTTP transport (prevents unauthorized agent connections)
API key permissions inherit from the Sentra platform -- the MCP server cannot exceed the privileges of the configured API key

Input Validation

UUID validation on all identifier parameters (alert_id, threat_id, policy_id, class_id) before HTTP calls are made
Input length limits on all string parameters (1000 chars for comments, 2000 chars for descriptions)
JSON schema validation for policy creation and tag updates
Enum validation for status transitions (only valid statuses and reasons accepted)

Network Security

SSRF protection blocks requests to private IP ranges (169.254.x, 10.x, 172.16-31.x, 192.168.x) and cloud metadata endpoints
HTTPS enforcement for all non-localhost connections
TLS-native deployment with certificate and key configuration for direct HTTPS serving
CORS controls with configurable origin allowlists for HTTP transport

Operational Safety

Feature flag gating (SENTRA_ENABLE_WRITE_OPS) enables or disables all write operations with a single environment variable
6-tier write hierarchy ensures destructive operations require explicit safety confirmation
Error sanitization strips internal details (hostnames, file paths, stack traces) from error responses returned to clients
Audit trail -- all write operations are recorded in Sentra's audit log, maintaining full traceability

Container Security

Docker deployment with non-root user, read-only filesystem, and resource limits
Health endpoint (/health) for orchestrator readiness probes, accessible without authentication

Deployment Options

Deployment Mode	Transport	Authentication	Use Case
Claude Desktop	stdio	Sentra API key only	Individual security analyst, local development
Claude Code / Cursor	stdio	Sentra API key only	Developer workflow integration, IDE-embedded security
Docker (Production)	HTTP (streamable-http)	Sentra API key + MCP API key + TLS	Team-shared instance, production security operations

‍

Prerequisites

Python 3.11+ (or Docker)
Sentra API key with v3 access
Network access to your Sentra instance (typically https://app.sentra.io)

Quick Start (Claude Desktop)

Add to your Claude Desktop MCP configuration:

Production Deployment (Docker with TLS)

‍

Configuration Reference

Environment Variable	Default	Description
SENTRA_API_KEY	(required)	Sentra API key for platform access
SENTRA_BASE_URL	https://app.sentra.io	Sentra API base URL
SENTRA_ENABLE_WRITE_OPS	true	Enable/disable all write operations
SENTRA_MCP_TRANSPORT	stdio	Transport mode: stdio, streamable-http, sse
SENTRA_MCP_API_KEY	(none)	API key required for HTTP transport authentication
SENTRA_MCP_HOST	0.0.0.0	HTTP transport bind address
SENTRA_MCP_PORT	8000	HTTP transport port
SENTRA_MCP_PATH	/mcp	HTTP transport endpoint path
SENTRA_MCP_SSL_CERTFILE	(none)	TLS certificate file path
SENTRA_MCP_SSL_KEYFILE	(none)	TLS private key file path
SENTRA_MCP_CORS_ORIGINS	(none)	Comma-separated allowed CORS origins
SENTRA_MCP_MODE	full	full (all tools) or cursor (priority subset)

‍

Call to Action

For Existing Sentra Customers

The MCP server is available today. Deploy it alongside your existing Sentra instance and start using natural language to investigate alerts, prepare compliance reports, and manage security operations. Contact your Sentra account team for deployment guidance and best practices.

For Security Teams Evaluating DSPM

The Sentra MCP Server demonstrates what modern data security operations look like: conversational, automated, and end-to-end. Request a demo to see how AI-driven security operations can reduce alert triage time, accelerate compliance preparation, and close the gap from detection to response.

For Security Engineers

The MCP server is open for customization. Add your own tools, create custom prompts that encode your organization's investigation methodologies, and integrate with your existing security workflows. The architecture is designed for extensibility -- every tool registered through the OpenAPI spec is automatically available, and custom tools can be added alongside the auto-generated ones.

‍

The future of data security operations is conversational. Investigate, triage, and resolve -- not just query.

To see Sentra MCP in action Request a Demo

<blogcta-big>

‍

Nikki Ralston

March 16, 2026

Min Read

S3 Bucket Security Best Practices

Amazon S3 is one of the most widely used cloud storage services in the world, and with that scale comes real security responsibility. Misconfigured buckets remain a leading cause of sensitive data exposure in cloud environments, from accidentally public objects to overly permissive policies that go unnoticed for months. Whether you're hosting static assets, storing application data, or archiving compliance records, getting S3 bucket security right is not optional. This guide covers foundational defaults, policy configurations, and practical checklists to give you an actionable reference as of early 2026.

How S3 Bucket Security Works by Default

A common misconception is that S3 buckets are inherently risky. In reality, all S3 buckets are private by default. When you create a new bucket, no public access is granted, and AWS automatically enables Block Public Access settings at the account level.

‍

Access is governed by a layered permission model where an explicit Deny always overrides an Allow, regardless of where it's defined. Understanding this hierarchy is the foundation of any secure configuration:

‍

IAM identity-based policies, control what actions a user or role can perform
Bucket resource-based policies, define who can access a specific bucket and under what conditions
Access Control Lists (ACLs), legacy object-level permissions (AWS now recommends disabling these entirely)
VPC endpoint policies, restrict which buckets and actions are reachable from within a VPC

AWS recommends setting S3 Object Ownership to "bucket owner enforced," which disables ACLs. This simplifies permission management significantly, instead of managing object-level ACLs across millions of objects, all access flows through bucket policies and IAM, which are far easier to audit.

AWS S3 Security Best Practices

A defense-in-depth approach means layering multiple controls rather than relying on any single setting. Here is the current AWS-recommended baseline:

‍

Practice	Details
Block public access	Enable S3 Block Public Access at both bucket and account levels. Enforce via Service Control Policies (SCPs) in AWS Organizations.
Least-privilege IAM	Grant only specific actions each role needs. Avoid "Action": "s3:*" in production. Use presigned URLs for temporary access. Learn more about AWS IAM.
Encrypt at rest and in transit	Configure default SSE-S3 or SSE-KMS encryption. Enforce HTTPS by denying requests where aws:SecureTransport is false.
Enable versioning & Object Lock	Versioning preserves object history for recovery. Object Lock enforces WORM for compliance-critical data.
Unpredictable bucket names	Append a GUID or random identifier to reduce risk of bucket squatting.
VPC endpoints	Route internal workload traffic through VPC endpoints so it never traverses the public internet.

‍

S3 Bucket Policy Examples for Common Security Scenarios

Bucket policies are JSON documents attached directly to a bucket that define who can access it and under what conditions. Below are the most practically useful examples.

Enforce HTTPS-Only Access

{
"Version": "2012-10-17",
"Statement": [{
"Sid": "RestrictToTLSRequestsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::your-bucket-name",
"arn:aws:s3:::your-bucket-name/*"
],
"Condition": { "Bool": { "aws:SecureTransport": "false" } }
}]
}

Deny Unencrypted Uploads (Enforce KMS)

{

"Version": "2012-10-17",

"Statement": [{

"Sid": "DenyObjectsThatAreNotSSEKMS",

"Principal": "*",

"Effect": "Deny",

"Action": "s3:PutObject",

"Resource": "arn:aws:s3:::your-bucket-name/*",

"Condition": {

"Null": {

"s3:x-amz-server-side-encryption-aws-kms-key-id": "true" } } }]}

Other Common Patterns

Restrict to a specific VPC endpoint: Use the aws:sourceVpce condition key to ensure the bucket is only reachable from a designated private network.
Grant CloudFront OAI access: Allow only the Origin Access Identity principal, keeping objects private from direct URL access while serving them through the CDN.
IP-based restrictions: Use NotIpAddress with aws:SourceIp to deny requests from outside a trusted CIDR range.

Always use "Version": "2012-10-17" and validate policies through IAM Access Analyzer before deployment to catch unintended access grants.

Enforcing SSL with the s3-bucket-ssl-requests-only Policy

Forcing all S3 traffic over HTTPS is one of the most straightforward, high-impact controls available. The AWS Config managed rule s3-bucket-ssl-requests-only checks whether your bucket policy explicitly denies HTTP requests, flagging non-compliant buckets automatically.

‍

The policy evaluates the aws:SecureTransport condition key. When a request arrives over plain HTTP, this key evaluates to false, and the Deny statement blocks it. This applies to all principals, AWS services, cross-account roles, and anonymous requests alike. Adding the HTTPS-only Deny statement shown in the policy examples section above satisfies both the AWS Config rule and common compliance requirements under PCI-DSS and HIPAA.

Using an S3 Bucket Policy Generator Safely

The AWS Policy Generator is a useful starting point, but generated policies require careful review before going into production. Follow these steps:

‍

Select "S3 Bucket Policy" as the policy type, then fill in the principal, actions, resource ARN, and conditions (e.g., aws:SecureTransport or aws:SourceIp).
Check for overly broad principals, avoid "Principal": "*" unless intentional.
Verify resource ARNs are scoped correctly (bucket-level vs. object-level).
Use IAM Access Analyzer's "Preview external access" feature to understand the real-world effect before saving.

The generator is a scaffold, security judgment still applies. Never paste generated JSON directly into production without review.

S3 Bucket Security Checklist

Use this consolidated checklist to audit any S3 bucket configuration:

‍

Control	Status
Block Public Access	Enabled at account and bucket level
ACLs disabled	Object Ownership set to "bucket owner enforced"
Default encryption	SSE-S3 or SSE-KMS configured
HTTPS enforced	Bucket policy denies aws:SecureTransport: false
Least-privilege IAM	No wildcard actions in production policies
Versioning	Enabled; Object Lock for sensitive data
Bucket naming	Includes unpredictable identifiers
VPC endpoints	Configured for internal workloads
Logging & monitoring	Server access logging, CloudTrail, GuardDuty, and IAM Access Analyzer active
AWS Config rules	s3-bucket-ssl-requests-only and related rules enabled
Disaster recovery	Cross-region replication configured where required

‍

How Sentra Strengthens S3 Bucket Security at Scale

Applying the right bucket policies and IAM controls is necessary, but at enterprise scale, knowing which buckets contain sensitive data, how that data moves, and who can access it becomes the harder problem. This is where cloud data exposure typically occurs: not from a single misconfigured bucket, but from data sprawl across hundreds of buckets that no one has a complete picture of.

‍

Sentra discovers and classifies sensitive data at petabyte scale directly within your environment, data never leaves your control. It maps data movement across S3, identifies shadow data and over-permissioned buckets, and enforces data-driven guardrails aligned with compliance requirements. For organizations adopting AI, Sentra provides the visibility needed to ensure sensitive training data or model outputs in S3 are properly governed. Eliminating redundant and orphaned data typically reduces cloud storage costs by around 20%.

‍

S3 bucket security is not a one-time configuration task. It's an ongoing practice spanning access control, encryption, network boundaries, monitoring, and data visibility. The controls covered here, from enforcing SSL and disabling ACLs to using policy generators safely and maintaining a security checklist, give you a comprehensive framework. As your environment grows, pairing these technical controls with continuous data discovery ensures your security posture scales with your data, not behind it.

‍

Nikki Ralston

March 15, 2026

Min Read

How to Evaluate DSPM and DLP for Copilot and Gemini: A Security Architect’s Buyer’s Guide

Most security architects didn’t sign up to be AI product managers. Yet that’s what Copilot and Gemini rollouts feel like: “We want this in every business unit, as soon as possible. Make sure it’s safe.”

‍

If you’re being asked to recommend or validate a DSPM platform, or to justify why your existing DLP stack is or isn’t enough, you need a realistic, vendor‑agnostic set of criteria that maps to how Copilot and Gemini actually work.

This guide is written from that perspective: what matters when you evaluate DSPM and DLP for AI assistants, what’s table stakes vs. differentiating, and what you should ask every vendor before you bring them to your steering committee.

1. Start with the AI use cases you actually have

Before you look at tools, clarify your Copilot and/or Gemini scope:

‍

Are you rolling out Microsoft 365 Copilot to a pilot group, or planning an org‑wide deployment?
Are you enabling Gemini in Workspace only, or also Gemini for dev teams (Vertex AI, custom LLM apps, RAG)?
Do you have existing AI initiatives (third‑party SaaS copilots, homegrown assistants) that will access M365 or Google data?

This matters because different tools have very different coverage:

‍

Some are M365‑centric with shallow Google support.
Others focus on cloud infrastructure and data warehouses, and barely touch SaaS.
Very few provide deep, in‑environment visibility across both SaaS and cloud platforms, which is what you need if Copilot/Gemini are just the tip of your AI iceberg.

Define the boundary first; evaluate tools second.

2. Non‑negotiable DSPM capabilities for Copilot and Gemini

When Copilot and Gemini are in scope, “generic DSPM” is not enough. You need specific capabilities that touch how those assistants see and use data.

‍

2.1 Native visibility into M365 and Workspace

‍

At minimum, a viable DSPM platform must:

Discover and classify sensitive data across SharePoint, OneDrive, Exchange, Teams and Google Drive / shared drives.
Understand sharing constructs (public/org‑wide links, external guests, shared drives) and relate them to data sensitivity.
Support unstructured formats including Office docs, PDFs, images, and audio/video files.

Ask vendors:

“Show me, live, how you discover sensitive data in Teams chats and OneDrive/Drive folders that are Copilot/Gemini‑accessible.”
“Show me how you handle PDFs, audio, and meeting recordings - not just Word docs and spreadsheets.”

Sentra, for example, was explicitly built to discover sensitive data across IaaS, PaaS, SaaS, and on‑prem, and to handle formats like audio/video and complex PDFs as first‑class sources.

‍

2.2 In‑place, agentless scanning

‍

For many organizations, it’s now a hard requirement that data never leaves their cloud environment for scanning. Evaluate if the vendor scan in‑place within your tenants, using cloud APIs and serverless functions or do they require copying data or metadata into their infrastructure?

Sentra’s architecture is explicitly “data stays in the customer environment”, which is why large, regulated enterprises have standardized on it.

‍

2.3 AI‑grade classification accuracy and context

‍

Copilot and Gemini are only as safe as your labels and identity model. That requires:

High‑accuracy classification (>98%) across structured and unstructured content.
The ability to distinguish synthetic vs. real data and to attach rich context: department, geography, business function, sensitivity, owner.

Ask:

“How do you measure classification accuracy, and on what datasets?”
“Can you show me how your platform treats, for example, a Zoom recording vs. a scanned PDF vs. a CSV export?”

Sentra uses AI‑assisted models and granular context classes at both file and entity level, which is why customers report >98% accuracy and trust the labels enough to drive enforcement.

3. Evaluating DLP in an AI‑first world

Most enterprises already have DLP: endpoint, email, web, CASB. The question is whether it can handle AI assistants and the honest answer is that DLP alone usually can’t, because:

‍

It operates blind to real data context, relying on regex and static rules.
It usually doesn’t see unstructured SaaS stores or AI outputs reliably.
Policies quickly become so noisy that they get weakened or disabled.

The evaluation question is not “DLP or DSPM?” It’s:

“Which DSPM platform can make my DLP stack effective for Copilot and Gemini, without a rip‑and‑replace?”

‍

Look for:

Tight integration with Microsoft Purview (for MPIP labels and Copilot DLP) and, where relevant, Google DLP.
The ability to auto‑apply and maintain labels that DLP actually enforces.
Support for feeding data context (sensitivity + business impact + access graphs) into enforcement decisions.

Sentra becomes the single source of truth for sensitivity and business impact that existing DLP tools rely on.

4. Scale, performance, and operating cost

AI rollouts increase data volumes and usage faster than most teams expect. A DSPM that looks fine on 50 TB may struggle at 5 PB.

Evaluation questions:

“What’s your largest production deployment by data volume? How many PB?”
“How long does an initial full scan take at that scale, and what’s the recurring scan pattern?”
“What does cloud compute spend look like at 10 PB, 50 PB, 100 PB?”

Sentra customer tests prove ability to scan 9 PB in under 72 hours at 10–1000x greater scan efficiency than legacy platforms, with projected scanning of 100 PB at roughly $40,000/year in cloud compute.

If a vendor can’t answer those questions quantitatively, assume you’ll be rationing scans, which undercuts the whole point of DSPM for AI.

5. Governance, reporting, and “explainability” for architects

Your stakeholders, security leadership, compliance, boards, will ask three things:

‍

“Where, exactly, can Copilot and Gemini see regulated data?”
“How do we know permissions and labels are correct?”
“Can you prove we’re compliant right now, not just at audit time?”

A strong DSPM platform helps you answer those questions without building custom reporting in a SIEM:

‍

AI‑specific risk views that show AI assistants, datasets, and identities in one place.
Compliance mappings to frameworks like GLBA, SOX, FFIEC, GDPR, HIPAA, PCI DSS, and state privacy laws.
Executive‑ready summaries of AI‑related data risk and progress over time (e.g., percentage of regulated data coverage, number of Copilot‑accessible high‑risk stores before vs. after remediation).

Sentra’s AI Data Readiness and continuous compliance materials give a good template for what “explainable DSPM” looks like in practice.

6. Putting it together: A concise RFP checklist

When you boil it down, your evaluation criteria for DSPM/DLP for Copilot and Gemini should include:

In‑place, multi‑cloud/SaaS discovery with strong M365 and Workspace coverage
Proven high‑accuracy classification and rich business context for unstructured data
Identity‑to‑data mapping with least‑privilege insights
Native integrations with MPIP/Purview and Google DLP, with label automation
Real‑world scale (PB‑level) and quantified cloud cost
AI‑aware risk views, compliance mappings, and reporting

Use those as your “table stakes” in RFPs and technical deep dives. You can add vendor‑specific questions on top, but if a tool can’t clear this bar, it will not make Copilot and Gemini genuinely safe - it will just give you more dashboards.

<blogcta-big>

‍

Expert Data Security Insights Straight to Your Inbox

What Should I Do Now:

Get the latest GigaOm DSPM Radar report - see why Sentra was named a Leader and Fast Mover in data security. Download now and stay ahead on securing sensitive data.

Sign up for a demo and learn how Sentra’s data security platform can uncover hidden risks, simplify compliance, and safeguard your sensitive data.

Follow us on LinkedIn, X (Twitter), and YouTube for actionable expert insights on how to strengthen your data security, build a successful DSPM program, and more!