When someone talks undertaking a “Data Loss Prevention” (DLP) initiative, they are usually talking about deploying a product from one of the DLP vendors such as McAfee, Symantec, EMC/RSA and so on. Much like I talked about in this post on application security, a product cannot solve what first and foremost is a process problem. The same is true with data protection.
Data protection is the process of identifying and understanding where and how sensitive information is created, used, processed, moved, shared, stored and retired and protecting it throughout this lifecycle.
Endpoint DLP is a possible technical control to map against this process. So is endpoint encryption. So is endpoint device control. So are email and web security gateways that support basic DLP functions. Start first with the process, identity and prioritize gaps, then decide where a tool is needed.