With the widespread use of cloud-based storage and mobile computing devices, enterprises and other organizations are subject to loss and leakage of their sensitive information, as a result of both inadvertent and malicious user activity. Data Loss Prevention (“DLP”) systems can monitor, detect and block operations on sensitive information when it is accessed, transmitted and stored. By doing so, DLP systems can protect sensitive information according to an organizational policy. For example, within a given company certain members of the Human Resources department may be authorized to access personal employee information such as home addresses and social security numbers. However, printing such personal employee information or copying it to non-company cloud storage could be a violation of company policy. DLP systems can classify specific information as sensitive, identify and monitor such information, and detect and block undesirable incidents.
Print is a unique threat vector for DLP, in which digital information is converted into a physical medium. Thus, print is an operation that is important for a DLP system to monitor. Under Microsoft Windows®, monitoring print operations was conventionally performed by intercepting Microsoft's Graphics Device Interface (“GDI”) Application Program Interface (“API”). However, this only works in the case where the application in question uses GDI-based printing. Windows print technology has evolved substantially over the years, and currently utilizes interface technologies such as GDI, Extensible Markup Language (“XML”) Paper Specification (“XPS”), Print Ticket and Document Package APIs.
Furthermore, in some scenarios it is not practicable for a DLP system even to be aware of specific applications in order to intercept their print operations at an application level, for example where application sandboxing and code integrity checks are in use.
It would be desirable to address these issues.