























Your organization made a commitment: Customer data stays in your infrastructure. No exceptions.
That commitment isn’t theoretical. It’s written into customer contracts. It shows up in audits. And it shapes internal governance policies. The rule is clear, yet your Data Loss Prevention (DLP) solution sends every file to an external cloud for scanning. Even if that cloud is in the same region, data still leaves your control.
This is the data sovereignty paradox. Organizations commit to keeping sensitive data within specific boundaries, but traditional cloud-based DLP solutions undermine those commitments by forcing data to move outside of internal infrastructure.
For years, security teams with strict in-tenant requirements had no good options. Even cloud-delivered DLP meant data leaving their control.
Today, that changes.
As of February 2026, Symantec has launched Distributed Detection Service (DDS)—a fundamentally different approach to enterprise DLP.
DDS deploys scanning engines directly in your infrastructure, where data is processed locally and only metadata and incident reports flow to centralized management. This architectural shift unlocks new use cases that cloud DLP couldn't support, including real-time API scanning without latency penalties, AI safety guardrails, and compliance-by-design for high-scale machine learning (ML) pipelines.
Distributed infrastructure is now the norm. By FY27, Gartner predicts 90% of organizations will have adopted a hybrid cloud approach. As business-critical data spans cloud and on-premise environments, DLP needs to align to that reality.
Here’s what distributed detection changes—and what it makes possible.
Data control requirements rarely come from a single source. While regulations like GDPR, LGPD, and India's DPDP Act establish geographic residency baselines, many organizations face stricter constraints:
For these organizations, regional cloud deployment isn't enough. The requirement is in-tenant processing—data must stay within infrastructure they directly control. When this requirement isn't met, organizations face consequences ranging from customer trust erosion to contract violations and operational disruption.
Consider a FinServ organization contractually obligated to retain customer data within its own cloud tenant—not just within a geographic region, but within infrastructure it directly controls. Cloud DLP solutions, even with regional edge locations, still require data to leave the customer's environment for scanning. For institutions subject to strict regulatory scrutiny or contractual mandates for in-tenant data processing, this creates a compliance gap that regional deployment alone cannot solve.
Organizations need a DLP solution that respects data sovereignty without sacrificing centralized management.
Until now, that option didn't exist.
DDS is a cloud-native DLP scanning engine deployed in your infrastructure—on-premises, in your private cloud, or within your cloud region. Built on a containerized architecture, DDS deploys flexibly to match your workload demands.
Scanning happens locally using DLP REST APIs for both data-at-rest and data-in-motion. Raw content does not leave the tenant for inspection. Only metadata and incident reports flow to centralized management via Symantec CloudSOC or Enforce.
This architectural approach, commonly referred to as in-tenant scanning—means data is scanned within your own cloud tenant or data center, without sending the raw data to Broadcom's cloud for processing.
Note: While raw data is scanned locally, incident reports (including content that triggered policy violations) are transmitted to the centralized management console for review and response. This is necessary for security teams to investigate and act on incidents.
Files are scanned on DDS nodes in your environment. Only findings, violations, and metadata are reported to your central management console.
Think of it as running your metal detector at your entrance rather than routing everyone to an external screening facility.
Local scanning doesn’t mean fragmented governance. You maintain centralized policy management through Symantec DLP, with consistent incident reporting across deployment locations. A unified view across your organization. Whether DDS nodes run in your data center, AWS, GCP, or Azure, incidents flow to the same management console.
DDS is platform agnostic. Deploy where your data lives:
This flexibility supports hybrid and multi-cloud architectures. You're not locked into a single deployment model.
DDS uses a containerized deployment model designed for modern infrastructure. Multiple DDS nodes can be deployed and load-balanced across your environment. Horizontal scaling means performance can grow with your workloads.
Local processing eliminates the network round-trip latency inherent in cloud-based scanning—critical for real-time API use cases where every millisecond matters.
Because scanning happens within your tenant:
The comparison below shows how DDS differs from Cloud Detection Service (CDS), Symantec's traditional cloud-based DLP scanning:

New Use Cases: AI safety, real-time APIs, and data control at scale
DDS isn't just about sovereignty—it enables architectural patterns that cloud DLP can’t support.
GenAI adoption is accelerating, but organizations often underestimate data leakage risks. Users include PII and credentials in chatbot prompts. Models hallucinate sensitive information in responses. These aren't fringe cases—they're happening in production systems right now.
DDS offers a solution: Scan AI/LLM interactions at the application boundary:
The key advantage is latency. With DDS deployed close to the application, scanning adds minimal overhead per request. With cloud DLP, that overhead becomes unacceptable for real-time applications.
Cloud DLP introduces unacceptable latency for real-time API scanning. APIs designed for immediate responses can’t tolerate a cloud round-trip on every request. DDS deployed near API gateways solves this with:
ML training datasets often contain PII, credentials, or sensitive information. This conflicts with data minimization requirements under regulations like GDPR.
DDS integrates into data pipelines (Apache Airflow, Kubernetes orchestrators, cloud schedulers) with:
Organizations need visibility into internal traffic flows—not just north-south perimeter traffic. DDS can inspect:
This closes visibility gaps that perimeter-focused DLP solutions miss.
Organizations have massive cloud storage footprints—S3 buckets, GCS buckets, Azure Blob storage filled with sensitive data. Traditional cloud DLP discovery scans introduce latency and operational complexity. Many organizations skip discovery at scale because it’s disruptive.
DDS deployed locally within your cloud VPCs changes that.
The cloud-first mindset has dominated enterprise security for over a decade, in which traditional cloud DLP forced a trade-off between security visibility and data sovereignty. DDS reduces that trade off significantly—a shift toward a new reality that puts local processing and centralized management at the forefront. Data is inspected locally while your policies stay centralized, and infrastructure scales with demand. Data sovereignty is no longer a regulatory afterthought, but delivered by architecture.
For organizations with strict data control requirements, real-time performance demands, or high-scale scanning workloads, this unlocks a new capability category. One that Symantec is committed to supporting the proliferation of. February 2026 marks an important milestone of making data-sovereign DLP broadly accessible.
DDS provides the infrastructure. The strategy is yours. As of February 2026, organizations can deploy Symantec DDS for immediate use cases:
Visit the Symantec DDS documentation for deployment guides and API references, or contact your account team to discuss your data sovereignty requirements.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。