Armorblox earlier this month announced that it’s now using natural language processing (NLP) to offer enhanced data loss prevention (DLP) and role-based access controls (RBAC) for email administrators.

Dhananjay (DJ) Sampath, co-founder and CEO at Armorblox, said the enhanced DLP uses NLP techniques to stop unauthorized disclosure of PII, PCI, PHI with automatic identification and encryption of sensitive data across emails, attachments, and documents. In that sense, the privilege is associated not just with accounts and access, he said, but with the type of data you send and receive.

Here’s how it might work: If a CEO never sent an email before with sensitive documents to investors, the system would catch it as an anomaly. The system would also block any email-based invoice payments that were not sent to the company’s regular third-party vendors. 

"It’s crucial, especially when it’s tied to email administration,” Sampath said.

More broadly, the offering reflects an evolution in identity security to focus more on the individual user, versus the endpoint.

Frank Dickson, who covers security and trust at IDC, said that such role-based access targets traditional employee identity use cases to implement increasing granular least privileged access policies as security professionals look to move their organizations down the zero-trust path.

Privileged access management "is a specific set of use cases,” he said, while "role-based access is traditional to identity. Both are critical in zero trust programs.”

Dave Gruber, a principal analyst at the Enterprise Strategy Group, said role-based access solves two problems for email administrators. First, with impersonation and credential theft continuing as a major issue, reducing the privileges assigned to any given IT or security team members limits the blast radius of a successful credential theft or impersonation attack. Second, with so much sensitive data flowing through email, the addition of DLP and encryption capabilities makes a ton of sense, said Gruber.

“Anyone with admin capabilities has the potential of accessing restricted information, so these new role-based access features let admins be granted DLP admin access separately from other admin functions, stopping them from seeing restricted data,” said Gruber.

Sampath said the new DLP and role-based access features are live at Armorblox customers, who integrate the Armorblox email tool into Azure AD.