The Best Sensitive Data Discovery Tools

The rules around the treatment of Personally Identifiable Information (PII) are complicated and failure to protect PII can be devastating for the business both financially and in terms of reputation. As it is so important to protect PII from accidental disclosure or inappropriate use, this information requires an extra security process in addition to the access controls imposed on all company data stores. Knowing where the stores of PII are, is step one in controlling access, so sensitive data discovery tools are fundamental to the protection of PII.

Many business processes will require access to PII. For example, the sales department will need information about customer habits, the dispatch office will need address information and the financial office will be responsible for processing payments. This means that customer information can be spread over several storage locations. Distributed systems for global operations might have local data stores in each branch. So, there can be many places where PII is held.

Here is our list of the best sensitive data discovery tools:

1. iDox.ai Sensitive Data Discovery – EDITOR’S CHOICE This platform provides a tailored discovery service for HIPAA, PCI DSS, SOX, FISMA, GDPR, PIPEDA, and CCPA. The package runs on Docker, AWS, and Azure and you can also access it as an API. Start a 7-day free trial.
2. ManageEngine Endpoint DLP Plus (FREE TRIAL) A bundle of data protection services that include sensitive data discovery and categorization. The console offers temples to simplify data protection policy creation. Available for Windows Server. Get a 30-day free trial.
3. ManageEngine DataSecurity Plus (FREE TRIAL) This package of data protection tools includes a Data Risk Assessment module that locates, protects, and tracks sensitive data. It is available for Windows Server. Start a 30-day free trial.
4. N-able Risk Intelligence This data breach vulnerability assessment tool includes PII data discovery along with other security tightening systems, such as a permissions analyzer. This is a cloud platform.
5. Spirion Sensitive Data Manager A tracker and manager for sensitive data that can locate sensitive data stores on the local network, remote sites, and on cloud systems. Available for installation on Windows Server or as a SaaS package with device agents for Windows, macOS, and Linux.
6. Datadog Sensitive Data Scanner This cloud-based system is able to scan servers for sensitive data instances according to the patterns that you set up, then redact it or log access to it.
7. Thales CipherTrust Data Discovery and Classification This cloud platform launches searches for sensitive data on your local and remote sites and also on the cloud.
8. Azure Information Protection This service from the well-known cloud platform tracks your sensitive data no matter where it is – it doesn’t have to be on an Azure server.
9. Mage iDiscover An AI-based tracker for sensitive data that categorizes data for GDPR, CCPA, and HIPAA requirements, among other standards. This is a cloud platform.

You can read more about each of these options in the following sections.

Management of sensitive data

There is a strong business case for centralizing data stores. However, that is a separate issue to the protection of sensitive data. If you can centralize data you can eliminate redundancy. You can also control access better because you only need to have one instance of supervisory software running.

Whether you intend to move sensitive data or leave it in its many current locations, you first need to identify it. To find sensitive data, you need to locate all data and categorize it. Even “sensitive data” is not one category – there are many types of sensitive data. So, a sensitive data discovery tool needs to be able to categorize data as well as locate it.

The best sensitive data discovery tools

A sensitive data discovery tool has a finite requirement. You would expect that the discovery process should be ongoing. Ordinarily, it can be expected that PII will always be stored in the same locations, so once several servers and folders have been identified, they will probably be the only places to continue to look. However, PII data needs to be tracked and sensitive data discovery tools can play a part in tracking the distribution – authorized or otherwise – of that data.

As the discovery of sensitive data is just one step in the process of protecting PII, the best tools for the job should be integrated into data management systems that perform a wide range of administration tasks, not just locating stores of sensitive data.

The best strategy to aim for when looking for sensitive data discovery tools is to get a system that forms part of a wider data security service. This will provide the best value for money and also reduce the number of interfaces that the system administrator needs to open to fully manage data.

1. iDox.ai Sensitive Data Discovery (FREE TRIAL)

iDox.ai Sensitive Data Discovery is a suitable discovery service for businesses that need to comply with the bank card standard, PCI DSS, the health data system, HIPAA, SOX, the financial reporting standard, FISMA, for US federal agencies or the personal data standards GDPR, PIPEDA, and CCPA.

Key Features:

 

• Compliance-Oriented Discovery: Targets compliance needs like PCI DSS, HIPAA, and GDPR through precise data identification.
• Intellectual Property Protection: Efficiently locates and classifies trade secrets and proprietary information.
• Project Management Tools: Simplifies oversight of sensitive data discovery projects with integrated management features.
• Flexible Integration: Offers API access for seamless integration into existing systems, enhancing adaptability.
• Enhanced Security Measures: Utilizes storage encryption to safeguard sensitive data against unauthorized access.

Why do we recommend it?

iDox Sensitive Data Discovery is part of a platform of data security systems that also includes a redaction suite. The system lets you know where the stores of sensitive data are and that search will be tailored to a specific data standard. It will also look for trade secrets and intellectual property.

This tool can be integrated into other software systems through an API. You have the option of accessing the package on AWS Marketplace or Azure Marketplace. It is also possible to download the software and run it on your own server. The system runs on Docker.

The iDox.ai system is ISO 27001 accredited. This means that the platform provides the highest levels of security and confidentiality. Discovered sensitive data is protected by encryption and even administrators are not able to get access to it without registered authorization. iDox is also SOC 2 Type II certified.

Businesses that manage personally identifiable information are required to enforce protection in order to win contracts and get insured. The first step of this process is to identify where that type of data is stored.  This is the service that you get from iDox.ai

Who is it recommended for?

This package is suitable for a wide range of businesses because its installed software package is easy to run and its API provides more complex solutions for businesses that want a customized service. Integrating a data discovery service into other tools is difficult when you are dealing with standalone sensitive data discovery tools but that task is a lot simpler with the iDox.ai API.

The iDox.ai system is evolving and the company is bringing online extra features, such as data movement tracking, compliance reporting, integrated redaction, and Active Directory integration. You can try iDox.ai with a 7-day free trial.

2. ManageEngine Endpoint DLP Plus (FREE TRIAL)

ManageEngine Endpoint DLP Plus is a data protection system that includes sensitive data discovery. The package will also help you to formulate a data security policy that extends to user activity monitoring, device control, and data movement scrutiny. Endpoint DLP Plus installs on one device on your network and then reaches out to all other computers, centralizing controls.

Key Features:

• Sensitive Data Identification: Discovers and classifies sensitive information across endpoints, reinforcing data security.
• Customizable Security Policies: Supports the formulation of bespoke data protection strategies with adaptable standards.
• Robust Access and Transfer Controls: Implements data access and transfer restrictions to mitigate risks of unauthorized sharing.
• Comprehensive Compliance Documentation: Facilitates the creation of detailed compliance reports, simplifying audit processes.

Why do we recommend it?

ManageEngine Endpoint DLP Plus is a bundle of ManageEngine tools and the data discovery part of the package is supplied by DataSecurity Plus, which you can buy as a standalone product. Endpoint DLP Plus includes additional tools to protect data through containerization.

The first step in managing sensitive data with this tool is to set up a security policy. This process is supported y a library of templates. After selecting a suitable match for your needs, you can adjust your chosen template to fine-tune the system’s data protection strategy. This dictates what constitutes ”sensitive” data and it can be tailored to a data protection standard.

The system will then scour all of the endpoints on your network and identify data stores containing matches for your chosen data protection definition. The system is able to spot combinations of fields that represent PII even if they are not collected in a formal storage format, such as a database or spreadsheet. This technique is called “fingerprinting.”

Once a store of sensitive data has been identified, all access to it is tracked. It is also possible to nominate trusted applications that regularly originate or access sensitive data. Data exports from these tools can be blocked. The system will also watch over USB devices and data movements in emails and out to cloud platforms.

Who is it recommended for?

ManageEngine has provided a complete package for data protection with this bundle and that completeness makes it ideal for businesses of all sizes. Small businesses would get sufficient service from the Free edition, which will cover data management of 25 devices. That’s a generous allowance and it provides all of the features of the paid service – crucially, the eDiscovery service is in there.

ManageEngine Endpoint DLP Plus has a free version, which is limited to monitoring 25 endpoints. The full package is called Professional and it can be extended to cover multiple sites from one console. The software package installs on Windows Server and the tool is available for a 30-day free trial.

3. ManageEngine DataSecurity Plus (FREE TRIAL)

ManageEngine DataSecurity Plus is a software package that includes three modules. You can buy just one of the modules as a standalone service or all three in a package. Those modules are File Server Auditing, Data Leak Prevention, and Data Risk Assessment. The sensitive data discovery tool of this package is contained in the Data Risk Assessment module.

Key Features:

• Comprehensive Discovery and Classification: Efficiently locates sensitive data, facilitating robust data management practices.
• File Access Monitoring: Offers detailed insights into data access patterns, enhancing security protocols.
• Data Movement Regulation: Ensures strict controls over data transfers, preventing unauthorized distribution.
• Web Application Surveillance: Monitors web applications for potential data exfiltration threats.

Why do we recommend it?

ManageEngine DataSecurity Plus already got a mention in this article as part of the Endpoint DLP Plus bundle. DataSecurity Plus isn’t offered as a single package. Instead, it is made up of four modules, which you can buy separately. The eDiscovery service is contained in the Data Risk Assessment package. You also get file integrity monitoring with this unit. Add on the Data Leak Prevention service to get almost exactly the same set of services that Endpoint DLP Plus gives you.

The sensitive data discovery tool seeks out all stores of PII and Protected Health Information (PHI) and then categorizes all instances in terms of vulnerability. As well as looking for sensitive data, this service looks for obsolete files that have not been accessed for a long time. Being aware of this type of data gives you the option of either archiving it or deleting it. The service also examines file permissions and access rights to devices and folders, presenting them to you for analysis and decision-making.

The full package of DataSecurity Plus includes File Integrity Management (FIM), which tracks all changes to files, which also includes those that hold sensitive data. You don’t have to apply FIM to all files – you decide which directories should have this service enabled. The FIM is connected to an alert system so you will be notified whenever a protected file is changed or deletion is attempted.

The DataSecurity Plus system is also able to block USB devices or allow them but monitor which files are copied onto them, selectively blocking files that contained identified sensitive data. That graded control can also be applied to the email system – you can choose to block attachments or just block sensitive data files from being sent out by email.

Who is it recommended for?

Any business would get value for money out of DataSecurity Plus. However, it is necessary to compare it to Endpoint DLP Plus before purchasing. Confusingly, there is also data loss prevention in the Log360 package from ManageEngine. You can get a free trial of Endpoint DLP Plus and also of DataSecurity Plus. Small businesses would probably prefer the Endpoint DLP option because it has a Free edition, which DataSecurity Plus doesn’t have.

ManageEngine DataSecurity Plus is a software package that installs on Windows Server. You can get it on a 30-day free trial to run it through its paces.

ManageEngine DataSecurity Plus Access 30-day FREE Trial

4. N-able Risk Intelligence

N-able Risk Intelligence offers a good deal because it is more than just a sensitive data discovery tool. This service scans Windows and macOS devices connected to your network and identifies security weaknesses, such as out-of-date software. It also examines the security surrounding email systems.

Key Features:

• Security Vulnerability Detection: Identifies system weaknesses and outdated software, enhancing overall security posture.
• Customizable Data Scans: Offers both pre-set and tailor-made scans for comprehensive sensitive data discovery.
• Risk Assessment Reports: Generates detailed risk analyses, highlighting potential data breach impacts.

Why do we recommend it?

N-able Risk Intelligence is part of a platform of tools that are designed for use by managed service providers as part of their work looking after the systems of client companies. This is purely a detection and analysis system – it doesn’t include active data access monitoring. Although it would be nice to see protection implementation bundled in, the risk assessment services are extensive and go beyond the discovery of sensitive data. You also get financial assessments and some great reports to pass on to clients to show that your MSP is earning its fees.

The vulnerability scanner uses the Common Vulnerability Scoring System (CVSS) to identify the latest threats and attack strategies of hackers and then checks each device to close down the entry points those strategies exploit. This vulnerability sweep touches on all devices connected to your network.

The sensitive data discovery tool in the N-able Risk Intelligence package offers pre-formatted scans and also allows for customized scans. It searches for email addresses, license plate numbers, bank accounts, social security numbers, ACH data, and credit card numbers. The system produces a risk report for each type of PII that it discovers.

Who is it recommended for?

As stated above, N-able is designed for use by MSPs. However, the IT operation department of large multi-site organizations would also benefit from the use of this tool. Smaller businesses would be more likely to encounter this tool if it is in use by the MSP that they choose to run their IT services.

N-able offers a wider system administration service that includes security software. N-able Risk Intelligence can be integrated into an N-Able remote monitoring and management plan. This system is hosted as a SaaS system.

5. Spirion Sensitive Data Manager

Spirion Sensitive Data Manager installs agents on the devices on your site and can also implement agentless monitoring of cloud platforms. This data discovery tool is available as a SaaS package or for installation on Windows and it gives you a data management strategy. The service is geared around reducing the attack vulnerabilities of sensitive data storage. This system looks for intellectual property, as well as PII, PHI, and credit card information.

Key Features:

• Holistic Data Management Platform: Integrates several tools for effective data protection and compliance.
• Integrity Monitoring: Includes file integrity management to track unauthorized changes to sensitive files.
• Vulnerability Scanning: Assesses system vulnerabilities to prevent potential data breaches.

Why do we recommend it?

Spirion Sensitive Data Manager is an on-premises package, just like the two ManageEngine options. This service includes discovery and classification for different types of sensitive data and protects discovered data stores with file integrity monitoring (FIM). An interesting feature of Sensitive Data Manager is that it also provides recommendations for reorganizing your system to improve data security.

The processes in the Spirion Sensitive Data Manager will help you with compliance to GDPR, CCPA, HIPAA, and PCI DSS. The data discovery module of the Sensitive Data Manager is called AnyFind. It can find sensitive data on all of your infrastructure – on all sites and all platforms. You can see where all of the data is stored through the dashboard of the system, which is hosted on Spirion servers and can be accessed through any web browser. That information gives you options over whether you are going to consolidate your data storage in one place or implement a distributed system.

The next phase in sensitive data management is classification and that task is carried out by the Watcher module. As well as identifying sensitive data, this examines vulnerability levels and recommends tightening access rights to specific files. A module called Spyglass helps you apply security procedures to your sensitive data stores. This includes FIM and data loss protection processes.

Who is it recommended for?

The flexibility of the tool’s deployment option gives Spirion Sensitive Data Manager a wide pool of potential clients. The system is very thorough and small businesses might not need all of the capabilities of the package when there are free alternatives available. Mid-sized businesses that manage sensitive data will find that Spirion meets all of their needs.

The Spirion system offers value for money because it provides all of the services you will need to protect sensitive data and comply with data protection standards. Spirion offers a demo of the Sensitive Data Manager.

6. Thales CipherTrust Data Discovery and Classification

Thales CipherTrust Data Discovery and Classification is a cloud-based service that can search through all of your data stores on all of your sites plus on the cloud. This tool is part of a suite of data security services that is called the CipherTrust Data Security Platform.

Key Features:

• End-to-End Data Classification: Automates the discovery and categorization of sensitive data across multiple environments.
• Robust File Encryption: Employs encryption to secure data at rest and in transit, ensuring comprehensive protection.
• Adaptive Access Controls: Implements dynamic access controls based on data sensitivity and user authorization.

Why do we recommend it?

Thales CipherTrust Data Discovery and Classification is part of a platform of data security tools that includes transmission encryption services. So, you might end up buying several of the modules on this system. The Thales system offers a full data protection system as an alternative to data loss prevention strategies that rely on activity monitoring. Other sensitive data management tools in the package include a data redaction service.

The sensitive data discovery tool provides a service needed by businesses that follow GDPR, CCPA, LGPD, PCI DSS, and HIPAA. The system can analyze all types of data storage, not just file stores. It is also able to examine databases and other big data storage systems. Unstructured data is also a target for the search facility. The search utility can explore all of your sites plus cloud storage services for sensitive data.

The categorization processes in the Data Discovery and Classification module assess the vulnerability of each piece of data and its importance in terms of data protection standards. This gives you a report on which data stores require heavier protection and suggests methods to improve security.

Categorizing data in terms of data protection standards gives you a better grounding on which pieces of information can be shared with other organizations, in which format, and by what methods.

The console for the service is hosted in the cloud and accessed through any standard Web browser. The screens within the dashboard include data visualizations that make it easy to create presentations to communicate security issues to stakeholders. It is also possible to generate compliance reports from the system.

Who is it recommended for?

The Thales service operates both on-premises and on cloud data stores. So, it is doubly good for businesses that operate hybrid environments and have data on their own servers and on cloud accounts.

Other modules in the CyberTrust Data Security Platform offer encryption solutions to protect sensitive data at rest and in transit and data storage control mechanisms that reduce the number of people who can access sensitive data.

7. Datadog Sensitive Data Scanner

Datadog Sensitive Data Scanner is delivered from the cloud and provides a flexible service. You need to set up the data formats to search for and that process can be aided by templates that provide standard data types, such as credit card numbers or social security numbers.

Key Features:

• Configurable Data Patterns: Enables users to define specific data types for targeted scanning, increasing detection precision.
• Automated Data Surveillance: Conducts automatic scans to identify sensitive information, streamlining data governance.
• Data Entry Interception: Identifies sensitive data upon entry, reducing the risk of unauthorized access or leakage.
• Data Scrubbing: Offers options to cleanse data streams of sensitive information, maintaining data integrity.

Why do we recommend it?

The Datadog Sensitive Data Scanner can be integrated into the platform’s Log Manager, APM, or Real User Monitoring service to identify sensitive data as it travels into storage or moves out. This avoids the need to tamper with records and offers better data governance by preserving the original data where needed.

The actions of the Datadog system upon the discovery of an instance of sensitive data depend on the settings that you define. The tool doesn’t scan files but instead operates on data entered into Web forms, accessed through applications, or recorded in logs.

So, when an application accesses a data store, the sensitive data scanner can be set to obscure the sensitive data in the display. You could choose to delete sensitive data from log messages before filing them or showing them in a log management data viewer. In these examples, the working data is left intact – it shouldn’t be necessary to save data in log files, so this instance is a little different.

One option that you can activate is logging by the sensitive data tool. So, whenever a piece of sensitive data is spotted moving into an application, that event and the user account involved can be recorded. This action is important for compliance with GDPR, CCPA, and HIPAA.

Who is it recommended for?

The Sensitive Data Scanner is priced as an individual module. However, it is difficult to imagine how the tool would be used by itself. Instead, this system should be used in conjunction with other Datadog modules. Effectively, it is an add-on for the APM, the Log Manager, or the Real User Monitoring services.

You sign up for the Sensitive Data Scanner at the Datadog cloud platform. Consider the system as part of a group of modules on the platform that you might like to try and then get all of them on a free trial to see how you could use this data protection service.

8. Azure Information Protection

You probably know about the Azure platform and you might even use Azure servers for storage. However, you might not know that Azure offers a menu of services that can be applied to storage and processing virtual server account and are also available to businesses that don’t even use Azure servers.

Key Features:

• Cloud and On-Premises Data Management: Searches for sensitive data across various platforms, ensuring thorough coverage.
• Configurable Data Protection Policies: Allows for detailed policy settings, tailoring data security measures to specific needs.
• Integrated Microsoft Office Support: Enhances document security with encryption and access controls within Office applications.

Why do we recommend it?

The Azure Information Protection service is delivered from the Azure platform but it can reach out to AWS accounts as well as storage on Azure. You can also use this tool to swatch your own servers for sensitive data. This is a very affordable tool that can be used to control data on many sites. Other services in the package include copy tracking and watermarking.

One of those services is the Azure Information Protection system. This package can search for sensitive data on any of your sites or any of your cloud services. The system offers continuous monitoring for emails, document access, and data stores. So, once sensitive data has been located, it will be monitored.

You have to set up a policy for data protection before running a data search with this service. This enables you to specify the type of information that needs to be protected – a decision that will be dictated by the data protection standard that you are following. You can decide what level of control should be applied to sensitive data. For example, you can ban all transfers of the data or decide that only certain personnel should have access and the right to share the data – and who they can share it with.

Documents can be stamped and copies can be enumerated in the metadata to make disclosure tracking easier. It is possible to allow files to be viewed by others but not edited, downloaded, forwarded, or printed.

Who is it recommended for?

A great feature of Azure products is that they are charged for retrospectively on a meter rather than as a subscription, which requires a fixed fee advanced payment. The best thing about this is it is very scaleable. Small businesses don’t have to pay for the average business’s data throughput but only for the actions that they use. The Azure platform has massive capacity that means this system will also work well for very large multinationals.

The Azure Information Protection service includes an encryption service that you can use to protect all sensitive data stores at rest and in transit. The system can be linked to Active Directory for access control and there is also a cloud-based version of Active Directory available within the Azure platform if you don’t already implement AD.

9. Mage iDiscover

Mage iDiscover can track down structured, unstructured, and BigData stores of sensitive data on-premises and on the cloud. This cloud-based service supports compliance with GDPR, CCPA, and HIPAA.

Key Features:

• Comprehensive Data Coverage: Identifies sensitive data across on-premises and cloud environments, including structured and unstructured data.
• Advanced AI Detection: Utilizes artificial intelligence and natural language processing for accurate data identification.
• Proactive Data Management: Automates workflows for efficient sensitive data protection and compliance alignment.

Why do we recommend it?

Mage iDiscover is a strong competitor to the Thales and Spirion systems. It is able to scan for sensitive data on sites and also on cloud platforms. Although we put Mage last on the list, this review is not ordered in terms of impressive functionality, other than the number one slot, which is reserved for our favorite. This service uses AI to identify adjacencies in data field that need to be combined before they constitute sensitive data that needs to be protected.

After tracking sensitive data, the service assesses the vulnerability of its location and analyzes file permissions. The system dashboard displays all stores of sensitive data so you get a visual record of storage. Sensitive data discovery can be set up as an incremental process, so it will notify you of any new instances that get saved. The system also scours log files and raises an alert if they contain sensitive data.

This system scours databases and unstructured data as well as files in its search for sensitive data. It also analyzes the users that have access permissions on data. It recommends changes to access rights. The service also back-chains through to the applications that store data, offering you the opportunity to change settings and alter storage locations for sensitive data.

This system uses artificial intelligence and natural language processing to spot instances of sensitive data. It implements automated workflows to save you time and take care of sensitive data protection for you.

Who is it recommended for?

Mage iDiscover is suitable for mid-sized companies and businesses of that size should really compare Mage with the Thales and Spirion systems to get a good fit.

Mage iDiscover’s built-in capabilities to interface with 35 data management systems, such as database management systems and cloud platforms. You can request a demo to assess the system for yourself.