Best Sensitive Data Discovery Tools

The rules around the treatment of Personally Identifiable Information (PII) are complicated and failure to protect PII can be devastating for the business both financially and in terms of reputation. As it is so important to protect PII from accidental disclosure or inappropriate use, this information requires an extra security process in addition to the access controls imposed on all company data stores. Knowing where the stores of PII are, is step one in controlling access, so sensitive data discovery tools are fundamental to the protection of PII.

Many business processes will require access to PII. For example, the sales department will need information about customer habits, the dispatch office will need address information and the financial office will be responsible for processing payments. This means that customer information can be spread over several storage locations. Distributed systems for global operations might have local data stores in each branch. So, there can be many places where PII is held.

Here is our list of the seven best sensitive data discovery tools:

  1. ManageEngine Endpoint DLP Plus EDITOR’S CHOICE A bundle of data protection services that include sensitive data discovery and categorization. The console offers temples to simplify data protection policy creation. Available for Windows Server.
  2. N-able Risk Intelligence This data breach vulnerability assessment tool includes PII data discovery along with other security tightening systems, such as a permissions analyzer. This is a cloud platform.
  3. ManageEngine DataSecurity Plus This package of data protection tools includes a Data Risk Assessment module that locates, protects, and tracks sensitive data. It is available for Windows Server.
  4. Spirion Sensitive Data Manager A tracker and manager for sensitive data that can locate sensitive data stores on the local network, remote sites, and on cloud systems. Available for installation on Windows Server or as a SaaS package with device agents for Windows, macOS, and Linux.
  5. Thales CipherTrust Data Discovery and Classification This cloud platform launches searches for sensitive data on your local and remote sites and also on the cloud.
  6. Azure Information Protection This service from the well-known cloud platform tracks your sensitive data no matter where it is – it doesn’t have to be on an Azure server.
  7. Mage iDiscover An AI-based tracker for sensitive data that categorizes data for GDPR, CCPA, and HIPAA requirements, among other standards. This is a cloud platform.

You can read more about each of these options in the following sections.

Management of sensitive data

There is a strong business case for centralizing data stores. However, that is a separate issue to the protection of sensitive data. If you can centralize data you can eliminate redundancy. You can also control access better because you only need to have one instance of supervisory software running.

Whether you intend to move sensitive data or leave it in its many current locations, you first need to identify it. To find sensitive data, you need to locate all data and categorize it. Even “sensitive data” is not one category – there are many types of sensitive data. So, a sensitive data discovery tool needs to be able to categorize data as well as locate it.

The best sensitive data discovery tools

A sensitive data discovery tool has a finite requirement. You would expect that the discovery process should be ongoing. Ordinarily, it can be expected that PII will always be stored in the same locations, so once several servers and folders have been identified, they will probably be the only places to continue to look. However, PII data needs to be tracked and sensitive data discovery tools can play a part in tracking the distribution – authorized or otherwise – of that data.

As the discovery of sensitive data is just one step in the process of protecting PII, the best tools for the job should be integrated into data management systems that perform a wide range of administration tasks, not just locating stores of sensitive data.

What should you look for in a sensitive data discovery tool? 

We reviewed the market for sensitive data discovery software and analyzed the options based on the following criteria:

  • A service that can search through multiple sites to locate stores of sensitive data
  • A service that will rescan all systems periodically
  • Nice to have integration with data security systems, such as backup and file integrity management
  • A classification process that can be adapted to specific data protection standards requirements
  • A reporting tool that can produce standards compliance documentation
  • A free trial or demo for a cost-free assessment
  • Value for money represented by worthwhile tools at a fair price

The best strategy to aim for when looking for sensitive data discovery tools is to get a system that forms part of a wider data security service. This will provide the best value for money and also reduce the number of interfaces that the system administrator needs to open to fully manage data.

1. ManageEngine Endpoint DLP Plus (FREE TRIAL)

ManageEngine Endpoint DLP Plus

ManageEngine Endpoint DLP Plus is a data protection system that includes sensitive data discovery. The package will also help you to formulate a data security policy that extends to user activity monitoring, device control, and data movement scrutiny. Endpoint DLP Plus installs on one device on your network and then reaches out to all other computers, centralizing controls.

Key Features:

  • Discovery and classification of sensitive data
  • Adaptable to different standards
  • Data access controls
  • Data transfer controls
  • Compliance documentation

Why do we recommend it?

ManageEngine Endpoint DLP Plus is a bundle of ManageEngine tools and the data discovery part of the package is supplied by DataSecurity Plus, which you can buy as a standalone product. Endpoint DLP Plus includes additional tools to protect data through containerization.

The first step in managing sensitive data with this tool is to set up a security policy. This process is supported y a library of templates. After selecting a suitable match for your needs, you can adjust your chosen template to fine-tune the system’s data protection strategy. This dictates what constitutes ”sensitive” data and it can be tailored to a data protection standard.

The system will then scour all of the endpoints on your network and identify data stores containing matches for your chosen data protection definition. The system is able to spot combinations of fields that represent PII even if they are not collected in a formal storage format, such as a database or spreadsheet. This technique is called “fingerprinting.”

Once a store of sensitive data has been identified, all access to it is tracked. It is also possible to nominate trusted applications that regularly originate or access sensitive data. Data exports from these tools can be blocked. The system will also watch over USB devices and data movements in emails and out to cloud platforms.

Who is it recommended for?

ManageEngine has provided a complete package for data protection with this bundle and that completeness makes it ideal for businesses of all sizes. Small businesses would get sufficient service from the Free edition, which will cover data management of 25 devices. That’s a generous allowance and it provides all of the features of the paid service – crucially, the eDiscovery service is in there.

Pros:

  • Can scan images of documents with OCR as well as searching through digital documents
  • Provides a series of classification presets that automatically adapt to a given standard
  • Prevents data theft or movements through browsers
  • Scans emails to enforce data protection policies
  • USB device controls

Cons:

  • Only available for Windows Server

ManageEngine Endpoint DLP Plus has a free version, which is limited to monitoring 25 endpoints. The full package is called Professional and it can be extended to cover multiple sites from one console. The software package installs on Windows Server and the tool is available for a 30-day free trial.

EDITOR'S CHOICE

ManageEngine Endpoint DLP Plus is our top pick for a sensitive data discovery tool because the package can be easily tailored to specific data protection standards. The system discovers sensitive data and then categorizes it to allow the creation of fine-grained access controls. The system is supported by a library of policy templates that speed up the definition of a data security strategy. After you have your security requirements defined, the tool will track user activity, data access, and file movements to protect the sensitive data that your system holds.

Official Site: https://www.manageengine.com/endpoint-dlp/download.html

OS: Windows Server

2. N-able Risk Intelligence

N-Able Risk Intelligence

N-able Risk Intelligence offers a good deal because it is more than just a sensitive data discovery tool. This service scans Windows and macOS devices connected to your network and identifies security weaknesses, such as out-of-date software. It also examines the security surrounding email systems.

Key Features:

  • Detects system security weaknesses
  • Sensitive data discovery
  • Adapted to different standards
  • Risk reports

Why do we recommend it?

N-able Risk Intelligence is part of a platform of tools that are designed for use by managed service providers as part of their work looking after the systems of client companies. This is purely a detection and analysis system – it doesn’t include active data access monitoring. Although it would be nice to see protection implementation bundled in, the risk assessment services are extensive and go beyond the discovery of sensitive data. You also get financial assessments and some great reports to pass on to clients to show that your MSP is earning its fees.

The vulnerability scanner uses the Common Vulnerability Scoring System (CVSS) to identify the latest threats and attack strategies of hackers and then checks each device to close down the entry points those strategies exploit. This vulnerability sweep touches on all devices connected to your network.

The sensitive data discovery tool in the N-able Risk Intelligence package offers pre-formatted scans and also allows for customized scans. It searches for email addresses, license plate numbers, bank accounts, social security numbers, ACH data, and credit card numbers. The system produces a risk report for each type of PII that it discovers.

Who is it recommended for?

As stated above, N-able is designed for use by MSPs. However, the IT operation department of large multi-site organizations would also benefit from the use of this tool. Smaller businesses would be more likely to encounter this tool if it is in use by the MSP that they choose to run their IT services.

Pros:

  • RMM format to enable managed service providers to deploy for clients
  • An assessment of the potential financial impact of a data breach
  • Provided together with data protection backups and anti-ransomware
  • Great presentations to impress MSP clients

Cons:

  • Designed more for MSPs than IT operations departments

N-able offers a wider system administration service that includes security software. N-able Risk Intelligence can be integrated into an N-Able remote monitoring and management plan. This system is hosted as a SaaS system.

3. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is a software package that includes three modules. You can buy just one of the modules as a standalone service or all three in a package. Those modules are File Server Auditing, Data Leak Prevention, and Data Risk Assessment. The sensitive data discovery tool of this package is contained in the Data Risk Assessment module.

Key Features:

  • Discovery and classification
  • File access tracking
  • Controls data movements
  • Web app scanning

Why do we recommend it?

ManageEngine DataSecurity Plus already got a mention in this article as part of the Endpoint DLP Plus bundle. DataSecurity Plus isn’t offered as a single package. Instead, it is made up of four modules, which you can buy separately. The eDiscovery service is contained in the Data Risk Assessment package. You also get file integrity monitoring with this unit. Add on the Data Leak Prevention service to get almost exactly the same set of services that Endpoint DLP Plus gives you.

The sensitive data discovery tool seeks out all stores of PII and Protected Health Information (PHI) and then categorizes all instances in terms of vulnerability. As well as looking for sensitive data, this service looks for obsolete files that have not been accessed for a long time. Being aware of this type of data gives you the option of either archiving it or deleting it. The service also examines file permissions and access rights to devices and folders, presenting them to you for analysis and decision-making.

The full package of DataSecurity Plus includes File Integrity Management (FIM), which tracks all changes to files, which also includes those that hold sensitive data. You don’t have to apply FIM to all files – you decide which directories should have this service enabled. The FIM is connected to an alert system so you will be notified whenever a protected file is changed or deletion is attempted.

The DataSecurity Plus system is also able to block USB devices or allow them but monitor which files are copied onto them, selectively blocking files that contained identified sensitive data. That graded control can also be applied to the email system – you can choose to block attachments or just block sensitive data files from being sent out by email.

Who is it recommended for?

Any business would get value for money out of DataSecurity Plus. However, it is necessary to compare it to Endpoint DLP Plus before purchasing. Confusingly, there is also data loss prevention in the Log360 package from ManageEngine. You can get a 30-day free trial of Endpoint DLP Plus and also of DataSecurity Plus. Small businesses would probably prefer the Endpoint DLP option because it has a Free edition, which DataSecurity Plus doesn’t have.

Pros:

  • Scans all data stores to find sensitive data as defined by a given standard
  • Records and optionally blocks data access events
  • Controls data movements by email and onto USB devices
  • Scans Web pages and applications for data theft mechanisms

Cons:

  • Only available for Windows Server

ManageEngine DataSecurity Plus is a software package that installs on Windows Server. You can get it on a 30-day free trial to run it through its paces.

4. Spirion Sensitive Data Manager

Spirion Sensitive Data Manager

Spirion Sensitive Data Manager installs agents on the devices on your site and can also implement agentless monitoring of cloud platforms. This data discovery tool is available as a SaaS package or for installation on Windows and it gives you a data management strategy. The service is geared around reducing the attack vulnerabilities of sensitive data storage. This system looks for intellectual property, as well as PII, PHI, and credit card information.

Key Features:

  • A platform with a suite of tools
  • File integrity manager
  • Vulnerability scanner

Why do we recommend it?

Spirion Sensitive Data Manager is an on-premises package, just like the two ManageEngine options. This service includes discovery and classification for different types of sensitive data and protects discovered data stores with file integrity monitoring (FIM). An interesting feature of Sensitive Data Manager is that it also provides recommendations for reorganizing your system to improve data security.

The processes in the Spirion Sensitive Data Manager will help you with compliance to GDPR, CCPA, HIPAA, and PCI DSS. The data discovery module of the Sensitive Data Manager is called AnyFind. It can find sensitive data on all of your infrastructure – on all sites and all platforms. You can see where all of the data is stored through the dashboard of the system, which is hosted on Spirion servers and can be accessed through any web browser. That information gives you options over whether you are going to consolidate your data storage in one place or implement a distributed system.

The next phase in sensitive data management is classification and that task is carried out by the Watcher module. As well as identifying sensitive data, this examines vulnerability levels and recommends tightening access rights to specific files. A module called Spyglass helps you apply security procedures to your sensitive data stores. This includes FIM and data loss protection processes.

Who is it recommended for?

The flexibility of the tool’s deployment option gives Spirion Sensitive Data Manager a wide pool of potential clients. The system is very thorough and small businesses might not need all of the capabilities of the package when there are free alternatives available. Mid-sized businesses that manage sensitive data will find that Spirion meets all of their needs.

Pros:

  • Both SaaS and on-premises versions are available
  • Discovery and classification that is tailored to specific data protection standards
  • Offers options to consolidate and centralize data-sensitive storage locations

Cons:

  • A suite of tools rather than a single out-of-the-box system

The Spirion system offers value for money because it provides all of the services you will need to protect sensitive data and comply with data protection standards. Spirion offers a demo of the Sensitive Data Manager.

5. Thales CipherTrust Data Discovery and Classification

Thales CipherTrust Data Discovery and Classification

Thales CipherTrust Data Discovery and Classification is a cloud-based service that can search through all of your data stores on all of your sites plus on the cloud. This tool is part of a suite of data security services that is called the CipherTrust Data Security Platform.

Key Features:

  • Discovery and classification
  • File encryption
  • Access controls

Why do we recommend it?

Thales CipherTrust Data Discovery and Classification is part of a platform of data security tools that includes transmission encryption services. So, you might end up buying several of the modules on this system. The Thales system offers a full data protection system as an alternative to data loss prevention strategies that rely on activity monitoring. Other sensitive data management tools in the package include a data redaction service.

The sensitive data discovery tool provides a service needed by businesses that follow GDPR, CCPA, LGPD, PCI DSS, and HIPAA. The system can analyze all types of data storage, not just file stores. It is also able to examine databases and other big data storage systems. Unstructured data is also a target for the search facility. The search utility can explore all of your sites plus cloud storage services for sensitive data.

The categorization processes in the Data Discovery and Classification module assess the vulnerability of each piece of data and its importance in terms of data protection standards. This gives you a report on which data stores require heavier protection and suggests methods to improve security.

Categorizing data in terms of data protection standards gives you a better grounding on which pieces of information can be shared with other organizations, in which format, and by what methods.

The console for the service is hosted in the cloud and accessed through any standard Web browser. The screens within the dashboard include data visualizations that make it easy to create presentations to communicate security issues to stakeholders. It is also possible to generate compliance reports from the system.

Who is it recommended for?

The Thales service operates both on-premises and on cloud data stores. So, it is doubly good for businesses that operate hybrid environments and have data on their own servers and on cloud accounts.

Pros:

  • Covers data on-site and in the cloud
  • Can be tuned to specific data protection standards
  • Deploys encryption to protect data and allow access to authorized users

Cons:

  • No price list

Other modules in the CyberTrust Data Security Platform offer encryption solutions to protect sensitive data at rest and in transit and data storage control mechanisms that reduce the number of people who can access sensitive data.

6. Azure Information Protection

Azure Information Protection

You probably know about the Azure platform and you might even use Azure servers for storage. However, you might not know that Azure offers a menu of services that can be applied to storage and processing virtual server account and are also available to businesses that don’t even use Azure servers.

Key Features:

  • Azure service
  • Adaptable classification
  • Integrates into Microsoft Office

Why do we recommend it?

The Azure Information Protection service is delivered from the Azure platform but it can reach out to AWS accounts as well as storage on Azure. You can also use this tool to swatch your own servers for sensitive data. This is a very affordable tool that can be used to control data on many sites. Other services in the package include copy tracking and watermarking.

One of those services is the Azure Information Protection system. This package can search for sensitive data on any of your sites or any of your cloud services. The system offers continuous monitoring for emails, document access, and data stores. So, once sensitive data has been located, it will be monitored.

You have to set up a policy for data protection before running a data search with this service. This enables you to specify the type of information that needs to be protected – a decision that will be dictated by the data protection standard that you are following. You can decide what level of control should be applied to sensitive data. For example, you can ban all transfers of the data or decide that only certain personnel should have access and the right to share the data – and who they can share it with.

Documents can be stamped and copies can be enumerated in the metadata to make disclosure tracking easier. It is possible to allow files to be viewed by others but not edited, downloaded, forwarded, or printed.

Who is it recommended for?

A great feature of Azure products is that they are charged for retrospectively on a meter rather than as a subscription, which requires a fixed fee advanced payment. The best thing about this is it is very scaleable. Small businesses don’t have to pay for the average business’s data throughput but only for the actions that they use. The Azure platform has massive capacity that means this system will also work well for very large multinationals.

Pros:

  • Cloud-based SaaS package that can also manage on-premises assets
  • Protects files with encryption
  • File copy stamping and tracking

Cons:

  • Doesn’t cover databases

The Azure Information Protection service includes an encryption service that you can use to protect all sensitive data stores at rest and in transit. The system can be linked to Active Directory for access control and there is also a cloud-based version of Active Directory available within the Azure platform if you don’t already implement AD.

7. Mage iDiscover

Mentis iDiscover

Mage iDiscover can track down structured, unstructured, and BigData stores of sensitive data on-premises and on the cloud. This cloud-based service supports compliance with GDPR, CCPA, and HIPAA.

Key Features:

  • Data discovery on-premises and in the cloud
  • Structured and unstructured data
  • Natural language processing

Why do we recommend it?

Mage iDiscover is a strong competitor to the Thales and Spirion systems. It is able to scan for sensitive data on sites and also on cloud platforms. Although we put Mage last on the list, this review is not ordered in terms of impressive functionality, other than the number one slot, which is reserved for our favorite. This service uses AI to identify adjacencies in data field that need to be combined before they constitute sensitive data that needs to be protected.

After tracking sensitive data, the service assesses the vulnerability of its location and analyzes file permissions. The system dashboard displays all stores of sensitive data so you get a visual record of storage. Sensitive data discovery can be set up as an incremental process, so it will notify you of any new instances that get saved. The system also scours log files and raises an alert if they contain sensitive data.

This system scours databases and unstructured data as well as files in its search for sensitive data. It also analyzes the users that have access permissions on data. It recommends changes to access rights. The service also back-chains through to the applications that store data, offering you the opportunity to change settings and alter storage locations for sensitive data.

This system uses artificial intelligence and natural language processing to spot instances of sensitive data. It implements automated workflows to save you time and take care of sensitive data protection for you.

Who is it recommended for?

Mage iDiscover is suitable for mid-sized companies and businesses of that size should really compare Mage with the Thales and Spirion systems to get a good fit.

Pros:

  • Can identify disjointed fields that collectively constitute sensitive data
  • AI-based detection
  • Can update the settings of applications to change default data storage locations

Cons:

  • No free trial

Mage iDiscover’s built-in capabilities to interface with 35 data management systems, such as database management systems and cloud platforms. You can request a demo to assess the system for yourself.