What is data loss prevention?
Data loss prevention (DLP) is the control of access to the data that your company holds. A data loss prevention strategy makes sure end-users aren’t able to intentionally destroy or steal data.
It’s important to have a data loss prevention policy in place at your enterprise. This can cover: data loss prevention tools, intrusion prevention systems, system information, event management, endpoint protection, and anti-malware systems are areas of IT security that overlap.
When you come to tighten up your system protection, you will find that you don’t need one of each of these because just one will take care of many tasks, including blocking access to the system and protecting data simultaneously. With the correct policy and systems in place, you will be able to reduce or eliminate data loss incidents across your business.
Here is our list of the best data loss prevention (DLP) software & tools:
- SolarWinds Data Loss Prevention with ARM EDITOR’S CHOICE Access rights manager can be set up to help shield against accidental or malicious data loss. Can automate user access and activities through policy, respond to suspicious activity and investigate user events that could potentially compromise your systems.
- CoSoSys Endpoint Protector (GET DEMO) A choice of onsite or cloud-based data loss prevention systems.
- CrowdStrike Falcon Device Control (FREE TRIAL) This module fits into packages of CrowdStrike security bundles and watches over USB port activities. Available for Windows, macOS, and Linux.
- ManageEngine Device Control Plus (FREE TRIAL) Blocks unauthorized data transfers onto peripheral devices. Runs on Windows and Windows Server.
- Symantec Data Loss Prevention Includes threat protection and data encryption.
- Teramind DLP A user tracker and data access controller.
- Clearswift Adaptive DLP A range of data protection products.
- SecureTrust Data Loss Prevention Includes pre-written policies.
- Check Point Data Loss Prevention Adopts a user monitoring and education approach.
- Digital Guardian Endpoint DLP A data event tracker.
- Code42 Restores altered data to its original state.
- CA Data Protection Protects data and audits access events.
- Comodo MyDLP A user data access control system.
The Best Data Loss Prevention Software Tools
You likely won’t get all of your data loss prevention needs fulfilled by the one tool. However, many software providers produce suites of tools that fit together. There is a lot of overlap between data loss prevention, standard compliance, and data backup. You will need all of these to successfully protect and manage your company’s data.
What should you look for in data loss prevention software?
We reviewed the market for data loss protection tools and analyzed the options based on the following criteria:
- A detection system that can interact with access rights managers and firewall to shut down data theft
- Email attachment scanning and logging
- Suitability for use for HIPAA, GDPR, SOX, and PCI DSS
- Variable controls to offer tighter scrutiny of PII usage
- Endpoint identification for both source and destination of data movements
- A free trial or money-back guarantee for a risk-free assessment
- Value for money represented by a trade-off between delivered functions and price
SolarWinds is a leading producer of IT infrastructure monitoring tools and its DLP security solution is part of its Access Rights Manager.
- Access rights manager
- Spots suspicious activity
- Automated responses
- Auditing for data protection standards compliance
- 30-day free trial
A key starting point in your data loss prevention strategy is to set a company policy on data access control. The SolarWinds Access Rights Manager supports this task by giving you clear reports on current access permissions. You then have an opportunity to set better controls, which can be implemented through the Access Rights Manager.
Ongoing monitoring keeps a constant check on data access and generates alerts whenever copies are made or data is transferred. The manager unifies user monitoring for Active Directory, Windows File Share, SharePoint, and Microsoft Exchange. This enables you to monitor the activities of a user who has displayed unusual or suspicious behavior across many communication channels.
- Is a robust solution for larger networks, support both DLP and permission monitoring to support multiple compliance standards
- Integrates well into existing Active Directory environments
- Saves times by creating simple visualizations of permissions structures
- Leverages behavior analysis to identify insider threats and policy violations
- Can be paired with automation to save time on remediation, and avoid data recovery completely
- Highly detailed solution designed for sysadmins in an enterprise environment – may take time to fully explore and utilize all features
The auditing and reporting function of the Access Rights Manager supports GDPR, HIPAA, and PCI DSS compliance. The interface of the tool is very easy to use, making user access management a much simpler task. The software installs on Windows Server and you can get it on a 30-day free trial.
Lightweight package with automated user access policy analysis and enforcement, lets you identify threats to data and helps stop data exfiltration attempts in progress. Set up data leak alerts and more.
Get 30 Day Free Trial: solarwinds.com/access-rights-manager
OS: Windows Server 2008 R2 or higher & AD domain
Related post: File Activity Monitoring Software
CoSoSys offers a is Endpoint Protector as an onsite solution, as a cloud-based service, and as a standalone software package. The onsite version will protect computers running Windows, Mac OS, and Linux. A central Endpoint Protector Server appliance communicates across the network with client software installed on each endpoint. The Server will also protect attached devices, such as digital cameras and USB sticks. The Endpoint protector system is also available as software that implements a virtual appliance on your own server.
- Endpoint protection platform
- Appliance, on-premises software, or cloud service
- HIPAA, PCI DSS, and GDPR compliant
- Also protects attached devices
- Enforced encryption
The full Endpoint Protector system includes content protection, device control, enforced encryption, network discovery and mobile device management. A standalone version is available to protect just one endpoint per install. This is Endpoint Protector Basic and it includes the content and device protector modules of the Server version.
Those who prefer to subscribe to “software as a service” packages instead of running their own hosts and software can opt for My Endpoint Protector. This includes content protection, device control, and mobile device management. In all implementations, the system is HIPAA, PCI DSS, and GDPR compliant.
The content protection system in Endpoint Protector manages file transfers according to the policies you set. All file transfers can be blocked for specific user groups or sensitive files can be allowed to be moved as long as they meet certain criteria. Similarly, the device control system can either completely block devices from attaching to a protected endpoint or can be allowed for file transfers under specified conditions.
- Flexible multi-platform option for Windows, Linux, and Mac
- Can monitor individual files as well as single machines
- Pre-configured to monitor for HIPAA, PIC, and GDPR compliance
- Easy to implement custom rulesets
- Could benefit from a full-featured trial rather than a demo
The online version can be accessed for evaluation on a free demo.
CrowdStrike Falcon is offered in packages of modules and Falcon Device Control is available as an add-on to each of those bundles. This tool installs on endpoints alongside the Falcon Prevent endpoint detection and response (EDR) package. While the EDR looks for incoming threats, Falcon Device Control scan for data exfiltration attempts.
- Control on data passing onto memory sticks
- Variable security set by policies
It is very easy to disable USB ports entirely. However, this approach is not always suitable. For example, USB ports can be used for many features, not just for removable storage. You might want to keep USB ports active but just control what data passes over them.
The question of data movement is not an all-or-nothing decision either. You could allow certain types of data to be moved onto USB devices while blocking more important data collections from being moved. So, the control of USB devices needs to be finely tuned.
With Falcon Device Control you get to specify which types of devices can be connected or, more easily, define which device types are banned. The control extend to user access controls, so you can allow some users or user groups to use USB devices while blocking all others.
The software for Falcon Device Control is able to identify and document all devices as they are connected to a USB port on an endpoint. You can install this software on all of your endpoints and nominate one device to host the server. Thus, you get all activity reports for all devices forwarded to one dashboard for consolidated reporting.
- Distributed implementation
- Centralized dashboard
- The possibility to block certain types of devices
- The ability to interface with access rights managers
- Fast local controls
- The Falcon family doesn’t include controls over other channels of data exfiltration, such as email attachments.
CrowdStrike Falcon Device Control is an extra service that can be added to a subscription to the Falcon Pro, Falcon Enterprise, Falcon Premium, and Falcon Complete packages. The endpoint agents for this solution install on Windows, macOS, and Linux. You can get a 15-day free trial of the software.
You might want to allow staff to copy files onto removable media, such as USB memory sticks. However, this is one of the main ways that employees can steal data. This situation presents a dilemma. You want to keep the system secure without blocking normal and acceptable working practices.
- Whitelist for acceptable devices
- Variable controls on different data types
The solution to managing the use of peripheral devices for data carriage is to control the access of devices rather than disable them entirely. ManageEngine Device Control Plus offers a way to implement a range of security devices for peripheral devices.
This device management system lets you define a security policy and then it translates those requirements into manageable controls. For example, you can allow a list of approved devices to attach to endpoints and you can also set a file size limit, or a total data transfer limit, to account for acceptable office use of peripheral devices. It is also possible to block the copying of data from some sources while allowing other types of data to be transferred to memory sticks. For Example, if you follow data security standards, such as HIPAA or PCI DSS, you need to pay particular attention to personally identifiable information (PII).
The Device Control Plus system is very easy to use and it includes guidance points to assist those who are not security experts. The system also logs all data access events and copying attempts, which is a necessary feature for those following data security standards.
- Great user interface – easy to nativate
- Balances visualizations alongside recent event insights nicely
- Supports hardware lockdown options to restrict removable media
- Custom security policies are easy to define
- Can scan systems for PHI content
- Could benefit from a full-featured trial rather than a demo
Device Control Plus installs on Windows and Windows Server. ManageEngine offers the system on a 30-day free trial.
Symantec’s DLP solution combines user activity tracking with data risk controls. It can monitor data held on servers, desktops, mobile devices, and in cloud storage. An initial sweep on installation identifies all locations that hold sensitive data and gives you the option to remove it all to a central management server, secure data repository or secure it in place. You receive templates and workflows for compliance with HIPAA, GDPR, and PCI DSS standards.
- User activity tracking
- Encryption protection
- HIPAA, GDPR, and PCI DSS compliant
The tool logs all access to sensitive data and tracks those accounts that have raised alerts. Sensitive documents are encrypted and can only be seen by authorized users. The tool also makes sure that discarded copies and retired documents are completely destroyed, leaving no recoverable versions in memory. All copies are tracked and kept secure even when sent out to remote locations or onto user-owned mobile devices.
The Symantec DLP contains documents with sensitive data by using encryption and it identifies the intended recipients by fingerprinting every copy. This encryption and access identification are paired with data movement and copy restrictions. This enables you to block files and data from being attached to emails or transferred over the network or the internet.
The Symantec DLP system is part of its endpoint protection system. This searches for intrusion and malicious software, which could compromise your data privacy. This system includes the monitoring of software that is not authorized by the business but is installed on the same device as sensitive data – a situation that is particularly common in the case of the use of user-owned devices for access to company data.
- Combines DLP with user activity tracking, giving it additional functionality
- Automatic scanning can map out sensitive locations where data is stored
- Offers pre-built temples and works flow for major compliance standards, offering good out of box functionality
- Supports file integrity monitoring through a fingerprinting system
- Could integrate better with other Symantec tools
- Need better Mac functionality
Teramind DLP will help you to be compliant with GDPR, HIPAA, ISO 27001, and PCI DSS. The tool starts off by searching your entire system for sensitive data. The search follows typical data formats, such as Social Security or credit card numbers. It also uses OCR and natural language processing to scan all documents. It then prioritizes those that contain personally identifiable information, personal financial data, and personal health information. Scans to spot new instances of these data categories continue during the software’s service life.
- System audit
- GDPR, HIPAA, ISO 27001, and PCI DSS compliant
- Ongoing risk assessment
The package includes templates for data security policies that will help you set your DLP strategy. This tool has two focuses: insider threats and data security. The user tracking functions cover activities on websites, applications, and on the network. It monitors emails and also includes a keystroke logger for special scrutiny.
Overall system activity is measured to establish a baseline of normal behavior. This is a typical strategy of intrusion detection systems so it will identify external as well as internal threats.
Data protection measures include clipboard monitoring and blocking. A fingerprinting system for files will enable you to trace who leaked a file.
The console for the software includes a Risk Dashboard, which centralizes notifications of all threats and vulnerabilities that require investigation.
- Great user interface, simple to navigate and learn
- Highly visual reporting and real-time monitoring
- Built with compliance in mind
- Goes beyond DLP with options for actively monitoring and keylogging
- Platform tries to do it all, which can be overwhelming for those who only wish to use DLP features
- Some features like keylogging can be invasive
- Steep learning curve
Clearswift produces a range of data loss prevention tools under the umbrella brand of Adaptive DLP.
- Complete system and data protection suite
- Endpoint protection platform
- Covers email and web server
The product line is made up of seven packages:
- ARgon for Email: Monitoring of emails for data leaks.
- CIP Management Server and Agent: For endpoint activity monitoring.
- SECURE ICAP Gateway: Monitors web apps and file transfers.
- SECURE Web Gateway: Covers data access on the web.
- Information Governance: Document access control.
- SECURE Email Gateway: Protection for email servers for external mail.
- SECURE Exchange Gateway: Protection for email servers for internal mail.
The whole suite would replace all of the other security management software that you might have because it covers all of the functions that you would usually use anti-malware and firewall systems for. Adaptive DLP protects files from unauthorized copying and keeps ownership traceable through fingerprinting.
The system filters out any malicious code as it tries to enter the network and it spots unauthorized activities both by intruders and malicious insiders.
- Features tools for email security, web interfaces, and endpoint monitoring, offering an umbrella of DLP services
- Can act as an antivirus, detection malware, attempted intrusions, and infected files
- Better suite for smaller environments that have fewer events per day
- Not the best option for enterprise-level networks
- Lacks machine learning capabilities
- Would like to see better reporting options in regards to compliance standards
This is a good option if you are having difficulty working out your DLP security strategy. When you install the software, it will present you with a list of 70 policies, which you can activate. Reading through the explanations of each will probably give you some suggestions for data control that you hadn’t even thought of.
Data Loss Prevention is part of a suite of security management tools from SecureTrust. The company also produces a SIEM tool, which is a great option for detecting and blocking intruders. These two tools can work together, although SecureTrust states that the DLP utility is efficient at detecting malicious activity by itself.
The security system scans all channels of communication for privacy violations. These include file transfer applications, email, chat apps, file sharing systems, blogs, and social media. The response mechanism of the tool automatically blocks transfers midstream. It will also identify the correspondents at each end of the data transfer. This tool includes reporting and auditing facilities that will help you prove standards compliance.
- Preloaded with over 70 different policies that can be turned on right away
- Integrates with the Clearswift SIEM tool, for more comprehensive network security
- Supports scanning across multiple channels to monitor for inappropriate file access
- Interface could be updated to be more user friendly
- Visualizations are fairly limited
- Reporting can be clunky, especially when attempting to customize certain reports
Check Point is one of the largest cybersecurity providers in the world. This company’s data loss prevention solution includes a great deal of assistance to help you get your data protection strategy in place. This is because the package includes policies, so you just have to check which of those fit with your security strategy requirements and activate them.
The remediation module of the tool takes a different approach to user activity management to that used by the other utilities in this list. Rather than alerting IT department staff of unwelcome activity and automatically shutting down the user’s account or file access, it issues a warning directly to the user.
The ethos behind this approach is to educate the user community about the rules of data access rather than trying to catch them out when they cross a line that they didn’t know about. The data usage scrutiny of the system extends to emails.
- Good for companies who want to help educate users as they attempt to access information inappropriately
- Supports major compliance standards
- Supports email scanning that can automatically restrict emails from being sent
- Interface be easily be cluttered with an excessive amount of events, making it hard to use at scale
- Warns the user directly, which isn’t always an option sysadmins want
- Would like to see better out-of-box templates and options for DLP
- Policies can be difficult to customize
The Data Loss Prevention Software Blade includes reporting and auditing for HIPAA, SOX, and PCI DSS. The tool is available on a 30-day free trial.
The Digital Guardian Endpoint DLP starts its service life by searching through-out your system for sensitive data. The tool logs those locations and tracks all events that occur at them. It is able to communicate with the Windows, Mac OS, and Linux operating systems and its tracking capabilities extend out to cloud resources. This package focuses on endpoint security. Digital Guardian produces a companion tool that hardens networks against data loss events.
The endpoint data protection system can block activities on offline computers as well as monitoring devices over the network. It will automatically block unauthorized user actions, such as the destruction, alteration, copying, or transferring of protected data. This equally prevents both insider and outsider activities.
This system is suitable for the protection of intellectual property as well as personal information. It requires the network administrator to define categories of data and assign specific protection policies to each. Enhancements to the DLP give you the option of adding encryption to data storage and transmissions.
- Simple and sleek interface keeps insight easy to read
- Balances simple visualizations with recent events
- Available for Windows, Linux, and Mac
- Agents can still work to stop access, even when offline
- As options to protect compliance data as well as company intellectual property
- Plugins can sometimes cause issues, especially the email plugins
- False positives can be excessive
You will notice from the descriptions of the other tools here that corporate data protection strategies are implemented within the DLP tool by rule bases, called “policies.” Code42 has a different system and doesn’t use policies. Despite not operating on policies, the tool does link detected problems with remediation actions.
Code42 works on data files the way a SIEM tool behaves with log files. It monitors data files, backing them up and restoring the original version should any changes be made. It also tracks every access to those data files and blocks any copy or transfer actions.
All actions on files, including those performed by Code42 are recorded, which generates the audit trail that you need for data security standards. The tool includes an analysis utility that uses event information to present exposure of internal misdeeds or intrusion threats.
- Can automatically restore files to their previous location and state
- Operates more as a SIEM tool, making it a good option for those looking for more advanced coverage and monitoring
- Can audit user access to network files and locations
- Analysis tools can help determine if actions were malicious or accidental
- Can be resource-intensive
- Has a steep learning curve than other DLP software
- Expensive, pricing based per computer
CA Data Protection controls all of your sensitive data in order to protect it. This process involves three main tasks: locating sensitive data, protecting it, and reporting on unauthorized attempts against it. This straightforward strategy is effective at preventing intruder threats, accidental damage, or internal data theft.
The tool helps you define your protection strategy through pre-written policies. The reach of this system has no boundaries – it will protect data at all of your sites and also cloud storage.
A reporting and auditing module helps you review the success of your security strategy and confirm compliance with data confidentiality standards.
- Can protect local servers as well as files located on cloud services
- Reporting feature is easy to set up
- The platform is straightforward and easy to learn
- Interface feelsantiquated
- Not a great option for larger networks
- Lacks machine learning capabilities and behavior analysis
You receive a license for your entire organization that covers all of your endpoints and sites. This tool will also protect data held on cloud servers. MyDLP will discover all of the sensitive data held by your company, log it, and protect it.
This system focuses on a user permissions service. It lists who can have access to which data and what actions each person is allowed to perform on each bit of data. The data it protects might be trade secrets, development plans, engineering drawings, accounts, or the personal data of employees and customers. It is able to monitor devices running any operating system and the software can be installed on premises or accessed online as a cloud-based service.
- Designed for the enterprise, features can scale well
- Can automatically discover sensitive data, or be manually pointed to specific permission groups, files, or directories
- Available as an on-premise solution or cloud deployment
- Could use better integration options within the Comodo ecosystem
- Steeper learning curve than similar tools
Priorities for DLP
The first and most obvious topic to deal with when trying to prevent the data your business stores is to control access to it. However, this is not your only task. In order to prove compliance with data security standards, you are going to need some evidence. So, constant transaction logging is needed, and you are going to need to store those logs for years so that they can be available for spot audits. Constant self-auditing is also necessary to ensure that security procedures are sufficiently strong.
Although failure to protect data is a setback, any leakage should not be covered up. Non-disclosure of data leakage is a big mistake. It will cause you to lose your accreditation. Data protection standards all include protocols for data loss notification and they should be followed.
Surprisingly, most organizations don’t properly track all of the locations on the system where data is stored. Staff might keep notes in documents on their desktop computers and forget to delete them; other local stores, such as contact databases can sometimes be overlooked. It is important to centralize the data storage and track access to it.
The data held by your company is a potential money earner for hackers. So, you have to properly defend your network against intrusion. However, authorized users also present a security risk. They might be tricked into passing on data to outsiders or might be motivated through resentment or greed to steal the company’s data. Preventing the copying of data onto portable devices, or printout, or sending data out through email, or a chat app is another important requirement of your DLP system.
Compliance to a data security standard is also important in order to win contracts. The public sector is very strong about protecting personal data and they ripple that priority through all of the services that they buy. So, if you don’t implement effective data loss prevention you will be locked out of the opportunity for new contracts. The need to comply with the standards of the public sector continues through the supply chain. So, even if you don’t bid for public sector contracts, your ability to do deals with businesses that do work for the public sector will be reduced.
Data loss events were once seen as an unfortunate risk. The IT industry and the legal systems of most advanced economies recognize that no IT system can ever be 100 percent secure. However, the requirements for companies to take all possible steps to prevent data disclosure have become far stricter in recent years.
Many businesses are unable to fully identify all of the locations of data storage and fixing that issue is the first step to a comprehensive data loss prevention strategy. Getting the right DLP tools is very important and you won’t be able to fully comply with the law or data security standards without them. Without standards accreditation, you will be barred from bidding for many contracts and without full data loss protection systems you run the risk of a disclosure event, which could lead to destructive prosecutions.
You run a great risk of your business being destroyed if you don’t have a data protection strategy. Data loss prevention software is no longer optional.
Data Loss Prevention Software FAQs
How can cloud computing prevent data loss?
The data loss risk is no different in cloud computing than it is with onsite infrastructure with the exception of the communication channel between your site and the cloud host.
- Locate all sensitive data
- Categorize data according to security standards requirements
- Track all access to categorized data
- Track changes to device configurations
- Monitor log file records for unexpected user behavior or unauthorized traffic
- Install all updates and patches to firmware, operating systems, and software
- Secure all access channels across the internet
What is a data loss prevention policy?
A data loss prevention policy is a set of rules and workflows laid down by your business to define how to allow access to data and protect the information that you hold. This strategy applies to working procedures, access rights management, activity monitoring procedures, reporting requirements, and disaster recovery measures.
What is a DLP alert?
A DLP alert is a system-generated message. A DLP tool monitors activities, such as data storage access and network traffic. The software will raise an alert if an activity lies outside registered acceptable behavior. The alert does not necessarily mean that a data loss event has occurred. It could identify a potential risk or a system weakness that the actions of intruders have exposed without successfully touching the target data. An alert should instigate an investigation into the necessity of adjusting security standards or taking some other preventative measures or it could indicate a security breach in progress.