What is data loss prevention?
Data loss prevention (DLP) is the control of access to the data that your company holds. A data loss prevention strategy makes sure end-users aren’t able to intentionally destroy or steal data.
It’s important to have a data loss prevention policy in place at your enterprise. Data loss prevention tools, intrusion prevention systems, system information, event management, endpoint protection, and anti-malware systems are areas of IT security that overlap.
When you come to tighten up your system protection, you will find that you don’t need one of each of these because just one will take care of many tasks, including blocking access to the system and protecting data simultaneously. With the correct policy and systems in place, you will be able to reduce or eliminate data loss incidents across your business.
Here is our list of the best data loss prevention (DLP) software & tools:
- SolarWinds Data Loss Prevention with ARM EDITOR’S CHOICE Access rights manager can be set up to help shield against accidental or malicious data loss. Can automate user access and activities through policy, respond to suspicious activity and investigate user events that could potentially compromise your systems.
- CoSoSys Endpoint Protector (ACCESS DEMO) A choice of onsite or cloud-based data loss prevention systems that protect devices running Windows, macOS, and Linux plus attached storage devices.
- CrowdStrike Falcon Device Control (FREE TRIAL) This specialized monitor for removable devices is an add-on to the endpoint detection and response systems offered by CrowdStrike. This is a cloud-based system and coordinates with endpoint agents for Windows, macOS, and Linux.
- Trustifi Outbound Shield (ACCESS DEMO) This cloud-based service integrates into your email system to provide transmission protection and sensitive data management. Integrates with a plug-in.
- ManageEngine Device Control Plus (FREE TRIAL) This system blocks unauthorized data transfers onto peripheral devices by creating a matrix of allowable devices, actions, and users. Runs on Windows and Windows Server.
- SpinOne (FREE TRIAL) This platform of SaaS data protection services offers risk assessment, ransomware protection, DLP, and compliance auditing from its cloud platform.
- Acronis Cyber Protect Cloud (FREE TRIAL) A SaaS platform of backup and system security protection services that is designed for use by managed service providers.
- ManageEngine Endpoint DLP Plus (FREE TRIAL) This package of on-premises data protection software discovers, tracks, and protects sensitive data. Available for Windows Server.
- Symantec Data Loss Prevention This system offers data protection solutions for endpoints, networks, cloud resources, and file servers from a central console. Installs on Windows Server and Linux.
- Clearswift Adaptive DLP A suite of security products for different system services that implement DLP as part of a broader protection strategy. This is a SaaS platform.
- Check Point Data Loss Prevention A suite of security products for different system services that implement DLP as part of a broader protection strategy. This is a SaaS platform.
- Teramind DLP This package focuses on user activity profiling to spot changes in behavior that could indicate malicious activity as well as sensitive data discovery. Offered as a SaaS package or a virtual appliance.
- Digital Guardian Endpoint DLP The data protection solution covers devices running Windows, macOS, and Linux. A central coordinating server operates from the cloud.
- Code42 Incydr This cloud-based service specializes in spotting insider threats and includes system preparation processes to recover from loss and destruction.
- CA Data Protection This DLP solution is designed to protect IBM z/OS mainframes and is delivered in two modules for data discovery and security policy enforcement.
- Comodo MyDLP This DLP observes activities on the web, mail, printers, removable devices to block all system exits. Runs over Hyper-V or VMWare as a virtual appliance.
The Best Data Loss Prevention Software Tools
You likely won’t get all of your data loss prevention needs fulfilled by one tool. However, many software providers produce suites of tools that fit together. There is a lot of overlap between data loss prevention, standards compliance, and data backup. You will need all of these to successfully protect and manage your company’s data.
What should you look for in data loss prevention software?
We reviewed the market for data loss protection tools and analyzed the options based on the following criteria:
- A detection system that can interact with access rights managers and firewalls to shut down data theft
- Email attachment scanning and logging
- Suitability for use for HIPAA, GDPR, SOX, and PCI DSS
- Variable controls to offer tighter scrutiny of PII usage
- Endpoint identification for both source and destination of data movements
- A free trial or money-back guarantee for a risk-free assessment
- Value for money represented by a trade-off between delivered functions and price
SolarWinds is a leading producer of IT infrastructure monitoring tools and its DLP security solution is part of its Access Rights Manager.
- Access rights manager
- Spots suspicious activity
- Automated responses
- Auditing for data protection standards compliance
- 30-day free trial
A key starting point in your data loss prevention strategy is to set a company policy on data access control. The SolarWinds Access Rights Manager supports this task by giving you clear reports on current access permissions. You then have an opportunity to set better controls, which can be implemented through the Access Rights Manager.
Ongoing monitoring keeps a constant check on data access and generates alerts whenever copies are made or data is transferred. The manager unifies user monitoring for Active Directory, Windows File Share, SharePoint, and Microsoft Exchange. This enables you to monitor the activities of a user who has displayed unusual or suspicious behavior across many communication channels.
- Is a robust solution for larger networks, supporting both DLP and permission monitoring to meet multiple compliance standards
- Integrates well into existing Active Directory environments
- Saves time by creating simple visualizations of permissions structures
- Leverages behavior analysis to identify insider threats and policy violations
- Can be paired with automation to save time on remediation, and avoid data recovery completely
- Highly detailed solution designed for sysadmins in an enterprise environment – may take time to fully explore and utilize all features
The auditing and reporting function of the Access Rights Manager supports GDPR, HIPAA, and PCI DSS compliance. The interface of the tool is very easy to use, making user access management a much simpler task. The software installs on Windows Server and you can get it on a 30-day free trial.
SolarWinds Access Rights Manager is our top pick for a data loss prevention tool because it assists you to tighten up Active Directory instances and create more finely tuned device access controls and user permissions. Once you have improved the security provided by AD, you can use the tool to monitor the behavior of each user and spot changes in activity that could signify an account takeover or a newly dissatisfied employee. Alerts and automation features draw your attention to suspicious users and implement account suspension.
Get 30 Day Free Trial: solarwinds.com/access-rights-manager
OS: Windows Server 2008 R2 or higher & AD domain
CoSoSys offers Endpoint Protector as an onsite solution, as a cloud-based service, and as a standalone software package. The onsite version will protect computers running Windows, Mac OS, and Linux. A central Endpoint Protector Server appliance communicates across the network with client software installed on each endpoint. The Server will also protect attached devices, such as digital cameras and USB sticks. The Endpoint Protector system is also available as software that implements a virtual appliance on your own server.
- Endpoint protection platform
- Appliance, on-premises software, or cloud service
- HIPAA, PCI DSS, and GDPR compliant
- Also protects attached devices
- Enforced encryption
The full Endpoint Protector system includes content protection, device control, enforced encryption, network discovery and mobile device management. A standalone version is available to protect just one endpoint per install. This is Endpoint Protector Basic and it includes the content and device protector modules of the Server version.
Those who prefer to subscribe to “software as a service” packages instead of running their own hosts and software can opt for My Endpoint Protector. This includes content protection, device control, and mobile device management. In all implementations, the system is HIPAA, PCI DSS, and GDPR compliant.
The content protection system in Endpoint Protector manages file transfers according to the policies you set. All file transfers can be blocked for specific user groups or sensitive files can be allowed to be moved as long as they meet certain criteria. Similarly, the device control system can either completely block devices from attaching to a protected endpoint or can be allowed for file transfers under specified conditions.
- Flexible multi-platform option for Windows, Linux, and Mac
- Can monitor individual files as well as single machines
- Pre-configured to monitor for HIPAA, PCI, and GDPR compliance
- Easy to implement custom rulesets
- Could benefit from a full-featured trial rather than a demo
The online version can be accessed for evaluation on a free demo.
CrowdStrike Falcon Device Control is a cloud-based service that is an add-on to Falcon Prevent or Falcon Insight. Falcon Prevent is a device-resident endpoint detection and response (EDR) service that can be installed on Windows, macOS, and Linux. Falcon Insight is an enterprise-wide coordinator for Falcon Prevent instances.
- Control on data passing onto memory sticks
- Variable security set by policies
- Block or monitor removable storage devices
When you pair Falcon Device Control with Falcon Prevent, the endpoint-resident Prevent communicates with the Device Control service in the cloud. When Falcon Device Control is deployed alongside Falcon Insight, both cloud services communicate with the on-device Prevent modules. In either configuration, the Device Control system reaches through the endpoint to implement data exfiltration controls on peripheral devices.
It is very easy to disable USB ports entirely. However, this approach is not always suitable. For example, USB ports can be used for many features, not just for removable storage. You might want to keep USB ports active but just control what data passes over them.
The question of data movement is not an all-or-nothing decision either. You could allow certain types of data to be moved onto USB devices while blocking more important data collections from being moved. So, the control of USB devices needs to be finely tuned.
With Falcon Device Control you get to specify which types of devices can be connected or, more easily, define which device types are banned. The controls extend to user access controls, so you can allow some users or user groups to use USB devices while blocking all others.
The software for Falcon Device Control is able to identify and document all devices as they are connected to a USB port on an endpoint. You can install this software on all of your endpoints and nominate one device to host the server. Thus, you get all activity reports for all devices forwarded to one dashboard for consolidated reporting.
- Distributed implementation
- Centralized dashboard
- The possibility to block certain types of devices
- The ability to interface with access rights managers
- Fast local controls
- The Falcon family doesn’t include controls over other channels of data exfiltration, such as email attachments.
CrowdStrike Falcon Device Control is an extra service that can be added to a subscription to the Falcon Pro, Falcon Enterprise, Falcon Premium, and Falcon Complete packages. The endpoint agents for this solution install on Windows, macOS, and Linux. You can get a 15-day free trial of the software.
Trustifi Outbound Shield is a secure, hosted file service that focuses on protecting email content. When a user wants to send a secure message, the contents of that message are uploaded to the Trustifi server. All that gets sent in the email body is a link to access the message. Within the Trustifi environment, recipients get the opportunity to reply and that text is also kept on the Trustifi server. This is like a chat system where responses are all grouped together in a conversation.
- Secure email content storage
- Sensitive data management
The Trustifi software doesn’t automatically secure all emails – only those that have sensitive data in them. The Trustifi system scans each email before it is sent and identifies sensitive data.
In order to get the system working for your business, you need to configure your Trustifi account, specifying your security policies. These are available as templates to implement specific data protection rules, such as those designated by PCI DSS, HIPAA, or GDPR. There are also templates where you can specify protection for specific types of data without needing to name a data protection standard. It is also possible to define your own protection rules. The Trustifi system is able to protect intellectual property as well as third-party information.
Access controls for email contents can be set by the administrator for sensitive data categories or by the sender per email. These can block the recipient from copying or saving the data. It is also possible to prevent recipients from forwarding emails that contain sensitive data. Access to specific emails can also be revoked for specified recipients.
Administrator tools in the Trustifi platform include a risk analysis feature that shows which user accounts handle more sensitive data than others and also spots users who display risky behavior in data sharing.
- Selective protection that only applies to email content that includes sensitive data
- The ability to enforce privileges per data category
- User controls over recipient privileges
- Blocks on recipient actions
- Would prefer a free trial
If Trustifi’s email data loss prevention strategy interests you, contact the company to get a quote and access the free demo.
You might want to allow staff to copy files onto removable media, such as USB memory sticks. However, this is one of the main ways that employees can steal data. This situation presents a dilemma. You want to keep the system secure without blocking normal and acceptable working practices.
- Whitelist for acceptable devices
- Variable controls on different data types
- Compliance enforcement
The solution to managing the use of peripheral devices for data carriage is to control the access of devices rather than disable them entirely. ManageEngine Device Control Plus offers a way to implement a range of security controls for peripheral devices.
This device management system lets you define a security policy and then it translates those requirements into manageable controls. For example, you can allow a list of approved devices to attach to endpoints and you can also set a file size limit, or a total data transfer limit, to account for acceptable office use of peripheral devices. It is also possible to block the copying of data from some sources while allowing other types of data to be transferred to memory sticks. If you follow data security standards, such as HIPAA or PCI DSS, you need to pay particular attention to personally identifiable information (PII).
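The kind of policy described above (approved devices, a per-file size limit, a total transfer limit, and protected data sources) can be modelled as follows. This is an added example, not ManageEngine's code or configuration format; the class, field names, device serials, paths and limits are all hypothetical.

```python
import posixpath
from dataclasses import dataclass, field

MIB = 1024 * 1024


@dataclass
class DevicePolicy:
    """Hypothetical removable-media policy; not Device Control Plus's own model."""
    approved_serials: frozenset      # allowlist of device serial numbers
    max_file_bytes: int              # per-file size limit
    max_total_bytes: int             # total transfer limit per (user, device)
    protected_dirs: tuple            # directories that must never be copied out
    transferred: dict = field(default_factory=dict)   # (user, serial) -> bytes copied
    audit_log: list = field(default_factory=list)     # every attempt, allowed or not

    def _is_protected(self, source_path):
        # Normalize first so "../" segments cannot step around the prefix check.
        norm = posixpath.normpath(source_path)
        return any(norm == d or norm.startswith(d.rstrip("/") + "/")
                   for d in self.protected_dirs)

    def evaluate(self, user, serial, source_path, size):
        """Return (allowed, reason) for one copy attempt and record it."""
        key = (user, serial)
        used = self.transferred.get(key, 0)
        if serial not in self.approved_serials:
            verdict = (False, "device not on allowlist")
        elif self._is_protected(source_path):
            verdict = (False, "source is a protected data store")
        elif size > self.max_file_bytes:
            verdict = (False, "file exceeds per-file limit")
        elif used + size > self.max_total_bytes:
            verdict = (False, "total transfer limit reached")
        else:
            self.transferred[key] = used + size
            verdict = (True, "allowed")
        # Denied attempts are logged too: standards audits need both outcomes.
        self.audit_log.append((user, serial, source_path, size) + verdict)
        return verdict


def run_demo():
    """Evaluate a constructed sequence of copy attempts against one policy."""
    policy = DevicePolicy(
        approved_serials=frozenset({"USB-0001"}),     # constructed serial
        max_file_bytes=10 * MIB,
        max_total_bytes=25 * MIB,
        protected_dirs=("/srv/hr",),                  # constructed PII location
    )
    attempts = [                                      # constructed sample events
        ("alice", "USB-0001", "/home/alice/slides.pptx", 8 * MIB),
        ("alice", "USB-9999", "/home/alice/slides.pptx", 1 * MIB),
        ("alice", "USB-0001", "/srv/hr/payroll.csv", 1 * MIB),
        ("alice", "USB-0001", "/home/alice/../../srv/hr/payroll.csv", 1 * MIB),
        ("alice", "USB-0001", "/home/alice/video.mp4", 12 * MIB),
        ("alice", "USB-0001", "/home/alice/a.zip", 9 * MIB),
        ("alice", "USB-0001", "/home/alice/b.zip", 9 * MIB),
    ]
    verdicts = [policy.evaluate(*a) for a in attempts]
    return verdicts, policy


if __name__ == "__main__":
    for entry in run_demo()[1].audit_log:
        print(entry)
```
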
The Device Control Plus system is very easy to use and it includes guidance points to assist those who are not security experts. The system also logs all data access events and copying attempts, which is a necessary feature for those following data security standards.
- Great user interface – easy to navigate
- Balances visualizations alongside recent event insights nicely
- Supports hardware lockdown options to restrict removable media
- Custom security policies are easy to define
- Can scan systems for PHI content
- Could benefit from a full-featured trial rather than a demo
Device Control Plus installs on Windows and Windows Server. ManageEngine offers the system on a 30-day free trial.
SpinOne from Spin.ai is a SaaS service that integrates with three widely-used SaaS business services – Microsoft 365, Google G Suite (Google Workspace), and Salesforce. The tool’s main aim is to provide for SaaS platforms the EDR protection that on-premises resources enjoy. The SpinOne service is offered in editions, each specialized in one of those three productivity platforms.
- Ransomware protection
- Risk assessment
- User behavior tracking
The SpinOne strategy offers three strands of data protection. The first of these is data backup to enable recovery from accidental or intentional destruction of data. The second is sensitive data protection, which tracks user activities around specific files and folders that contain sensitive data, and the third is a risk assessment service that checks on application dependencies, monitoring which third-party software attaches to the platform for data access.
The need for data loss protection is particularly important because of the existence of data privacy standards. The SpinOne platform includes compliance auditing and reporting systems so that you can get regulatory benefits from this service.
SpinOne integrates AI-based machine learning techniques in its activity anomaly detection services. The tool watches over access to sensitive data stores and builds up profiles of typical activity for each user account. This baseline of acceptable behavior provides a reference for the anomaly detection system. This enables SpinOne to identify insider threats and account takeover incidents.
The SpinOne detection and response service is intelligent enough to control access to productivity suites and their related data stores without hindering users or generating excessive warnings. The constant AI-based fine-tuning of warning thresholds means that the service gets increasingly accurate during its service life and provides better performance than a system that uses out-of-the-box detection rules.
- AI-based user behavior analysis
- Application risk assessment
- Data backup and recovery
- Insider threat and account takeover protection
- Only protects three specific cloud platforms
Spin.ai doesn’t publish a price list for its SpinOne editions. However, you can begin your contact with the service by accessing a 15-day free trial of SpinOne for G Suite, SpinOne for Microsoft 365, or SpinOne for Salesforce.
Acronis Cyber Protect Cloud is a package of system protection measures that includes extensive data protection systems. The Acronis system is tailored for use by managed service providers (MSPs) and is delivered from a hosted SaaS platform. The Acronis Cyber Protect Cloud service offers a list of services that can be added to an MSP’s client account. Thus, these are sell-through services that provide extra income streams.
Acronis supplies marketing material and training guides to help MSPs sell the services in the package to their clients. Screens can also be white-labeled and the package includes consultancy and analysis tools to increase earning opportunities.
Acronis Cyber Protect Cloud isn’t an RMM package. It specifically focuses on security services and Acronis has organized integrations with the major RMM and PSA systems so it can be delivered seamlessly from an MSP’s existing operating consoles.
- Backup and recovery
- Data loss prevention
Services in the Acronis Cyber Protect Cloud package include a backup and recovery service that can operate on both a file-level basis and as a full disk backup option. This allows MSPs to structure custom solutions for their clients, including cloud storage space.
The package offers antimalware that operates on endpoints and also attaches to specific system-wide applications, such as email and data transfer services. The antimalware system also extends to a synching and file sharing service that is built into the Acronis package of services. File infection scans are integrated into both data uploads for backup and data recovery procedures.
Threat detection is organized through an AI-based baselining system for behavior anomaly tracking. Acronis also provides an in-house threat intelligence feed and includes an internal attack logging and tracking system for each account. Event remediation such as recovery from ransomware can be triggered automatically and run as a series of operations through playbooks, which include data recovery.
The intelligence and analysis features in the Acronis platform are useful for security analysts and human threat support technicians. There is also a system security auditing toolbox in the service that enables MSPs to offer high-value services to clients. The package is suitable for use by Security Operations Centers as well as regular system support MSPs.
- A cloud-based package with storage options
- Multi-tenant architecture for MSPs
- Backup and recovery automation integrated into malware remediation
- Variable controls for on-selling security services
- Isn’t a full RMM package
Acronis Cyber Protect Cloud can be assessed with a 30-day free trial.
ManageEngine Endpoint DLP Plus is a complete data protection package that identifies the locations of sensitive data, classifies it, tracks access to it, and blocks its movement. This is a networked service, so you install it on one endpoint and it will reach out to the other computers on the network. The system can also be used to protect multiple sites.
- Data discovery and classification
- Data movement tracking
- Insider threat prevention
Sensitive data discovery is guided by templates. The setup for a DLP can be quite laborious because you need to specify details about the type of data that needs to be tracked and who can do what to each category of data. The template library simplifies that process by tuning the system to conform to a particular data security standard.
Data detection and classification uses a number of identification techniques, including fingerprinting, which can spot combinations of data fields that individually have no significance but have importance when stored in proximity.
The insider threat prevention system in the Endpoint DLP Plus package tracks users who access sensitive data stores and logs their activity. Analysis of these records will enable you to spot where access rights are too lax and point to how that should be tightened. The data movement prevention extends to email content scanning and attachment controls plus connected device management and monitors that watch the movements of data between sites and cloud services.
The DLP package includes an interesting approach to data-handling applications. This assesses the risk of each system on an endpoint and its use of sensitive data. The administrator can then nominate specific software for data access and it will then prevent data from being exported from these trusted applications out to unauthorized systems.
The ManageEngine system includes solutions for BYOD because it containerizes data that passes onto user-owned devices. This means that corporate data does not get stored on externally-managed devices and access to it is blocked once the device leaves the company network.
- Email controls that block communications to blacklisted domains
- Data containerization for BYOD access
- Trusted software identification
- No cloud version
ManageEngine Endpoint DLP Plus is an on-premises package for Windows Server. It is available in two versions: Free and Professional. The Free package is limited to monitoring 25 endpoints. The Professional version will cover an entire network and it can be extended to monitor multiple sites from one location. The Professional edition is offered for a 30-day free trial.
The Symantec Data Loss Prevention solution from Broadcom is a modular platform with protection services that you assemble to get the complete protection service for your system. Whichever of these elements you choose, you end up with a single console to manage and monitor the security system.
The four elements to the DLP system are:
- Symantec DLP for Endpoint
- Symantec DLP for Network
- Symantec DLP for Storage
- Symantec DLP Cloud Services
Symantec’s DLP solution combines user activity tracking with data risk controls. It can monitor data held on servers, desktops, mobile devices, and in cloud storage. An initial sweep on installation identifies all locations that hold sensitive data and gives you the option to remove it all to a central management server, secure data repository or secure it in place. You receive templates and workflows for compliance with HIPAA, GDPR, and PCI DSS standards.
- User activity tracking
- Encryption protection
- HIPAA, GDPR, and PCI DSS compliant
The tool logs all access to sensitive data and tracks those accounts that have raised alerts. Sensitive documents are encrypted and can only be seen by authorized users. The tool also makes sure that discarded copies and retired documents are completely destroyed, leaving no recoverable versions in memory. All copies are tracked and kept secure even when sent out to remote locations or onto user-owned mobile devices.
The Symantec DLP contains documents with sensitive data by using encryption and it identifies the intended recipients by fingerprinting every copy. This encryption and access identification are paired with data movement and copy restrictions. This enables you to block files and data from being attached to emails or transferred over the network or the internet.
The Symantec DLP system is part of its endpoint protection system. This searches for intrusion and malicious software, which could compromise your data privacy. This system includes the monitoring of software that is not authorized by the business but is installed on the same device as sensitive data – a situation that is particularly common in the case of the use of user-owned devices for access to company data.
- Combines DLP with user activity tracking, giving it additional functionality
- Automatic scanning can map out sensitive locations where data is stored
- Offers pre-built templates and workflows for major compliance standards, offering good out-of-the-box functionality
- Supports file integrity monitoring through a fingerprinting system
- Could integrate better with other Symantec tools
The software for the Symantec DLP suite’s server installs on Windows Server, CentOS, and Oracle Linux. Endpoint agents are available for Windows and macOS.
Clearswift produces a range of data loss prevention tools under the umbrella brand of Adaptive DLP.
- Complete system and data protection suite
- Endpoint protection platform
- Covers email and web server
The product line is made up of six packages:
- ARgon for Email: Monitoring of emails for data leaks
- Endpoint Data Loss: For endpoint activity monitoring
- Secure ICAP Gateway: Monitors web apps and file transfers
- Secure Web Gateway: Covers data access on the web
- Secure Email Gateway: Protection for email servers for external mail
- Secure Exchange Gateway: Protection for email servers for internal mail
The whole suite would replace all of the other security management software that you might have because it covers all of the functions that you would usually use anti-malware and firewall systems for. Adaptive DLP protects files from unauthorized copying and keeps ownership traceable through fingerprinting.
The system filters out any malicious code as it tries to enter the network and it spots unauthorized activities both by intruders and malicious insiders.
- Features tools for email security, web interfaces, and endpoint monitoring, offering an umbrella of DLP services
- Can act as an antivirus, detecting malware, attempted intrusions, and infected files
- Better suite for smaller environments that have fewer events per day
- Not the best option for enterprise-level networks
- Lacks machine learning capabilities
- Would like to see better reporting options in regards to compliance standards
The Endpoint Data Loss unit also includes device control features for managing removable storage and other attachable devices. The Clearswift service from HelpSystems is a SaaS platform. You can access a demo to discover the package.
Check Point is a major provider of cybersecurity systems and it integrates data loss prevention into its firewall and edge services products. These are:
- Quantum Network Security – a range of hardware appliances
- CloudGuard Cloud Network Security – a cloud-based firewall service to protect sites and cloud resources
- Harmony Connect – a secure access service edge (SASE) that creates a protected virtual network
These three options mean that you don’t install the DLP service as a software package on your server. Instead, it runs on a network appliance or on the Check Point servers.
- Deployment choices
- Integrates with other security packages
- Monitors data movements
Having an external, network-based viewpoint, the Check Point service doesn’t examine activity on endpoints. Instead, its strategy is to examine every channel for data movement, which includes file transfer systems, chat and messaging services, email, and other Web utilities.
On discovering a potential data leak, the Check Point DLP doesn’t notify the IT Operations team but sends an alert to the user involved in the event. This approach assumes that the user accidentally disclosed the data or that a user account has been hijacked. The ethos here is to educate users to be responsible for their actions. It also makes the system more accessible to smaller businesses that don’t have an IT department.
- Useful for businesses that want to help educate users as they attempt to access information inappropriately
- Implements email scanning that can automatically block emails from being sent
- Supports major compliance standards
- Warns the user directly, which isn’t always an option sysadmins want
- Policies can be difficult to customize
Like most DLP systems, the enforcement rules in this service are called “policies.” These are specifications that identify the types of data that are to be classified as “sensitive” and specify which users can have access to those data points. Check Point’s DLP tool is shipped with a library of policies, which you can adapt. It is also possible to create your own policies. However, the library is organized into sets that categorize data according to the major data protection standards, such as HIPAA, SOX, and PCI DSS.
Your buyer’s journey for the Check Point DLP depends on which Check Point service you think would be most appropriate for your needs because the DLP isn’t sold as a standalone service. You can get a look at how the DLP works with a live demo.
Teramind DLP will help you to be compliant with GDPR, HIPAA, ISO 27001, and PCI DSS. The tool starts off by searching your entire system for sensitive data. The search follows typical data formats, such as Social Security or credit card numbers. It also uses OCR and natural language processing to scan all documents. It then prioritizes those that contain personally identifiable information, personal financial data, and personal health information. Scans to spot new instances of these data categories continue during the software’s service life.
- System audit
- GDPR, HIPAA, ISO 27001, and PCI DSS compliant
- Ongoing risk assessment
The package includes templates for data security policies that will help you set your DLP strategy. This tool has two focuses: insider threats and data security. The user tracking functions cover activities on websites, applications, and on the network. It monitors emails and also includes a keystroke logger for special scrutiny.
Overall system activity is measured to establish a baseline of normal behavior. This is a typical strategy of intrusion detection systems so it will identify external as well as internal threats.
Data protection measures include clipboard monitoring and blocking. A fingerprinting system for files will enable you to trace who leaked a file.
The console for the software includes a Risk Dashboard, which centralizes notifications of all threats and vulnerabilities that require investigation.
- Great user interface, simple to navigate and learn
- Highly visual reporting and real-time monitoring
- Built with compliance in mind
- Goes beyond DLP with options for actively monitoring and keylogging
- Platform tries to do it all, which can be overwhelming for those who only wish to use DLP features
- Some features like keylogging can be invasive
- Steep learning curve
Teramind DLP is delivered as a SaaS platform. It is also possible to get a software package if you prefer to host the system yourself. The self-hosted system runs on a VMware ESXi or Microsoft Hyper-V hypervisor. The cloud version requires an agent to be installed on your site. This is available for Windows, Windows Server, macOS, Citrix XenApp, and VMware Horizon.
The Digital Guardian Endpoint DLP starts its service life by searching throughout your system for sensitive data. The tool logs those locations and tracks all events that occur at them. It is able to communicate with the Windows, macOS, and Linux operating systems, and its tracking capabilities extend out to cloud resources. This package focuses on endpoint security. Digital Guardian produces a companion tool that hardens networks against data loss events.
- Operates on Windows, macOS, and Linux
- Protects intellectual property as well as PII
- Endpoint-resident element
The endpoint data protection system can block activities on offline computers as well as monitoring devices over the network. It will automatically block unauthorized user actions, such as the destruction, alteration, copying, or transferring of protected data. This equally prevents both insider and outsider activities.
This system is suitable for the protection of intellectual property as well as personal information. It requires the network administrator to define categories of data and assign specific protection policies to each. Enhancements to the DLP give you the option of adding encryption to data storage and transmissions.
- Simple and sleek interface keeps insight easy to read
- Balances simple visualizations with recent events
- Available for Windows, Linux, and Mac
- Agents can still work to stop access, even when offline
- Has options to protect compliance data as well as company intellectual property
- Plugins can sometimes cause issues, especially the email plugins
- False positives can be excessive
You can assess Digital Guardian Endpoint DLP by requesting a demo.
You will notice from the descriptions of the other tools here that corporate data protection strategies are implemented within the DLP tool by rule bases, called “policies.” Code42 has a different system and doesn’t use policies. Despite not operating on policies, the tool does link detected problems with remediation actions.
- Insider threat protection
- Data file protection
- Tracks user activity
Code42 works on data files the way a SIEM tool behaves with log files. It monitors data files, backing them up and restoring the original version should any changes be made. It also tracks every access to those data files and blocks any copy or transfer actions.
All actions on files, including those performed by Code42, are recorded, which generates the audit trail that you need for data security standards. The tool includes an analysis utility that uses event information to expose internal misdeeds or intrusion threats.
- Can automatically restore files to their previous location and state
- Operates more as a SIEM tool, making it a good option for those looking for more advanced coverage and monitoring
- Can audit user access to network files and locations
- Analysis tools can help determine if actions were malicious or accidental
- Can be resource-intensive
- Has a steeper learning curve than other DLP software
- Expensive, pricing based per computer
CA Data Protection controls all of your sensitive data in order to protect it. This process involves three main tasks: locating sensitive data, protecting it, and reporting on unauthorized attempts against it. This straightforward strategy is effective at preventing intruder threats, accidental damage, or internal data theft.
- Data discovery and classification
- Compliance management
- Storage-based protection
The CA Data Protection system is composed of two modules. The first of these is CA Data Content Discovery – a sensitive data discovery and classification system. The definition of sensitive data depends on the data protection standard that you have to follow. This definition is governed by the second CA unit that you are going to need – the CA Compliance Event Manager.
The CA Compliance Event Manager tool helps you define your protection strategy through pre-written policies. The reach of this system has no boundaries – it will protect data at all of your sites and also cloud storage.
A reporting and auditing module helps you review the success of your security strategy and confirm compliance with data confidentiality standards.
- Can protect local servers as well as files located on cloud services
- Reporting feature is easy to set up
- The platform is straightforward and easy to learn
- Lacks machine learning capabilities and behavior analysis
The CA DLP solution offers file integrity monitoring, intrusion protection, and insider threat detection.
You receive a license for your entire organization that covers all of your endpoints and sites. This tool will also protect data held on cloud servers. MyDLP will discover all of the sensitive data held by your company, log it, and protect it. Comodo MyDLP is a site-based data protection system that can be tailored to enforce data protection standards compliance.
- Monitors endpoint activity across a network
- Tracks activity on cloud platforms
- File protection strategy
This system focuses on a user permissions service. It lists who can have access to which data and what actions each person is allowed to perform on each bit of data. The data it protects might be trade secrets, development plans, engineering drawings, accounts, or the personal data of employees and customers. It is able to monitor devices running any operating system and the software can be installed on premises or accessed online as a cloud-based service.
- Designed for the enterprise, features can scale well
- Can automatically discover sensitive data, or be manually pointed to specific permission groups, files, or directories
- Available as an on-premise solution or cloud deployment
- Could use better integration options within the Comodo ecosystem
- Steeper learning curve than similar tools
MyDLP installs on a hypervisor and it will operate over VMware or Hyper-V. You can assess the system by requesting a demo.
Priorities for DLP
The first and most obvious topic to deal with when trying to protect the data your business stores is to control access to it. However, this is not your only task. In order to prove compliance with data security standards, you are going to need some evidence. So, constant transaction logging is needed, and you are going to need to store those logs for years so that they can be available for spot audits. Constant self-auditing is also necessary to ensure that security procedures are sufficiently strong.
Although failure to protect data is a setback, any leakage should not be covered up. Non-disclosure of data leakage is a big mistake. It will cause you to lose your accreditation. Data protection standards all include protocols for data loss notification and they should be followed.
Surprisingly, most organizations don’t properly track all of the locations on the system where data is stored. Staff might keep notes in documents on their desktop computers and forget to delete them; other local stores, such as contact databases can sometimes be overlooked. It is important to centralize the data storage and track access to it.
The data held by your company is a potential money earner for hackers. So, you have to properly defend your network against intrusion. However, authorized users also present a security risk. They might be tricked into passing on data to outsiders or might be motivated through resentment or greed to steal the company’s data. Preventing data from being copied onto portable devices, printed out, or sent out through email or a chat app is another important requirement of your DLP system.
Compliance with a data security standard is also important in order to win contracts. The public sector is very strict about protecting personal data, and it ripples that priority through all of the services that it buys. So, if you don’t implement effective data loss prevention you will be locked out of the opportunity for new contracts. The need to comply with the standards of the public sector continues through the supply chain. So, even if you don’t bid for public sector contracts, your ability to do deals with businesses that do work for the public sector will be reduced.
Data loss events were once seen as an unfortunate risk. The IT industry and the legal systems of most advanced economies recognize that no IT system can ever be 100 percent secure. However, the requirements for companies to take all possible steps to prevent data disclosure have become far stricter in recent years.
Many businesses are unable to fully identify all of the locations of data storage and fixing that issue is the first step to a comprehensive data loss prevention strategy. Getting the right DLP tools is very important and you won’t be able to fully comply with the law or data security standards without them. Without standards accreditation, you will be barred from bidding for many contracts and without full data loss protection systems you run the risk of a disclosure event, which could lead to destructive prosecutions.
You run a great risk of your business being destroyed if you don’t have a data protection strategy. Data loss prevention software is no longer optional.
Data Loss Prevention Software FAQs
How can cloud computing prevent data loss?
The data loss risk is no different in cloud computing than it is with onsite infrastructure with the exception of the communication channel between your site and the cloud host.
- Locate all sensitive data
- Categorize data according to security standards requirements
- Track all access to categorized data
- Track changes to device configurations
- Monitor log file records for unexpected user behavior or unauthorized traffic
- Install all updates and patches to firmware, operating systems, and software
- Secure all access channels across the internet
What is a data loss prevention policy?
A data loss prevention policy is a set of rules and workflows laid down by your business to define how to allow access to data and protect the information that you hold. This strategy applies to working procedures, access rights management, activity monitoring procedures, reporting requirements, and disaster recovery measures.
What is a DLP alert?
A DLP alert is a system-generated message. A DLP tool monitors activities, such as data storage access and network traffic. The software will raise an alert if an activity lies outside registered acceptable behavior. The alert does not necessarily mean that a data loss event has occurred. It could identify a potential risk or a system weakness that the actions of intruders have exposed without successfully touching the target data. An alert should instigate an investigation into the necessity of adjusting security standards or taking some other preventative measures, or it could indicate a security breach in progress.