What is data loss prevention?
Data Loss Prevention (DLP) is the control of access to the data that your company holds. A data loss prevention strategy makes sure end-users aren’t able to intentionally destroy or steal data.
It’s important to have a data loss prevention policy in place at your enterprise. This can cover: data loss prevention tools, intrusion prevention systems, system information, event management, endpoint protection, and anti-malware systems are areas of IT security that overlap.
When you come to tighten up your system protection, you will find that you don’t need one of each of these because just one will take care of many tasks, including blocking access to the system and protecting data simultaneously. With the correct policy and systems in place, you will be able to reduce or eliminate data loss incidents across your business.
Here is our list of the best data loss prevention (DLP) software & tools:
- SolarWinds Data Loss Prevention with ARM EDITOR’S CHOICE Access rights manager can be set up to help shield against accidental or malicious data loss. Can automate user access and activities through policy, respond to suspicious activity and investigate user events that could potentially compromise your systems. Start a 30-day free trial.
- CoSoSys Endpoint Protector (ACCESS DEMO) A choice of onsite or cloud-based data loss prevention systems that protect devices running Windows, macOS, and Linux plus attached storage devices.
- Cyberhaven (ACCESS DEMO) This SaaS package is a data discovery and classification service that examines data flows rather than files and databases and then blocks movements.
- ManageEngine Device Control Plus (FREE TRIAL) This system blocks unauthorized data transfers onto peripheral devices by creating a matrix of allowable devices, actions, and users. Runs on Windows and Windows Server.
- SpinOne (FREE TRIAL) This platform of SaaS data protection services offers risk assessment, ransomware protection, DLP, and compliance auditing from its cloud platform.
- Acronis Cyber Protect Cloud (FREE TRIAL) A SaaS platform of backup and system security protection services that is designed for use by managed service providers.
- ManageEngine Endpoint DLP Plus (FREE TRIAL) This package of on-premises data protection software discovers, tracks, and protects sensitive data. Available for Windows Server.
- Vembu BDR Suite (FREE TRIAL) This backup and disaster recovery package saves data from destruction or accidental loss. Available for Windows Server and Linux or as a SaaS platform. Start a 30-day free trial.
- Symantec Data Loss Prevention This system offers data protection solutions for endpoints, networks, cloud resources, and file servers from a central console. Installs on Windows Server and Linux
- Trustifi Outbound Shield This cloud-based service integrates into your email system to provide transmission protection and sensitive data management. Integrates with a plug-in.
- Fortra’s Clearswift Adaptive DLP A suite of security products for different system services that implement DLP as part of a broader protection strategy. This is a SaaS platform.
- Check Point Data Loss Prevention A suite of security products for different system services that implement DLP as part of a broader protection strategy. This is a SaaS platform.
- ThreatLocker This cloud platform of security services has a combination of modules that helps to protect data against theft. Data corruption is also guarded against.
- CrowdStrike Falcon Device Control This specialized monitor for removable devices is an add-on to the endpoint detection and response systems offered by CrowdStrike. This is a cloud-based system and coordinates with endpoint agents for Windows, macOS, and Linux.
- Teramind DLP This package focuses on user activity profiling to spot changes in behavior that could indicate malicious activity as well as sensitive data discovery. Offered as a SaaS package or a virtual appliance.
- Digital Guardian Endpoint DLP The data protection solution covers devices running Windows, macOS, and Linux. A central coordinating server operates from the cloud.
- Code42 Incydr This cloud-based service specializes in spotting insider threats and includes system preparation processes to recover from loss and destruction.
- Comodo MyDLP This DLP observes activities on the web, mail, printers, removable devices to block all system exits. Runs over Hyper-V or VMWare as a virtual appliance.
The Best Data Loss Prevention Software Tools
You likely won’t get all of your data loss prevention needs fulfilled by the one tool. However, many software providers produce suites of tools that fit together. There is a lot of overlap between data loss prevention, standard compliance, and data backup. You will need all of these to successfully protect and manage your company’s data.
What should you look for in data loss prevention software?
We reviewed the market for data loss protection tools and analyzed the options based on the following criteria:
- A detection system that can interact with access rights managers and firewall to shut down data theft
- Email attachment scanning and logging
- Suitability for use for HIPAA, GDPR, SOX, and PCI DSS
- Variable controls to offer tighter scrutiny of PII usage
- Endpoint identification for both source and destination of data movements
- A free trial or money-back guarantee for a risk-free assessment
- Value for money represented by a trade-off between delivered functions and price
1. SolarWinds Data Loss Prevention with ARM (FREE TRIAL)
SolarWinds is a leading producer of IT infrastructure monitoring tools and its DLP security solution is part of its Access Rights Manager.
Key Features:
- Access rights manager
- Spots suspicious activity
- Automated responses
- Auditing for data protection standards compliance
- 30-day free trial
Why do we recommend it?
The SolarWinds Access Rights Manager focuses on the fact that you probably already have access to your sensitive data protected by credentials, so the biggest for data abuse lies with the inappropriate use of valid accounts. Tighten up your AD entries and then watch how each account is used with this package.
A key starting point in your data loss prevention strategy is to set a company policy on data access control. The SolarWinds Access Rights Manager supports this task by giving you clear reports on current access permissions. You then have an opportunity to set better controls, which can be implemented through the Access Rights Manager.
Ongoing monitoring keeps a constant check on data access and generates alerts whenever copies are made or data is transferred. The manager unifies user monitoring for Active Directory, Windows File Share, SharePoint, and Microsoft Exchange. This enables you to monitor the activities of a user who has displayed unusual or suspicious behavior across many communication channels.
Who is it recommended for?
SolarWinds Access Rights Manager is a comprehensive tool that is aimed at businesses that have a large number of users and devices. Such organizations are susceptible to intrusion because of the large volume of turnover of accounts and there might be insecure abandoned accounts in Active Directory that provide a good way in for data thieves.
Pros:
- Is a robust solution for larger networks, support both DLP and permission monitoring to support multiple compliance standards
- Integrates well into existing Active Directory environments
- Saves times by creating simple visualizations of permissions structures
- Leverages behavior analysis to identify insider threats and policy violations
- Can be paired with automation to save time on remediation, and avoid data recovery completely
Cons:
- Highly detailed solution designed for sysadmins in an enterprise environment – may take time to fully explore and utilize all features
The auditing and reporting function of the Access Rights Manager supports GDPR, HIPAA, and PCI DSS compliance. The interface of the tool is very easy to use, making user access management a much simpler task. The software installs on Windows Server and you can get it on a 30-day free trial.
EDITOR'S CHOICE
SolarWinds Access Rights Manager is our top pick for a data loss prevention tool because it assists you to tighten up Active Directory instances and create more finely tuned device access controls and user permissions. Once you have improved the security provided by AD, you can use the tool to monitor the behavior of each user and spot changes in activity that could signify an account takeover or a newly dissatisfied employee. Alerts and automation features draw your attention to suspicious users and implement account suspension.
Get 30 Day Free Trial: solarwinds.com/access-rights-manager
OS: Windows Server 2008 R2 or higher & AD domain
Related post: File Activity Monitoring Software
2. CoSoSys Endpoint Protector (GET DEMO)
CoSoSys offers a is Endpoint Protector as an onsite solution, as a cloud-based service, and as a standalone software package. The onsite version will protect computers running Windows, Mac OS, and Linux. A central Endpoint Protector Server appliance communicates across the network with client software installed on each endpoint. The Server will also protect attached devices, such as digital cameras and USB sticks. The Endpoint protector system is also available as software that implements a virtual appliance on your own server.
Key Features:
- Endpoint protection platform
- Appliance, on-premises software, or cloud service
- HIPAA, PCI DSS, and GDPR compliant
- Also protects attached devices
- Enforced encryption
Why do we recommend it?
CoSoSys Endpoint Protector operates like an XDR because it operates on each device and then centralizes local intelligence in one server as well. Interactions between these two detection levels spread track actions that could spread around the network while also being able to reach down to physical interfaces on reach computer to block unauthorized data transfers.
The full Endpoint Protector system includes content protection, device control, enforced encryption, network discovery and mobile device management. A standalone version is available to protect just one endpoint per install. This is Endpoint Protector Basic and it includes the content and device protector modules of the Server version.
Those who prefer to subscribe to “software as a service” packages instead of running their own hosts and software can opt for My Endpoint Protector. This includes content protection, device control, and mobile device management. In all implementations, the system is HIPAA, PCI DSS, and GDPR compliant.
The content protection system in Endpoint Protector manages file transfers according to the policies you set. All file transfers can be blocked for specific user groups or sensitive files can be allowed to be moved as long as they meet certain criteria. Similarly, the device control system can either completely block devices from attaching to a protected endpoint or can be allowed for file transfers under specified conditions.
Who is it recommended for?
CoSoSys appeals to a broad audience because it has covered just about every deployment strategy that any business could want. The cloud-based SaaS option will appeal to businesses with multiple sites and remote users, while the on-premises option is good for businesses that don’t want to interact with external systems to protect a LAN.
Pros:
- Flexible multi-platform option for Windows, Linux, and Mac
- Can monitor individual files as well as single machines
- Pre-configured to monitor for HIPAA, PIC, and GDPR compliance
- Easy to implement custom rulesets
Cons:
- Could benefit from a full-featured trial rather than a demo
The online version can be accessed for evaluation on a free demo.
3. Cyberhaven (ACCESS DEMO)
Cyberhaven starts with the fact that all system access, applications that store data, and file servers all require user credentials for access, so data loss is only going to be implemented by authorized users. Ultimately, that means insider threats or account takeover. So, there isn’t any point in protecting data stores, it is unusual account activity that indicates an attack.
Key Features:
- Data transfer monitoring
- Rapid data classification
- Blocks on data movements
Why do we recommend it?
Cyberhaven relies on your user accounts being secure and granular. It focuses on looking for anomalous behavior in data movement activity. This reveals an insider threat or an account takeover and the system blocks those transfers. The strategy is innovative and might worry some administrators who want to protect files instead.
You already have a list of users that are allowed to access specific types of sensitive data. For example, the accounts department staff can’t access HR records and vice versa. So, when you set up Cyberhaven, it knows who is allowed to access what types of data and where they are allowed to send it.
Cyberhaven watches data movements to and from your on-site applications and cloud SaaS accounts and scans for sensitive data. The system is able to detect a wide range of sensitive data formats and if an authorized user suddenly starts to do unauthorized things with one of those types, the system blocks the data transmission.
The Cyberhaven system doesn’t completely block data movements. For example, if one authorized user transfers data to another authorized user, that’s OK. Even if a user transfers data outside of the organization, that could still be allowed. An example of this scenario would be a response to a data subject access request (DSAR). However, a client list or an internal research paper being emailed to a rival business would trigger a blocking action.
The idea of not protecting data stores directly is a little confusing because data usually travels one way or another from a data store to an application or to a user through browser access in order to be viewed or selected for forwarding. So, Cyberhaven does also monitor file and database access.
Who is it recommended for?
The Cyberhaven system is an option for any business that holds sensitive data in digital formats. This doesn’t only relate to the protection of PII but also trade secrets. Although the company’s talk of watching transfers rather than stores might worry you, you should check out the demo before making up your mind.
Pros:
- Tracks the movement of sensitive data
- Assesses each user account’s access needs
- Compares data movement destinations to approved lists
Cons:
- This is an innovative approach, which could worry some administrators
The Cyberhaven system takes a new approach to sensitive data detection and categorization but it actually doesn’t move very far from the traditional approach of scanning files. Access a demo to assess the strategy.
4. ManageEngine Device Control Plus (FREE TRIAL)
You might want to allow staff to copy files onto removable media, such as USB memory sticks. However, this is one of the main ways that employees can steal data. This situation presents a dilemma. You want to keep the system secure without blocking normal and acceptable working practices.
Key Features:
- Whitelist for acceptable devices
- Variable controls on different data types
- Compliance enforcement
Why do we recommend it?
ManageEngine Device Control Plus offers strong protection against the use of peripheral devices such as USB memory sticks as a conduit for malware. The tool also allows you to integrate the control of data movements onto peripheral devices as part o the implementation of your security policy if you have located and defined stores of sensitive data.
The solution to managing the use of peripheral devices for data carriage is to control the access of devices rather than disable them entirely. ManageEngine Device Control Plus offers a way to implement a range of security devices for peripheral devices.
This device management system lets you define a security policy and then it translates those requirements into manageable controls. For example, you can allow a list of approved devices to attach to endpoints and you can also set a file size limit, or a total data transfer limit, to account for acceptable office use of peripheral devices. It is also possible to block the copying of data from some sources while allowing other types of data to be transferred to memory sticks. If you follow data security standards, such as HIPAA or PCI DSS, you need to pay particular attention to personally identifiable information (PII).
The Device Control Plus system is very easy to use and it includes guidance points to assist those who are not security experts. The system also logs all data access events and copying attempts, which is a necessary feature for those following data security standards.
Who is it recommended for?
This tool is a useful block on malware movements from peripheral devices. It can be used as part of a data loss prevention system if you have a sensitive data discovery system in place – in the ManageEngine menu of services, you would need Data Security Plus for that function.
Pros:
- Great user interface – easy to navigate
- Balances visualizations alongside recent event insights nicely
- Supports hardware lockdown options to restrict removable media
- Custom security policies are easy to define
- Can scan systems for PHI content
Cons:
- Could benefit from a full-featured trial rather than a demo
Device Control Plus installs on Windows and Windows Server. ManageEngine offers the system on a 30-day free trial.
5. SpinOne (FREE TRIAL)
SpinOne from Spin.ai is a SaaS service that integrates with three widely-used SaaS business services – Microsoft 365, Google G Suite (Google Workspace), and Salesforce. The tool’s main aim is to provide for SaaS platforms the EDR protection that on-premises resources enjoy. The SpinOne service is offered in editions, each specialized in one of those three productivity platforms.
Key Features:
- Ransomware protection
- Risk assessment
- User behavior tracking
Why do we recommend it?
SpinOne from Spin.AI is a data loss prevention system to protect SaaS packages. If your business operates entirely with cloud-based services, such as Google Workspace, Dropbox, Microsoft 365, and Salesforce, you would need to protect sensitive data within these systems and that is the specialization of SpinOne.
The SpinOne strategy offers three strands of data protection. The first of these is data backup to enable recovery from accidental or intentional destruction of data. The second is sensitive data protection, which tracks user activities around specific files and folders that contain sensitive data, and the third is a risk assessment service that checks on application dependencies, monitoring which third part software attaches to the platform for data access.
The need for data loss protection is particularly important because of the existence of data privacy standards. The SpinOne platform includes compliance auditing and reporting systems so that you can get regulatory benefits from this service.
SpinOne integrates AI-based machine learning techniques in its activity anomaly detection services. The tool watches over access to sensitive data stores and builds up profiles of typical activity for each user account. This baseline of acceptable behavior provides a reference for the anomaly detection system. This enables SpinOne to identify insider threats and account takeover incidences.
The SpinOne detection and response service is intelligent enough to control access to productivity suites and their related data stores without hindering users or generating excessive warnings. The constant AI-based fine-tuning of warning thresholds means that the service gets increasingly accurate during its service life and provides better performance than a system that uses out-of-the-box detection rules.
Who is it recommended for?
SpinOne doesn’t have any components to protect data held on your on-premises servers, so if you use a combination of on-premises and cloud-based systems in a hybrid environment, you would only get partial protection from SpinOne. If you are all SaaS, SpinOne is ideal for your business.
Pros:
- AI-based user behavior analysis
- Application risk assessment
- Data backup and recovery
- Insider threat and account takeover protection
Cons:
- Only protects three specific cloud platforms
Spin.ai doesn’t publish a price list for its SpinOne editions. However, you can begin your contact with the service by accessing a 15-day free trial of SpinOne for G Suite, SpinOne for Microsoft 365, or SpinOne for Salesforce.
6. Acronis Cyber Protect Cloud (FREE TRIAL)
Acronis Cyber Protect Cloud is a package of system protection measures that includes extensive data protection systems. The Acronis system is tailored for use by managed service providers (MSPs) and is delivered from a hosted SaaS platform. The Acronis Cyber Protect Cloud service offers a list of services that can be added to an MSP’s client account. Thus, these are sell-through services that provide extra income streams.
Acronis supplies marketing material and training guides to help MSPs sell the services in the package to their clients. Screens can also be white-labeled and the package includes consultancy and analysis tools to increase earning opportunities.
Acronis Cyber Protect Cloud isn’t an RMM package. It specifically focuses on security services and Acronis has organized integrations with the major RMM and PSA systems so it can be delivered seamlessly from an MSP’s existing operating consoles.
Key Features:
- Backup and recovery
- Antimalware
- Data loss prevention
Why do we recommend it?
Acronis Cyber Protect Cloud is a comprehensive bundle of cybersecurity tools. The core of this package is Acronis Cyber Protect, which is produced in a number of flavors that cater to businesses, home workers, private individuals, and service providers. This bundle includes malware scanning, data backup, file integrity monitoring, threat intelligence, and user behavior analysis.
Services in the Acronis Cyber Protect Cloud package include a backup and recovery service that can operate on both a file-level basis and as a full disk backup option. This allows MSPs to structure custom solutions for their clients, including cloud storage space.
The package offers antimalware that operates on endpoints and also attaches to specific system-wide applications, such as email and data transfer services. The antimalware system also extends to a synching and file sharing service that is built into the Acronis package of services. File infection scans are integrated into both data uploads for backup and data recovery procedures.
Threat detection is organized through an AI-based baselining system for behavior anomaly tracking. Acronis also provides an in-house threat intelligence feed and includes an internal attack logging and tracking system for each account. Event remediation such as recovery from ransomware can be triggered automatically and run as a series of operations through playbooks, which include data recovery.
The intelligence and analysis features in the Acronis platform are useful for security analysts and human threat support technicians. There is also a system security auditing toolbox in the service that enables MSPs to offer high-value services to clients. The package is suitable for use by Security Operations Centers as well as regular system support MSPs.
Who is it recommended for?
The Acronis Cyber Protect Cloud version of Acronis Cyber Protect is specifically designed for use by managed service providers. It contains all of the elements of the base Cyber Protect package but delivered in a SaaS format that has a multi-tenant architecture, suitable for MSPs that are protecting the sites of their clients.
Pros:
- A cloud-based package with storage options
- Multi-tenant architecture for MSPs
- Backup and recovery automation integrated into malware remediation
- Variable controls for on-selling security services
Cons:
- Isn’t a full RMM package
Acronis Cyber Protect Cloud can be assessed with a 30-day free trial.
7. ManageEngine Endpoint DLP Plus (FREE TRIAL)
ManageEngine Endpoint DLP Plus is a complete data protection package that identifies the locations of sensitive data, classifies it, tracks access to it, and blocks its movement. This is a networked service, so you install it on one endpoint and it will reach out to the other computers on the network. The system can also be used to protect multiple sites.
Key Features:
- Data discovery and classification
- Data movement tracking
- Insider threat prevention
Why do we recommend it?
ManageEngine Endpoint DLP Plus is a package of data security tools that operate on workstations, servers, and cloud platforms. It includes data store scanning to discover sensitive data, which can be automatically tuned to specific data protection standards. Those discovered data instances are then categorized and from these definitions, the implementations of your security policies can commence. These controls extend to the monitoring of movements of sensitive data between files, between computers, onto peripheral devices, or out on emails.
Sensitive data discovery is guided by templates. The setup for a DLP can be quite laborious because you need to specify details about the type of data that needs to be tracked and who can do what to each category of data. The template library simplifies that process by tuning the system to conform to a particular data security standard.
Data detection and classification uses a number of identification techniques, including fingerprinting, which can spot combinations of data fields that, individually have no significance, but have importance when stored in proximity.
The insider threat prevention system in the Endpoint DLP Plus package tracks users who access sensitive data stores and logs their activity. Analysis of these records will enable you to spot where access rights are too lax and point to how that should be tightened. The data movement prevention extends to email content scanning and attachment controls plus connected device management and monitors that watch the movements of data between sites and cloud services.
The DLP package includes an interesting approach to data-handling applications. This assesses the risk of each system on an endpoint and its use of sensitive data. The administrator can then nominate specific software for data access and it will then prevent data from being exported from these trusted applications out to unauthorized systems.
The ManageEngine system includes solutions for BYOD because it containerizes data that passes onto user-owned devices. This means that corporate data does not get stored on externally-managed devices and access to it is blocked once the device leaves the company network.
Who is it recommended for?
This package is a bundle of other ManageEngine tools including Device Control Plus (above) and Data Security Plus. This option provides a more complete data protection service than buying individual elements. Any business that needs to implement DLP for standards compliance but has no element already in place should opt for this package. Small businesses can benefit from the Free edition of Endpoint DLP Plus, which will manage data protection on 25 endpoints. One problem with this system is that it is only able to scan endpoints running Windows or Windows Server – it cannot operate on devices running Linux or macOS.
Pros:
- Email controls that block communications to blacklisted domains
- Data containerization for BYOD access
- Trusted software identification
Cons:
- No cloud version
ManageEngine Endpoint DLP Plus is an on-premises package for Windows Server. It is available in two versions: Free and Professional. The Free package is limited to monitoring 25 endpoints. The Professional version will cover an entire network and it can be extended to monitor multiple sites from one location. The Professional edition is offered for a 30-day free trial.
8. Vembu BDR Suite (FREE TRIAL)
Vembu BDR Suite is a backup and disaster recovery service – that’s what BDR stands for. This platform offers disk imaging, file backup, and application data protection. So, this service isn’t a theft or disclosure prevention system, but a data recovery service. The platform offers different editions for different technologies. You pay for each of the types of system that you want to back up.
The choice of services from Vembu are VM backup, Server backup, Endpoint backup, Cloud productivity Suite backup, Cloud VM backup, and Applications backup. All of these packages except for the Server and Apliciatons editions offer a free tier that protects 10 assets.
Key Features:
- Disk imaging, file, and application backup
- Incremental backups
- To local devices and cloud
Why do we recommend it?
While data loss prevention often refers to systems that block the disclosure of data, the corruption or destruction of data also has to be prevented and that process requires preparation. Taking a backup of all sensitive data with Vembu BDR Suite means that unauthorized changes and deletions can be reversed easily.
The Server edition of the package will back up computers running Windows or Linux and the Endpoint edition will back up computers with those operating systems plus macOS. You can take a disk image and store that or opt for file-level backups. The VM edition works with Hyper-V and VMware and the Cloud VM edition backs up AWS or Azure. The cloud application package backs up data on Microsoft 265 and Google Workspace and the Applications edition will back up data from Active Directory, SharePoint, Exchange Server, SQL Server, and MySQL. This edition also takes the log files for those applications.
The BDR Suite packages don’t include cloud storage space for repositories, so you have to provide that yourself. The classic backup strategy is to have a local store for quick recovery and a second, remote location for security against site disasters. You can backup locally to SAN, NAS, or tape and the cloud repositories can be on AWS S3, Azure Blob Storage, Google Cloud, or Wasabi.
Who is it recommended for?
This package is priced per asset, so per host for the Server and Endpoints edition and per VM for the VM edition. This makes the system affordable for businesses of all sizes. You aren’t limited to buying just one edition. You can group together a number of editions that match the technologies that you use.
Pros:
- Choose your own storage location
- Cloud-to-cloud backup for Microsoft 365 and Google Workspace
- Deployment options are self hosting or SaaS platform
- Can be used for migration and replication
Cons:
- Storage space is not included
You can download the software for Vembu onto Windows Server or Linux and there is also a SaaS option. You can buy the on-premises software outright or choose a subscription plan for the software package or the SaaS platform. Access Vembu BDR with a 30-day free trial.
9. Symantec Data Loss Prevention
The Symantec Data Loss Prevention solution from Broadcom is a module platform with protection services that you assemble to get the complete protection service for your system. Whichever of these elements, you choose, you end up with a single console to manage and monitor the security system.
The four elements to the DLP system are:
- Symantec DLP for Endpoint
- Symantec DLP for Network
- Symantec DLP for Storage
- Symantec DLP Cloud Services
Symantec’s DLP solution combines user activity tracking with data risk controls. It can monitor data held on servers, desktops, mobile devices, and in cloud storage. An initial sweep on installation identifies all locations that hold sensitive data and gives you the option to remove it all to a central management server, secure data repository or secure it in place. You receive templates and workflows for compliance with HIPAA, GDPR, and PCI DSS standards.
Key Features:
- User activity tracking
- Encryption protection
- HIPAA, GDPR, and PCI DSS compliant
Why do we recommend it?
Symantec Data Loss Prevention from Broadcom is a well-established DLP system by a strong brand. The service is split into two products. The first of these is Symantec Data Loss Prevention Core Solution for on-premises systems. The second is Symantec Data Loss Prevention Cloud Solution, which operates more like a Zero Trust Access service for cloud-based applications. The on-premises system provides data discovery and classification and also file integrity monitoring and data movement tracking and blocking. That movement tracking involves controls on peripheral devices and emails.
The tool logs all access to sensitive data and tracks those accounts that have raised alerts. Sensitive documents are encrypted and can only be seen by authorized users. The tool also makes sure that discarded copies and retired documents are completely destroyed, leaving no recoverable versions in memory. All copies are tracked and kept secure even when sent out to remote locations or onto user-owned mobile devices.
The Symantec DLP contains documents with sensitive data by using encryption and it identifies the intended recipients by fingerprinting every copy. This encryption and access identification are paired with data movement and copy restrictions. This enables you to block files and data from being attached to emails or transferred over the network or the internet.
The Symantec DLP system is part of its endpoint protection system. This searches for intrusion and malicious software, which could compromise your data privacy. This system includes the monitoring of software that is not authorized by the business but is installed on the same device as sensitive data – a situation that is particularly common in the case of the use of user-owned devices for access to company data.
Who is it recommended for?
Symantec Data Loss Prevention Core Solution is almost identical to ManageEngine Endpoint DLP Plus. However, while the ManageEngine service only operates on endpoints running Windows, the Symantec system is able to manage sensitive data on Windows, macOS, and Linux. The Cloud Solution should be considered more as a SASE or ZTA package and compared with those categories of tools rather than the DLP systems on this list.
Pros:
- Combines DLP with user activity tracking, giving it additional functionality
- Automatic scanning can map out sensitive locations where data is stored
- Offers pre-built temples and works flow for major compliance standards, offering good out of box functionality
- Supports file integrity monitoring through a fingerprinting system
Cons:
- Could integrate better with other Symantec tools
The software for the Symantec DLP suite’s server installs on Windows Server, CentOS, and Oracle Linux. Endpoint agents are available for Windows, macOS, and Linux.
Related post: Symantec Endpoint Protection: Full Review & Rival Comparison
10. Trustifi Outbound Shield
Trustifi Outbound Shield is a secure, hosted file service that focuses on protecting email content. When a user wants to send a secure message, the contents of that message are uploaded to the Trustifi sever. All that gets sent in the email body is a link to access the message. Within the Trustifi environment, recipients get the opportunity to reply and that text is also kept on the Trustifi server. This is like a chat system where responses are all grouped together in a conversation.
Key Features:
- Secure email content storage
- Sensitive data management
Why do we recommend it?
Trustifi Outbound Shield is a proxy service that sites in the cloud and examines all outgoing emails for evidence of data transfers, either in the body of an email or as an attachment. The service provides an optional secure email system that holds the email text on its server and sends a link for access to that content to the recipient instead.
The Trustifi software doesn’t automatically secure all emails – only those that have sensitive data in them. The Trustifi system scans each email before it is sent and identifies sensitive data.
In order to get the system working for your business, you need to configure your Trustifi account, specifying your security policies. These are available as templates to implement specific data protection rules, such as those designated by PCI DSS, HIPAA, or GDPR. There are also templates where you can specify protection for specific types of data without needing to name a data protection standard. It is also possible to define your own protection rules. The Trustifi system is able to protect intellectual property as well as third-party information.
Access controls for email contents can be set by the administrator for sensitive data categories or by the sender per email. These can block the recipient from copying or saving the data. It is also possible to prevent recipients from forwarding emails that contain sensitive data. Access to specific emails can also be revoked for specified recipients.
Administrator tools in the Trustifi platform include a risk analysis feature that shows which user accounts handle more sensitive data than others and also spots users who display risky behavior in data sharing.
Who is it recommended for?
The Trustifi platform offers a number of security services for emails that include Inbound Shield, which scans incoming emails for phishing and impersonation attempts, among other checks. It makes sense to take out subscriptions to both the Inbound Shield and Outbound Shield services because they are both hosted on the same cloud server and require all of your emails in both directions to be channeled through that proxy service.
Pros:
- Selective protection that only applies to email content that includes sensitive data
- A menu of privacy policy templates
- The ability to enforce privileges per data category
- User controls over recipient privileges
- Blocks on recipient actions
Cons:
- Would prefer a free trial
If Trustifi’s email data loss prevention strategy interests you, contact the company to get a quote and access the free demo.
11. Fortra’s Clearswift Adaptive DLP
Fortra’s Clearswift produces a range of data loss prevention tools under the umbrella brand of Adaptive DLP.
Key Features:
- Complete system and data protection suite
- Endpoint protection platform
- Covers email and web server
Why do we recommend it?
Fortra Clearswift Adaptive DLP is a package of Fortra products that work together to implement enterprise-wide data protection. These modules include a secure Web gateway, to monitor Web traffic, the email DLP system, and an endpoint DLP service that watches over data stores. There is also a device control unit in this bundle. An exceptional feature of this package is that it includes a redaction system, which means that some documents that other tools on this list would block from being shared, would be let through by Clearswift, but in a redacted format.
The product line is made up of six packages:
- ARgon for Email: Monitoring of emails for data leaks
- Endpoint Data Loss: For endpoint activity monitoring
- Secure ICAP Gateway: Monitors web apps and file transfers
- Secure Web Gateway: Covers data access on the web
- Secure Email Gateway: Protection for email servers for external mail
- Secure Exchange Gateway: Protection for email servers for internal mail
The whole suite would replace all of the other security management software that you might have because it covers all of the functions that you would usually use anti-malware and firewall systems for. Adaptive DLP protects files from unauthorized copying and keeps ownership traceable through fingerprinting.
The system filters out any malicious code as it tries to enter the network and it spots unauthorized activities both by intruders and malicious insiders.
Who is it recommended for?
The option for redaction makes the Clearswift service a very good tool for managing DSAR requests. Sometimes, you have to release sensitive documents in order to comply with the right to know that is built into many data protection standards, such as GDPR, but you are only allowed to release the contents of that document that relate to the requestor, not third parties. Clearswift accounts for that situation.
Pros:
- Features tools for email security, web interfaces, and endpoint monitoring, offering an umbrella of DLP services
- Can act as an antivirus, detection malware, attempted intrusions, and infected files
- Better suite for smaller environments that have fewer events per day
Cons:
- Not the best option for enterprise-level networks
- Lacks machine learning capabilities
- Would like to see better reporting options in regards to compliance standards
The Endpoint Data Loss unit also include device control features for managing removable storage and other attachable devices. The Clearswift service from Fortra is a SaaS platform. You can access a demo to discover the package.
12. Check Point Data Loss Prevention Software Blade
Check Point is a major provider of cybersecurity systems and it integragtes data loss prevention into its firewall and edge services products. These are:
- Quantum Network Security – a range of hardware appliances
- CloudGuard Cloud Network Security – a cloud-based firewall service to protect sites and cloud resources
- Harmony Connect – a secure access service edge (SASE) that creates a protected virtual network
These three options mean that you don’t install the DLP service as a software package on your server. Instead, it runs on a network appliance or on the Check Point servers.
Key Features:
- Deployment choices
- Integrates with other security packages
- Monitors data movements
Why do we recommend it?
Check Point Data Loss Prevention takes a unique attitude towards notifying about data breaches. While such events are blocked and logged, rather than notifying the security operations center (SOC), the software notifies the user that tried to send the data. This is a form of user education. In the case of an account takeover, it informs the hackers that they are wasting their time trying to steal from this business.
Having an external, network-based viewpoint, the Check Point service doesn’t examine activity on endpoints. Instead, its strategy is to examine every channel for data movement, which includes file transfer systems, chat and messaging service, email, and other Web utilities.
On discovering a potential data leak, the Check Point DLP doesn’t notify the IT Operations team but sends an alert to the user involved in the event. This approach assumes that the user accidentally disclosed the data or that a user account has been hijacked. The ethos here is to educate users to be responsible for their actions. It also makes the system more accessible to smaller businesses that don’t have an IT department.
Who is it recommended for?
As the DLP is either based on a hardware device or in a cloud SaaS package, the notification going to the user instead of a SOC means that this is a good package for businesses that don’t have a SOC. That makes the service attractive to small businesses, cost-conscious MSPs, and large businesses with overloaded IT support departments.
Pros:
- Useful for businesses that want to help educate users as they attempt to access information inappropriately
- Implements email scanning that can automatically block emails from being sent
- Supports major compliance standards
Cons:
- Warns the user directly, which isn’t always an option sysadmins want
- Policies can be difficult to customize
Like most DLP systems, the enforcement rules in this service are called “policies.” These are specifications that identify the types of data that are to be classified as “sensitive” and specifies which users can have access to those data points. Check Point’s DLP tool is shipped with a library of policies, which you can adapt. It is also possible to create your own policies. However, the library is organixzed into sets that categorize data according to the major data protection standards, such as HIPAA, SOX, and PCI DSS.
Your buyer’s journey for the Check Point DLP depends on which Check Point service you think would be most appropriate for your needs because the DLP isn’t sold as a standalone service. You can get a look at how the DLP works with a live demo.
13. ThreatLocker
ThreatLocker is a cloud platform of system security tools that help you to implement Zero Trust Access (ZTA). This strategy involves moving access controls to applications and this strategy also helps to guard data. The ThreatLocker system builds boundaries around resources so that access to them can be controlled individually.
Key Features:
- Protects applications
- Controls access to resources
- Logs activity
Why do we recommend it?
The ThreatLocker system blocks access to files so that they can only be accessed through approved applications. No other application is allowed to run, so you get to control access to both software and data with this system. The applications and data can be hosted anywhere, which is a useful feature for businesses that run hybrid systems.
With ThreatLocker, you start your data loss prevention journey by defining the services to protect. So, the file server where you keep sensitive data should be first on the list. You then block access to files on the server or specific directories. Access to these files can only be implemented through approved applications.
The applications that you allow to access data stores should require credentials for access and log access events. Access to files by the application can also be logged. These data access logs are suitable for use in compliance auditing and reporting for HIPAA, PCI DSS, and GDPR.
You can also block all USB ports on every endpoint on your system. Those endpoints don’t need to be on an office network. They can be in the homes of remote workers or on multiple sites. Endpoints become part of your network when you install the ThreatLocker agent on them.
The Storage Control unit of the ThreatLocker toolset can allow USB memory sticks to attach to a computer for use by a specific user on request. This access, however, should be granted with care and revoked quickly. While a USB device is active, all file movements on or off that device are logged.
Who is it recommended for?
Any business would benefit from the deployment of ThreatLocker’s security tools. However, companies that have many sites and remote workers plus extensive use of cloud-based services, such as Google Drive or Microsoft 365, would particularly need this package.
Pros:
- Extensive activity logging
- Feeds through to a SIEM or a compliance reporting tool
- Controls on USB device usage
Cons:
- Doesn’t include a PII discovery and classification service
It’s worth noting that the ThreatLocker system doesn’t include a PII definition service. In order to know exactly which data files need to be protected, you would have to pair up ThreatLocker with a sensitive data manager tool. You can assess ThreatLocker by booking a demo.
14. CrowdStrike Falcon Device Control
CrowdStrike Falcon Device Control is a cloud-based service that is an add-on to Falcon Prevent or Falcon Insight. Falcon Prevent is a device-resident endpoint detection and response (EDR) service that can be installed on Windows, macOS, and Linux. Falcon Insight is an enterprise-wide coordinator for Falcon Prevent instances.
Key Features:
- Control on data passing onto memory sticks
- Variable security set by policies
- Block or monitor removable storage devices
Why do we recommend it?
CrowdStrike Falcon Device Control is an add-on module for any of the CrowdStrike Falcon bundles. The core unit in CrowdStrike Falcon is an on-device antivirus system, called Falcon Prevent. Coordinating these instances on a site with a central threat hunter creates Falcon Insight XDR. The Device Control add-on enables the security policies defined in the XDR to extend to the monitoring of data movements on peripheral devices.
When you pair Falcon Device Control with Falcon Prevent, the endpoint-resident Prevent communicates with the Device Control service in the cloud. When Falcon Device Control is deployed alongside Falcon Insight, both cloud services communicate with the on-device Prevent modules. In either configuration, the Device Control system reaches through the endpoint to implement data exfiltration controls on peripheral devices.
It is very easy to disable USB ports entirely. However, this approach is not always suitable. For example, USB ports can be used for many features, not just for removable storage. You might want to keep USB ports active but just control what data passes over them.
The question of data movement is not an all-or-nothing decision either. You could allow certain types of data to be moved onto USB devices while blocking more important data collections from being moved. So, the control of USB devices needs to be finely tuned.
With Falcon Device Control you get to specify which types of devices can be connected or, more easily, define which device types are banned. The control extend to user access controls, so you can allow some users or user groups to use USB devices while blocking all others.
The software for Falcon Device Control is able to identify and document all devices as they are connected to a USB port on an endpoint. You can install this software on all of your endpoints and nominate one device to host the server. Thus, you get all activity reports for all devices forwarded to one dashboard for consolidated reporting.
Who is it recommended for?
Any business that handles sensitive data has intellectual property, or needs to protect trade secrets would benefit from the use of CrowdStrike Falcon Device Control. Keep in mind that this module does not operate as a standalone product, so you can only consider this product in connection with the consideration of a CrowdStrike Falcon bundle.
Pros:
- Distributed implementation
- Centralized dashboard
- The possibility to block certain types of devices
- The ability to interface with access rights managers
- Fast local controls
Cons:
- The Falcon family doesn’t include controls over other channels of data exfiltration, such as email attachments.
CrowdStrike Falcon Device Control is an extra service that can be added to a subscription to the Falcon Pro, Falcon Enterprise, Falcon Premium, and Falcon Complete packages. The endpoint agents for this solution install on Windows, macOS, and Linux. You can get a 15-day free trial of the software.
15. Teramind DLP
Teramind DLP will help you to be compliant with GDPR, HIPAA, ISO 27001, and PCI DSS. The tool starts off by searching your entire system for sensitive data. The search follows typical data formats, such as Social Security or credit card numbers. It also uses OCR and natural language processing to scan all documents. It then prioritizes those that contain personally identifiable information, personal financial data, and personal health information. Scans to spot new instances of these data categories continue during the software’s service life.
Key Features:
- System audit
- GDPR, HIPAA, ISO 27001, and PCI DSS compliant
- Ongoing risk assessment
Why do we recommend it?
Teramind DLP provides sensitive data identification with selective redaction that can be applied in the viewer without altering the underlying content. It is also very strong on user activity tracking and has a file integrity monitor. Lower plans of the platform are available without sensitive data management and data governance for businesses that are only interested in user activity tracking and account takeover detection.
The package includes templates for data security policies that will help you set your DLP strategy. This tool has two focuses: insider threats and data security. The user tracking functions cover activities on websites, applications, and on the network. It monitors emails and also includes a keystroke logger for special scrutiny.
Overall system activity is measured to establish a baseline of normal behavior. This is a typical strategy of intrusion detection systems so it will identify external as well as internal threats.
Data protection measures include clipboard monitoring and blocking. A fingerprinting system for files will enable you to trace who leaked a file.
The console for the software includes a Risk Dashboard, which centralizes notifications of all threats and vulnerabilities that require investigation.
Who is it recommended for?
This tool is a good choice for businesses that need to qualify for data protection standards. The platform is offered in several levels and the DLP plan is the third edition up, with two cheaper options and one more expensive plan that adds on stronger security.
Pros:
- Great user interface, simple to navigate and learn
- Highly visual reporting and real-time monitoring
- Built with compliance in mind
- Goes beyond DLP with options for actively monitoring and keylogging
Cons:
- Platform tries to do it all, which can be overwhelming for those who only wish to use DLP features
- Some features like keylogging can be invasive
- Steep learning curve
Termaind DLP is delivered as a SaaS platform. It is also possible to get a software package if you prefer to host the system yourself. The system runs on a hypervisor created by VMWare ESXi or Microsotf Hyper-V. The cloud version requires an agent to be installed on your site. This is available for Windows, Windows Server, macOS, Citrix XenApp, and VMWare Horizon.
16. Digital Guardian Endpoint DLP
The Digital Guardian Endpoint DLP starts its service life by searching through-out your system for sensitive data. The tool logs those locations and tracks all events that occur at them. It is able to communicate with the Windows, Mac OS, and Linux operating systems and its tracking capabilities extend out to cloud resources. This package focuses on endpoint security. Digital Guardian produces a companion tool that hardens networks against data loss events.
Key Features:
- Operates on Windows, macOS, and Linux
- Produces intellectual property as well as PII
- Endpoint-resident element
Why do we recommend it?
Digital Guardian Endpoint DLP is able to discover and categorize sensitive data that is resident on Windows, macOS, Linux, and cloud platforms. The tool then implements data access and movement controls through file integrity monitoring and change tracking, email and peripheral device data movements, and file transfer controls.
The endpoint data protection system can block activities on offline computers as well as monitoring devices over the network. It will automatically block unauthorized user actions, such as the destruction, alteration, copying, or transferring of protected data. This equally prevents both insider and outsider activities.
This system is suitable for the protection of intellectual property as well as personal information. It requires the network administrator to define categories of data and assign specific protection policies to each. Enhancements to the DLP give you the option of adding encryption to data storage and transmissions.
Who is it recommended for?
This is a sensitive data protection package that can be tuned to compliance with data privacy standards or set to protect trade secrets and intellectual property. The tool is able to work with all the major operating systems, which makes it a suitable DLP tool for any organization.
Pros:
- Simple and sleek interface keeps insight easy to read
- Balances simple visualizations with recent events
- Available for Windows, Linux, and Mac
- Agents can still work to stop access, even when offline
- As options to protect compliance data as well as company intellectual property
Cons:
- Plugins can sometimes cause issues, especially the email plugins
- False positives can be excessive
You can assess Digital Guardian Endpoint DLP by requesting a demo.
17. Code42
You will notice from the descriptions of the other tools here that corporate data protection strategies are implemented within the DLP tool by rule bases, called “policies.” Code42 has a different system and doesn’t use policies. Despite not operating on policies, the tool does link detected problems with remediation actions.
Key Features:
- Insider threat protection
- Data file protection
- Tracks user activity
Why do we recommend it?
Code42 Incydr offers file integrity monitoring that performs activity logging and change reversal. It doesn’t include a sensitive data discovery module. This system is able to monitor data stores on Windows, macOS, and Linux and it will watch over file movements on cloud-based email systems and SaaS applications.
Code42 works on data files the way a SIEM tool behaves with log files. It monitors data files, backing them up and restoring the original version should any changes be made. It also tracks every access to those data files and blocks any copy or transfer actions.
All actions on files, including those performed by Code42 are recorded, which generates the audit trail that you need for data security standards. The tool includes an analysis utility that uses event information to present exposure of internal misdeeds or intrusion threats.
Who is it recommended for?
The absence of sensitive data classifications makes this tool a little weak for compliance auditing. However, it includes strong user activity tracking, so it is good for identifying insider threats and account takeovers.
Pros:
- Can automatically restore files to their previous location and state
- Operates more as a SIEM tool, making it a good option for those looking for more advanced coverage and monitoring
- Can audit user access to network files and locations
- Analysis tools can help determine if actions were malicious or accidental
Cons:
- Can be resource-intensive
- Has a steep learning curve than other DLP software
- Expensive, pricing based per computer
There are two opportunities to scope out Code42 Incydr because you can get a demo of the system or access a 4-week free trial.
18. Comodo MyDLP
You receive a license for your entire organization that covers all of your endpoints and sites. This tool will also protect data held on cloud servers. MyDLP will discover all of the sensitive data held by your company, log it, and protect it. Comodo MyDLP is a site-based data protection system that can be tailored to enforce data protection standards compliance.
Key Features:
- Monitors endpoint activity across a network
- Tracks activity on cloud platforms
- File protection strategy
Why do we recommend it?
Comodo MyDLP will perform sensitive data discovery and classification. However, it operates in a different way than most data protection compliance systems. With most of these sensitive data systems, you can select a data standard from a dropdown list in the settings screen to calibrate the search engine for specific types of data to look for. In the case of MyDLP, you select a template for a specific data format, such as credit card numbers or social security numbers. The system will then protect those data locations and block their movements by users without specific high-privilege accounts.
This system focuses on a user permissions service. It lists who can have access to which data and what actions each person is allowed to perform on each bit of data. The data it protects might be trade secrets, development plans, engineering drawings, accounts, or the personal data of employees and customers. It is able to monitor devices running any operating system and the software can be installed on premises or accessed online as a cloud-based service.
Who is it recommended for?
You would have to map any data protection standard to specific data types and then set up MyDLP to work with those specific data formats. So, this is probably not the easiest compliance tool available. However, its data movement controls extend to email systems, peripherals, and even printers.
Pros:
- Designed for the enterprise, features can scale well
- Can automatically discover sensitive data, or be manually pointed to specific permission groups, files, or directories
- Available as an on-premise solution or cloud deployment
Cons:
- Could use better integration options within the Comodo ecosystem
- Steeper learning curve than similar tools
MyDLP installs on a hypervisor and it will operate over VMWare or Hyper-V. You can assess the system by requesting a demo.
Priorities for DLP
The first and most obvious topic to deal with when trying to prevent the data your business stores is to control access to it. However, this is not your only task. In order to prove compliance with data security standards, you are going to need some evidence. So, constant transaction logging is needed, and you are going to need to store those logs for years so that they can be available for spot audits. Constant self-auditing is also necessary to ensure that security procedures are sufficiently strong.
Although failure to protect data is a setback, any leakage should not be covered up. Non-disclosure of data leakage is a big mistake. It will cause you to lose your accreditation. Data protection standards all include protocols for data loss notification and they should be followed.
Surprisingly, most organizations don’t properly track all of the locations on the system where data is stored. Staff might keep notes in documents on their desktop computers and forget to delete them; other local stores, such as contact databases can sometimes be overlooked. It is important to centralize the data storage and track access to it.
The data held by your company is a potential money earner for hackers. So, you have to properly defend your network against intrusion. However, authorized users also present a security risk. They might be tricked into passing on data to outsiders or might be motivated through resentment or greed to steal the company’s data. Preventing the copying of data onto portable devices, or printout, or sending data out through email, or a chat app is another important requirement of your DLP system.
Compliance to a data security standard is also important in order to win contracts. The public sector is very strong about protecting personal data and they ripple that priority through all of the services that they buy. So, if you don’t implement effective data loss prevention you will be locked out of the opportunity for new contracts. The need to comply with the standards of the public sector continues through the supply chain. So, even if you don’t bid for public sector contracts, your ability to do deals with businesses that do work for the public sector will be reduced.
Conclusion
Data loss events were once seen as an unfortunate risk. The IT industry and the legal systems of most advanced economies recognize that no IT system can ever be 100 percent secure. However, the requirements for companies to take all possible steps to prevent data disclosure have become far stricter in recent years.
Many businesses are unable to fully identify all of the locations of data storage and fixing that issue is the first step to a comprehensive data loss prevention strategy. Getting the right DLP tools is very important and you won’t be able to fully comply with the law or data security standards without them. Without standards accreditation, you will be barred from bidding for many contracts and without full data loss protection systems you run the risk of a disclosure event, which could lead to destructive prosecutions.
You run a great risk of your business being destroyed if you don’t have a data protection strategy. Data loss prevention software is no longer optional.
Data Loss Prevention Software FAQs
How can cloud computing prevent data loss?
The data loss risk is no different in cloud computing than it is with onsite infrastructure with the exception of the communication channel between your site and the cloud host.
- Locate all sensitive data
- Categorize data according to security standards requirements
- Track all access to categorized data
- Track changes to device configurations
- Monitor log file records for unexpected user behavior or unauthorized traffic
- Install all updates and patches to firmware, operating systems, and software
- Secure all access channels across the internet
What is a data loss prevention policy?
A data loss prevention policy is a set of rules and workflows laid down by your business to define how to allow access to data and protect the information that you hold. This strategy applies to working procedures, access rights management, activity monitoring procedures, reporting requirements, and disaster recovery measures.
What is a DLP alert?
A DLP alert is a system-generated message. A DLP tool monitors activities, such as data storage access and network traffic. The software will raise an alert if an activity lies outside registered acceptable behavior. The alert does not necessarily mean that a data loss event has occurred. It could identify a potential risk or a system weakness that the actions of intruders have exposed without successfully touching the target data. An alert should instigate an investigation into the necessity of adjusting security standards or taking some other preventative measures or it could indicate a security breach in progress.