Best DLP Tools

What is data loss prevention?

Data Loss Prevention (DLP) is the control of access to the data that your company holds. A data loss prevention strategy makes sure end-users aren’t able to intentionally destroy or steal data.

It’s important to have a data loss prevention policy in place at your enterprise. This can cover: data loss prevention tools, intrusion prevention systems, system information, event management, endpoint protection, and anti-malware systems are areas of IT security that overlap.

Here is our list of the best data loss prevention (DLP) software & tools:

  1. Fortra Digital Guardian EDITOR’S CHOICE This cloud-based DLP protects data on computers running Windows, macOS, and Linux and also on cloud systems. This package is also available as a managed service. Access a free demo.
  2. Guardz (FREE TRIAL) This cloud-based platform scans email systems, endpoints, and cloud data storage accounts to block manual and automated attempts to steal or corrupt data. Get a 14-day free trial.
  3. SolarWinds Data Loss Prevention with ARM (FREE TRIAL) Access rights manager can be set up to help shield against accidental or malicious data loss. Can automate user access and activities through policy, respond to suspicious activity and investigate user events that could potentially compromise your systems. Start a 30-day free trial.
  4. CoSoSys Endpoint Protector (ACCESS DEMO) A choice of onsite or cloud-based data loss prevention systems that protect devices running Windows, macOS, and Linux plus attached storage devices. Get a free demo.
  5. Cyberhaven (ACCESS DEMO) This SaaS package is a data discovery and classification service that examines data flows rather than files and databases and then blocks movements. Get a free demo.
  6. ManageEngine Device Control Plus (FREE TRIAL) This system blocks unauthorized data transfers onto peripheral devices by creating a matrix of allowable devices, actions, and users. Runs on Windows and Windows Server.
  7. Acronis Cyber Protect Cloud (FREE TRIAL) A SaaS platform of backup and system security protection services that is designed for use by managed service providers.
  8. ManageEngine Endpoint DLP Plus (FREE TRIAL) This package of on-premises data protection software discovers, tracks, and protects sensitive data. Available for Windows Server.
  9. Vembu BDR Suite (FREE TRIAL) This backup and disaster recovery package saves data from destruction or accidental loss. Available for Windows Server and Linux or as a SaaS platform. Start a 30-day free trial.
  10. Symantec Data Loss Prevention This system offers data protection solutions for endpoints, networks, cloud resources, and file servers from a central console. Installs on Windows Server and Linux
  11. Trustifi Outbound Shield This cloud-based service integrates into your email system to provide transmission protection and sensitive data management. Integrates with a plug-in.
  12. Trellix XDR Platform This system-wide security package scans endpoints and networks to identify threats before they get a chance to steal or damage data.
  13. Check Point Data Loss Prevention A suite of security products for different system services that implement DLP as part of a broader protection strategy. This is a SaaS platform.
  14. ThreatLocker This cloud platform of security services has a combination of modules that helps to protect data against theft. Data corruption is also guarded against.
  15. SpinOne This platform of SaaS data protection services offers risk assessment, ransomware protection, DLP, and compliance auditing from its cloud platform.
  16. CrowdStrike Falcon Device Control This specialized monitor for removable devices is an add-on to the endpoint detection and response systems offered by CrowdStrike. This is a cloud-based system and coordinates with endpoint agents for Windows, macOS, and Linux.
  17. Teramind DLP This package focuses on user activity profiling to spot changes in behavior that could indicate malicious activity as well as sensitive data discovery. Offered as a SaaS package or a virtual appliance.
  18. Digital Guardian Endpoint DLP The data protection solution covers devices running Windows, macOS, and Linux. A central coordinating server operates from the cloud.
  19. Code42 Incydr This cloud-based service specializes in spotting insider threats and includes system preparation processes to recover from loss and destruction.
  20. Comodo MyDLP This DLP observes activities on the web, mail, printers, removable devices to block all system exits. Runs over Hyper-V or VMWare as a virtual appliance.

When you come to tighten up your system protection, you will find that you don’t need one of each of these because just one will take care of many tasks, including blocking access to the system and protecting data simultaneously. With the correct policy and systems in place, you will be able to reduce or eliminate data loss incidents across your business.

You might want to allow staff to copy files onto removable media, such as USB memory sticks. However, this is one of the main ways that employees can steal data. This situation presents a dilemma. You want to keep the system secure without blocking normal and acceptable working practices.

The Best Data Loss Prevention Software Tools

You likely won’t get all of your data loss prevention needs fulfilled by the one tool. However, many software providers produce suites of tools that fit together. There is a lot of overlap between data loss prevention, standard compliance, and data backup. You will need all of these to successfully protect and manage your company’s data.

What should you look for in data loss prevention software?

We reviewed the market for data loss protection tools and analyzed the options based on the following criteria:

  • A detection system that can interact with access rights managers and firewall to shut down data theft
  • Email attachment scanning and logging
  • Suitability for use for HIPAA, GDPR, SOX, and PCI DSS
  • Variable controls to offer tighter scrutiny of PII usage
  • Endpoint identification for both source and destination of data movements
  • A free trial or money-back guarantee for a risk-free assessment
  • Value for money represented by a trade-off between delivered functions and price

1. Fortra Digital Guardian (GET DEMO)

Fortra Digital Guardian Incidents
Fortra Digital Guardian is a SaaS package that is hosted on AWS. This tool will protect sensitive data on-premises, on cloud platforms, and in SaaS packages.

Key Features:

  • Data discovery and classification
  • Standards compliance
  • Endpoint protection on Windows, macOS, and Linux
  • Protects Google Workspace and Microsoft 365
  • Operates on AWS, GCP, and Azure

Why do we recommend it?

Fortra Digital Guardian is a cloud-based system and it can simultaneously protect data on premises and on cloud systems. This is a well-established package that has a service history protecting PII and intellectual property. The system is able to implement HIPAA, PCI DSS, and GDPR among other data security standards.

The package uses Active Directory for its access rights manager, so you need to make sure that you have your user groups correctly set up before you implement Digital Guardian. The service controls file movements as well as file access and on cloud editors, it will manage which users can be given permission to share a sensitive document.

The tool implements sensitive data discovery and classification. This process is tailored towards the requirements of a specific data security standard, such as PCI DSS, HIPAA, or GDPR. The scanner implements data fingerprinting to create context-aware field groupings that collectively denote personally identifiable information.

Who is it recommended for?

This SaaS platform is a good choice for businesses that have both on-premises and cloud systems in operation. The service can protect data in Microsoft 365 and Google Workspace as well as data held on AWS, GCP, and Azure. On-premises data can be protected if it is held on computers running Windows, macOS, or Linux.

Pros:

  • Builds on access rights stored in Active Directory
  • Logs all discoveries and actions
  • Provides compliance reports
  • Tracks and encrypts data in motion
  • Malware defense

Cons:

  • You need to inquire about the price based on your needs

There isn’t a free trial of Fortra Fortra Digital Guardian, however, you can examine the system by requesting a free demo.

EDITOR'S CHOICE

Fortra Digital Guardian is our top pick for data loss prevention software because includes a sensitive data discovery and classification system as well as a data protection service. The Digital Guardian package is hosted in the cloud on AWS servers and it will protect data held on the major cloud platform, SaaS productivity suites, and on premises. The package is a good choice for companies that operate a hybrid environment. Fortra offers a managed service version of Digital Guardian, which is ideal for companies that don’t have their own cybersecurity experts on staff.

Official Site: https://www.digitalguardian.com/demo

OS: Cloud-based

2. Guardz (FREE TRIAL)

Guardz Email Security Software

Guardz is a package of IT system protection measures that is delivered from the cloud. The service shields data from attack and it operates on endpoints and cloud data accounts. The package is particularly strong at protecting the OneDrive and Google Drive services. The system scans emails coming into Exchange Server/Outlook and Gmail system to identify threats that can lead to data theft.

Key Features:

  • Email scanning
  • Cloud data protection
  • Endpoint security monitoring

Why do we recommend it?

Guardz protects endpoints by scanning for intrusion and malware. It also guards cloud data stores. The package is particularly strong at blocking the email-based methods that hackers use to trick their way into the system. It addresses account takeover attempts that are usually implemented through phishing and also scans attachments for malware.

Account takeover represents a major threat to data security and it is usually implemented through credentials theft, which occurs in phishing emails. The Guardz platform includes a number of tools to protect email accounts against phishing. The first is its malicious email detection system and the second is a Dark Web scanner that looks for signs that company email account details are up for sale on hacker forums.

The package also includes a phishing simulator that can be used for system testing and user education. There is a much bigger employee awareness training resource in the Guardz plans, however. This is a library of courses that are implemented as a series of videos that explain to users how to spot fake emails and what do do about them.

Who is it recommended for?

This system is delivered as a subscription package with a rate per user per month. There is no minimum team size for an account and so the service is suitable for all sizes of businesses. Guardz insists that its service should be administered by a managed service provider. However, companies that don’t have an MSP partner can take out a managed service plan, which will be run by Guardz itself.

Pros:

  • Protects systems by blocking hacker access
  • Scans endpoints and cloud data services for malicious behavior
  • Provides user education to reduce the risk of account takeover

Cons:

  • Requires a managed service provider

As it is based in the cloud, the Guardz service is not constrained by the boundaries of one network. It can monitor endpoints on multiple sites and even those used by remote workers.  You can examine the Guardz package with a 14-day free trial.

Guardz Access a 14-day FREE Trial

3. SolarWinds Data Loss Prevention with ARM (FREE TRIAL)

Tested on: Windows Server 2008 R2 or higher & AD domain

SolarWinds Access Rights Manager

SolarWinds is a leading producer of IT infrastructure monitoring tools and its DLP security solution is part of its Access Rights Manager.

Key Features:

  • Access rights manager
  • Spots suspicious activity
  • Automated responses
  • Auditing for data protection standards compliance
  • 30-day free trial

Why do we recommend it?

The SolarWinds Access Rights Manager focuses on the fact that you probably already have access to your sensitive data protected by credentials, so the biggest for data abuse lies with the inappropriate use of valid accounts. Tighten up your AD entries and then watch how each account is used with this package.

A key starting point in your data loss prevention strategy is to set a company policy on data access control. The SolarWinds Access Rights Manager supports this task by giving you clear reports on current access permissions. You then have an opportunity to set better controls, which can be implemented through the Access Rights Manager.

Ongoing monitoring keeps a constant check on data access and generates alerts whenever copies are made or data is transferred. The manager unifies user monitoring for Active Directory, Windows File Share, SharePoint, and Microsoft Exchange. This enables you to monitor the activities of a user who has displayed unusual or suspicious behavior across many communication channels.

Overall, SolarWinds Access Rights Manager assists you to tighten up Active Directory instances and create more finely tuned device access controls and user permissions. Once you have improved the security provided by AD, you can use the tool to monitor the behavior of each user and spot changes in activity that could signify an account takeover or a newly dissatisfied employee. Alerts and automation features draw your attention to suspicious users and implement account suspension.

Who is it recommended for?

SolarWinds Access Rights Manager is a comprehensive tool that is aimed at businesses that have a large number of users and devices. Such organizations are susceptible to intrusion because of the large volume of turnover of accounts and there might be insecure abandoned accounts in Active Directory that provide a good way in for data thieves.

Pros:

  • Is a robust solution for larger networks, support both DLP and permission monitoring to support multiple compliance standards
  • Integrates well into existing Active Directory environments
  • Saves times by creating simple visualizations of permissions structures
  • Leverages behavior analysis to identify insider threats and policy violations
  • Can be paired with automation to save time on remediation, and avoid data recovery completely

Cons:

  • Highly detailed solution designed for sysadmins in an enterprise environment – may take time to fully explore and utilize all features

The auditing and reporting function of the Access Rights Manager supports GDPR, HIPAA, and PCI DSS compliance. The interface of the tool is very easy to use, making user access management a much simpler task. The software installs on Windows Server and you can get it on a 30-day free trial.

SolarWinds Access Rights Manager Get a 30-day FREE Trial

EDITOR'S CHOICE

OS: Windows Server 2008 R2 or higher & AD domain

Related post: File Activity Monitoring Software

4. CoSoSys Endpoint Protector (GET DEMO)

Endpoint Protector Dash Image

CoSoSys offers a is Endpoint Protector as an onsite solution, as a cloud-based service, and as a standalone software package. The onsite version will protect computers running Windows, Mac OS, and Linux. A central Endpoint Protector Server appliance communicates across the network with client software installed on each endpoint. The Server will also protect attached devices, such as digital cameras and USB sticks. The Endpoint protector system is also available as software that implements a virtual appliance on your own server.

Key Features:

  • Endpoint protection platform
  • Appliance, on-premises software, or cloud service
  • HIPAA, PCI DSS, and GDPR compliant
  • Also protects attached devices
  • Enforced encryption

Why do we recommend it?

CoSoSys Endpoint Protector operates like an XDR because it operates on each device and then centralizes local intelligence in one server as well. Interactions between these two detection levels spread track actions that could spread around the network while also being able to reach down to physical interfaces on reach computer to block unauthorized data transfers.

The full Endpoint Protector system includes content protection, device control, enforced encryption, network discovery and mobile device management. A standalone version is available to protect just one endpoint per install. This is Endpoint Protector Basic and it includes the content and device protector modules of the Server version.

Those who prefer to subscribe to “software as a service” packages instead of running their own hosts and software can opt for My Endpoint Protector. This includes content protection, device control, and mobile device management. In all implementations, the system is HIPAA, PCI DSS, and GDPR compliant.

The content protection system in Endpoint Protector manages file transfers according to the policies you set. All file transfers can be blocked for specific user groups or sensitive files can be allowed to be moved as long as they meet certain criteria. Similarly, the device control system can either completely block devices from attaching to a protected endpoint or can be allowed for file transfers under specified conditions.

Who is it recommended for?

CoSoSys appeals to a broad audience because it has covered just about every deployment strategy that any business could want. The cloud-based SaaS option will appeal to businesses with multiple sites and remote users, while the on-premises option is good for businesses that don’t want to interact with external systems to protect a LAN.

Pros:

  • Flexible multi-platform option for Windows, Linux, and Mac
  • Can monitor individual files as well as single machines
  • Pre-configured to monitor for HIPAA, PIC, and GDPR compliance
  • Easy to implement custom rulesets

Cons:

  • Could benefit from a full-featured trial rather than a demo

The online version can be accessed for evaluation on a free demo.

CoSoSys Endpoint Protector Register for a FREE Demo

5. Cyberhaven (ACCESS DEMO)

Cyberhaven

Cyberhaven starts with the fact that all system access, applications that store data, and file servers all require user credentials for access, so data loss is only going to be implemented by authorized users. Ultimately, that means insider threats or account takeover. So, there isn’t any point in protecting data stores, it is unusual account activity that indicates an attack.

Key Features:

  • Data transfer monitoring
  • Rapid data classification
  • Blocks on data movements

Why do we recommend it?

Cyberhaven relies on your user accounts being secure and granular. It focuses on looking for anomalous behavior in data movement activity. This reveals an insider threat or an account takeover and the system blocks those transfers. The strategy is innovative and might worry some administrators who want to protect files instead.

You already have a list of users that are allowed to access specific types of sensitive data. For example, the accounts department staff can’t access HR records and vice versa. So, when you set up Cyberhaven, it knows who is allowed to access what types of data and where they are allowed to send it.

Cyberhaven watches data movements to and from your on-site applications and cloud SaaS accounts and scans for sensitive data. The system is able to detect a wide range of sensitive data formats and if an authorized user suddenly starts to do unauthorized things with one of those types, the system blocks the data transmission.

The Cyberhaven system doesn’t completely block data movements. For example, if one authorized user transfers data to another authorized user, that’s OK. Even if a user transfers data outside of the organization, that could still be allowed. An example of this scenario would be a response to a data subject access request (DSAR). However, a client list or an internal research paper being emailed to a rival business would trigger a blocking action.

The idea of not protecting data stores directly is a little confusing because data usually travels one way or another from a data store to an application or to a user through browser access in order to be viewed or selected for forwarding. So, Cyberhaven does also monitor file and database access.

Who is it recommended for?

The Cyberhaven system is an option for any business that holds sensitive data in digital formats. This doesn’t only relate to the protection of PII but also trade secrets. Although the company’s talk of watching transfers rather than stores might worry you, you should check out the demo before making up your mind.

Pros:

  • Tracks the movement of sensitive data
  • Assesses each user account’s access needs
  • Compares data movement destinations to approved lists

Cons:

  • This is an innovative approach, which could worry some administrators

The Cyberhaven system takes a new approach to sensitive data detection and categorization but it actually doesn’t move very far from the traditional approach of scanning files. Access a demo to assess the strategy.

Cyberhaven Get FREE Demo

6. ManageEngine Device Control Plus (FREE TRIAL)

ManageEngine Device Control Plus

ManageEngine Device Control Plus offers strong protection against the use of peripheral devices such as USB memory sticks as a conduit for malware. The tool also allows you to integrate the control of data movements onto peripheral devices as part o the implementation of your security policy if you have located and defined stores of sensitive data.

Key Features:

  • Whitelist for acceptable devices
  • Variable controls on different data types
  • Compliance enforcement

Why do we recommend it?

The solution to managing the use of peripheral devices for data carriage is to control the access of devices rather than disable them entirely. ManageEngine Device Control Plus offers a way to implement a range of security devices for peripheral devices.

This device management system lets you define a security policy and then it translates those requirements into manageable controls. For example, you can allow a list of approved devices to attach to endpoints and you can also set a file size limit, or a total data transfer limit, to account for acceptable office use of peripheral devices. It is also possible to block the copying of data from some sources while allowing other types of data to be transferred to memory sticks. If you follow data security standards, such as HIPAA or PCI DSS, you need to pay particular attention to personally identifiable information (PII).

The Device Control Plus system is very easy to use and it includes guidance points to assist those who are not security experts. The system also logs all data access events and copying attempts, which is a necessary feature for those following data security standards.

Who is it recommended for?

This tool is a useful block on malware movements from peripheral devices. It can be used as part of a data loss prevention system if you have a sensitive data discovery system in place – in the ManageEngine menu of services, you would need Data Security Plus for that function.

Pros:

  • Great user interface – easy to navigate
  • Balances visualizations alongside recent event insights nicely
  • Supports hardware lockdown options to restrict removable media
  • Custom security policies are easy to define
  • Can scan systems for PHI content

Cons:

  • Could benefit from a full-featured trial rather than a demo

Device Control Plus installs on Windows and Windows Server. ManageEngine offers the system on a 30-day free trial.

ManageEngine Device Control Plus Download 30-day FREE Trial

7. Acronis Cyber Protect Cloud (FREE TRIAL)

Acronis Cyber Protect Cloud

Acronis Cyber Protect Cloud is a package of system protection measures that includes extensive data protection systems. The Acronis system is tailored for use by managed service providers (MSPs) and is delivered from a hosted SaaS platform. The Acronis Cyber Protect Cloud service offers a list of services that can be added to an MSP’s client account. Thus, these are sell-through services that provide extra income streams.

Acronis supplies marketing material and training guides to help MSPs sell the services in the package to their clients. Screens can also be white-labeled and the package includes consultancy and analysis tools to increase earning opportunities.

Acronis Cyber Protect Cloud isn’t an RMM package. It specifically focuses on security services and Acronis has organized integrations with the major RMM and PSA systems so it can be delivered seamlessly from an MSP’s existing operating consoles.

Key Features:

  • Backup and recovery
  • Antimalware
  • Data loss prevention

Why do we recommend it?

Acronis Cyber Protect Cloud is a comprehensive bundle of cybersecurity tools. The core of this package is Acronis Cyber Protect, which is produced in a number of flavors that cater to businesses, home workers, private individuals, and service providers. This bundle includes malware scanning, data backup, file integrity monitoring, threat intelligence, and user behavior analysis.

Services in the Acronis Cyber Protect Cloud package include a backup and recovery service that can operate on both a file-level basis and as a full disk backup option. This allows MSPs to structure custom solutions for their clients, including cloud storage space.

The package offers antimalware that operates on endpoints and also attaches to specific system-wide applications, such as email and data transfer services. The antimalware system also extends to a synching and file sharing service that is built into the Acronis package of services. File infection scans are integrated into both data uploads for backup and data recovery procedures.

Threat detection is organized through an AI-based baselining system for behavior anomaly tracking. Acronis also provides an in-house threat intelligence feed and includes an internal attack logging and tracking system for each account. Event remediation such as recovery from ransomware can be triggered automatically and run as a series of operations through playbooks, which include data recovery.

The intelligence and analysis features in the Acronis platform are useful for security analysts and human threat support technicians. There is also a system security auditing toolbox in the service that enables MSPs to offer high-value services to clients. The package is suitable for use by Security Operations Centers as well as regular system support MSPs.

Who is it recommended for?

The Acronis Cyber Protect Cloud version of Acronis Cyber Protect is specifically designed for use by managed service providers. It contains all of the elements of the base Cyber Protect package but delivered in a SaaS format that has a multi-tenant architecture, suitable for MSPs that are protecting the sites of their clients.

Pros:

  • A cloud-based package with storage options
  • Multi-tenant architecture for MSPs
  • Backup and recovery automation integrated into malware remediation
  • Variable controls for on-selling security services

Cons:

  • Isn’t a full RMM package

Acronis Cyber Protect Cloud can be assessed with a 30-day free trial.

Acronis Cyber Protect Cloud Start 30-day FREE Trial

8. ManageEngine Endpoint DLP Plus (FREE TRIAL)

ManageEngine Endpoint DLP Plus

ManageEngine Endpoint DLP Plus is a complete data protection package that identifies the locations of sensitive data, classifies it, tracks access to it, and blocks its movement. This is a networked service, so you install it on one endpoint and it will reach out to the other computers on the network. The system can also be used to protect multiple sites.

Key Features:

  • Data discovery and classification
  • Data movement tracking
  • Insider threat prevention

Why do we recommend it?

ManageEngine Endpoint DLP Plus is a package of data security tools that operate on workstations, servers, and cloud platforms. It includes data store scanning to discover sensitive data, which can be automatically tuned to specific data protection standards. Those discovered data instances are then categorized and from these definitions, the implementations of your security policies can commence. These controls extend to the monitoring of movements of sensitive data between files, between computers, onto peripheral devices, or out on emails.

Sensitive data discovery is guided by templates. The setup for a DLP can be quite laborious because you need to specify details about the type of data that needs to be tracked and who can do what to each category of data. The template library simplifies that process by tuning the system to conform to a particular data security standard.

Data detection and classification uses a number of identification techniques, including fingerprinting, which can spot combinations of data fields that, individually have no significance, but have importance when stored in proximity.

The insider threat prevention system in the Endpoint DLP Plus package tracks users who access sensitive data stores and logs their activity. Analysis of these records will enable you to spot where access rights are too lax and point to how that should be tightened. The data movement prevention extends to email content scanning and attachment controls plus connected device management and monitors that watch the movements of data between sites and cloud services.

The DLP package includes an interesting approach to data-handling applications. This assesses the risk of each system on an endpoint and its use of sensitive data. The administrator can then nominate specific software for data access and it will then prevent data from being exported from these trusted applications out to unauthorized systems.

The ManageEngine system includes solutions for BYOD because it containerizes data that passes onto user-owned devices. This means that corporate data does not get stored on externally-managed devices and access to it is blocked once the device leaves the company network.

Who is it recommended for?

This package is a bundle of other ManageEngine tools including Device Control Plus (above) and Data Security Plus. This option provides a more complete data protection service than buying individual elements. Any business that needs to implement DLP for standards compliance but has no element already in place should opt for this package. Small businesses can benefit from the Free edition of Endpoint DLP Plus, which will manage data protection on 25 endpoints. One problem with this system is that it is only able to scan endpoints running Windows or Windows Server – it cannot operate on devices running Linux or macOS.

Pros:

  • Email controls that block communications to blacklisted domains
  • Data containerization for BYOD access
  • Trusted software identification

Cons:

  • No cloud version

ManageEngine Endpoint DLP Plus is an on-premises package for Windows Server. It is available in two versions: Free and Professional. The Free package is limited to monitoring 25 endpoints. The Professional version will cover an entire network and it can be extended to monitor multiple sites from one location. The Professional edition is offered for a 30-day free trial.

ManageEngine Endpoint DLP Plus Start 30-day FREE Trial

9. Vembu BDR Suite (FREE TRIAL)

vembu dashboard screenshot

Vembu BDR Suite is a backup and disaster recovery service – that’s what BDR stands for. This platform offers disk imaging, file backup, and application data protection. So, this service isn’t a theft or disclosure prevention system, but a data recovery service. The platform offers different editions for different technologies. You pay for each of the types of system that you want to back up.

The choice of services from Vembu are VM backup, Server backup, Endpoint backup, Cloud productivity Suite backup, Cloud VM backup, and Applications backup. All of these packages except for the Server and Apliciatons editions offer a free tier that protects 10 assets.

Key Features:

  • Disk imaging, file, and application backup
  • Incremental backups
  • To local devices and cloud

Why do we recommend it?

While data loss prevention often refers to systems that block the disclosure of data, the corruption or destruction of data also has to be prevented and that process requires preparation. Taking a backup of all sensitive data with Vembu BDR Suite means that unauthorized changes and deletions can be reversed easily.

The Server edition of the package will back up computers running Windows or Linux and the Endpoint edition will back up computers with those operating systems plus macOS. You can take a disk image and store that or opt for file-level backups. The VM edition works with Hyper-V and VMware and the Cloud VM edition backs up AWS or Azure. The cloud application package backs up data on Microsoft 265 and Google Workspace and the Applications edition will back up data from Active Directory, SharePoint, Exchange Server, SQL Server, and MySQL. This edition also takes the log files for those applications.

The BDR Suite packages don’t include cloud storage space for repositories, so you have to provide that yourself. The classic backup strategy is to have a local store for quick recovery and a second, remote location for security against site disasters. You can backup locally to SAN, NAS, or tape and the cloud repositories can be on AWS S3, Azure Blob Storage, Google Cloud, or Wasabi.

Who is it recommended for?

This package is priced per asset, so per host for the Server and Endpoints edition and per VM for the VM edition. This makes the system affordable for businesses of all sizes. You aren’t limited to buying just one edition. You can group together a number of editions that match the technologies that you use.

Pros:

  • Choose your own storage location
  • Cloud-to-cloud backup for Microsoft 365 and Google Workspace
  • Deployment options are self hosting or SaaS platform
  • Can be used for migration and replication

Cons:

  • Storage space is not included

You can download the software for Vembu onto  Windows Server or Linux and there is also a SaaS option. You can buy the on-premises software outright or choose a subscription plan for the software package or the SaaS platform. Access Vembu BDR with a 30-day free trial.

Vembu BDR Suite Start 30-day FREE Trial

10. Symantec Data Loss Prevention

Symantec Data Loss Prevention

The Symantec Data Loss Prevention solution from Broadcom is a module platform with protection services that you assemble to get the complete protection service for your system. Whichever of these elements, you choose, you end up with a single console to manage and monitor the security system.

The four elements to the DLP system are:

  • Symantec DLP for Endpoint
  • Symantec DLP for Network
  • Symantec DLP for Storage
  • Symantec DLP Cloud Services

Symantec’s DLP solution combines user activity tracking with data risk controls. It can monitor data held on servers, desktops, mobile devices, and in cloud storage. An initial sweep on installation identifies all locations that hold sensitive data and gives you the option to remove it all to a central management server, secure data repository or secure it in place. You receive templates and workflows for compliance with HIPAA, GDPR, and PCI DSS standards.

Key Features:

  • User activity tracking
  • Encryption protection
  • HIPAA, GDPR, and PCI DSS compliant

Why do we recommend it?

Symantec Data Loss Prevention from Broadcom is a well-established DLP system by a strong brand. The service is split into two products. The first of these is Symantec Data Loss Prevention Core Solution for on-premises systems. The second is Symantec Data Loss Prevention Cloud Solution, which operates more like a Zero Trust Access service for cloud-based applications. The on-premises system provides data discovery and classification and also file integrity monitoring and data movement tracking and blocking. That movement tracking involves controls on peripheral devices and emails.

The tool logs all access to sensitive data and tracks those accounts that have raised alerts. Sensitive documents are encrypted and can only be seen by authorized users. The tool also makes sure that discarded copies and retired documents are completely destroyed, leaving no recoverable versions in memory. All copies are tracked and kept secure even when sent out to remote locations or onto user-owned mobile devices.

The Symantec DLP contains documents with sensitive data by using encryption and it identifies the intended recipients by fingerprinting every copy. This encryption and access identification are paired with data movement and copy restrictions. This enables you to block files and data from being attached to emails or transferred over the network or the internet.

The Symantec DLP system is part of its endpoint protection system. This searches for intrusion and malicious software, which could compromise your data privacy. This system includes the monitoring of software that is not authorized by the business but is installed on the same device as sensitive data – a situation that is particularly common in the case of the use of user-owned devices for access to company data.

Who is it recommended for?

Symantec Data Loss Prevention Core Solution is almost identical to ManageEngine Endpoint DLP Plus. However, while the ManageEngine service only operates on endpoints running Windows, the Symantec system is able to manage sensitive data on Windows, macOS, and Linux. The Cloud Solution should be considered more as a SASE or ZTA package and compared with those categories of tools rather than the DLP systems on this list.

Pros:

  • Combines DLP with user activity tracking, giving it additional functionality
  • Automatic scanning can map out sensitive locations where data is stored
  • Offers pre-built temples and works flow for major compliance standards, offering good out of box functionality
  • Supports file integrity monitoring through a fingerprinting system

Cons:

  • Could integrate better with other Symantec tools

The software for the Symantec DLP suite’s server installs on Windows Server, CentOS, and Oracle Linux. Endpoint agents are available for Windows, macOS, and Linux.

Related post: Symantec Endpoint Protection: Full Review & Rival Comparison

11. Trustifi Outbound Shield

Trustifi

Trustifi Outbound Shield is a secure, hosted file service that focuses on protecting email content. When a user wants to send a secure message, the contents of that message are uploaded to the Trustifi sever. All that gets sent in the email body is a link to access the message. Within the Trustifi environment, recipients get the opportunity to reply and that text is also kept on the Trustifi server. This is like a chat system where responses are all grouped together in a conversation.

Key Features:

  • Secure email content storage
  • Sensitive data management

Why do we recommend it?

Trustifi Outbound Shield is a proxy service that sites in the cloud and examines all outgoing emails for evidence of data transfers, either in the body of an email or as an attachment. The service provides an optional secure email system that holds the email text on its server and sends a link for access to that content to the recipient instead.

The Trustifi software doesn’t automatically secure all emails – only those that have sensitive data in them. The Trustifi system scans each email before it is sent and identifies sensitive data.

In order to get the system working for your business, you need to configure your Trustifi account, specifying your security policies. These are available as templates to implement specific data protection rules, such as those designated by PCI DSS, HIPAA, or GDPR. There are also templates where you can specify protection for specific types of data without needing to name a data protection standard. It is also possible to define your own protection rules. The Trustifi system is able to protect intellectual property as well as third-party information.

Access controls for email contents can be set by the administrator for sensitive data categories or by the sender per email. These can block the recipient from copying or saving the data. It is also possible to prevent recipients from forwarding emails that contain sensitive data. Access to specific emails can also be revoked for specified recipients.

Administrator tools in the Trustifi platform include a risk analysis feature that shows which user accounts handle more sensitive data than others and also spots users who display risky behavior in data sharing.

Who is it recommended for?

The Trustifi platform offers a number of security services for emails that include Inbound Shield, which scans incoming emails for phishing and impersonation attempts, among other checks. It makes sense to take out subscriptions to both the Inbound Shield and Outbound Shield services because they are both hosted on the same cloud server and require all of your emails in both directions to be channeled through that proxy service.

Pros:

  • Selective protection that only applies to email content that includes sensitive data
  • A menu of privacy policy templates
  • The ability to enforce privileges per data category
  • User controls over recipient privileges
  • Blocks on recipient actions

Cons:

  • Would prefer a free trial

If Trustifi’s email data loss prevention strategy interests you, contact the company to get a quote and access the free demo.

12. Trellix XDR Platform

Trellix XDR Platform

Trellix XDR Platform provides scanning for threats on endpoints and networks. This means that the tool can identify malware, such as ransomware, kill it, and remove it before it damages data. It can also spot insider threats and account takeovers that might target your data. This system is delivered from the cloud and provides constant system-wide security.

Key Features:

  • Insider threat detection
  • Intrusion prevention
  • Automated responses

Why do we recommend it?

The Trellix XDR Platform is an intrusion prevention system and an endpoint protection platform that also scans cloud systems. This means that it also prevents data theft. The package works with anomaly detection, which involves tracking the regular activity of each user account and flagging accounts that suddenly implement different behavior.

A change in user behavior could indicate that an intruder has got hold of the account and the Trellix system will shut it down to prevent data loss. Similarly, software that starts to process data files will be killed immediately before it tries to encrypt or move data.

The Trellix system isn’t a typical DLP because it doesn’t scan emails for data movements. However, it is just as effective because it removes the threat of outsiders getting onto the system and trying to gain access to data.

The logic behind this approach is that, if outsiders can get to sensitive data, they can’t steal it. Similarly, a disgruntled employee would be blocked from accessing data that isn’t normally needed for work. Even if a user regularly access specific data stores, attempts to transfer those files elsewhere would trigger an alert and the movement would be blocked.

This system provides data loss prevention as a consequence of its service that blocks intrusion and malware. The system can also prevent other activities often implemented by intruders, such as using the company network as a proxy system to mask illegal activities on other networks or resource consumption through crypto-mining.

Who is it recommended for?

The Trellix system is suitable for mid-sized businesses and large companies. It is particularly useful for businesses that need to prove compliance to a specific data protection standard because Trellix records its discoveries and the actions taken to block intruders and malware. This documentation forms a part of compliance reporting. The package is a little too expensive for small businesses.

Pros:

  • Preventative security that block data thieves
  • System-wide protection against all types of threats
  • Documentation for compliance reporting

Cons:

  • Small business setups may want to start with cheaper or free alternatives

The Trellix system isn’t available for a free trial. However you can investigate the Trellix XDR Platform further by requesting a demo.

13. Check Point Data Loss Prevention Software Blade

Check Polint Data Loss Prevention Software Blade

Check Point is a major provider of cybersecurity systems and it integragtes data loss prevention into its firewall and edge services products. These are:

  • Quantum Network Security – a range of hardware appliances
  • CloudGuard Cloud Network Security – a cloud-based firewall service to protect sites and cloud resources
  • Harmony Connect – a secure access service edge (SASE) that creates a protected virtual network

These three options mean that you don’t install the DLP service as a software package on your server. Instead, it runs on a network appliance or on the Check Point servers.

Key Features:

  • Deployment choices
  • Integrates with other security packages
  • Monitors data movements

Why do we recommend it?

Check Point Data Loss Prevention takes a unique attitude towards notifying about data breaches. While such events are blocked and logged, rather than notifying the security operations center (SOC), the software notifies the user that tried to send the data. This is a form of user education. In the case of an account takeover, it informs the hackers that they are wasting their time trying to steal from this business.

Having an external, network-based viewpoint, the Check Point service doesn’t examine activity on endpoints. Instead, its strategy is to examine every channel for data movement, which includes file transfer systems, chat and messaging service, email, and other Web utilities.

On discovering a potential data leak, the Check Point DLP doesn’t notify the IT Operations team but sends an alert to the user involved in the event. This approach assumes that the user accidentally disclosed the data or that a user account has been hijacked. The ethos here is to educate users to be responsible for their actions. It also makes the system more accessible to smaller businesses that don’t have an IT department.

Who is it recommended for?

As the DLP is either based on a hardware device or in a cloud SaaS package, the notification going to the user instead of a SOC means that this is a good package for businesses that don’t have a SOC. That makes the service attractive to small businesses, cost-conscious MSPs, and large businesses with overloaded IT support departments.

Pros:

  • Useful for businesses that want to help educate users as they attempt to access information inappropriately
  • Implements email scanning that can automatically block emails from being sent
  • Supports major compliance standards

Cons:

  • Warns the user directly, which isn’t always an option sysadmins want
  • Policies can be difficult to customize

Like most DLP systems, the enforcement rules in this service are called “policies.” These are specifications that identify the types of data that are to be classified as “sensitive” and specifies which users can have access to those data points. Check Point’s DLP tool is shipped with a library of policies, which you can adapt. It is also possible to create your own policies. However, the library is organixzed into sets that categorize data according to the major data protection standards, such as HIPAA, SOX, and PCI DSS.

Your buyer’s journey for the Check Point DLP depends on which Check Point service you think would be most appropriate for your needs because the DLP isn’t sold as a standalone service. You can get a look at how the DLP works with a live demo.

14. ThreatLocker

ThreatLocker

ThreatLocker is a cloud platform of system security tools that help you to implement Zero Trust Access (ZTA). This strategy involves moving access controls to applications and this strategy also helps to guard data. The ThreatLocker system builds boundaries around resources so that access to them can be controlled individually.

Key Features:

  • Protects applications
  • Controls access to resources
  • Logs activity

Why do we recommend it?

The ThreatLocker system blocks access to files so that they can only be accessed through approved applications. No other application is allowed to run, so you get to control access to both software and data with this system. The applications and data can be hosted anywhere, which is a useful feature for businesses that run hybrid systems.

With ThreatLocker, you start your data loss prevention journey by defining the services to protect. So, the file server where you keep sensitive data should be first on the list. You then block access to files on the server or specific directories. Access to these files can only be implemented through approved applications.

The applications that you allow to access data stores should require credentials for access and log access events. Access to files by the application can also be logged. These data access logs are suitable for use in compliance auditing and reporting for HIPAA, PCI DSS, and GDPR.

You can also block all USB ports on every endpoint on your system. Those endpoints don’t need to be on an office network. They can be in the homes of remote workers or on multiple sites. Endpoints become part of your network when you install the ThreatLocker agent on them.

The Storage Control unit of the ThreatLocker toolset can allow USB memory sticks to attach to a computer for use by a specific user on request. This access, however, should be granted with care and revoked quickly. While a USB device is active, all file movements on or off that device are logged.

Who is it recommended for?

Any business would benefit from the deployment of ThreatLocker’s security tools. However, companies that have many sites and remote workers plus extensive use of cloud-based services, such as Google Drive or Microsoft 365, would particularly need this package.

Pros:

  • Extensive activity logging
  • Feeds through to a SIEM or a compliance reporting tool
  • Controls on USB device usage

Cons:

  • Doesn’t include a PII discovery and classification service

It’s worth noting that the ThreatLocker system doesn’t include a PII definition service. In order to know exactly which data files need to be protected, you would have to pair up ThreatLocker with a sensitive data manager tool. You can assess ThreatLocker by booking a demo.

15. SpinOne

SpinOne Data Loss Prevention

SpinOne from Spin.ai is a SaaS service that integrates with three widely-used SaaS business services – Microsoft 365, Google G Suite (Google Workspace), and Salesforce. The tool’s main aim is to provide for SaaS platforms the EDR protection that on-premises resources enjoy. The SpinOne service is offered in editions, each specialized in one of those three productivity platforms.

Key Features:

  • Ransomware protection
  • Risk assessment
  • User behavior tracking

Why do we recommend it?

SpinOne from Spin.AI is a data loss prevention system to protect SaaS packages. If your business operates entirely with cloud-based services, such as Google Workspace, Dropbox, Microsoft 365, and Salesforce, you would need to protect sensitive data within these systems and that is the specialization of SpinOne.

The SpinOne strategy offers three strands of data protection. The first of these is data backup to enable recovery from accidental or intentional destruction of data. The second is sensitive data protection, which tracks user activities around specific files and folders that contain sensitive data, and the third is a risk assessment service that checks on application dependencies, monitoring which third part software attaches to the platform for data access.

The need for data loss protection is particularly important because of the existence of data privacy standards. The SpinOne platform includes compliance auditing and reporting systems so that you can get regulatory benefits from this service.

SpinOne integrates AI-based machine learning techniques in its activity anomaly detection services. The tool watches over access to sensitive data stores and builds up profiles of typical activity for each user account. This baseline of acceptable behavior provides a reference for the anomaly detection system. This enables SpinOne to identify insider threats and account takeover incidences.

The SpinOne detection and response service is intelligent enough to control access to productivity suites and their related data stores without hindering users or generating excessive warnings. The constant AI-based fine-tuning of warning thresholds means that the service gets increasingly accurate during its service life and provides better performance than a system that uses out-of-the-box detection rules.

Who is it recommended for?

SpinOne doesn’t have any components to protect data held on your on-premises servers, so if you use a combination of on-premises and cloud-based systems in a hybrid environment, you would only get partial protection from SpinOne. If you are all SaaS, SpinOne is ideal for your business.

Pros:

  • AI-based user behavior analysis
  • Application risk assessment
  • Data backup and recovery
  • Insider threat and account takeover protection

Cons:

  • Only protects three specific cloud platforms

Spin.ai doesn’t publish a price list for its SpinOne editions. However, you can begin your contact with the service by accessing a 15-day free trial of SpinOne for G Suite, SpinOne for Microsoft 365, or SpinOne for Salesforce.

16. CrowdStrike Falcon Device Control

CrowdStrike Falcon Device Control

CrowdStrike Falcon Device Control is a cloud-based service that is an add-on to Falcon Prevent or Falcon Insight. Falcon Prevent is a device-resident endpoint detection and response (EDR) service that can be installed on Windows, macOS, and Linux. Falcon Insight is an enterprise-wide coordinator for Falcon Prevent instances.

Key Features:

  • Control on data passing onto memory sticks
  • Variable security set by policies
  • Block or monitor removable storage devices

Why do we recommend it?

CrowdStrike Falcon Device Control is an add-on module for any of the CrowdStrike Falcon bundles. The core unit in CrowdStrike Falcon is an on-device antivirus system, called Falcon Prevent. Coordinating these instances on a site with a central threat hunter creates Falcon Insight XDR. The Device Control add-on enables the security policies defined in the XDR to extend to the monitoring of data movements on peripheral devices.

When you pair Falcon Device Control with Falcon Prevent, the endpoint-resident Prevent communicates with the Device Control service in the cloud. When Falcon Device Control is deployed alongside Falcon Insight, both cloud services communicate with the on-device Prevent modules. In either configuration, the Device Control system reaches through the endpoint to implement data exfiltration controls on peripheral devices.

It is very easy to disable USB ports entirely. However, this approach is not always suitable. For example, USB ports can be used for many features, not just for removable storage. You might want to keep USB ports active but just control what data passes over them.

The question of data movement is not an all-or-nothing decision either. You could allow certain types of data to be moved onto USB devices while blocking more important data collections from being moved. So, the control of USB devices needs to be finely tuned.

With Falcon Device Control you get to specify which types of devices can be connected or, more easily, define which device types are banned. The control extend to user access controls, so you can allow some users or user groups to use USB devices while blocking all others.

The software for Falcon Device Control is able to identify and document all devices as they are connected to a USB port on an endpoint. You can install this software on all of your endpoints and nominate one device to host the server. Thus, you get all activity reports for all devices forwarded to one dashboard for consolidated reporting.

Who is it recommended for?

Any business that handles sensitive data has intellectual property, or needs to protect trade secrets would benefit from the use of CrowdStrike Falcon Device Control. Keep in mind that this module does not operate as a standalone product, so you can only consider this product in connection with the consideration of a CrowdStrike Falcon bundle.

Pros:

  • Distributed implementation
  • Centralized dashboard
  • The possibility to block certain types of devices
  • The ability to interface with access rights managers
  • Fast local controls

Cons:

  • The Falcon family doesn’t include controls over other channels of data exfiltration, such as email attachments.

CrowdStrike Falcon Device Control is an extra service that can be added to a subscription to the Falcon Pro, Falcon Enterprise, Falcon Premium, and Falcon Complete packages. The endpoint agents for this solution install on Windows, macOS, and Linux. You can get a 15-day free trial of the software.

17. Teramind DLP

Teramind DLP

Teramind DLP will help you to be compliant with GDPR, HIPAA, ISO 27001, and PCI DSS. The tool starts off by searching your entire system for sensitive data. The search follows typical data formats, such as Social Security or credit card numbers. It also uses OCR and natural language processing to scan all documents. It then prioritizes those that contain personally identifiable information, personal financial data, and personal health information. Scans to spot new instances of these data categories continue during the software’s service life.

Key Features:

  • System audit
  • GDPR, HIPAA, ISO 27001, and PCI DSS compliant
  • Ongoing risk assessment

Why do we recommend it?

Teramind DLP provides sensitive data identification with selective redaction that can be applied in the viewer without altering the underlying content. It is also very strong on user activity tracking and has a file integrity monitor. Lower plans of the platform are available without sensitive data management and data governance for businesses that are only interested in user activity tracking and account takeover detection.

The package includes templates for data security policies that will help you set your DLP strategy. This tool has two focuses: insider threats and data security. The user tracking functions cover activities on websites, applications, and on the network. It monitors emails and also includes a keystroke logger for special scrutiny.

Overall system activity is measured to establish a baseline of normal behavior. This is a typical strategy of intrusion detection systems so it will identify external as well as internal threats.

Data protection measures include clipboard monitoring and blocking. A fingerprinting system for files will enable you to trace who leaked a file.

The console for the software includes a Risk Dashboard, which centralizes notifications of all threats and vulnerabilities that require investigation.

Who is it recommended for?

This tool is a good choice for businesses that need to qualify for data protection standards. The platform is offered in several levels and the DLP plan is the third edition up, with two cheaper options and one more expensive plan that adds on stronger security.

Pros:

  • Great user interface, simple to navigate and learn
  • Highly visual reporting and real-time monitoring
  • Built with compliance in mind
  • Goes beyond DLP with options for actively monitoring and keylogging

Cons:

  • Platform tries to do it all, which can be overwhelming for those who only wish to use DLP features
  • Some features like keylogging can be invasive
  • Steep learning curve

Termaind DLP is delivered as a SaaS platform. It is also possible to get a software package if you prefer to host the system yourself. The system runs on a hypervisor created by VMWare ESXi or Microsotf Hyper-V. The cloud version requires an agent to be installed on your site. This is available for Windows, Windows Server, macOS, Citrix XenApp, and VMWare Horizon.

18. Digital Guardian Endpoint DLP

Digital Guardian Endpoint DLP

The Digital Guardian Endpoint DLP starts its service life by searching through-out your system for sensitive data. The tool logs those locations and tracks all events that occur at them. It is able to communicate with the Windows, Mac OS, and Linux operating systems and its tracking capabilities extend out to cloud resources. This package focuses on endpoint security. Digital Guardian produces a companion tool that hardens networks against data loss events.

Key Features:

  • Operates on Windows, macOS, and Linux
  • Produces intellectual property as well as PII
  • Endpoint-resident element

Why do we recommend it?

Digital Guardian Endpoint DLP is able to discover and categorize sensitive data that is resident on Windows, macOS, Linux, and cloud platforms. The tool then implements data access and movement controls through file integrity monitoring and change tracking, email and peripheral device data movements, and file transfer controls.

The endpoint data protection system can block activities on offline computers as well as monitoring devices over the network. It will automatically block unauthorized user actions, such as the destruction, alteration, copying, or transferring of protected data. This equally prevents both insider and outsider activities.

This system is suitable for the protection of intellectual property as well as personal information. It requires the network administrator to define categories of data and assign specific protection policies to each. Enhancements to the DLP give you the option of adding encryption to data storage and transmissions.

Who is it recommended for?

This is a sensitive data protection package that can be tuned to compliance with data privacy standards or set to protect trade secrets and intellectual property. The tool is able to work with all the major operating systems, which makes it a suitable DLP tool for any organization.

Pros:

  • Simple and sleek interface keeps insight easy to read
  • Balances simple visualizations with recent events
  • Available for Windows, Linux, and Mac
  • Agents can still work to stop access, even when offline
  • As options to protect compliance data as well as company intellectual property

Cons:

  • Plugins can sometimes cause issues, especially the email plugins
  • False positives can be excessive

You can assess Digital Guardian Endpoint DLP by requesting a demo.

19. Code42

Code42

You will notice from the descriptions of the other tools here that corporate data protection strategies are implemented within the DLP tool by rule bases, called “policies.” Code42 has a different system and doesn’t use policies. Despite not operating on policies, the tool does link detected problems with remediation actions.

Key Features:

  • Insider threat protection
  • Data file protection
  • Tracks user activity

Why do we recommend it?

Code42 Incydr offers file integrity monitoring that performs activity logging and change reversal. It doesn’t include a sensitive data discovery module. This system is able to monitor data stores on Windows, macOS, and Linux and it will watch over file movements on cloud-based email systems and SaaS applications.

Code42 works on data files the way a SIEM tool behaves with log files. It monitors data files, backing them up and restoring the original version should any changes be made. It also tracks every access to those data files and blocks any copy or transfer actions.

All actions on files, including those performed by Code42 are recorded, which generates the audit trail that you need for data security standards. The tool includes an analysis utility that uses event information to present exposure of internal misdeeds or intrusion threats.

Who is it recommended for?

The absence of sensitive data classifications makes this tool a little weak for compliance auditing. However, it includes strong user activity tracking, so it is good for identifying insider threats and account takeovers.

Pros:

  • Can automatically restore files to their previous location and state
  • Operates more as a SIEM tool, making it a good option for those looking for more advanced coverage and monitoring
  • Can audit user access to network files and locations
  • Analysis tools can help determine if actions were malicious or accidental

Cons:

  • Can be resource-intensive
  • Has a steep learning curve than other DLP software
  • Expensive, pricing based per computer

There are two opportunities to scope out Code42 Incydr because you can get a demo of the system or access a 4-week free trial.

20. Comodo MyDLP

Comodo MyDLP

You receive a license for your entire organization that covers all of your endpoints and sites. This tool will also protect data held on cloud servers. MyDLP will discover all of the sensitive data held by your company, log it, and protect it. Comodo MyDLP is a site-based data protection system that can be tailored to enforce data protection standards compliance.

Key Features:

  • Monitors endpoint activity across a network
  • Tracks activity on cloud platforms
  • File protection strategy

Why do we recommend it?

Comodo MyDLP will perform sensitive data discovery and classification. However, it operates in a different way than most data protection compliance systems. With most of these sensitive data systems, you can select a data standard from a dropdown list in the settings screen to calibrate the search engine for specific types of data to look for. In the case of MyDLP, you select a template for a specific data format, such as credit card numbers or social security numbers. The system will then protect those data locations and block their movements by users without specific high-privilege accounts.

This system focuses on a user permissions service. It lists who can have access to which data and what actions each person is allowed to perform on each bit of data. The data it protects might be trade secrets, development plans, engineering drawings, accounts, or the personal data of employees and customers. It is able to monitor devices running any operating system and the software can be installed on premises or accessed online as a cloud-based service.

Who is it recommended for?

You would have to map any data protection standard to specific data types and then set up MyDLP to work with those specific data formats. So, this is probably not the easiest compliance tool available. However, its data movement controls extend to email systems, peripherals, and even printers.

Pros:

  • Designed for the enterprise, features can scale well
  • Can automatically discover sensitive data, or be manually pointed to specific permission groups, files, or directories
  • Available as an on-premise solution or cloud deployment

Cons:

  • Could use better integration options within the Comodo ecosystem
  • Steeper learning curve than similar tools

MyDLP installs on a hypervisor and it will operate over VMWare or Hyper-V. You can assess the system by requesting a demo.

Priorities for DLP

The first and most obvious topic to deal with when trying to prevent the data your business stores is to control access to it. However, this is not your only task. In order to prove compliance with data security standards, you are going to need some evidence. So, constant transaction logging is needed, and you are going to need to store those logs for years so that they can be available for spot audits. Constant self-auditing is also necessary to ensure that security procedures are sufficiently strong.

Although failure to protect data is a setback, any leakage should not be covered up. Non-disclosure of data leakage is a big mistake. It will cause you to lose your accreditation. Data protection standards all include protocols for data loss notification and they should be followed.

Surprisingly, most organizations don’t properly track all of the locations on the system where data is stored. Staff might keep notes in documents on their desktop computers and forget to delete them; other local stores, such as contact databases can sometimes be overlooked. It is important to centralize the data storage and track access to it.

The data held by your company is a potential money earner for hackers. So, you have to properly defend your network against intrusion. However, authorized users also present a security risk. They might be tricked into passing on data to outsiders or might be motivated through resentment or greed to steal the company’s data. Preventing the copying of data onto portable devices, or printout, or sending data out through email, or a chat app is another important requirement of your DLP system.

Compliance to a data security standard is also important in order to win contracts. The public sector is very strong about protecting personal data and they ripple that priority through all of the services that they buy. So, if you don’t implement effective data loss prevention you will be locked out of the opportunity for new contracts. The need to comply with the standards of the public sector continues through the supply chain. So, even if you don’t bid for public sector contracts, your ability to do deals with businesses that do work for the public sector will be reduced.

Conclusion

Data loss events were once seen as an unfortunate risk. The IT industry and the legal systems of most advanced economies recognize that no IT system can ever be 100 percent secure. However, the requirements for companies to take all possible steps to prevent data disclosure have become far stricter in recent years.

Many businesses are unable to fully identify all of the locations of data storage and fixing that issue is the first step to a comprehensive data loss prevention strategy. Getting the right DLP tools is very important and you won’t be able to fully comply with the law or data security standards without them. Without standards accreditation, you will be barred from bidding for many contracts and without full data loss protection systems you run the risk of a disclosure event, which could lead to destructive prosecutions.

You run a great risk of your business being destroyed if you don’t have a data protection strategy. Data loss prevention software is no longer optional.

Data Loss Prevention Software FAQs

How can cloud computing prevent data loss?

The data loss risk is no different in cloud computing than it is with onsite infrastructure with the exception of the communication channel between your site and the cloud host.

  1. Locate all sensitive data
  2. Categorize data according to security standards requirements
  3. Track all access to categorized data
  4. Track changes to device configurations
  5. Monitor log file records for unexpected user behavior or unauthorized traffic
  6. Install all updates and patches to firmware, operating systems, and software
  7. Secure all access channels across the internet

What is a data loss prevention policy?

A data loss prevention policy is a set of rules and workflows laid down by your business to define how to allow access to data and protect the information that you hold. This strategy applies to working procedures, access rights management, activity monitoring procedures, reporting requirements, and disaster recovery measures.

What is a DLP alert?

A DLP alert is a system-generated message. A DLP tool monitors activities, such as data storage access and network traffic. The software will raise an alert if an activity lies outside registered acceptable behavior. The alert does not necessarily mean that a data loss event has occurred. It could identify a potential risk or a system weakness that the actions of intruders have exposed without successfully touching the target data. An alert should instigate an investigation into the necessity of adjusting security standards or taking some other preventative measures or it could indicate a security breach in progress.