Zscaler DLP review including alternatives

Zscaler offers a data loss prevention service that is called Zscaler Cloud DLP. As the name suggests, this system is delivered from the cloud as a SaaS platform. However, it isn’t limited to monitoring cloud services. It will also watch over sensitive data resident on any network. In addition, this system can group together the monitoring of sensitive data on several sites and cloud systems.

Data loss prevention (DLP) is important for all businesses but it is particularly essential for companies that handle information about private individuals. Hackers can cause a lot of damage through identity theft that can ruin lives. An extensive customer database full of personally identifiable information (PII) is a valuable target for these criminals.

To counter the high amount of value that hackers can gain from a corporate system, governments have brought in legislation that heavily penalizes businesses that don’t sufficiently protect PII.

This is a wake-up call for companies that would rather focus on selling their products at competitive prices and see cyber security as an unnecessary overhead. If you fail to protect the PII in your system, the fines you face will wipe out your profits. Other companies will also stop doing business with you and the publicity the data loss will attract will ruin your company’s reputation in the eyes of the general public. You cannot afford to overlook data loss prevention.

About Zscaler

Zscaler is headquartered in San Jose, California in the USA. Jay Chaudhry and K. Kailash started up the company in 2007. Chaudhry is still the business’s CEO 14 years later.  Zscaler went public with a listing on Nasdaq in March 2018 and now has a market capitalization of $16 billion and employs more than 10,000 people.

Zscaler focuses all of its development on its cloud platform. This is a proxy service that works as both a firewall and a reverse firewall. It is an edge service as well because it acts as a content delivery network for company apps and data stores.

Zscaler data protection

The Zscaler DLP comprises several Zscaler services on its cloud platform that deliver secure apps and web services together with an onsite data encryption service. The Zscaler approach focuses access controls on applications, and data access is a secondary consideration.

In the Zscaler system, all access to software is through a Zscaler-resident portal. So, even if your users are on-site, connected to your network, and in the exact location as the file server, they will open a Web browser and get to their software through that. Even though a file explorer, data access pings back to your onsite servers and only operates through the Zscaler system.

The Zscaler system treats all users the same no matter where they are located. So, there is no concept of local and remote users because everyone is remote. This is similar to the mobile application management and mobile content management procedures of mobile device management services. In short, Zscaler operates a unified endpoint management service by treating all endpoints like mobile devices.

The IT industry assumes that sooner or later, everything is going to end up on the cloud. You might already be operating a partial cloud service for your office-based users by providing the Microsoft 365 or G Suite productivity tools. Other applications, such as your customer service system, could still be running on your site. However, you probably have a website for both sales and contacts, and your email server could very well already be cloud-based.

If you still have data stores on site and sign up for the Zscaler service, those stores get enrolled into the cloud system. The system doesn’t need to rescan your local endpoints for new data instances because once those directories and databases are registered, the only way any unused data will be added to them is through an app delivered by Zscaler and updating a data store that Zscaler controls.

Cloud storage systems, such as Google Drive, OneDrive, or Dropbox, entirely encrypt data at rest and control access through credentials. As well as controlling access to the file space, individual directories and files can be further maintained by granting access only to specific users. Zscaler works through those native security systems on cloud platforms rather than trying to replace them.

By hosting the applications and controlling access, Zscaler can also control access to data held in databased and unstructured formats. Thus, the issue of control over movement onto removable storage, such as USB memory sticks, is taken care of because data doesn’t even get onto the local device to which that USB stick will be attached. Similarly, print requests can be controlled and monitored, or blocked.

Under the Zscaler system, intrusion detection is an issue, but it is less critical. For example, an interloper might be able to trick an authorized user into disclosing a privileged account’s credentials for access to the system. However, this only enables the hacker to view data – as no user is allowed to move data, the chances of a mass copy of all PII held on the system is slight.

Zscaler terminology

When you delve into how the Zscaler system works, you bump into cloud technology insider jargon. Here are some essential terms that you should know.

SASE – Secure Access Service Edge

This concept combines virtual networking and security. The security applies both to users and devices, which are grouped under the termed “identities.” This is similar to the approach of Active Directory, which deals with both user credentials and device and target object access permissions.

The SASE imposes a unified network structure over a collection of sites and cloud platforms, integrating internet connections into the system. In addition, all connections are protected by encryption.

CASB – Cloud Access Security Brokers

CASB is pronounced “cas-be.” It is a secure mediator between users and applications. All transactions that pass between the user and the application are recorded and optionally limited or blocked. CASB is specifically used for access to cloud resources. In the Zscaler system, any on-premises servers are integrated into the cloud network and treated as cloud resources.

Zscaler operates with two types of CASB – out-of-band CASB and inline CASB. Out-of-band CASB interacts with the native security system of cloud platforms. Those platforms usually implement this through the encryption of data at rest. The Zscaler service acquires control over those access-managing encryption systems through the use of APIs.

Zscaler doesn’t encrypt data at rest on your site. That could provide a security weakness if hackers or malware can get into the operating system and gain direct access to data stores. The Zscaler inline CASB service assumes that the security service controls access to onsite data. It only needs to encrypt it in motion from the data store to the app and, therefore, is available to the user.

CSPM – Cloud Security Posture Management

This strategy addresses possible attack vectors that could infiltrate cloud resources. It provides a cloud equivalent of threat management – both external and insider threats. The system also implements a vulnerability management service that examines the configuration of cloud accounts and recommends, or implements, tighter configurations.

SSPM – SaaS Security Posture Management

SSPM is CSPM applied to SaaS packages that combine both software and storage space. Examples of these services are Microsoft 365 and Google G Suite. This looks at issues such as the security of admin accounts, and it also enforces more robust access controls, such as multi-factor authentication (MFA). But, again, this is an issue of examining current settings and updating them.

SSL – Secure Socket Layer

SSL is the most widely used security protocol for protecting Web traffic. However, it is a generic term because the implementation of SSL uses Transport Layer Security (TLS). The Zscaler system inspects all traffic and ensures that TLS protects payloads.

SIEM – Security Information and Event Management

SIEM is a system security service that identifies intruders and other malicious activity. The system works by examining log files and so is usually combined with a log management package. The preservation and accessibility of log messages is an essential requirement of data protection standards compliance auditing. Zscaler DLP omits a SIEM, but it can channel log messages to one.

Zscaler DLP price

Zscaler doesn’t publish a price list for its DLP service. To discover more about the product and start a conversation about acquiring it, you should request a system demo.

Zscaler DLP strengths and weaknesses

We have assessed Zscaler DLP’s good and bad points and made a list of them.


  • Provides a unified cloud-based view of all sites for an organization
  • Controls access to data on-site and on the cloud by treating all on-premises data stores as cloud resources
  • Mediates access to all software run by the business as well as its data
  • Creates a flexible, secure IT service delivery mechanism that caters to roaming and telecommuting staff
  • Offloads all security management to external servers


  • Not suitable for small businesses that only operate IT services on-premises

Zscaler DLP alternatives

You might be looking for several competing candidates that similarly perform the same DLP service to Zscaler, or you might want an alternative because you don’t think that the Zscaler DLP strategy suits your current IT services delivery model.

Our methodology for selecting a Zscaler DLP alternative

We reviewed the market for data loss prevention systems and analyzed the options based on the following criteria:

  • A protection mechanism that discovers and guards sensitive data
  • Variable treatment of data according to sensitivity ranking
  • A service that can be easily tuned to serve a specific data protection standard
  • Controls overall potential data exit points
  • Logging of all data-related activity
  • A free trial or a demo system for a no-cost assessment opportunity
  • Good value for money from a tool that provides sufficient data protection

With this set of criteria in mind, we have defined a suitable range of DLP services that substitute for Scaler DLP.

Here is our list of the five best alternatives to Scaler DLP:

  1. ManageEngine DataSecurity Plus A DLP and vulnerability scanner bundle includes data discovery and classification, file integrity monitoring, access rights assessment, and data movement monitoring, such as the control of USB ports and the tracking of print jobs. DataSecurity Plus is an on-premises package that installs on Windows Server, and it is available for a 30-day free trial.
  2. Endpoint Protector A DLP system has a discovery and classification system for PII, credit card data, PHI, and IP. Other features include file activity tracking and data movement control. This service is available as a SaaS platform, as a service on AWS, GCP, or Azure, or as a virtual appliance on site. The service deploys endpoint agents on Windows, macOS, and Linux. Assess Endpoint Protector through a demo system.
  3. Digital Guardian DLP A SaaS platform with data discovery and classification service for PII and intellectual property. The DLP controls peripheral devices, printers, faxes, file transfer systems, messaging services, and emails. While data processing is performed in the cloud, the package installs endpoint agents on Windows, macOS, and Linux. Access a demo account to assess this DLP.
  4. Teramind DLP A SaaS package scans multiple sites and cloud platforms for sensitive data stores and unifies their protection. This package includes user and entity behavior analysis, peripheral controls, and OCR scanning for electronic documents and images. Teramind DLP is offered a 14-day free trial.
  5. Rapid7 InsightIDR Use this SIEM to give you data loss prevention services as well. It covers multiple sites and cloud platforms, unifying their management. What makes this SIEM a DLP are its sensitive data discovery and file integrity monitoring services. It also includes a vulnerability scanner. The package is a SaaS platform with endpoint agents on site.  You can get a 30-day free trial.