Of all the security techniques aimed at ensuring data security and combating data breaches, data loss prevention tools are far and away the most common. DLP tools constantly monitor and analyze data to identify potential violations of security policies and, if appropriate, stop them from continuing. DLP tools run the gamut, from those focusing on a single part of an organization, such as email services or laptops, to ones specializing in data backup, archival and restoration.
Some DLP tools encompass the entire organization -- and these are the focus of this article. First, let's discuss some must-have features and capabilities. Then, we take a close look at seven enterprise DLP tools to provide the information you need when evaluating the best product for your company's needs.
Must-have DLP tool features and capabilities
Enterprise DLP tools contain a wide range of features and capabilities. The following are the most essential:
- The ability to automatically discover, inventory and classify sensitive data and its metadata. Data is constantly being created and changed, so a DLP tool unable to keep pace with potential data leaks is always missing things.
- The ability to analyze data in the following circumstances:
  - In any state -- in use, at rest or in transit.
  - In any location, including user endpoints, on-premises servers, networks and cloud services.
  - In any application, such as email, web, messaging platforms, social media and file sharing.
- The ability to use several types of analyses to accurately find problems. All analysis should take into consideration the context of the communication because activity that's completely normal in one context could be highly suspicious in another. Examples of analysis include the following:
  - Looking for suspicious values -- e.g., "confidential."
  - Doing complex pattern-matching -- e.g., to find credit card numbers.
  - Finding copies of known sensitive data.
  - Performing statistical analysis of data activity.
  - Studying user behavior.
- The ability to act in one of several ways when the DLP software discovers a potential policy violation. For example, in one situation, you might want the tool to log a possible violation and alert an administrator. In another, you might want the tool to stop a data transfer, initiate an incident report through your SIEM system and immediately involve your incident response team in handling the attempted breach. Tools might also be able to proactively fix basic policy violations, such as encrypting sensitive stored data.
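To make the analysis and response capabilities above concrete, here is a small sketch of keyword matching, card-number pattern matching with a Luhn check to cut false positives, and exact-copy fingerprinting, followed by a context-based choice of action. It is an added example, not code from any DLP product; the keyword list, the policy, the function names and the sample data are all assumptions.

```python
import hashlib
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
KEYWORDS = ("confidential",)  # assumed keyword list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(text: str) -> str:
    """SHA-256 of lowercased, whitespace-normalized text (exact-copy match)."""
    return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()


def inspect(text: str, known: set, internal_dest: bool) -> dict:
    """Run three content analyses, then pick an action from the context."""
    findings = []
    if any(k in text.lower() for k in KEYWORDS):
        findings.append("keyword")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group()))
           for m in CARD_RE.finditer(text)):
        findings.append("card_number")
    if any(fingerprint(p) in known for p in text.split("\n\n")):
        findings.append("known_data")
    # Constructed policy: a keyword alone, or any hit on an internal
    # transfer, is logged and alerted; other hits leaving the org are blocked.
    if not findings:
        action = "allow"
    elif internal_dest or findings == ["keyword"]:
        action = "log_and_alert"
    else:
        action = "block"
    return {"findings": findings, "action": action}


# Constructed sample input; 4111 1111 1111 1111 is a widely used test number.
KNOWN = {fingerprint("Q3 merger terms: acquire at 42 per share")}
if __name__ == "__main__":
    print(inspect("Card: 4111-1111-1111-1111", KNOWN, False))
    print(inspect("Ref 4111 1111 1111 1112", KNOWN, False))
```

The second sample fails the Luhn check and is allowed, which is why pattern matching alone is not enough: a regular expression finds digit runs, and the checksum separates likely card numbers from order or ticket numbers.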
Now, let's look at several popular enterprise DLP tools marketed to security teams. This is just an overview of what's offered today. Many other DLP tools are available, each with its own unique combination of features and capabilities.
The author selected these organization-wide DLP tools based on market research and prioritized offerings that have sizable customer bases; are under active development; and have publicly available user reviews contributed by verified purchasers of DLP products and services. This list is organized alphabetically.
1. Digital Guardian DLP by Fortra
- SaaS DLP with automated data discovery and data classification capabilities for both known and unknown data types.
- Granular policies available to protect sensitive data and restrict its movement.
- APIs and integration with several major technology vendors.
- Supports managed services.
- Offers excellent customer support and on-demand training.
- Configuring and managing policies can be challenging for some users.
- Can reportedly cause blue screen issues on some endpoints, according to users.
- Analytics & Reporting Cloud.
- Endpoint DLP.
- Network DLP.
- Management Console.
2. Forcepoint DLP
- Performs several types of analyses, including optical character recognition.
- Uses a single analysis engine for data in motion, at rest and in use, ensuring consistency.
- Provides policy templates for major security and privacy regulations around the world.
- Provides broad, highly effective monitoring and analysis capabilities.
- Consumes minimal resources on endpoints.
- According to users, the learning curve for deployment can be steep.
- Some users have found support lacking.
- Forcepoint DLP Endpoint for user endpoints.
- Forcepoint One CASB (cloud access security broker) for popular SaaS applications.
- Forcepoint One SWG (secure web gateway) for web browsing and downloads.
- Forcepoint One ZTNA (zero-trust network access) for zero-trust remote access.
- Forcepoint DLP -- Discover for sensitive data discovery, inventory and classification.
- Forcepoint DLP -- Network for data being sent over networks through email and web activity.
- Forcepoint DLP for Cloud Email for data being sent through outbound emails.
- Forcepoint DLP App Data Security API for data in custom applications and services.
3. Palo Alto Networks Enterprise DLP
- Delivered through the cloud using Palo Alto next-generation firewalls and management console.
- Single policy engine for all DLP components.
- Offers built-in policies for compliance with numerous laws and regulations.
- Designed to accommodate mobile and hybrid workforces and SaaS application usage.
- Users report that setup is quick and easy.
- Assumes use of existing Palo Alto Networks systems.
- Some users don't find the documentation sufficiently detailed.
- Enterprise DLP modules for physical and virtual firewalls.
- Enterprise DLP module for SaaS applications.
- Enterprise DLP modules in Palo Alto's Prisma Cloud and Access offerings.
- Email DLP module for outbound email in Palo Alto's CASB offering.
4. Proofpoint Enterprise DLP
- Supports integration with Proofpoint's data discovery and classification solution to improve Enterprise DLP's efficiency.
- Takes a people-centric approach to identifying and preventing data loss, emphasizing context such as content, behavior and threats.
- Can share customized policies and other configurations across Proofpoint DLP modules.
- Highly customizable rules and dictionaries.
- Relatively easy to implement compared to other DLP products, according to many users.
- Standalone email DLP requires separate dashboards for other DLP use cases, although Enterprise DLP offers a single, multichannel dashboard.
- Legacy UI in need of a refresh, according to some users.
- Enterprise DLP, which includes endpoint DLP, cloud DLP and email DLP capabilities.
- Endpoint DLP.
- Email DLP.
- Cloud DLP in Proofpoint's CASB offering.
5. Symantec Data Loss Prevention by Broadcom
- Provides a single console for monitoring and managing all DLP components.
- Uses a single policy mechanism for all its detection and enforcement capabilities.
- Offers a variety of enforcement capabilities, including integration with Microsoft Purview Information Protection.
- Many users find the UI flexible and easy to use.
- Fast data discovery and strong detection of policy violations reported.
- Considered more expensive than most other DLP tools.
- Some users have found technical support lacking. Also, integrations might be challenging and require extra support or professional services.
- DLP Core Solution, a suite of nine on-premises components, including DLP Endpoint Discover, DLP Network Protect and DLP Sensitive Image Recognition.
- DLP Cloud Solution, a bundle of six cloud-based components with two add-ons.
6. Trellix Data Security (formerly McAfee)
- Offers several methods for protecting sensitive information, including options to block data from the following:
  - Being saved to USB drives and other media.
  - Being recorded via screen captures.
  - Being sent to printers.
  - Being posted to websites.
- Offers integrations with third-party tools for data classification, orchestration and incident response.
- Provides strong, flexible options for data classification.
- Many users consider the data protection methods highly effective.
- Users like the management console's UI.
- Some users have reported configuration difficulties and a steep learning curve.
- Agents sometimes run slowly or interfere with other applications.
- Trellix DLP Discover.
- Trellix DLP Network Prevent.
- Trellix DLP Network Monitor.
- Trellix DLP Endpoint Complete.
- Trellix DLP Device Control.
7. Zscaler Data Protection
- A cloud-based security service edge suite of products and services that includes cloud, email and endpoint DLP.
- Provides protection and monitoring for endpoints whether or not they're internet-connected.
- Does not need to route any user traffic through on-premises networks for monitoring or enforcement purposes.
- Generally easy to deploy and manage, according to users.
- Requires no on-premises appliances or other hardware; highly scalable.
- Service largely depends on internet connectivity, with lags reported.
- Some customers found documentation on configurations underwhelming.
- Zscaler Exact Data Match for fingerprinting sensitive data.
- Zscaler Index Document Match for fingerprinting sensitive documents.
- Zscaler Optical Character Recognition for classifying data in images.
Karen Scarfone is principal consultant at Scarfone Cybersecurity in Clifton, Va. She provides cybersecurity publication consulting to organizations and was formerly a senior computer scientist for NIST.