With governments around the world implementing strict data privacy laws, data loss prevention (DLP) technology is becoming a critically important IT security tool for protecting sensitive data.
Every organization stores sensitive data. Sensitive data can include personally identifiable information (PII) that can impact user privacy. Sensitive data also includes payment and financial information that could lead to identity theft and fraud if the data is lost or stolen and winds up in the wrong hands. Intellectual property is another type of sensitive data that DLP tools typically monitor and protect.
DLP tools automate data classification and protection, typically after an initial assessment of an organization’s data types and where that data is located. DLP tools then monitor that data to look for potential exposure or leaks.
Below are our top picks for data loss prevention solutions, their features, use cases, functionality and customer support, followed by considerations for buyers in the market for DLP solutions.
- Forcepoint DLP: Best overall
- Digital Guardian Endpoint DLP: Best for small or inexperienced security teams
- Symantec DLP: Best for protecting large networks
- Clumio Protect and Discover: Best for AWS business environments
- Proofpoint Enterprise DLP: Best for standalone email protection
- Trellix DLP: Best for distributed enterprises
- Key Features of DLP Solutions
- How to Choose the Best DLP Solution for Your Business
- How We Evaluated DLP Solutions
- Frequently Asked Questions (FAQs)
- Bottom Line: Use DLP Tools to Protect Sensitive Data
Top DLP Solutions Compared
This table provides a brief overview of our top products and their feature availability. Read our full product reviews below for more detail on each.
| Support for regulatory compliance | Encryption | Network monitoring | Free trial | |
|---|---|---|---|---|
| Forcepoint DLP |  | |  | |
| Digital Guardian Endpoint DLP | | | | |
| Symantec DLP | | | | |
| Clumio Protect and Discover | | | | |
| Proofpoint Enterprise DLP |  | | | |
| Trellix DLP | | | | |
= yes; = unclear; = no
Forcepoint DLP
Best overall
Forcepoint DLP offers tools to manage global policies across every major channel, including endpoint, network, cloud, web, or email. Predefined templates, policies, and streamlined incident management enable organizations to address risk by adding visibility and control where people work and data resides.
Forcepoint’s compliance features are a particular highlight — they help teams meet standards with more than 1,500 predefined templates, policies, and classifiers applicable to the regulatory demands of 83 countries. If you’re a large enterprise with significant regulatory demands, consider Forcepoint. We rated it best overall for its comprehensive feature coverage.
Pricing
- Forcepoint offers a 30-day free trial of DLP.
- Contact Forcepoint’s sales team for detailed pricing information specific to your organization’s needs.
Features
- Employee security coaching through messages that guide user actions, educate employees on policy, and validate user intent when interacting with critical data
- Automated data labeling and classification through integrations with third-party data classification tools
- Risk-based policy enforcement
- Intellectual property protection
| Pros | Cons |
|---|---|
| Forcepoint ONE DLP, the cloud security platform for DLP, is available as a managed service | Lacks file transfer protection or quarantining |
| Forcepoint offers training videos | Recent user complaints about customer support’s slow responses |
| Technical account manager available for enterprise support plans |
Digital Guardian Endpoint DLP
Best for small or inexperienced security teams
Digital Guardian Data Loss Prevention, offered by Fortra, performs DLP on traditional endpoints, across the corporate network, and on cloud applications. Our analysis focuses on Endpoint DLP, but Digital Guardian also has a Network DLP product for teams focused on network traffic monitoring and security. Your enterprise can combine both if needed.
Digital Guardian receives its high rating from us particularly for its functionality and management features like training videos and support for multiple operating systems. Additionally, Digital Guardian DLP is available either as software-as-a-service (SaaS) or a managed service deployment. While Digital Guardian DLP is a strong choice for large enterprises, SMBs should consider it too for ease of use through the managed service.
Pricing
- Contact Digital Guardian for a pricing quote request.
Features
- Automated blocking and encryption of sensitive data in emails and files on removable drives
- Dashboards
- Classification and tagging of intellectual property and regulated data
- Data-centric events collected are reported up to Digital Guardian’s Analytics & Reporting Cloud, part of the vendor’s overall data protection platform
| Pros | Cons |
|---|---|
| Available as a fully managed security service program (MSSP) with a 24/7 global analyst team | Some users find the UI confusing and initial setup difficult |
| Supports multiple operating systems |
Symantec DLP
Best for protecting large networks
Symantec Data Loss Prevention, now owned by Broadcom, is a two-product protective platform for enterprises. We mainly looked at Symantec DLP Core, but DLP Cloud is also available and offers cloud connectors to web gateways and cloud access security broker (CASB) controls.
DLP Core offers features like encryption and network monitoring; consider it for sprawling business networks, especially storage area networks that pool data from multiple storage systems. And if your team is looking for data protection for cloud environments, DLP Cloud can help monitor cloud-based applications and storage systems.
Pricing
- For pricing information, you can contact Broadcom’s sales team, or you can contact a reseller like CDW or SHI for pricing. Depending on the reseller, you may still need to request a quote. SHI reports a starting list price of $96 a year per license with support, with volume discounts.
Features
- One pane of glass for policy management
- Microsoft Information Protection integration for encryption and rights management
- Network monitoring
- Information Centric Analytics, a form of UEBA
| Pros | Cons |
|---|---|
| Full-featured Core product for on-premises environments | Symantec DLP is built on Oracle, so customers must have an Oracle database to use it |
| Good choice for teams protecting intellectual property data | No free trial |
Clumio Protect and Discover
Best for AWS business environments
While designed more as a backup solution, Clumio has enough DLP features to earn it a place on this list. The Protect and Discover products offer backup and recovery for AWS and Microsoft 365. It simplifies and automates AWS data protection for Amazon S3, EC2, EBS, and RDS; SQL Server on EC2; and other products.
Don’t count Clumio out if you’re a Microsoft customer, either: it helps teams develop policies for all their 365 products and stores data in an immutable environment to protect it from ransomware.
Pricing
- Clumio has a pay-per-use structure, with pricing specified for different AWS products and backup type and frequency. Check out the pricing page for a complete list of backup costs. For S3, Clumio offers SecureVault Standard and SecureVault Archive, so you can back up your less frequently accessed data, too.
Features
- Air-gapped backups for SQL Server data, stored outside user accounts
- Search, recovery, and restoration for EC2 files, volumes, and instances
- Encryption for data in motion and at rest
- Policy creation for AWS, including specified backup frequency and retention
| Pros | Cons |
|---|---|
| Available as a managed service | Limited training videos |
| 14-day free trial | Data discovery capabilities are unclear — Clumio is more backup-focused, so it won’t meet all enterprise-level DLP requirements |
| Developer hub available for engineers and dev teams |
Proofpoint Enterprise DLP
Best standalone email protection
Proofpoint’s broader Enterprise DLP platform provides both Endpoint DLP and Email DLP products. Proofpoint Endpoint DLP takes a people-centric approach to protecting data. It provides integrated content awareness in addition to behavioral and threat awareness, which gives granular visibility into user interactions with sensitive data. Proofpoint Endpoint DLP also offers the ability to detect, prevent, and respond to data loss incidents in real time.
Email DLP helps identify when sensitive data is being leaked through an email. It allows teams to create dictionaries with data formats specific to their organization for exact data matching. If your team is particularly interested in a comprehensive endpoint and email protection solution, consider Proofpoint.
Pricing
- Proofpoint doesn’t give public pricing information for its DLP products. Contact the sales team for pricing specific to your business.
Features
- Encryption for email data with Email DLP
- Custom dictionaries for specific data formats and exact data matching with Email DLP
- Out-of-the-box detection and prevention engine to halt data exfiltration with Endpoint DLP
- Access policies based on your team’s security goals with Endpoint DLP
| Pros | Cons |
|---|---|
| Built on the same platform as Proofpoint Insider Threat Management and can draw user data from it | Lacks training videos for users |
| Part of the Managed Information Protection service for businesses seeking a broader managed data security platform | Not as full-featured as some of the other products on our list |
Read more about email security:
Trellix DLP
Best for distributed enterprises
Trellix — an XDR-focused security company formed from the merger of McAfee Enterprise and FireEye — remains tightly coupled with its former cloud business, Skyhigh Security, in DLP. Composed of DLP Discover, DLP Endpoint, DLP Monitor, and DLP Prevent, Trellix’s data loss prevention platform is a good choice for both on-premises and hybrid environments, particularly combined with the Skyhigh’s SASE capabilities. Of course, that also makes Skyhigh a good choice for organizations looking for a cloud DLP option.
We focused on DLP Discover in our review; this product inventories data, searches for sensitive information, and helps develop data protection rules through fingerprinting. But the entire Trellix suite is a good choice for teams focused on threat monitoring and prevention. The one downside is it requires four DLP products to get all the DLP capabilities that Trellix offers, but for enterprises seeking a feature-rich DLP platform, Trellix is a strong contender.
Pricing
- Trellix doesn’t provide public pricing details. Contact Trellix to speak with a salesperson about products and pricing information. Some pricing can be found online in places like AWS and Connection.
Features
- Network monitoring through DLP Monitor
- Encryption and quarantining after a policy violation through DLP Prevent
- Statistical analysis for data pattern matches within documents and files
- Rule construction engine that helps your team create data protection rules for simple and complex data
| Pros | Cons |
|---|---|
| Network monitoring product available | Lacks user training videos |
| Comprehensive enterprise solution | Not available as a managed service |
| Might require multiple solutions to cover all your needs |
Key Features of DLP Solutions
Data loss prevention helps storage, data, and security teams wrangle large volumes of information that might be scattered throughout multiple systems and locations. Look for the following features in the products you consider — while they will vary between solutions, you’ll at least want the majority in any DLP solution.
Data Discovery
DLP tools should enable users to identify what types of data should be protected. It’s easy to lose track of data in enterprise storage systems and applications, but your team should keep tabs on all that information. You can only protect it if you know it’s there. Data discovery is one of the core building blocks of DLP.
Data Classification
DLP tools should enable users to identify what types of data should be protected. Some data is more sensitive, and if it were stolen or exposed it would be a critical risk. Data should not only be grouped into appropriate categories but also prioritized according to its sensitivity.
Compliance Assistance
DLP has become a useful tool for helping organizations protect customer privacy and comply with privacy regulations like GDPR and CCPA. Many DLP products have built-in functionality for identifying whether data protection practices are actually compliant with regulatory standards.
Policy Creation
Many DLP tools offer a policy creation feature that allows you to develop data protection rules specific to your business. Some businesses may want more sophisticated policy-making tools, so if you’re a larger enterprise with experienced data or security teams, look for highly customizable policies. Conversely, if you want out-of-the-box policies, ask for a demo when shopping for a DLP product.
Network Monitoring
Not all DLP products offer network monitoring, but we particularly recommend it for teams that have a lot of sensitive data traveling across their network. Monitoring is also useful for businesses with large storage area networks, as data from multiple systems could be compromised if the network is breached.
How to Choose the Best DLP Solution for Your Business
When choosing a DLP technology or service, there are several key considerations organizations must take into account, including budget and team size but not limited to those. Also consider where your business data resides and any compliance assistance you’ll need.
Scope
Where is the data that needs to be protected? Have you inventoried every storage system or database containing sensitive data? And does the solution you’re looking at have full visibility into those deployments? These are the questions you should ask before choosing a data loss prevention product so you know whether it supports all the file types, unstructured data, or other information your team needs to protect.
Compliance
If the DLP service is being used to help enable regulatory compliance, look for integration with governance, risk, and compliance (GRC) tools. Not all DLP products will have the GRC capabilities you’re looking for, and a smooth integration could be critical for facilitating your team’s regulatory compliance operations.
Reporting
It’s important for many organizations to have visibility and reporting into what data is protected and how it is being accessed, particularly for compliance purposes. Businesses in the healthcare, financial services, and government sectors will especially benefit from strong built-in reporting tools.
Team expertise and business size
You’ll need to weigh a product’s interface and capabilities against the skills of your security, IT, and data teams. While you shouldn’t choose a product only for ease of use, it’s important to consider how long it’ll take for your teams to learn and how complex it is. Additionally, smaller businesses will need a product appropriate for their size; likewise for large enterprises.
Budget
While budget certainly isn’t an unimportant consideration, it shouldn’t be the only one. Your business should invest in a product that will last you many years, and if that requires spending some money for a platform with the right features, see if your team can afford a suitable product that will serve you well.
How We Evaluated DLP Solutions
We evaluated these DLP solutions using a product scoring rubric. In our rubric, we weighted criteria and features according to the percentages listed for each below, and that weighting factors into the total score for each product. The six products that scored highest in the rubric made our list. However, that doesn’t mean that one of these is automatically the best pick for you, nor that a good option can’t be found outside this list.
A note on ratings: The scores are not a reflection of the product’s overall quality but rather a representation of how the product met the criteria in our evaluation rubric. All these products are successful in this category, and their score here is not an overall measure of their value. Rather, it analyzes how well they met our specific criteria.
Pricing Transparency & Trials | 10 Percent
We evaluated whether the vendor was transparent about pricing and whether the product had a free trial, including how long the trial lasted.
Core Features | 35 Percent
We evaluated the most important DLP features, like data discovery, data classification, and policy creation.
Additional Features | 20 Percent
We considered some nice-to-have features, including digital rights management, behavioral analytics, and risk-based policy enforcement.
Functionality & Management | 20 Percent
We evaluated availability of knowledge bases and training videos, as well as the option to buy the product as a managed service.
Customer Support | 15 Percent
We looked at technical support phone and email availability, as well as whether the vendor offers a demo and a 24/7 support plan.
Frequently Asked Questions (FAQs)
People frequently ask the following questions about data loss prevention and its role in enterprises and security systems.
What Is an Example of a DLP Policy?
Data loss prevention policies can either be pre-made or customized specifically for your organization. For example, your IT team might set a DLP policy that permits only encrypted files to be sent from the Chief Information Officer’s email account. DLP policies specify what can happen to what data.
What Triggers a DLP Incident?
Your business’s set policies trigger a DLP incident. When someone goes against a policy — for example, when the aforementioned CIO attempts to email an unencrypted file — the DLP product triggers an alert, flagging the incident. Some DLP products have prevention features that will block the unencrypted file from sending.
Is There a Difference Between DLP and EDR?
DLP and endpoint detection and response (EDR) differ in intent, but they do serve similar purposes. DLP is focused on data, on its safety at rest and in motion. EDR is focused on endpoints and protecting systems starting at the endpoint, detecting and halting attacks on laptops and servers. While they may perform some of the same tasks, businesses will likely implement them for different reasons.
Bottom Line: Use DLP Tools to Protect Sensitive Data
DLP technology provides a mechanism to help protect against sensitive data loss and thus can also help mitigate interactions with compliance agencies in the wake of a data breach.
By classifying data and users and identifying or blocking anomalous behavior, DLP tools give enterprises the visibility and reporting needed to protect sensitive data and satisfy compliance reporting requirements. It’s likely that your DLP product won’t function in a vacuum — you’ll probably need other tools, too. But data loss prevention focuses on one of your business’s most important assets: its sensitive, secret and regulated information. The stakes for securing data continue to rise, and DLP is one strategy to help achieve your team’s data protection goals.
Read our tips to prevent data breaches next
The post Top 6 Data Loss Prevention (DLP) Solutions (Full Comparison) appeared first on eSecurity Planet.