Data loss prevention, or DLP, is becoming an essential part of enterprise security software.
While core DLP functionality is available in all DLP tools, key differences separate the vendors featured in this review. For example, some provide cross-platform DLP, whereas others support Windows clients only. Many companies are U.S.-based, but some are headquartered in other countries, such as Russia and Romania, which may pose a problem for certain companies or U.S. government entities required to purchase from U.S.-based suppliers only.
A vendor's background, focus and acquisition activities are important factors to consider as they could indicate what kind of partner your potential supplier will be in the coming years. Security, like most IT infrastructure purchases, is a long-term commitment.
A major decision point is whether to use an agent-based, or endpoint, DLP deployment versus an agentless, or network-based, platform.
Network-based DLPs work hand in hand with a company's firewall to inspect -- and possibly interdict --traffic leaving the internal network. Because no agents are necessary, deploying a network-based DLP can be simpler than an agent-based one. But agent-based DLPs perform a crucial role a network-based alternative doesn't: Only an agent-based system can detect data that might be exfiltrated to local devices, such as USB drives or printers. As a result, it might be difficult for administrators to provide a comprehensive DLP platform while relying on just a network-based deployment.
All the vendors listed below offer agent-based systems; a few also sell network-based options.
Another issue is a product's comprehensiveness. All DLP products can process text files and Excel documents. Data within these documents -- structured data -- is relatively easy to protect. Less structured data, as well as information that resides in image files, poses more of a challenge. If protecting sensitive images within documents is important to you, then look for a DLP vendor that supports optical character recognition (OCR).
Just like with antivirus tools, false positives can be a risk with DLP products that are overly sensitive and detect everyday work as exfiltration threats. These false alarms can frustrate users and overwhelm security staff. Unlike most security methods, there is no standard process for implementing DLP, so the approaches -- and outcomes -- can differ widely across vendors.
Next, consider the product's ease of installation and effectiveness.
Buyers should ensure prospective vendors clearly describe their installation processes and what users can achieve with a newly installed system. If the vendor does not provide data templates, that may indicate that users cannot do anything until they define the data they need to protect.
DLP configuration is challenging because the system must identify the sensitive data to track, so creating templates and configuring data tracking policies are a big part of the installation process. It can speed up the process significantly if the vendor provides prebuilt policy templates that match an organization's needs. If companies need to handcode templates to pinpoint the data they want to track and protect, the rollout process may drag out.
To help avoid potential pitfalls, companies should design a proof of concept, using actual data, to gauge a product's effectiveness. This will help prevent companies from wasting time and money on a system that turns out to be insufficient.
U.K.-based Clearswift is a wholly owned subsidiary of HelpSystems, having been acquired in December 2019. HelpSystems is a Minnesota-based organization that has provided email security, web security and content filtering software for IBM-based environments for over 35 years and, more recently, built up a cybersecurity portfolio with DLP being a more recent area of focus.
Clearswift Endpoint DLP is agent-based and offers only Windows client support. Its adaptive DLP product is capable of taking a variety of actions -- redact, block, delete, encrypt -- when the system finds sensitive data.
The company offers more than six different versions of its adaptive DLP platform, each focused on a specific environment or application, such as email, web apps and social media.
Pricing: Contact company directly.
Based in Romania, CoSoSys was founded in 2004. After going through several rounds of acquisitions, its founding management team took the company back to its stand-alone roots in 2011. The company has a portfolio of offerings, in addition to DLP, that includes enterprise mobility management for both Apple iOS and Android systems.
Its DLP offering, Endpoint Protector, is an agent-based, cross-platform system that also provides device control, enforced encryption and automated discovery capabilities with noted support for Apple iOS and Google Android mobile devices. Its product coverage also extends to thin clients and even printers. Management is available via hardware appliance, virtual appliance or cloud service.
Pricing: Contact company directly.
Digital Guardian, formerly Verdasys, is an American company that focused on data security and encryption from its founding in 2003. Its 2015 purchase of Code Green served as its entry point into the network DLP market.
Digital Guardian offers both agent-based endpoint and agentless networking DLP. It provides content, contextual and user-based classification, as well as OCR support and support for unstructured data.
Automated data classification is a key feature. Digital Guardian's platform can scan and classify data at rest, so admins can avoid manually performing this tedious task. It provides general-purpose and industry-specific policy templates, as well as custom templates. Customers can also determine how they want to protect their data with a variety of options -- among them, prompt, alert, justify and block. The company reports that overall deployment time is 30 days to 90 days. Client support is available for Windows, MacOS, MacOS Catalina and Linux for agent-based offerings.
Pricing: Varies based on deployment options. Contact company directly.
Formally known as Websense, U.S.-based Forcepoint was founded in 1994 and is now owned by Raytheon.
Forcepoint's DLP offering is a modular platform that enables users to start with one area -- usually, endpoints -- and then proceed to other areas, like email or the cloud. The product, which supports more than 50 languages is equipped with OCR capabilities that can be applied to both data at rest and in motion.
In addition to file servers and endpoints, classification also extends to other environments, including Exchange, SharePoint, relational databases and cloud applications, like OneDrive, Google Drive, Box and Salesforce. Templates -- containing an extensive library of policies -- are available for both general and industry-specific use. Users can also customize templates to meet specific cases. It protects local, network and external disk and monitors email, printers, print screens, FTP and HTTP. Deployment is noted to be one to two days.
Pricing: Basic suite is listed as $46.50 per user for one year; 30-day free trial is available.
GTB Technologies is based in the U.S. and was founded in 2005. It provides over a dozen security-oriented products and services.
GTB offers both agent-based and network-based DLP. Its agent-based system supports point-of-sale systems, an important consideration for retail operations. It also supports multiple classification techniques for emails and files, as well as ad hoc, content-based and prompted user classification. It protects unstructured data -- both text and binary file formats. OCR capabilities are available both for discovery and for data in motion. Its client support includes Windows, Mac and Linux. Deployment can be on premises, cloud-based SaaS or hybrid.
Its network appliance, dubbed Content-Aware Reverse Firewall, inspects all inbound and outbound traffic.
More than 3,200 policy templates are available.
Pricing: 30-day trial available; contact company for specific pricing.
Founded in 1997, U.S.-based Somansa Technologies specializes in DLP, offering both agent-based endpoint and agentless products.
The agent-based offerings provide core features, including support for USB devices, Wi-Fi and printing. The company provides cross-platform support, as well as support for Android-powered mobile devices.
Another DLP product, Server-i, focuses on servers and databases and can search structured databases to locate and protect sensitive data. Supported databases include Microsoft SQL Server, Oracle, MySQL and Sybase running on HP-UX, Solaris, AIX and Linux.
DLP Mail-i and Privacy-i focus on endpoints, with both products engineered for either on-premises or cloud-based deployment. Supported data channels include local, network and external disk; email; printers; print screens; FTP; and HTTP, and it can monitor cloud services, web apps, storage platforms, SharePoint, file servers and databases.
Somansa offers predefined and customizable templates.
Pricing: Contact company directly.
As part of its acquisition by Broadcom in late 2019, U.S.-based Symantec is shedding its home user security foundation to focus on enterprise-class security.
The Symantec Data Loss Prevention product supports both structured and unstructured data through six different classification techniques, ranging from described content matching to sensitive image recognition.
Symantec DLP provides both general-purpose and industry-specific policy templates, as well as the option for customers to generate custom templates. Symantec offers 10 different policy tool packs for different industries, including financial, healthcare and energy. It also supports typical apps, like Skype, Webex and LiveMeeting, and has client support for Windows, MacOS and Linux.
Symantec DLP integrates with other Symantec security products -- among them, CASB and Endpoint Protection. Deployment is reported to be about three months to nine months, depending on the number of users and channels.
Pricing: Per user; free trial is available.