The best data loss prevention software to protect your storage

Data loss prevention is important for all types of business data, but it is critical for the personally identifiable information of private individuals. We explore DLP solutions.

There are valuable assets in your IT system and, though you might not realize it, the data you hold is one of them. Details of the user accounts on your system, particularly usernames paired with passwords, are very useful for hackers. Identity thieves would like to get a dump of all of the personally identifiable information (PII) that you hold about private individuals; and your rivals would like to get hold of your intellectual properties and trade secrets.

Here is our list of the best data loss prevention software packages:

1. Guardz (FREE TRIAL): This SaaS platform scans email systems, endpoints, and cloud data storage accounts to identify vulnerabilities, block hacker tricks, and prevent malware attacks. Get a 14-day free trial.
2. CoSoSys Endpoint Protector (ACCESS DEMO): This cloud-based system discovers and protects sensitive data with a device control unit that manages USB sticks and memory cards. Get a free demo.
3. ManageEngine Endpoint DLP Plus (FREE TRIAL): This large on-premises package includes sensitive data discovery, control over data movement channels, and automated responses to block theft. Available for Windows Server. Get a 30-day free trial. 
4. Comodo MyDLP: This package discovers sensitive data and tracks its usage, optionally blocking access and movement. Runs as a virtual appliance over Hyper-V or VMWare.
5. ManageEngine DataSecurity Plus: This super pack of four modules includes a Data Risk Assessment service and a Data Leak Prevention unit. Runs on Windows Server.
6. SpinOne: This SaaS package provides data loss prevention alongside data backup, risk assessments, cloud security posture management, and ransomware protection. 

Data privacy standards 

You have plenty of data that you need to protect and its exact nature may depend on the industry that you operate in. If you experience a data breach in the EU or the UK, you will be fined, so you need to pay attention to GDPR rules. 

If you take payment by debit or credit card, you will be dropped by your payment processor if hackers steal cardholder and card details from you. In this case, you need to follow PCI DSS to show that you have taken all possible steps to protect payment card data. There are many other standards available and you should check which of them relate to your business. 

Data loss prevention strategies

Data loss prevention (DLP) is an increasingly important sector of the cybersecurity industry. There are a number of ways that DLP systems can operate. The important factors to look at are:

• Sensitive data location
• Sensitive data types
• File protection
• User behavior 
• Data access controls
• Data movement examination

File protection can be implemented by encryption, which will only decrypt for approved users. This strategy is also known as file integrity monitoring (FIM) because each access attempt, including those that are unsuccessful, are logged. Some FIM systems back up any changes made to the contents of a file and record exactly what a user did. This enables changes to be reversed. 

User behavior analytics (UBA) is implemented to guard against insider threats. This term means a user who is allowed to access a file but only for certain actions. However, if that user becomes disgruntled, that access could be used to destroy, alter, or steal data. UBA systems record the standard actions of each user and then raise an alert if activity deviates from that pattern.

Some other data protection strategies are becoming increasingly popular:

• Application allowlisting and Zero Trust Access (ZTA)
• Dark Web scanning
• Email scanning

Allowlisting involves preventing all software from running on each endpoint and then allowing specific packages to execute. This strategy was specifically designed to block malware. However, an evolution of the package connects specific files to specific applications. The access rights management system for the application then also protects the files that the specific application is allowed to access. As all other software is blocked, there is no way that an outsider can access the file – even to transfer it with FTP. 

Dark Web scanning looks on the Dark Web for the identities or data from a subscribing company. Usually, data thieves sell their ill-gotten information to identity thieves through message boards on the Dark Web.

Email security systems can scan incoming emails to spot phishing attempts and weed them out so they don’t even reach the target user. Reverse monitors will scan outgoing emails for attached files or data copied into the body of the email.   

The best data loss prevention software  

Not all DLP systems implement all of the methods that we listed in the previous section. You may need to buy several packages to get full protection. Some cybersecurity tools can fulfill multiple functions. For example, allowlisting is an anti-malware measure that also protects data. Another combination service: SIEM tools and XDRs can spot all types of threats; they can suspend user accounts and block traffic from specific IP addresses to stop data theft.

There are a few basic attributes that you need from a data loss prevention system. 

What should you look for in data loss prevention software?

We reviewed the market for data loss protection systems and analyzed the options based on the following criteria:

• A sensitive data detection and classification service
• Variable controls that only apply to specific data types when accessed by specific users
• Tailoring for data privacy standards that alters the sensitive data categorization
• Scanning for email phishing attacks
• Encryption for data files
• A free trial or a demo that enables the tool to be tested before paying
• Value for money from a tool that combines functions or offers one technique really well for a fair price

With these criteria in mind, we chose a shortlist of tools that will contribute towards a full DLP strategy. We made sure to select examples from the cloud and software packages that you can run on your site.  

You can read more about each of these options in the following sections.

1. Guardz (FREE TRIAL)

Guardz is a SaaS platform that provides a range of cybersecurity services that include malware protection and phishing detection as well as data loss prevention. Guardz offers a Cyber Insurance policy as an extra service and policies can be included in the top plan of the service, which is a custom package, called the Ultimate edition.

Key features:

• Cloud-hosted: This is a SaaS platform that installs local agents
• External attack surface monitoring: Recommends security hardening and provides constant security checks
• Cloud data protection: Implements DLP on cloud data storage

Why do we recommend it?

The Guardz package provides a combination of services that cuts down the time a buyer has to spend researching multiple cybersecurity systems from different providers. You don’t have to worry about service coverage or unit compatibility because the Guardz technicians have already worked all of that out.                      

The Guarz platform focuses on preventative measures more than active protection. For example, the package includes vulnerability scanning and anti-malware features. Phishing detection and browser/website scanning guard against infected websites and fileless malware attacks. The system includes services for user-awareness training with a phishing simulator. 

Who is it recommended for?

This package is marketed to managed service providers. Other than setting up accounts, the MSP doesn’t need to do anything to look after the security services because the Guardz technicians do that. So, it is a pass-through service. The pricing is scaleable and levied per end user per month. There is a discounted rate for MSPs that sign up clients with a total user count of more than 100. 

Pros:

• Email scanning: Detects threats in inbound emails but doesn’t scan outbound mails for data transfers
• Dark Web scanning: Identifies gathering attack campaigns and looks for data breaches
• Access rights auditing: Scans user accounts and recommends permissions tightening

Cons:

• Doesn’t cover insider threats: The platform focuses on preventative measures rather than live security monitoring

This system is full of preventative measures to block threats and focuses on malware, particularly ransomware threats. It doesn’t include any sensitive data discovery, file movement controls, or user activity tracking. Get a 14-day free trial.

2. CoSoSys Endpoint Protector (ACCESS DEMO)

CoSoSys Endpoint Protector is available as a software package or as a SaaS platform. The system provides a central server and satellite endpoint units. This multi-level architecture provides local controls with centralized direction and coordination. The package includes a device control unit that can ban all peripheral devices and then allow permitted devices to attach.

Key features:

• Device discovery: The server scans a network and installs a remote agent on each discovered endpoint
• Data discovery: The system identifies and categorizes sensitive data
• Compliance management: Suitable for GDPR, HIPAA, PCI DSS, SOX, and NIST
• Transfer controls: Prevents the movement of sensitive data

Why do we recommend it?

CoSoSys Endpoint Protector will locate all instances of sensitive data. The system categorizes the data that it finds and maps it as relevant for specific data protection standards, such as GDPR, PCI DSS, and HIPAA. The service can also protect intellectual property and trade secrets. The tool bans or protects peripheral devices.

The central console shows the live reports of each endpoint agent, detailing activities and attempts to move protected data files. Controls are imposed on user accounts according to the user groups that you define in your access rights manager or directly in the Endpoint Protector system. Peripheral devices are all blocked by default but the administrator can set up allow permissions for specific devices by serial number.

Who is it recommended for?

This is an easy-to-understand system, which means that you don’t need cybersecurity expertise to administer the package. The service could be run by a small business but it is particularly effective at scale. Protected endpoints don’t all have to be on a single network and can include the computers used by work-from-home employees.

Pros:

• Deployment options: On-site virtual appliance, cloud service, or SaaS platform
• Central controls: One administrator can manage devices connecting to all endpoints
• USB memory stick protection: Encrypt USB drives to safely transport data
• Protect all endpoints: Protected computers can be running Windows, macOS, or Linux

Cons:

• No free trial: You can access a demo instead

It is possible to host the Endpoint Protector software as a virtual appliance or you can access it as a service on the marketplaces of AWS, GCP, or Azure. CoSoSys also provides a SaaS version on their own cloud servers. Get a free demo.

3. ManageEngine Endpoint DLP Plus (FREE TRIAL)

ManageEngine Endpoint DLP Plus provides sensitive data discovery and classification and protection methods that automatically shut down data theft attempts. This is an on-premises package that will reach across the network to identify all computers. The system scans each workstation and server for data storage; it then reads through all files to find sensitive data examples. The package provides a list of these locations in the console.

Key features:

• Device inventory: Scans the network to find endpoints
• Data discovery: Provides categorization
• Compliance management: Detects PII, PHI, and payment card data
• Data fingerprinting: Can group data fields for sensitive data definition
• Data movement tracking: Includes email scanning and device controls

Why do we recommend it?

ManageEngine Endpoint DLP Plus is a system that detects and protects sensitive data. The service uses a containerization mechanism to block access to files and then allows in users according to records in your access rights manager, such as Active Directory. The tool examines emails and watches file movements onto peripheral devices.

The protection mechanism of containerization stays with the file, so if a user accesses a protected file remotely from a private device, there is no possibility of a shadow copy being stored to the device’s operating system. The tool creates blanket protection per file rather than per data instance. 

The service looks at peripheral devices, such as USB memory sticks and printers, and blocks the transfer of protected data onto them. The system blocks all devices from attaching to all endpoints and then selectively approves specific USBs by serial number. That approval can be restricted to a specific device or user.

ManageEngine Endpoint DLP Plus provides sensitive data discovery as well as protection systems and alerts for inappropriate data access or use. Many excellent DLP systems lack a data discovery module. That means you would have to find a separate tool, struggling to find one that is compatible with the data loss prevention system. With this package, you get a flow through from discovery to protection, and on to automated remediation. This system includes a device discovery process, so you don’t have to spend time entering all of the details about your endpoints into the console in order to get the package running. It will catalog all existing files and scan all new files as they are saved. 

Who is it recommended for?

This package is a good choice for mid-sized and large enterprises. The system is particularly good for companies that allow users to bring in their own devices for work. Until recently, ManageEngine offered this package in a free edition for small businesses that monitored data on up to 25 endpoints but that option has now disappeared.

Pros:

• On-premises package: Installs on Windows Server
• Email security: Includes destination blacklisting and whitelisting
• File containerization: Protects files across platforms
• User activity tracking: Blocks insider threats
• Scanning for new files: Once operational, the tool checks every new file for sensitive data

Cons:

• No SaaS option: This tool is only available as a software package

This ManageEngine system is delivered as a software package that will run on Windows Server. You can examine Endpoint DLP Plus with a 30-day free trial.

4. Comodo MyDLP

Comodo MyDLP is an on-premises package that runs as a virtual appliance. The system is able to protect data held on your endpoints and also on cloud platforms. This package discovers sensitive data and then tracks its usage and movements, preventing it from leaving the organization.

Key features:

• Data discovery: Scans all endpoints, discovers files, and searches them
• Categorizes data: Identifies sensitive data by type
• Run as a search engine: The data discovery process is easy to run from the central console

Why do we recommend it?

Comodo MyDLP is an easy-to-use data protection system that provides all phases of DLP – discovery, protection, and remediation. The system can reveal shadow copies of files that productivity tools generate to aid their own document recovery processes. The system identifies duplications that can be deleted and documents that can be archived because of lack of recent access.

This system helps you tidy up your data by identifying opportunities for deletion and archiving. You might also choose to centralize all files for easier protection. The service tracks all file access events and optionally allows them to be moved. The tool will block files from being sent outside the network.

Who is it recommended for?

Comodo issues a site-wide license for this tool on an annual subscription. Longer subscription periods are possible, which brings the price down per year. The price is levied according to the number of end users that will be protected by the tool, so it is scaleable and suitable for businesses of all sizes. 

Pros:

• File cleanup: Discovers old and duplicate files
• Activity tracking: logs data access events
• Scans emails, websites, peripherals, and primer queues: Monitors channel for data theft

Cons:

• Not much background information: The PDF user guide is just about the only knowledge source available

Comodo doesn’t publish its price list for MyDLP, so you have to contact the Sales Department. You can download the software to run it on VMware or Hyper-V during a free trial.

5. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is an on-premises software package that is delivered as four modules. The four units are:

• File Server Auditing – A file integrity monitor that logs file changes and alerts for unusual activity such as ransomware encryption
• File Analysis – Assesses files by age and content, recommending the removal or archiving where appropriate
• Data Risk Analysis – Sensitive data discovery, classification, and compliance management 
• Data Leak Prevention – Blocks copying, implements application controls, scans data exfiltration channels

While most businesses will need the entire pack to implement data protection, these modules are priced individually and you don’t have to buy the whole pack. This service will protect intellectual property and trade secrets as well as PII, PHI, and payment card data.  

Key features:

• Cross-platform protection: Guard data that is held on-premises and on cloud servers
• Blocks software: Scans endpoints for unauthorized software
• Compliance management: For GDPR, HIPAA, PCI DSS, and others

Why do we recommend it?

The DataSecurity Plus package is very comprehensive. It helps you to tidy up your files servers and assess file access permissions as well as guarding against tampering and theft. The package provides activity tracking that will alert if a user changes behavior patterns – protection against insider threats and account takeovers.

Features of this package include the tracking of file movements to USB sticks and printers. The service also scans outgoing emails and Web browsers to prevent file transfers. It is possible to block the movement of files that contain sensitive data or allow it if carried out by specific users. The package will raise an alert for any suspicious activity and can be set up to automatically block file access.

Who is it recommended for?

This system is suitable for businesses of all sizes, although there isn’t a Free edition, so small businesses might worry about the cost. The software package runs on Windows Server but it can scan endpoints running Windows, macOS, or Linux, plus the major cloud platforms. The package includes compliance auditing and reporting for GDPR, PCI DSS, and HIPAA.

Pros:

• Granular controls: Allows some file movements
• Blocks copying: This even applies to saving copies on the same endpoint
• Browser scanning: Prevents uploads and downloads over the Web

Cons:

• No SaaS option: Only available for on-premises hosting

This package will identify malware activity as well as scanning for potential data theft events. For example, it is a solution to protect against ransomware attacks with its file integrity monitoring service. You can assess ManageEngine DataSecurity Plus with a 30-day free trial.

6. SpinOne

Spin.ai defines two meanings for DLP – data loss prevention and data leak prevention. The company proposes its SpinOne package for data loss prevention through the SpinBackup module. It offers data leak prevention through an add-on module, called SpinDLP. All of the Spin.ai products are designed to protect the data held by SaaS applications and cloud services. Specifically, it watches over Microsoft 365, Google Workspace, Slack, and Salesforce. 

Key features:

• Data backup: Makes a copy of the data you hold on the cloud
• Sensitive data discovery: Looks for file containing PII
• User behavior tracking: Watches file access events on Google Drive and OneDrive

Why do we recommend it?

The SpinOne suite and its SpinDLP add on implement cloud platform vulnerability assessments through its SpinSPM module, thus you can head off attacks through system hardening. The SpinBackup service takes care of the consequences of accidental or malicious data corruption or deletion, and the SpinRDR unit defends against ransomware, which represents a major risk to data files.

Sensitive data protection features in the SpinDLP unit implement user activity tracking to block insider threats and account takeovers. The package will raise an alert if it detects suspicious behavior. Alerts will appear in the administrator console but you can set up the service to forward those warnings by Slack, Microsoft Teams, Jira, ServiceNow, or email. 

The data stores in Microsoft 365 (OneDrive) and Google Workspace (Google Drive) are particularly vulnerable to attack because access to them is not limited to their associated productivity suites. Users can choose to open these files in third-party tools, which can loosen security SpinDLP implements an allowlisting system that, by default, blocks all applications from accessing files. The administrator can then device to create an approved applications list that will selectively loosen that control. 

Who is it recommended for?

The SpinOne package is only available for Google Workspace, Microsoft 365, Slack, and Salesforce and the SpinDLP add-on will only work with Google Drive and OneDrive. So, there isn’t a data leak prevention service for data that you might hold in Salesforce or contact information and session recordings held by Microsoft Teams.

Pros:

• Compliance features: Auditing and reporting
• Data usage analysis: Reports for file sharing, data access events, and file movements
• Application risk assessments: Access by third-party applications is possible but only after an assessment and only with administrator approval

Cons:

• Only protects specific cloud applications: You only get the full protection service for One Drive and Google Drive

You can start an assessment of SpinOne with a 15-day free trial of SpinOne for a specific cloud SaaS suite.