This GigaOm Research Reprint Expires Aug 16, 2024

GigaOm Radar for Data Loss Prevention (DLP) v3.0

1. Summary

Data is a precious resource for today’s enterprises, and preventing data loss is of paramount importance. The cost of data loss is significant and its impact wide ranging: it can be technical (with loss of services impacting operations), reputational (impacting relationships and future business opportunity), and/or financial (both loss of business and regulatory fines).

At the same time, organizations can’t just lock their data away. Data needs to be in the right location at the right time. It must be portable and remain available for internal use and external collaboration. However, each location where data must be available is a potential vector for data loss.

The amount of data and the complexity of managing and securing that data pose a major challenge. To effectively reduce the risk of data loss, organizations need to develop comprehensive usage policies, provide awareness training for their employees, and support these procedures with a data loss prevention (DLP) solution.

Data loss impacts the entire business, so finding the right DLP solution to underpin a data security strategy requires business thinking. Important considerations when evaluating solutions include:

  • Data location: Tools should cover the range of locations where data might exist in an organization. These locations include on-premises, in the cloud, in SaaS solutions, at endpoints, and in mobile devices.
  • Contextual awareness: It’s important that tools apply context to how data is used rather than rely solely on classifications and sensitive data types.
  • Insider risk awareness: Many solutions can identify suspicious internal activity, but not all can take action to mitigate the risk of data loss when suspicious behavior is flagged.
  • Audio/video/image data exfiltration: This is an emerging technology but one that’s becoming increasingly important for DLP tools to support to prevent sensitive data from leaving the organization.

This GigaOm Radar report highlights key DLP vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating DLP Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

This is our third year evaluating the DLP space and presenting the results in our Key Criteria and Radar reports. All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Automatically identify data as sensitive
  • Create custom sensitive data types
  • Data loss mitigation
  • Notifications

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well DLP solutions are positioned to serve specific market segments and deployment models.

For this report, we recognize the following market segments:

  • Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Here, ease of use and deployment are more important than extensive management functionality and feature set.
  • Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category have a strong focus on flexibility, performance, scalability, and the ability to effectively integrate into existing environments.
  • Managed service provider (MSP): Increasingly, organizations across all disciplines of IT are looking to consume managed services to augment in-house capabilities. Here, we assess solutions based on how effective they are in supporting, both technically and commercially, either MSPs or those offering their own managed services.

In addition, we recognize three deployment models for solutions in this report:

  • SaaS: These solutions are available only in the cloud. Designed, deployed, and managed by the service provider, they are available only from that specific provider. The advantages of this type of solution are its simplicity, ease and speed of scaling, and flexible licensing models.
  • On-premises: In these instances, the solution’s primary DLP engine is deployed on-premises. These solutions can exploit SaaS or cloud services, such as threat intelligence, but the primary DLP components are installed within an organization’s own environment. These solutions operate in the same or similar manner as their SaaS equivalents. They are not shared and are specific to a single customer.
  • Cloud native/image: With these solutions, the primary DLP engine can be deployed and is supported as a public cloud-based service. The primary components can be deployed either as a cloud native service or as a public cloud image, usually, although not exclusively, available from a cloud provider’s marketplace. These solutions can exploit SaaS or other cloud services, such as threat intelligence, but the primary DLP components are installed as a cloud image or native service. They are not shared and are specific to a single customer.

Table 1. Vendor Positioning

Market Segment

Deployment Model

SMB Large Enterprise MSP SaaS On-Premises Cloud Native/Image
Broadcom
Code42
CoSoSys
DTEX
Forcepoint
Fortra
Lookout
Microsoft
Next
Nightfall
Proofpoint
Safetica
Trellix
Zscaler
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

For this evaluation, we looked at deployment model in a binary way, rating vendors (++) if they support that deployment model and (-) if they do not.

3. Key Criteria Comparison

Building on the findings from the GigaOm report “Key Criteria for Evaluating DLP Solutions,” Tables 2, 3, and 4 summarize how each vendor included in this research performs in the capabilities we consider differentiating and critical in this sector.

  • Key criteria differentiate solutions based on features and capabilities, outlining the primary criteria to be considered when evaluating a DLP solution.
  • Evaluation metrics provide insight into the non-functional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
  • Emerging technologies show how well each vendor takes advantage of technologies that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Key Criteria

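| Vendor | Contextual Awareness | Service Desk & SIEM Tool Integrations | Service Integrations | Automation & Orchestration | Reporting & Analytics | Extended User Education | Insider Risk Awareness | Predictive Analytics |
|---|---|---|---|---|---|---|---|---|
| Broadcom | 2 | 3 | 3 | 3 | 2 | 2 | 3 | 3 |
| Code42 | 2 | 3 | 3 | 2 | 2 | 3 | 2 | 3 |
| CoSoSys | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 1 |
| DTEX | 2 | 3 | 3 | 3 | 2 | 1 | 3 | 3 |
| Forcepoint | 2 | 3 | 3 | 3 | 2 | 2 | 2 | 3 |
| Fortra | 2 | 3 | 3 | 3 | 2 | 3 | 3 | 2 |
| Lookout | 2 | 3 | 3 | 2 | 2 | 2 | 3 | 3 |
| Microsoft | 2 | 2 | 3 | 3 | 2 | 3 | 3 | 3 |
| Next | 2 | 2 | 2 | 3 | 2 | 3 | 2 | 3 |
| Nightfall | 2 | 3 | 3 | 3 | 2 | 2 | 2 | 3 |
| Proofpoint | 2 | 3 | 3 | 3 | 2 | 3 | 3 | 3 |
| Safetica | 2 | 3 | 3 | 2 | 2 | 3 | 3 | 2 |
| Trellix | 2 | 3 | 3 | 3 | 2 | 3 | 2 | 3 |
| Zscaler | 2 | 3 | 3 | 3 | 2 | 2 | 3 | 3 |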
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

Table 3. Evaluation Metrics Comparison

Evaluation Metrics

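| Vendor | Ease of Management | Ease of Adoption | Flexibility | Cost |
|---|---|---|---|---|
| Broadcom | 3 | 2 | 3 | 2 |
| Code42 | 2 | 3 | 3 | 3 |
| CoSoSys | 3 | 2 | 2 | 2 |
| DTEX | 3 | 3 | 3 | 3 |
| Forcepoint | 3 | 3 | 3 | 3 |
| Fortra | 3 | 3 | 3 | 2 |
| Lookout | 3 | 3 | 3 | 2 |
| Microsoft | 3 | 3 | 3 | 2 |
| Next | 3 | 3 | 2 | 3 |
| Nightfall | 2 | 3 | 2 | 3 |
| Proofpoint | 3 | 3 | 3 | 3 |
| Safetica | 2 | 2 | 3 | 2 |
| Trellix | 3 | 3 | 2 | 3 |
| Zscaler | 3 | 2 | 3 | 3 |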
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

Table 4. Emerging Technologies Comparison

Emerging Tech

Privacy Regulatory Compliance API Integrations Audio/Video/Image Data Exfiltration
Broadcom
Code42
CoSoSys
DTEX
Forcepoint
Fortra
Lookout
Microsoft
Next
Nightfall
Proofpoint
Safetica
Trellix
Zscaler
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for DLP

As data loss prevention remains a high priority for organizations, vendors continue to innovate and develop solutions in this space. This has resulted in movement of vendors, as well as new additions, in this update to our previous reports.

As you can see in Figure 1, most vendors take a platform approach to the DLP challenge, and there is a good mix of mature vendors building within the framework of existing solutions as well as innovative vendors developing new approaches and tools.

Feature Play vendors are those who stop data leaks based on content or risk but don’t offer supporting capabilities around DLP. They may also only support DLP in one area, such as at the endpoint or on cloud apps. Platform Play vendors are those who offer more capabilities that support DLP and will provide DLP coverage across multiple services.

Fortra’s Digital Guardian and Proofpoint continue to show leadership in this sector with broad, capable platforms. Forcepoint and Microsoft also retain leadership positions with continuously evolving and improving technology. The same can be said for Broadcom, although its speed of innovation is slower than that of the other vendors we evaluated.

Both Code42 and DTEX improved positioning in the Leaders circle and also moved to the Platform Play side of this radar, showing continued development and broadening of capabilities. Nightfall moved closer to the Leaders circle and continued a good pace of innovation, moving to the Feature Play side due to its more specific DLP focus. CoSoSys also remains a Challenger, but this is ahead of a major update to its platforms, and it’s designated as an Outperformer as a result. We expect this update will move it much closer to the Leaders circle in a future report.

This year’s report also includes a number of new vendors. Next and Lookout are Leaders on the Innovation half of the Radar, showing both a good range of capabilities and rapid innovation. They are both identified as Outperformers in this report. Zscaler is a Leader, building on its well-established technology, and Trellix provides a comprehensive portfolio alongside its DLP solution, which puts it also in the Leaders circle. Safetica is a strong Challenger with mature technology approaches, and we expect they will continue to move toward the Leaders circle.

This space is competitive and innovative, which should give confidence to prospective buyers.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Broadcom Symantec DLP

Broadcom Symantec DLP is part of a broad portfolio of solutions covering endpoint, network, and email security. Its information security capabilities include ZTNA, encryption, and compliance, as well as DLP. Its solution focus is primarily larger enterprises.

The DLP scanning engine and management platform require the deployment of a unified server either on-premises or in the public cloud. Protection of cloud applications is provided through its separate CloudSOC cloud access security broker (CASB) solution. Licenses are either the Symantec DLP core license for on-premises or the Symantec DLP cloud license for CASB. To ease management, DLP policies can apply controls across both on-premises and cloud services.

Though well established, Broadcom continues to invest in developing its solution. New enhanced contextual views combine user risk, device location, and data sensitivity to enable dynamic DLP policy application. Broadcom has also developed automated policies that can find PII in data sets to simplify the process of data discovery. The solution uses the data and insights in the platform to deliver a detailed risk analysis across a broad range of repositories to provide more accurate DLP detection and mitigation. It also integrates with Microsoft’s Information Protection solution, providing additional security for data regardless of whether it sits within the enterprise’s control.

The solution scored well on a number of our metrics, including:

  • Service integrations: The on-premises version includes service integrations for file servers, databases, enterprise email, collaboration platforms, endpoints, and the network. Cloud DLP extends this further, with integrations covering a number of enterprise SaaS applications.
  • Insider risk awareness: The broad service integrations provide insight into data use across the organization’s entire infrastructure, helping to identify high-risk behaviors to which restrictive policies can be applied as needed.
  • Reporting and analytics: There has been investment in improving the solution’s reporting and in providing more helpful incident analytics tools. The “All Channels” report provides a unified view of incidents across all service integrations, reducing the time spent by analysts exploring multiple channels. Customization capabilities enable reports to be tailored for the right audience.

Symantec DLP is typically deployed using on-premises server management infrastructure to control the majority of the solution and to size, scale, and deploy multiple components. While this provides the flexibility that larger organizations seek, it can add to the complexity of the solution build. This on-premises infrastructure follows a traditional release pattern of less regular feature updates, which means development can lag behind some of its cloud-based competitors. However, Broadcom has developed cloud-hosted management infrastructure to give customers more choice and to support cloud-first organizations, allowing for more rapid updates and developments.

Strengths: Symantec DLP’s good service integrations provide comprehensive DLP coverage for the entire organization, enabling the development of good insider risk awareness as well as comprehensive centralized reporting of threats.

Challenges: The nature of the solution’s deployment and its breadth make it complex to implement when compared to SaaS-based solutions.

Code42 Incydr

Code42’s DLP approach centers on threat and risk analysis rather than data classification and sensitivity. It was one of the first vendors to take this approach, which has now become increasingly commonplace. Incydr DLP is targeted at mid-market and large enterprises, and there is a specific FedRAMP-certified version of the product. There is no offering for MSPs.

Code42 Incydr is a SaaS solution with agents deployed on endpoints. It provides a range of API integrations to major SaaS apps, such as Microsoft 365, Google Workspace, and Salesforce. The platform doesn’t use content inspection to look for sensitive data, so it doesn’t require the definition of policies or full system scans to start providing insight into usage and risk. It looks at file and user activity across multiple vectors to apply a risk metric to identify where potential activity may lead to data loss. The solution attempts to reduce the noise generated by tracing these activities by only looking at data when it moves to untrusted or unknown destinations. It then aggregates this information and assigns a risk score, allowing analysts to act or the system to provide an automated response. This can include sending users a notification within the application or via enterprise messaging tools.

In addition to taking basic blocking actions, users can also be guided to short-form video-based training to help educate them on the data loss risk and to change behavior to reduce that risk. The platform offers good integrations with a range of enterprise services, including HR systems, which can help to enrich threat data by ensuring the solution is aware of issues such as employee resignations.

Incydr performed well on several of our evaluation criteria, including:

  • Contextual awareness: The solution’s broad coverage of both file and user activity from endpoints and clouds helps it to provide rich and accurate insights into user risk. It uses this information to prioritize the risk, allowing customers to quickly focus on where the threat lies. It also uses this information to carry out targeted mitigation and education actions.
  • Reporting and analytics: Incydr provides a good dashboard and effective reporting, including business-level reporting that can show trends around threats and risk reduction. The dashboards also help threat analysts and hunters understand and track risks and investigate potential incidents. The ability to create cases that broaden access to interested parties during an investigation is useful.
  • SIEM and SOAR integration: The solution’s ability to integrate into the enterprise security and operational stack will be a strong benefit for customers with these investments, ensuring it can easily become part of the workflow.

The platform’s preventative controls are still rather basic, however, and it does not interrogate content. This means it can’t perform data classifications and discovery, which will be off-putting to those wanting these capabilities.

Strengths: The platform doesn’t look for sensitive data using content inspection, so users don’t need to define policies or perform full system scans to gain insight into usage and risk. This can help reduce implementation times and ease adoption. Its management dashboard allows analysts to quickly investigate incidents and endpoint impact. Its broad service integrations allow it to track data movement across multiple platforms, and the native education capabilities bring additional value.

Challenges: For those wanting a discovery and classification approach to DLP, this solution will not be suitable. Its blocking is limited to user blocking and may require third-party integration to automate more granular controls.

CoSoSys Endpoint Protector

Endpoint Protector by CoSoSys is an advanced multiple-OS DLP solution designed to protect organizational data from insider threats and accidental loss. It targets midsize to large organizations, especially those in industries that need to achieve compliance with regulations such as the GDPR, HIPAA, and NIST.

The solution focuses on three main business areas with four different modules: Device Control, Content Aware Protection, eDiscovery, and Enforced Encryption. Its deployment model is based on endpoint agents, and the solution supports Windows, Linux, and macOS systems, with feature parity across all of the operating systems. Deployment is flexible, with the central management platform available in SaaS, cloud image, and on-premises versions.

CoSoSys allows customers, via centrally managed policies, to restrict how data is used on any managed endpoint. Doing this at the endpoint means it can control data flow through a range of repositories, such as email clients, messaging apps, network and cloud uploads, removable storage, and printers. Because the solution is endpoint-based, it offers continuous protection regardless of user location, even if the device goes offline.

The solution did well in several areas, including:

  • Reporting and analytics: Its dashboard provides a high-level overview that includes highlighting key threats. Each of its component elements has an individual dashboard that offers more detailed insight. This includes log reports, content policy reports, and file tracing. It is also possible to integrate with enterprise SIEM platforms for further log data analysis.
  • Insider risk awareness: As an endpoint-based product, Endpoint Protector provides insight into all user-to-user activities, which is helpful for looking at data misuse internally. The platform enables the application of granular settings to meet different departmental requirements by specifying which devices can be used to access data and how they can use data. Policies can be defined per user, computer, or group.

While the singular focus of the product may be attractive to those tackling endpoint DLP, the solution is more basic than some competitors. Its approach to data discovery is more simplistic, with identification based around keywords and regular expressions built into policies. Though this approach is flexible, it lacks some of the context awareness of other solutions, and with its endpoint focus, it does not integrate as well as solutions with tools providing DLP security at the cloud and network layers.

However, this is likely to change with the forthcoming release of its Unify product. This is still in beta, but it’s a complete rewrite of the platform designed to directly address the issues highlighted above. It will include dynamic policy application, using insights gained from its endpoint engine. It will also use behavioral intelligence to better understand risk, and it will supply more developed APIs to better integrate with enterprise platforms. The success of these developments will dictate future success.

Strengths: As an endpoint-specific solution, it doesn’t suffer from the complexity of integration and policies covering multiple repositories. Its Windows/macOS feature parity reduces complexity by providing cross-platform policy creation. In addition, it provides a good range of deployment options for its management platform, and it offers good endpoint controls. The reporting dashboard is also informative and helps in decision making.

Challenges: As an endpoint-only solution, Endpoint Protector won’t appeal to those needing broader coverage. It also lacks some of the integration capabilities organizations may want with key enterprise security components such as CASB, Network DLP, and ZTNA solutions. While these may be addressed in its Unify product, they are not there yet.

DTEX InTERCEPT

DTEX InTERCEPT is a next-generation insider risk management solution in what the company sees as the natural evolution of DLP. Its behavioral DLP capability resides in a module of this wider security platform, which also includes insider risk management and behavioral analytics. The solution is designed primarily for mid-sized and larger organizations.

InTERCEPT relies on a lightweight forwarder installed on endpoints to gather behavioral telemetry from the endpoint as well as from SaaS applications and other data sources. Rather than rely solely on data classification, it also discovers file lineage, which means that it tries to build a holistic picture of user intent by looking at who created the data, how it is used, and by whom. The risk is assessed, scored, and presented in a dashboard that gives security teams the relevant information to make decisions on any specific risk. These risks can then be dealt with manually or via automated responses. This telemetry can also be enriched with third-party security intelligence to provide further insights about overall risk exposure.

DTEX’s strong platform did well across the majority of our criteria, including:

  • Contextual awareness: As noted above, the solution looks at multiple early warning behavioral indicators to build a detailed picture of user intent. It then applies a scoring framework to build a clear picture of risk.
  • Reporting and analytics: InTERCEPT provides a number of dashboards and reports out of the box, with options to customize them for specific needs. Ad hoc reports can also be created, with an array of visualization and reporting options available. The solution also provides detailed usage timelines that will be extremely useful to analysts who need to consider potential incidents.
  • Service integrations: The platform continuously audits the behavior of data, devices, applications, and people across endpoints, SaaS applications, file servers, NAS devices, and semi-structured repositories like SharePoint. It also has an API model that enables several custom integrations to be built.

The solution is less likely to be a good fit for smaller organizations whose existing IT security approach is less mature. It also likely won’t appeal to those with limited internal security resources. It does, however, provide a managed DLP and insider risk service which may be an attractive option to resource-limited organizations. InTERCEPT is a behavioral DLP insider risk management platform primarily, so it may not serve those looking for a DLP point solution.

Currently, its user education is limited to after-the-fact emails when potentially risky activities are identified; these are not “static” emails but adaptive and tailored based on an individual’s intent. This use of email as user education may not be appropriate for those wishing to provide immediate notifications, but this is likely to be addressed with in-app notifications in upcoming releases.

Strengths: The use of analytics across a broad number of data repositories helps to enable an effective and less obtrusive data loss approach. InTERCEPT’s considerable selection of both prebuilt and API-based integrations means it can be integrated into most organizations’ IT environments. Its flexible deployment options will be helpful for those with specific installation needs.

Challenges: InTERCEPT’s approach may be too complex for smaller organizations, those with less mature technology stacks, or those looking for DLP point solutions. InTERCEPT is designed to deliver detailed insights, but this requires internal resources capable of understanding and using them.

Forcepoint DLP

Forcepoint offers a range of security solutions for secure service edge (SSE), CASB, data classifications, visibility, and DLP. Though a mature vendor, Forcepoint continues to innovate. The solution is accessible to businesses both small and large, and it has developed support for MSPs over the last 12 months.

The solution offers several deployment options. On-premises is supported with its Enterprise DLP solution, which requires the installation of endpoint agents. Forcepoint One is for those looking to apply DLP protection to cloud, web, and private apps. A cloud image option can be installed on AWS, Azure, and GCP. Management is via either the Forcepoint ONE console or the Forcepoint Security Manager. The latter manages Enterprise DLP and can manage its SSE solutions, allowing users to configure policies once and have them deployed everywhere. The solution also allows customers to quickly gain insight into its current data sets with policy-free identification of sensitive information. Using its wide range of predefined sensitive data types, it can rapidly identify sensitive high-risk data across the infrastructure—even before any policy is created. It also integrates well with existing tools such as SIEM, SOAR, and service desk tools via API.

The Forcepoint solution did well in most of our evaluation areas, including:

  • Service integrations: The solution offers prebuilt integrations with leading enterprise applications and services, including SaaS platforms such as Microsoft 365, Google Workspace, and Salesforce. There is also support for SaaS and cloud storage platforms and on-premises and cloud communications tools and databases. This extensive set of prebuilt integrations should meet the needs of most organizations.
  • Contextual awareness: Forcepoint uses real-time analysis of user behavior indicators and DLP policy incidents to build a deep understanding of data loss risk. It applies this with adaptive policies that allow an intelligent application of controls. This can help adoption by only deploying controls when necessary, without the need for a large number of policies.
  • Reporting and analytics: The solution’s dashboards allow analysts to quickly investigate potential data loss risks and incidents and build a good understanding of the user behavior and activities carried out on a given set of data. It also provides clear threat scoring for those users to help more quickly identify risks, and the dashboards can be exported into PDF reports for wider inspection.

The solution’s management interface does look a little aged and cluttered in places, and the on-premises build of the solution is somewhat complex. While Forcepoint currently has good scalability, the company did point out this was also an area high on its development agenda.

Additionally, while Forcepoint received high scores for most of the emerging technologies we evaluated in this report, it received a low score for audio/video/image data exfiltration. Prospective customers should evaluate whether this feature is important to their purchase decision.

Strengths: Forcepoint is a flexible solution that offers a range of deployment models and a wide array of service integrations. Its contextually aware use of adaptive policies is innovative and enhances its effectiveness. By lessening the number of policies customers must build themselves, it will reduce operational overhead, and the clear, comprehensive reporting and analytics dashboards will aid those investigating behavior.

Challenges: The management interface should be updated with a more modern look, and on-premises installations should be simplified.

Fortra’s Digital Guardian

Fortra, formerly HelpSystems, has a broad security portfolio. Digital Guardian (DG) is its DLP product, but it also offers vulnerability management, email protection, and managed detection and response (MDR). This range of solutions will be attractive to enterprises, while its managed service version of DLP will appeal to both large and smaller customers. There are specific services for MSPs.

The solution can be deployed both as SaaS and on-premises, and it covers endpoints, networks, and cloud applications. Its integration with adjacent products in the portfolio such as Boldon James, Titus, and Vera adds capabilities such as compliance, governance, and native information protection to the DLP solution. The value of this breadth is shown in the development of the Digital Guardian Analytics and Reporting Cloud (ARC), which allows Fortra to centralize data to provide a comprehensive view across an organization, from threat to potential exfiltration. In addition, the development of API integrations with SaaS platforms helped it to extend the channels it covers, which currently include Teams; Slack and other integrations will be added in the near future. The solution can warn of potential risks to data without predefined rules, which helps with adoption, as do the product’s good user notifications, clear dashboards, and broad platform coverage.

Fortra scored well on most of our key criteria, including:

  • Insider risk awareness: DG collects a wide range of telemetry and correlates these events and alerts to highlight potential insider activity. Analysts can use this to discover the original source of an exfiltration attempt, identifying where the data came from and its original owners. It can also capture copy/paste activity, file movement, file access activities, and more to help analysts determine if the bad actor was acting alone or with others.
  • Reporting and analytics: The correlation of data from both Digital Guardian and the broader Fortra portfolio provides a comprehensive view of what is happening within an organization from threat to potential exfiltration. Its extensive development in this space helps its users effectively highlight high-value targets, allowing them to focus security efforts where needed.
  • Service integrations: DG offers good DLP coverage across network, endpoint, and cloud. Its API integrations allow it to extend its visibility into evolving data repositories such as Amazon S3, as well as to connect with leading gateway products to enhance their DLP capabilities and provide a holistic view of data and threats across an organization’s broad and disparate infrastructure.

As with many broad platforms, setup can be more complex and lead to longer implementation times. Prospective customers should evaluate vendors’ support and training when comparing solutions to ensure Fortra’s services meet their needs in these areas.

While Fortra received high scores for most of the emerging technologies we evaluated in this report, it received a low score for audio/video/image data exfiltration. Prospective customers should evaluate whether this feature is important to their purchase decision.

Strengths: Fortra’s DLP solution is enhanced by strong integrations with its broad portfolio, allowing customers the option of using a consolidated single vendor for data security. DG’s rich data collection enables strong insider risk analysis and reporting capabilities. It also supports an array of integrations into the enterprise software stack.

Challenges: Channel coverage is currently limited to Microsoft Teams. Additionally, it’s limited in audio/video/image data exfiltration.

Lookout

Lookout may be better known as a mobile security vendor, but its acquisition of CipherCloud in 2021 moved it into the DLP space, intending to design next-generation DLP with a focus on advanced capabilities across the entire organizational landscape. The solution is designed primarily for DLP in modern SaaS apps and targets the mid-market to larger enterprises. Although Lookout has a large MSP channel, it has not yet made its DLP solution part of its MSP portfolio.

The Lookout Cloud Security Platform is a SaaS solution that can be deployed in-line for scanning data in transit, or through API connections for data at rest. The solution understands data through support of many structured and unstructured data and document formats and provides DLP with hundreds of built-in data types and rule templates, as well as optical character recognition (OCR), electronic document management (EDM), and fully customizable dictionaries. It also integrates with enterprise document classification (AIP, Titus) and enterprise DLP. It can discover sensitive data and its movement across cloud, SaaS, and enterprise apps, email, shadow IT, and the internet.

The solution also provides an impressive set of integrations, including identity platforms, endpoint management, and SIEM, and its integration with enterprise DLP vendors enables users to leverage the DLP capabilities of both platforms. This feature allows the solution to extend coverage beyond its SaaS target via these on-premises vendors. The platform can handle complex problems, such as finding sensitive data in images, and it provides additional capabilities, like the ability to redact sensitive information from shared data, and native data encryption and rights management.

Lookout delivered well across a number of our criteria, including:

  • Context awareness: The solution can apply context based on a variety of information points, such as users, collaborators, devices, locations, applications, and app context. It adds to this insight from a vast array of endpoints and SaaS apps, using this rich information to apply adaptive policies.
  • Service desk and SIEM integration: Lookout has a broad range of prebuilt integrations with leading enterprise SIEM tools to ensure threat information can be included in enterprise reporting tools. Information can also be accessed via APIs that enable users to build custom integrations. The solution also can report issues via emails and enterprise messaging tools via integration with service desk tools.
  • Reporting and analytics: Lookout’s “discover, monitor, and protect” services allow customers to take a structured approach to building a DLP program. Its discovery and analytics capabilities enable it to report on potential risks and help customers build effective mitigation strategies. It also provides good investigation capabilities that help analysts to work through potential data loss incidents.

The solution does not provide on-premises support for data repositories, instead partnering with vendors to offer this. With its focus on larger organizations, it is likely to be too complex for smaller businesses.

Strengths: Lookout provides a modern SaaS-based tool that can be easily integrated into an existing environment. It has good integrations with other enterprise tools, including existing DLP investments that will be attractive to those looking to augment rather than replace. The solution offers good context awareness and flexible policies to apply controls only when needed.

Challenges: The solution’s lack of strong on-premises repository support will be an issue for those with large amounts of data still in on-premises locations. It may be too complex for SMBs.

Microsoft Purview

Microsoft offers security, detection, and response capabilities across Microsoft 365, endpoints, and third-party apps through its CASB deployment. Its DLP-specific capabilities can be found within Microsoft Purview.

As part of the broader Microsoft 365 platform, Microsoft Purview is wholly SaaS based, although it does offer endpoint protection. Purview is available in a variety of license options. For this report, we evaluated the features in its E5 license.

In addition to DLP, the platform offers compliance, discovery, classification, and information protection capabilities. The solution is administered through a single console that provides a reporting and policy management interface. A single set of DLP policies can be deployed across Microsoft 365 to address the threats posed by users copying sensitive information into newly evolving tools such as generative AI. Microsoft has invested in analytics to ensure its DLP is effective and efficient by using indicators across the full breadth of its service as well as from third-party tools. Microsoft Defender offers an effective tool for both hunting and event investigation for analysts to augment its DLP capabilities.

Its solution scored well on a number of our criteria:

  • Contextual awareness: The breadth of the solution allows it to build an understanding of behavioral context to better identify risk. Rather than relying only on file context, it also evaluates how users behave in other parts of the environment, which includes information on device and location. It uses this to apply adaptive DLP controls to ensure restrictions are commensurate with the risk.
  • Orchestration and automation: The solution allows users to deploy a single set of policies across all Microsoft 365 services and orchestrate and automate responses to threats from a single console. Microsoft’s large partner ecosystem, which includes broad integration with leading SOAR solutions, can enhance orchestration further.
  • Service integrations: The seamless native integration across all of Microsoft 365 is augmented by its ability to provide DLP to endpoints and other cloud apps via its CASB capabilities. The recent introduction of DLP support for Power BI and web apps extends this coverage further.

Purview’s tight integration with Microsoft 365 means it is likely to appeal only to those already using that platform. Fully benefiting from its DLP capabilities requires an E5 license, which may seem too costly to some. The range of capabilities and components the product offers means that full protection requires multiple consoles and an understanding of how the tools interact to be fully effective.

Strengths: The capabilities of Purview are extensive, allowing enterprises to go beyond just DLP easily with the solutions working seamlessly together. The breadth of coverage provides broad contextual understanding and adaptive DLP, allowing organizations to orchestrate more effective and targeted mitigation steps.

Challenges: Microsoft’s management consoles are not as impressive as those of some of its competitors, and not all features are as intelligent or easy to deploy as would be desired. Access to the full capabilities of these tools requires an E5 license, an added expense for those not already invested. The solution is not likely to appeal to those not using the Microsoft 365 platform.

Next Reveal

Next Reveal is SaaS-based and aimed at MSPs and mid-market companies with 500 to 3,500 endpoints. It is able, however, to scale to support 150,000 endpoints in a single tenant.

The solution consists of a management console and endpoint agents. Endpoint agents are available on Windows and macOS with feature parity. There is a Linux agent, but this is more focused on data visibility only. Once deployed, agents can provide immediate insight into data movement and user activity across all managed endpoints. The solution uses these insights to apply adaptive data loss prevention controls to minimize the impact on performance of user workflows. The solution also looks to aid adoption with the ability to identify sensitive data and user behavior without initial policy definition, as well as by applying content and context classification on the fly, removing the need for pre-scanning of data sets. Its aim is to offer a people-centric DLP solution that balances insider risk management with DLP to provide effective data protection without impacting users.

All DLP operations are done at the endpoint with no reliance on communication with a central intelligence platform. This allows it to operate fully even when offline, and it does not send any data externally for evaluation.

The solution scored well on many of our metrics, including:

  • Contextual awareness: Reveal uses analytics across a wide range of indicators to build a detailed contextual understanding that accurately identifies threats. This includes the ability to determine high-value intellectual property and the origin of the data. It can also, via its agent, understand additional context, such as file location, origin, and device/user geolocation to more accurately assess risk.
  • Extended user education: The solution supports customizable prompts that alert users to potentially risky behavior. These can include details on why the behavior is risky and, where appropriate, corporate-sanctioned means to accomplish the task. User feedback in prompts can also inform policies, highlighting top receivers of prompts and which policies they violated, to help build training plans and identify areas needing improvement.
  • Reporting and analytics: Customizable dashboards allow analysts to quickly build reports and investigate potential data loss risks. The dashboards enable analysts to quickly identify the most serious threats and create cases for further investigation. There is also an executive dashboard that displays cyber hygiene trends and data tracking to show top user and data movements.

There are some aspects of the offering with room for improvement. Smaller organizations with fewer than 250 users are not a focus for Next and will instead be referred to MSSP partners. The solution does not have FedRAMP certification, so it is unsuitable for those needing it. Because the service is endpoint-focused, companies wanting DLP across networks, storage, and cloud apps should probably look at other platforms.

Strengths: Its easy deployment model can simplify adoption, and once the solution is deployed on the endpoint, its policy-less ability to scan and identify sensitive data and dangerous or anomalous behavior will help companies identify risk and define appropriate DLP policies. Its extended user education is also flexible and will help companies better inform and prepare their users.

Challenges: Reveal targets larger organizations and is less suitable for smaller companies. Its lack of FedRAMP certification makes it unsuitable for those businesses whose work requires this. It is an endpoint-only solution, so those wanting a platform that integrates with more services will need to look elsewhere.

Nightfall AI

Nightfall AI provides DLP protection to SaaS applications, GenAI tools, custom apps, and large language model (LLM) solutions. It was built initially to allow customers to develop and integrate with SaaS apps, but it has matured and now offers a number of prebuilt integrations while retaining the flexibility to develop custom integrations.

The platform is SaaS-based and consists of three offerings: Nightfall for SaaS, Nightfall for ChatGPT, and Nightfall for LLMs. It integrates with applications via API, webhooks, or browser extension, such as its Chrome extension to intercept user input to ChatGPT. Once integrated, those applications can leverage the DLP capabilities of Nightfall without any modification. The Nightfall console allows analysts to identify risks, remediate violations, and dispatch notifications. Notifications and mitigation can be applied natively within the applications via APIs, using its native capability and language. Alerts can also be directed via Slack, email, or a customer’s SIEM of choice. This will be helpful in driving adoption as it allows DLP processes to be delivered within a familiar interface. As the platform uses an application’s native capabilities, it can examine historical data to surface historical as well as current violations. The solution is also able to identify data types and locations that are presenting growing risks, such as secrets and credentials like API keys and sensitive IP, which can reside anywhere, not just in code repositories.

The solution performed well in our evaluation, especially in the following key areas:

  • Service desk and SIEM tools integration: In addition to offering alerts in its console, Nightfall offers flexible integrations via HTTP headers for webhooks, which allow users to get context-rich notifications about policy violations wherever they work best, whether that’s in Slack, email, or a SIEM. Nightfall also integrates with service desk tools like Jira to escalate sensitive findings in near real-time.
  • Reporting and analytics: The solution’s centralized system provides a record of sensitive data exposure across all native integrations. It can compare trends around violations over time, up to 180 days, as well as aggregated real-time insights into behavior change and sensitive data usage within the organization. It can use this to highlight high-risk users, and it can redact information within its dashboards to protect privacy.
  • Predictive analytics: Nightfall’s ML engine can analyze and learn from data across its integrations, and it can easily inject new telemetry from third-party tools to train its models more effectively, helping to improve accuracy.

There are some areas of the solution with room for improvement. Nightfall is only built to work with SaaS, GenAI, and API-driven apps. It is not an endpoint or network DLP solution and does not provide coverage in these areas. It is unlikely to meet the needs of those with predominantly on-premises software stacks, and its prebuilt service integrations are still not extensive. As a single-focus solution, Nightfall does not provide a range of other products.

Strengths: Nightfall’s SaaS core and API-driven integration help to make initial implementation easy. Its ability to highlight and mitigate risk natively in apps it is integrated with will make end user adoption easier. Its GenAI capabilities will be attractive to many. Its use of analytics will also be helpful to analysts when evaluating risk and performance.

Challenges: The scope of this solution is very focused, so it does not provide insights at the endpoint or network layer. Nightfall does not move outside of its core functionality, so it won’t be suitable for those seeking a single broad solution vendor. While the number of integrations is growing, it is still limited and may require use of its development platform to integrate more broadly.

Proofpoint Sigma

Proofpoint provides a broad range of data- and people-focused security solutions. Its customer “sweet spot” is a company with 2,500 to 15,000 end users. The solution can still be attractive to mid-market customers in certain sectors, such as legal or technology, where the protection of data for regulatory and business purposes is a particularly high priority. Proofpoint also serves a good MSP partner community.

Proofpoint’s DLP solution is part of its Sigma Information Protection Platform, which offers DLP protection across a broad range of data locations, including email, cloud apps, web, and endpoints. The solution provides AI-powered data classification to identify sensitive data across all protected repositories, auto-generates detectors and dictionaries to augment DLP, and integrates with Microsoft Purview security labels. Endpoint data security is covered with a single agent that can be deployed in either endpoint DLP or, via a config change, full insider threat management for high-risk individuals. Other DLP channels are covered by Proofpoint’s email DLP, web security, and CASB offering. Across these channels, it can report on user timeline and file lineage. The solution takes advantage of Proofpoint’s significant investment in AI/ML for predictive analytics, which can pull together indicators from 150 to 200 sources and correlate this information to provide effective coverage.

Proofpoint scored well on many of our key criteria, including:

  • Insider risk awareness: The integration of Proofpoint’s DLP with its Nexus People Risk Explorer provides a unified view of threat across its broad range of protected locations. The solution assesses risk based on users’ vulnerability and privilege and the intelligence in attacks targeting users. People Explorer also ingests data loss and insider threat incidents to fully reflect insider risk. This allows organizations to scope and prioritize security projects to protect people and data.
  • Reporting and analytics: Proofpoint’s cloud-native management platform allows it to provide a consistent DLP experience across all protected repositories. It helps analysts triage alerts, carry out threat hunting activities, and develop investigation workflows across all repositories. The solution provides granular privacy controls to restrict analyst access, and it can anonymize data within the console to maintain privacy and impartiality during investigations.
  • Service desk and SIEM tools integration: The solution integrates with many leading enterprise management tools, including the newly developed DLP incident response service with ServiceNow, which allows it to raise tickets and receive updates directly from the ServiceNow platform. It also integrates with SIEM, identity, EDR, and service edge applications.

While the Proofpoint DLP console unifies sensitive data definition, alerts triage, threat hunting, and investigation workflows into a single console, its broad range of solutions may still require multiple consoles to configure policy rules during the initial deployment. The company’s professional services offerings, broader security integrations, and continued investment in predictive analytics may help lessen this added complexity.

Strengths: Proofpoint has invested in predictive analytics to increase its effectiveness for end users. Its broad coverage should cover potential data loss vectors for most customers. Its good integration with other enterprise security and operational tools will be helpful for those looking to add the solution into existing complex security stacks.

Challenges: This is a solution aimed at the larger and more complex enterprise and is unlikely to be suitable for the mid-market (under 1,000 seats) except in some specific use cases. Its broad portfolio of products may also lead to some issues with rule configuration needed to cover the breadth of its solutions. This is likely to add some complexity during initial implementation.

Safetica

Safetica provides insights into data usage on the endpoint as well as data movement to and from the endpoint. The Safetica One solution targets midsize businesses and small enterprises (500 to 10,000 users) while Safetica NXT is aimed at small businesses (20 to 500 users).

The Safetica One product requires a central server that provides the admin consoles and DLP engine; it can be deployed on-premises or as a public cloud image. Safetica NXT is a SaaS solution, but it only has a subset of the full solution’s capabilities. Both solutions require agents on all devices to be protected; there are agents for Windows and macOS, but no Linux support. Safetica’s goal is to provide a solution that is easy to use, quick to deploy, and provides rapid results to identify data security risks and insider threats. The endpoint agent gives insights across multiple platforms, allowing it to add valuable context to all data usage, across devices, locations, and users, to more effectively apply controls and protections.

The solution delivered well on a number of our criteria, including:

  • Contextual awareness: Safetica integrates across a number of platforms; via the agent, the endpoint gives it visibility of data movement across many potential data loss vectors. Safetica One’s integration with Microsoft 365 and its CASB offering provide broad insight across many services, and the addition of event and user risk assessment supplies rich context to help more accurately identify potential data loss risk.
  • Service desk and SIEM tools integration: The solution provides good integration with a number of enterprise security tools, including SIEM, EDR/XDR, and broad security fabric providers such as Fortinet. This ensures the solution can interact well with the enterprise operational software stack and does not operate in isolation.
  • Reporting and analytics: The solution natively provides clean dashboards (including the upcoming modernization of Safetica One) and reporting for risk assessment and user and admin alerts into either predefined or custom reports. It integrates with analytics tools such as Power BI and Tableau to further enhance analytics and reporting capabilities.

While Safetica offers a strong solution for the SMB market, its focus on the SMB market means it is unlikely to be attractive to large enterprises, and the vendor states that companies with more than 15,000 users would be unsuitable for a single server deployment. Though it provides broad support for Windows and macOS, there is no support for Linux. It also does not provide native file encryption, and currently, there is no integration with Google Workspace, although this is in development.

Strengths: Safetica provides a solution that is simple to deploy and operate, can be easily implemented, and provides quick results. It offers good integration with enterprise operational tools, which can help with adoption. It also has good service integration and uses the information it acquires to provide a richer context to more accurately identify threats.

Challenges: The solution is aimed at the SMB market and probably not appropriate for larger enterprises. There is no Linux version of its endpoint agent and no integration with Google Workspace at this time.

Trellix DLP

Trellix has a broad portfolio that includes EDR, XDR, and NDR as well as threat intelligence. Its DLP suite covers endpoints, network monitoring, data discovery, and protection via integration with leading web and email gateway products. It sees its main customers as those in regulated industries, with dedicated security teams and over 1,000 employees, though it does not rule out supporting smaller customers.

The Trellix ePolicy Orchestrator (ePO) is a management platform with both SaaS-based and on-premises options. Local monitoring is done via endpoint and network agents. DLP contains four key products: Endpoint, Network Monitor and Prevent with Capture, Discover, and Device Control. Network Monitor and Prevent stores every event. This allows for forensic investigation, regardless of policy triggers, and the development of historical data to help tune future policies. There’s also an innovative database security solution that allows additional granular data loss protection to be applied to a database without modification. The solution can help to ease adoption via its ability to scan and classify data on the fly, without initial policy definition. It can do full data discovery across endpoints, but this is not a prerequisite. The solution natively understands 300 content types and supports the development of customized ones. Classification can be done manually or automatically (using content, context, fingerprints, and EDM), and the solution also supports integration with third-party classification vendors.

While Trellix does not provide native integration with cloud apps, it integrates closely with Skyhigh’s CASB, including the ability to deploy Skyhigh policies via the Trellix management interface to provide this function. It also provides support services for users during the initial deployment. Professional services teams will work with customers to set up a comprehensive data protection program that will help with deployment and adoption. The solution can also provide automated encryption of data at the endpoint.

The solution scored well on several of our criteria, including:

  • Contextual awareness: Trellix provides a rich set of classification capabilities that use traditional context classification, such as keywords and regex, but enhance these via its endpoint agent with context on specific endpoints, endpoint domains, endpoint groups, and file metadata. It can also use context from cloud apps (via integration with third parties), the network, and database servers.
  • Extended user education: The solution provides end user notifications of potential risks that can be configured via HTML and a variety of dynamic variables. User notifications can also be displayed in different languages based on the version of Windows installed on an endpoint system or based on the physical location of a network appliance. Trellix also enables users to provide notification override with appropriate justifications. Data on how users interact with notifications can inform the enterprise of where risks lie and where employees can be better educated.
  • Predictive analytics: The Trellix threat intelligence engine consumes around 100 billion queries daily, which it uses to help predict potential malicious attacks. It also sources additional insight from frontline IR teams, independent vendors, and curated threat intelligence that helps identify malicious threats and categorizes them against its own ML model to better train it and build better accuracy.

The solution provides DLP capabilities but does not offer strong governance and compliance controls for data. While its endpoint agent will offer DLP protection for email and cloud apps, it relies on integrations with other tools for direct DLP in these platforms.

Strengths: Trellix provides a broad suite of tools for protection of data across endpoints and networks. It also offers an innovative approach to the protection of data within a database that will be of interest to those looking specifically at this space. Its end-user notification capabilities are flexible, which can help with adoption.

Challenges: DLP protection for email and cloud applications is available via the endpoint agent. To protect these platforms directly requires integration with third-party tools such as a secure email gateway. It also lacks the governance and compliance features of some of its competitors.

Zscaler Data Protection

Zscaler is well known in this space, with a broad portfolio of solutions to meet a wide array of data security challenges. DLP is provided via its Data Protection solution, which integrates across multiple channels using what it calls “Zero Trust Exchange.” There is a range of licensing packages available, but the breadth of the Zscaler suite suggests this solution is better pitched at the larger organization.

The Zero Trust Exchange works as a SaaS-based CASB within an organization’s environment. It can be deployed either in-line or as an out-of-band API integration with SaaS and public cloud apps. It covers a wide range of channels, and this continues to grow with new support for email security and endpoints. The endpoint agent supports Windows and macOS (but not Linux), and it will monitor traffic as well as apply DLP controls. The solution offers workflow automation natively after the integration of its Shiftright acquisition, and it uses its broad service integration coverage to apply context to its DLP risk assessment, looking not only at sensitive information but also at user risk to allow the application of dynamic DLP rules. Zscaler provides good integration with a wide range of enterprise security and operational tools as well as APIs for custom integrations, and it integrates with cloud platforms to provide cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM) for its customers to aid with complex cloud security. The solution also simplifies adoption with out-of-the-box zero configuration policies that can identify sensitive data and risky behavior without any policy creation.

The solution scored well on many of our key criteria, including:

  • Service desk and SIEM integration: It has extensive prebuilt integrations with a broad range of leading security and operational technologies. This includes SIEM, SOAR, service desk, and identity solutions. These integrations will aid in easing adoption and making Zscaler a core part of the enterprise stack. In addition, APIs are available to allow further custom integrations if needed.
  • Insider risk awareness: The addition of an endpoint agent has helped improve Zscaler’s ability to identify the internal movement of data. This includes movement from the endpoint to external devices as well as to the cloud, providing a detailed view of internal activity to help identify potential risks. Zscaler’s OCR capabilities enable it to look for sensitive data within image files, and its good threat hunting tools help analysts investigate risks.
  • Orchestration and automation: The integration of Shiftright provides the ability to build automation workflows, including user justification and management escalation processes. Its broad range of integrations with enterprise SOAR solutions will help integrate Zscaler into existing workflows.

Because setup can be more complex and lead to longer implementation times, prospective customers should evaluate vendors’ support and training when comparing solutions to ensure Zscaler’s services meet their needs.

Strengths: Zscaler covers a wide array of data services from public cloud to email. Its extensive integrations with a number of partners will help customers add Zscaler to their existing workflows and ease adoption. The solution’s good insider risk awareness and selection of dynamic controls will help organizations apply appropriate DLP mitigation steps.

Challenges: There is no support for Linux endpoints. Due to the complexity associated with implementing a broad platform, the solution is less likely to appeal to smaller organizations.

6. Analyst’s Take

The threat posed by data loss is significant. The challenge is constantly evolving and continues to grow in complexity. However, this is matched by innovation from vendors, whether they are well-known and established or among the newer solution providers.

Vendors are continuing to work hard to overcome some of the traditional challenges associated with DLP adoption. Many of them now provide the option of initial policy-free identification of sensitive information and risky behavior to help businesses more quickly gain a return on their investment. The move to a risk-based approach to tackling data loss threats also continues. Vendors are increasingly moving away from the need to have large libraries of pre-defined sensitive data types and rules as the primary way to identify data loss threats. Instead, they are beginning to use analytics to spot risky behaviors and unusual activity around data. The use of analytics is also fostering a move to more dynamic application of DLP rules by several vendors, who are using risk-based analysis to apply rules differently based on the level of risk identified. This should help reduce one of the major challenges faced by those looking to adopt DLP tools—overzealous rules application.

Vendors are also trying to ease adoption with the increasing use of SaaS-based DLP solutions, moving away from the more traditional on-premises appliance and server infrastructure. Some vendors, however, continue to offer on-premises options for those who need them.

Vendors are also recognizing the breadth of potential data loss threat vectors and are working on the ability to apply controls to an ever-widening range of data services that includes endpoints, networks, native cloud storage, databases, and SaaS apps.

Prospective buyers should consider the following when evaluating DLP solutions:

  • Build an understanding of where your data resides and ensure your solution can provide that coverage. If your data repositories are all cloud based, consider solutions that integrate via API with SaaS platforms. However, if endpoint and network coverage is needed, then consider the impact of agents and on-premises “listeners.”
  • Determine what approach is most appropriate for your organization. Organizations that are more mature and already use classification approaches to data will want a solution that recognizes this. However, for others, risk-based solutions that do not require pre-investigative work into discovery and classification will be more suitable.
  • Consider your existing infrastructure. More mature organizations with existing investments will want tools that integrate effectively into those environments. Vendors with extensive integrations or good API availability may be more appropriate.

This research offers insight into DLP, providing clarity about the challenges involved and the range of solutions available to meet the multiple demands of today’s businesses. Data loss is a risk with potentially significant impact, so ensuring the right DLP tools and approaches are in place is essential.

7. Methodology

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Paul Stringfellow

Paul Stringfellow has more than 25 years of experience in the IT industry helping organizations of all kinds and sizes use technology to deliver strong business outcomes. Today, that work focuses mainly on helping enterprises understand how to manage their data to ensure it is protected, secure, compliant, and available. He is still very much a “hands-on” practitioner and continues to be involved in a diverse range of data projects. Paul has been recognized across the industry and has spoken at many industry, vendor, and community events. He writes for a number of industry publications to share his enthusiasm for technology and to help others realize its value.

Paul hosts his own enterprise technology webcast and writes regularly on his blog.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2023. "GigaOm Radar for Data Loss Prevention (DLP)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.