Linux is no longer confined to servers in the data centre. In many organisations, it has become the primary endpoint platform for software engineers, DevOps teams, and data scientists.
That shift creates a practical security challenge: sensitive engineering data such as source code, design documents, and CAD files now lives on Linux workstations that often sit outside traditional endpoint DLP and device control programs.
In many enterprises, Windows and macOS endpoints are already covered by DLP policies, while Linux developer machines remain largely unmonitored. As engineering teams migrate to Linux at scale, that gap becomes difficult to ignore.
Linux in the enterprise today
If you only look at general desktop market share, Linux still appears small. StatCounter’s worldwide desktop OS snapshot for February 2026 reports Linux at 2.88%, while Windows remains dominant (and there is also a sizeable “Unknown” category in the dataset). [1] This kind of metric is useful as a broad directional signal, but it undercounts many corporate realities: locked-down employee portals, VDI, developer devices, and machines that don’t browse the public web like consumer PCs.
When you look at where modern compute actually runs – cloud platforms, web infrastructure, and high-performance computing, Linux’s footprint is dramatically larger.
Microsoft, for example, has been explicit about Linux’s growth on Azure. In an October 2024 update, Microsoft stated that over 60% of Azure customer cores run Linux-based workloads. [2] A few months later, Microsoft reiterated that momentum, noting over 65% of Azure workloads running Linux – in a discussion explicitly framed around “cloud computing and AI”. [3]
On the public web, W3Techs reports that Linux is used by 60.8% of websites where the operating system is known (March 2026). [4] If you broaden to Unix-like systems overall, W3Techs reports Unix at 91.1% of websites where the OS is known (March 2026). [5] (This is not a perfect proxy for “all enterprise servers”, but it is a strong indicator of what the internet-facing world standardises on.)
And in the most performance-demanding environments, Linux is effectively the default. The Linux Foundation has highlighted that Linux runs all of the world’s fastest supercomputers, based on TOP500-era reporting. [6] Independent coverage has also noted Linux’s dominance in supercomputing and its role in pushing forward AI/ML and other research workloads. [7]
The headline takeaway is simple: even if Linux desktop share looks modest globally, Linux is foundational to how most modern enterprise computing is delivered—and that includes scenarios where sensitive data exists and moves.
Who uses Linux endpoints and why
A helpful way to understand Linux endpoint adoption is to follow the people who create and move high-value data: developers, engineers, and technical power users.
The Stack Overflow Developer Survey is one of the clearest public datasets for this. In the 2025 survey results, developers reported professional use of Ubuntu (27.7%), Linux (non‑WSL) (16.7%), Debian (10.4%), and WSL (16.8%)—alongside Windows and macOS. [8] The 2024 survey similarly showed substantial professional Linux usage (for example, Ubuntu at 27.7% professional use and WSL at 16.8%). [9] These figures are not “enterprise asset inventory”, but they are a strong signal that in work environments where IP is created (code, models, designs), Linux is common.
Large-scale organisations also run Linux on employee desktops at meaningful scale. Google has publicly described its internal Linux desktop journey, including moving from an Ubuntu-LTS-based internal distribution to a Debian-based rolling model, specifically to support productivity and reduce upgrade toil. [10]
In practice, organisations choose Linux endpoints because they map well to today’s engineering workflows: modern toolchains, containers, predictable automation, and a strong security model when configured properly. The same drivers show up even more strongly in data centres and cloud environments – especially as AI workloads grow. Microsoft’s own commentary about Linux on Azure explicitly places Linux growth in the context of cloud and AI demand. [3]
Industry-wise, Linux endpoints cluster wherever development and engineering are core to the business model: software and SaaS, financial services, telecoms, research, and advanced manufacturing. In customer conversations (including within automotive), a common pattern is engineering teams moving to Linux workstations and wanting stronger protection for source code and large CAD/engineering file sets – exactly the kinds of assets that are valuable, portable, and easy to exfiltrate if endpoint controls are inconsistent.
What is driving Linux DLP adoption right now
In many organisations, the push for Linux endpoint protection is not theoretical. It is triggered by specific engineering initiatives.
For example, several large enterprises are currently migrating thousands of software engineers to Ubuntu-based development environments. In these environments, sensitive intellectual property such as source code repositories, CAD drawings, and product designs are handled daily on Linux workstations.
Security teams often discover that their existing DLP platform protects Windows and macOS devices but provides little or no coverage for Linux desktops. The result is a significant protection gap for some of the most valuable data in the organisation.
Linux security reality: strong foundations, real-world gaps
Linux has many security strengths, but the honest answer to “Are Linux systems secure?” is: they can be very secure—if you manage them deliberately.
Linux supports modern mandatory access control approaches. On Ubuntu, AppArmor is documented as an easy-to-use Linux Security Module that applies mandatory access control profiles per program. [11] On Red Hat platforms, SELinux provides mandatory access control in the Linux kernel and can enforce a customisable security policy on running processes and their actions. [12]
For endpoint device risk, Linux has native mechanisms too. USBGuard, for instance, is designed to enforce allow/deny policies for USB devices using the Linux kernel’s USB device authorisation feature, providing a basic whitelisting/blacklisting model based on device attributes. [13]
So where does the “gap” come from?
It usually isn’t that Linux cannot be secured.
In practice, this gap often appears when engineering teams standardise on Linux workstations while security tooling remains focused on Windows and macOS. Organisations may deploy EDR or vulnerability management agents on Linux, but still lack controls to monitor or block data transfers such as copying source code to USB drives, uploading sensitive files through browsers, or syncing files to cloud storage.
It’s that enterprise security programmes often struggle to deliver uniform, centrally-auditable enforcement across a mixed environment—especially for the specific controls that matter for data exfiltration: removable media, peripheral ports, browser uploads, cloud sync tools, and application-specific transfer paths.
Compliance frameworks make it very clear that removable media use is a first-class risk. NIST SP 800‑171 includes the explicit requirement “Control the use of removable media on system components” (3.8.7) and explains that organisations may restrict or prohibit devices like flash drives and external hard disks using technical and nontechnical controls. [14] NIST SP 800‑53 Rev. 5 similarly defines MP‑7 (Media Use): restrict or prohibit defined types of system media, and prohibit portable storage devices when they have no identifiable owner. [15]
In other words: from a governance perspective, “we’re secure on Windows” is not an acceptable answer if sensitive data is being handled on Linux endpoints too.
Another nuance: many well-known endpoint security vendors absolutely treat Linux seriously for EDR/anti-malware and visibility—Microsoft Defender for Endpoint explicitly supports Linux (alongside Windows and macOS) for many core capabilities. [16] But broad “endpoint security” does not automatically equal “device control and DLP parity”. Microsoft’s own platform capability matrix shows Device Control = No on Linux, even though many other capabilities are supported. [17] That’s not a criticism—just a reminder that Linux DLP and Linux device control are specialised problems, and not every mainstream endpoint stack solves them equally.
What Linux DLP and Device Control options actually look
When a company says “we need Linux DLP and device control”, it usually means protecting high-value engineering data on developer workstations. This often includes source code repositories, CAD designs, engineering documentation, financial data, or regulated information such as PII.
In practice, organisations typically need three capabilities at once:
- First, you need a way to control devices and ports (USB mass storage, MTP/PTP phones, Bluetooth transfers, printers, and more) with centrally managed policies and logs—because the risk is not theoretical. NIST explicitly calls out restricting flash drives and external drives as part of media protection. [18]
- Second, you need to identify and stop sensitive data movement at the point where the user interacts with it: copying files to removable media, uploading via browser, sending via email client, or syncing to cloud storage.
- Third, you need proof: audit trails, reporting, and the ability to show consistent enforcement (not just “we have a Linux security policy document”).
In the current market, organisations tend to consider four practical approaches, often combined:
Native Linux controls (good for local hardening, weak for enterprise consistency). Tools like USBGuard can implement allow/deny policies for USB devices at the Linux level. [13] AppArmor/SELinux can significantly strengthen application confinement. [19] But these controls typically require significant engineering effort to deploy consistently across distributions, maintain over time, and integrate into the reporting and exception workflows that large organisations actually need.
“Endpoint security” platforms (strong for threat detection, mixed for data exfiltration controls). Many organisations standardise on EDR/XDR and vulnerability management agents for Linux, which is good practice. [16] But Linux device control and Linux endpoint DLP are not universally available as first-class features; for example, Microsoft’s own capability matrix indicates Device Control is not supported on Linux. [17]
Network/cloud DLP controls (useful, but not sufficient for endpoints). Network DLP, email security, and cloud app controls can reduce some exfiltration paths—but they won’t reliably stop “offline” and local exits like copying to USB, and they can’t see every endpoint action if the device is remote, encrypted, or using unsanctioned tooling.
Dedicated endpoint DLP platforms with Linux support (the deciding factor is depth and parity). Some enterprise DLP vendors do support Linux agents, but often with constraints or reduced capability. Broadcom’s Symantec DLP documentation, for example, includes explicit Linux endpoint OS requirements (e.g., specific supported RHEL and Ubuntu versions). [20] Digital Guardian also publishes Linux agent release notes, including feature limitations such as Microsoft Information Protection labelling support being limited to reading existing labels (not writing/modifying them) on Linux. [21] Other products may be Windows-only at the endpoint level; Trellix documentation, for instance, states Trellix DLP Endpoint client and Device Control run on Windows/Windows Server. [22] Forcepoint support content also indicates Linux endpoint visibility has changed over time, with a note that the Linux endpoint is missing from modern releases in its support matrix context. [23]
The hard truth is that many organisations don’t discover these differences until late in a project – when Linux engineering teams are already live and the security programme is trying to “retrofit” controls.
Endpoint Protector’s Linux approach: long-standing support and parity as the goal
Endpoint Protector’s story is relevant here because Linux support isn’t something that was bolted on last year, it has been part of the product’s history for well over a decade. This capability becomes particularly important in engineering-heavy environments where thousands of Linux developer workstations handle proprietary source code, design files, and research data.
Endpoint Protector release history documents Linux Debian server/client builds as far back as 2009 (for example, “Endpoint Protector 2009 (for Linux Debian)” entries with server and client versions in 2009). [24] That matters because “supporting Linux” in a real enterprise sense is not a checkbox; it requires long-term engineering investment across distributions, desktop environments, and evolving OS security models.
On the feature side, Endpoint Protector positions itself as a cross-platform DLP and device control solution with feature parity across operating systems. Its DLP for Linux page explicitly states the solution provides “feature parity between Linux, Windows and macOS computers” and highlights support for multiple Linux distributions (including Ubuntu, openSUSE, Red Hat, and CentOS). [25] Its Content Aware Protection page goes further, stating Endpoint Protector is the only DLP solution to offer full feature parity across Windows, macOS, and Linux endpoints. [26]
The product documentation also shows practical Linux-focused capability delivery. In an Endpoint Protector product update from 2016, the release notes describe Content Aware Protection enhancements for popular Linux versions/distributions (including monitoring and controlling file transfers across exit points such as emails, web browsers, cloud services, and file sharing services) and list policy mechanisms such as predefined content, custom content, regex, file type filters, thresholds, and allow/deny lists. [27]
On the device control side, Endpoint Protector’s own materials describe Device Control as cross-platform across Windows, macOS, and Linux, enabling control and monitoring of portable devices connected to endpoints. [28]
If your Linux endpoints handle high-value IP—like source code repositories, build artefacts, product designs, and CAD/engineering files – the practical value of parity is straightforward: you can enforce the same policy intent everywhere, rather than creating a “Windows rule set” and a separate, weaker Linux workaround.
Compliance and audit implications for Linux device control and DLP
Even when the business motivation is protecting IP, compliance pressure is usually what forces consistency.
NIST frameworks are blunt about removable media controls. SP 800‑171 requires organisations to control the use of removable media on system components and discusses restricting or prohibiting flash drives/external drives through controls. [14] SP 800‑53’s MP‑7 similarly calls for restricting/prohibiting types of media and prohibiting portable storage devices without an identifiable owner. [15]
Those requirements don’t specify “Windows-only”. If Linux endpoints are in-scope (because they touch regulated data, controlled unclassified information, customer data, or sensitive IP), then the organisation’s technical controls and audit evidence need to cover Linux too.
This is also where well-run device control programmes pay off beyond security. Centrally managed policies and logs become operational evidence: who connected what device, when it happened, and what data transfer actions were blocked, allowed, or exception-approved – particularly important in engineering-heavy environments where business needs sometimes demand controlled exceptions.
Endpoint Protector’s own DLP positioning explicitly ties endpoint protection to meeting data protection regulation requirements (it references regulations such as GDPR, PCI DSS, HIPAA, and CCPA in its general DLP messaging). [29] While the specific compliance mapping always depends on your environment, the principle is consistent: you cannot credibly claim coverage if one of your main engineering endpoint platforms is outside the control plane.
Conclusion: Linux endpoints deserve first-class data protection
Linux use in enterprises is not slowing down – it is expanding alongside cloud adoption, developer workflows, and AI-heavy compute. Microsoft’s own numbers on Azure (over 60% of customer cores and over 65% of workloads running Linux) underscore how mainstream Linux has become in modern infrastructure. [30]
Developer ecosystem data also shows that Linux (and Linux-adjacent workflows like WSL) is a normal professional environment for a large share of technical users. [31]
From a security and compliance viewpoint, the requirement doesn’t change by operating system: frameworks like NIST call for explicit control of removable media use and related restrictions. [18] The difference is whether your tooling can actually enforce those requirements on Linux endpoints with the same depth, visibility, and workflow controls you expect on Windows and macOS.
If your organisation needs real Linux DLP and Linux device control, especially to protect high-value engineering data like source code and CAD files – focus on solutions that treat Linux as a first-class platform, not an afterthought. Endpoint Protector’s long-standing Linux support (documented going back to 2009) and its explicit parity positioning across Windows, macOS, and Linux are designed to address exactly that gap. [32]
In several enterprise deployments, security teams only discover the Linux coverage gap after engineering teams have already migrated to Linux environments. At that point, the priority becomes closing the gap quickly without disrupting development workflows.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.
