I've heard methods such as
- obviously hosts contacted by the client machine
- using software to detect if information has been exported via USB
Can you name any others?
1) DLP solutions for email and cloud storage: Office 365 and GSuite both have a bundled DLP solution. Third-party solutions are also fairly comprehensive.
2) DLP solutions for workstations. This can range from sharing being disabled via MDM to DLP monitoring software (sometimes bundled in anti-virus) to some type of Desktop as a Service solution (see techjuice's answer for more info on the last choice).
3) DLP server solutions. These can monitor for and disable certain sharing protocols. Most of the solutions are commercial (opendlp being an exception) and relatively rare out in the wild.
4) Network-based DLP. This can be a MITM proxy which all traffic goes through, common in financial firms. This can also include more basic solutions like firewalls blocking certain types of traffic or websites.
5) Security monitoring solutions. This can be a SIEM solution which aggregates logs and looks for suspicious activity. Similar solutions are user behavior analytics systems which correlate historic user history, user roles and system information to look for suspicious activity. This type of system is essentially what Google's BeyondCorp Proxy is doing in the background.
6) Audit logs. This is primarily for tracking down who leaked data, but can serve as a preventive measure.
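As an added example (not code from the answer above), the kind of per-user correlation that the SIEM and audit-log approaches in points 5 and 6 perform, run over a few constructed endpoint log lines. The log format, the thresholds, the rule names and the `corp.example` domain are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample endpoint/audit log lines (assumed format, not from the post):
# "<ts> user=<name> event=<type> key=value ..."
SAMPLE_LOGS = """\
2024-03-01T09:02:11 user=alice event=usb_attach vendor=SanDisk serial=CONSTRUCTED01
2024-03-01T09:03:40 user=alice event=file_copy dest=removable path=/home/alice/q1-report.xlsx bytes=2400000
2024-03-01T09:04:05 user=alice event=file_copy dest=removable path=/home/alice/customer-list.csv bytes=91000000
2024-03-01T10:15:00 user=bob event=email_out recipient=bob.personal@example.net attachments=1 bytes=350000
2024-03-01T11:20:30 user=carol event=http_upload host=files.example-share.net bytes=180000000
2024-03-01T11:21:00 user=carol event=http_upload host=intranet.corp.example bytes=5000000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed policy values; an organisation would tune these to its own baseline.
REMOVABLE_BYTES_THRESHOLD = 50_000_000   # >50 MB copied to removable media per user
UPLOAD_BYTES_THRESHOLD = 100_000_000     # >100 MB uploaded to external hosts per user
INTERNAL_DOMAIN = "corp.example"         # hosts and mail addresses treated as internal

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "user": m["user"], "event": m["event"]}
    rec.update(KV_RE.findall(m["rest"]))  # remaining key=value pairs
    return rec

def detect(log_text):
    """Correlate per-user events and return sorted (user, rule) findings."""
    removable, uploads, findings = defaultdict(int), defaultdict(int), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        user, ev = rec["user"], rec["event"]
        if ev == "file_copy" and rec.get("dest") == "removable":
            removable[user] += int(rec.get("bytes", 0))
        elif ev == "http_upload" and not rec.get("host", "").endswith("." + INTERNAL_DOMAIN):
            uploads[user] += int(rec.get("bytes", 0))
        elif ev == "email_out" and not rec.get("recipient", "").endswith("@" + INTERNAL_DOMAIN):
            findings.append((user, "attachment_to_external_address"))
    findings += [(u, "bulk_copy_to_removable") for u, b in removable.items() if b > REMOVABLE_BYTES_THRESHOLD]
    findings += [(u, "bulk_external_upload") for u, b in uploads.items() if b > UPLOAD_BYTES_THRESHOLD]
    return sorted(findings)
```

Summing bytes per user rather than alerting on single events is what keeps the small, routine copy and the intranet upload out of the findings while the bulk transfers still surface.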
Is it really spying if employees are leaking data they are not supposed to? To me, leak implies unsanctioned or illicit.
In terms of loss protection most companies use DLP (Digital Loss Prevention) technology and the system logs any activity of information leaving the system or entering a system (use of smartcards, usb drives (auto encrypting usb drives)) logging all contents burned to a disc, all emails going in/out of the system, etc.
With VDI normally there is a zero client with a keyboard and mouse and that is it. There is no local storage and everything the user interacts with is streamed to their desktop. If they need to upload something they will normally send it to the systems engineers for processing; this ensures their requests only go one way and they cannot download anything off the system.
If they need to send something they normally do it from their zero client and the server they are connected to processes their request. Normally with these setups the server and network infrastructure is extremely powerful to enable the zero client to appear faster than a regular desktop, due to the server being able to deliver PCoIP, otherwise known as DaaS (Desktop as a Service).
The common theme was that they were generally an inconvenience, as all had fairly obvious ways one might hypothetically evade them.
The sorts of steps LinuxBender suggests seem more sensible at the cost of being more invasive; it's just a matter of how far the company is willing to go before it is impractical. Locking down the BIOS, encrypting the hard drive and isolating the computer in a secure room are the other points I'd expect, but that takes things to a different level and it's less about regular employee situations then (so maybe getting off topic?)
It was also recently made public that Xbox did the same with private builds of console software for people releasing YouTube videos of unreleased software.