Data Security Posture Management (DSPM): What Is It And Why Does It Matter Now?

Data Security Posture Management (DSPM) is an emerging security trend named by Gartner in its 2022 Hype Cycle for Data Security. Let’s explore how it can help address security issues much better than traditional security methods.

September 30, 2022

Data Security Posture Management (DSPM) is an emerging security practice that addresses cloud security concerns by automating data discovery and protection activities in a dynamic environment. In this article, we explore DSPM: what it is and how it differs from CSPM, how DSPM vendors differ from other security companies, and how the category is becoming a catalyst for addressing data security concerns.

The cloud revolution has fundamentally altered how businesses function. Moving workloads and data assets is now simpler than ever and is a boon for many business units, since it allows them to complete tasks more quickly. However, it also dramatically raises the likelihood of a data breach: it makes it harder for enterprises to keep track of the sensitive data they place in the environment and complicates data security.

Data Security Posture Management, or DSPM, is a new emerging security trend recently announced by Gartner in its 2022 Hype Cycle for Data Security. It addresses these cloud security challenges by automating data detection and protection operations in an ever-changing environment. It connects data, applications, and identities to provide a comprehensive picture of a company’s security posture.

Let’s go through DSPM in-depth: what it is and how it differs from CSPM, how DSPM businesses vary from other security firms, and how the phenomenon is becoming a catalyst for tackling security challenges.


The Present State of Data Security & How DSPM Has a Role to Play

As data is the most valuable asset for companies, it is not surprising that data protection is a top priority for most security teams. It is especially true for software companies that process and store sensitive customer data, such as personal information, PHI, or financial information.

However, Jonathan Roizin, co-founder and CEO at Flow Security, thinks securing sensitive data in modern application environments is almost impossible. In an ever-changing architecture, data is fragmented over thousands of applications, data stores, and SaaS providers. “Still, most organizations use traditional techniques to discover and protect data: manual data store scanning and tagging.”

Roizin thinks this old-fashioned paradigm is too limited and completely ignores the business context of the protected data, making a subsequent data breach inevitable.

Karthik Krishnan, founder and CEO of Concentric AI, believes that in the present data security state, enterprises are struggling with three key data challenges:

  • Massive growth in data from year to year
  • Massive migration of data to the cloud
  • The data that is worth protecting has become a very complex environment – from intellectual property to financial data to business confidential information to regulated PII/PCI/PHI data

“This is presenting unique challenges to data security,” says Krishnan. He thinks that traditional ways of protecting data, such as writing rules to discover which data an organization has that is worth protecting, or relying on end users to ensure that data is always shared with the right people, simply don’t work in an environment such as the cloud, where it is now very easy for employees to create, modify and share sensitive content with anyone.

What is data security posture management?

Erfan Shadabi, a cybersecurity expert with comforte AG, defines data security posture management as “essentially a set of security solutions and automation that enables the organization’s Security, IT and DevOps teams to get better visibility and manage the data security posture of their data storage.”

According to Gartner’s definition, DSPM provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data store or application is. 

“This requires database scanning and a data flow analysis to determine the data sensitivity, and based on that, DSPM forms data risk assessment and manages data security governance policies.”

– Jonathan Roizin, co-founder and CEO, Flow Security

Krishnan further explains how DSPM works. “DSPM focuses squarely on the data layer, from identifying sensitive data to monitoring and identifying risk to business-critical data such as inappropriate entitlements or access, risky sharing, etc., that can place sensitive data in the wrong hands – either third parties or internal users/groups.” And this includes not just identifying risk but remediating those issues, such as fixing permissions, entitlements, and sharing issues, he adds.

But DSPM and CSPM are different… 

It’s important not to confuse DSPM with cloud security posture management (CSPM), as they differ significantly, says Roizin. “CSPM focuses on the cloud infrastructure, seeking to provide cloud assets visibility and alerts on risky misconfigurations. DSPM, on the other hand, focuses on the data itself and its application context by analyzing data both at rest and in motion and classifying the data for its sensitivity, such as PII, PHI, and financial information.” DSPM’s data discovery and posture management mustn’t be limited to cloud-only scope and context but also include on-prem, SaaS, and shadow databases.

While CSPM focuses on infrastructure-level vulnerabilities that can place networks/ infrastructure at risk, DSPM focuses on data layer risk that can cause a data breach or loss.

– Karthik Krishnan, founder and CEO, Concentric AI

Shadabi shares that CSPM tools typically control and address infrastructure-related issues like insufficient encryption, improper encryption keys management, and other account permissions issues and errors. “On the other hand, DSPM solutions focus on the notion that the perimeter-based defensive methods only go part of the way toward protecting data. Because it’s not the ‘perimeter’ that malicious actors are after. It’s the data,” adds Shadabi.

How Does DSPM Address Cloud Security Issues?

The cloud was designed for collaboration, where every file or data element can be easily shared with anyone halfway around the globe. They can also be copied, duplicated, modified and shared very easily. Think of 100 variations of a redlined sensitive contract that needs to be protected, where each variant can have different access privileges. 

DSPM provides the missing piece in cloud security – protecting sensitive data. Roizin explains how:

Data discovery and data catalog

  • ML-powered classification of PII, PHI, and financial information, both predefined and customized
  • Data catalog and data flow map of data stores, internal applications, SaaS providers, and third parties
  • Detection of unmanaged data stores and shadow databases

Data risk assessment automation

  • Prioritized out-of-the-box findings of data-centric risks and compliance violations, such as over-exposure to the internet, substandard encryption implementation, sensitive data in logs, and known IOCs
  • Integration suite for a seamless experience for collaboration and remediation processes

Data egress management

  • Discovering SaaS and third parties
  • Classifying egress data flows
  • Controlling data shared with external services

Data policy management

  • Managing security and compliance policies
  • Automatically generating policies into a set of platform-specific controls for all relevant data stores
  • Combining out-of-the-box and customized policies

Data least privilege assurance

  • Detecting gaps between allowed and used permissions
  • Suggesting role definitions with minimal needed data-access privilege
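The last capability, detecting the gap between granted and exercised permissions and proposing a minimal role, is shown below as an added example (not code from the original article or from any vendor quoted in it). It assumes a constructed grant table, a constructed access log, and a hypothetical sensitivity map so that unused access to regulated data is surfaced first.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: permissions each principal is granted, as
# (data_store, action) pairs, plus a hypothetical sensitivity class per store.
GRANTS = {
    "svc-billing": {("customers_db", "read"), ("customers_db", "write"),
                    ("invoices_db", "read"), ("analytics_db", "read")},
    "analyst-jane": {("analytics_db", "read"), ("customers_db", "read")},
}
SENSITIVITY = {"customers_db": "PII", "invoices_db": "financial",
               "analytics_db": "internal"}

# Constructed access log lines: timestamp, principal, data_store, action
ACCESS_LOG = """\
2022-09-01T10:00:00 svc-billing invoices_db read
2022-09-02T11:15:00 svc-billing customers_db read
2022-09-03T09:30:00 analyst-jane analytics_db read
2022-09-28T09:30:00 svc-billing invoices_db read
"""

def used_permissions(log, since):
    """Collect the (store, action) pairs each principal actually exercised on or after `since`."""
    used = defaultdict(set)
    for line in log.splitlines():
        ts, principal, store, action = line.split()
        if datetime.fromisoformat(ts) >= since:
            used[principal].add((store, action))
    return used

def permission_gaps(grants, used):
    """Granted-but-unused permissions per principal, with unused access
    to regulated data (PII/PHI, then financial) listed first."""
    rank = {"PII": 0, "PHI": 0, "financial": 1, "internal": 2}
    gaps = {}
    for principal, granted in grants.items():
        unused = granted - used.get(principal, set())
        gaps[principal] = sorted(
            unused, key=lambda p: (rank.get(SENSITIVITY.get(p[0], "internal"), 3), p))
    return gaps

def suggest_minimal_role(principal, used):
    """Propose a role that contains only the permissions the principal exercised."""
    return {"role": f"{principal}-minimal",
            "permissions": sorted(used.get(principal, set()))}

if __name__ == "__main__":
    used = used_permissions(ACCESS_LOG, datetime(2022, 9, 1))
    for principal, gap in permission_gaps(GRANTS, used).items():
        print(principal, "unused:", gap, "suggest:", suggest_minimal_role(principal, used))
```

In a real deployment the grant table would come from the data store's IAM or ACL API and the log from its audit trail, and the lookback window should be long enough to cover infrequent but legitimate access (month-end jobs, for instance) before a grant is treated as unused.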


How do DSPM companies differ from traditional data security firms?

Krishnan outlines the capabilities that effective DSPM companies provide enterprises. These include comprehensive content- and context-driven data discovery, allowing enterprises to discover all their sensitive data without writing burdensome rules or regex patterns. DSPM autonomously identifies where the data may be at risk, for example through inappropriate entitlements or risky sharing, without requiring enterprises to write upfront policies. This is critical because DSPM solutions should, on their own, be able to determine whether sensitive data shared with a third party was shared appropriately, and present those data risk insights to the security teams. Finally, DSPM remediates those issues to prevent data breaches.

And effective DSPM companies do this with an easy deployment model that:

  • Is API-based and agentless, and can be deployed in 5-10 minutes
  • Can work across unstructured and structured data
  • Can handle petabytes of data without requiring large security teams
  • Operates as a SaaS solution

Traditional data security companies, Krishnan explains, are different in two ways. “Some are complementary and operate downstream of DSPM companies – for example data encryption companies can leverage DSPM data discovery and risk insights for effective policy enforcement such as encrypting critical data and preventing data access abuse.”

“Some traditional companies are competitive – for example data access governance or data classification vendors where the solutions were mostly architected for on-premises data.” Their deficiencies for cloud data include: 

  • Data discovery has required enterprises to write burdensome rules and policies upfront to corral their data and identify what is sensitive and what is not. This often requires enterprises to need large security teams that often know upfront what data they need to protect (very much a chicken and egg problem, as most enterprises need solutions to help them understand what data they have that is worth protecting).
  • They are pretty oblivious to where access and activity violations may be happening because they do not have the intelligence to dynamically infer whether sensitive data shared with a third party was appropriate or not.
  • They also cannot handle either the volumes of data or the dynamic nature of cloud environments, take months to deploy, and operate mostly as an on-premises solution. 

DSPM as a category has arisen directly out of a need for effective capabilities to discover, monitor, and protect sensitive data in the cloud without the limitations of existing approaches.

– Karthik Krishnan, founder and CEO of Concentric AI

Key takeaway

Most data security tools are built for traditional environments, where data is stored in a few big data stores and is accessed by a small group of people, says Roizin. DSPM solutions can definitely help address complex data security challenges. 

According to Krishnan, DSPM can help companies handle data security by knowing what data is being shared with whom; by tracking data lineage as it moves across the environment; by identifying where the data may be at risk, alerting SOC analysts and providing actionable insights; and by remediating those issues as they happen, such as fixing access control issues or permissions, or disabling sharing with a third party for a sensitive file that ought not to have been shared.

DSPM solutions are different because they are well adapted to the new world: their modern approach enables comprehensive data discovery, classification, and protection in a frictionless way by integrating natively with the infrastructure’s features and APIs, Roizin concludes.

Do you think DSPM can take over other security solutions in the cybersecurity market? Share with us on Facebook, Twitter, and LinkedIn. We’d love to know!

Ojasvi Nath

Assistant Editor, Spiceworks Ziff Davis

Ojasvi Nath is Assistant Editor for Toolbox and covers varied aspects of technology. With a demonstrated history of working as a business writer, she has now switched her interest to technology and handles a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation to hardware. Being a philomath, Ojasvi thinks knowledge is like a Pierian spring. The more you dive in, the more you learn. You can reach out to her at ojasvi.nath@swzd.com