Data security posture management: What is fact and what is fiction?

The rise of data security posture management (DSPM) is not surprising, given the increasingly complex cloud environments in which organizations store large amounts of data. A capability that gives security teams a complete view of the posture of their cloud data assets, and of the sensitive data inside them, is extremely valuable.

Despite the growing importance of DSPM, there are still misunderstandings about what it can and what it cannot do for a business.

As data becomes more valuable to companies, it is also spreading everywhere. Companies are moving data to the cloud, aggregating it in data warehouses and SaaS applications, and transferring it between systems in real time to drive decisions. With attacks rampant, businesses worry that data breaches will disrupt operations and innovation.

Traditional data loss prevention (DLP) has not proven effective in the cloud. It is notoriously noisy and user-unfriendly, lacks an understanding of cloud architecture, and cannot handle cloud scale. It also typically requires teams to already know what type of data must be protected and where the controls should be placed.

But in the cloud, data sprawl is real. Sensitive data is scattered across cloud services, and there are so many shadow IT data systems that the attack surface is too vague and too large for DLP to defend against.

Cloud-native DLP exists, but it is expensive and narrowly focused. To complicate matters further, security teams are realizing that their recent investments in third-party cloud-native application protection platforms (CNAPP) do not address data risk in the cloud.

DSPM emerged as the industry desperately needed a more scalable and reliable data-centric approach to protecting ubiquitous cloud data.

With this background in mind, let's understand what DSPM can and cannot offer.

Provide intelligent insights about your data

DSPM technology gives companies better visibility into their data regardless of which public cloud it is stored in. At its core, DSPM uses machine learning techniques to discover and classify sensitive data and to attach context to it, such as business, security and privacy metadata and the configuration of the underlying system.

Many DSPM solutions can also monitor data access, allowing enterprises to track data users and their roles, permissions and locations. While DSPM technology will likely evolve as the market matures, the concept itself promises to be a game-changer for data security teams.
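As an added illustration, not code from the original article or from any DSPM product, the following Python sketch shows the classification step in its simplest form: sample a few values from each column, run them through pattern detectors (with a checksum where the format has one), and label the column when most of its sampled values agree. The column names and values are constructed for this example, and regular expressions stand in for the machine-learning classifiers the article refers to.

```python
import re
from collections import Counter

# Constructed sample, as a DSPM scanner might sample a few values per column
# from a warehouse table. Names and values are made up for this example.
SAMPLE_COLUMNS = {
    "customer_email": ["ana@example.com", "bob@example.org", "n/a"],
    "card_number": ["4111 1111 1111 1111", "5500-0000-0000-0004", "1234567812345678"],
    "ssn": ["078-05-1120", "219-09-9999", "123-45-6789"],
    "thumbnail_url": ["https://cdn.example.com/a.png", "https://cdn.example.com/b.png"],
}

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")

# Sensitivity tier per data class (assumed for the example).
SENSITIVITY = {"SSN": "high", "PAN": "high", "EMAIL": "medium"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str):
    """Return a data class label for one value, or None if nothing matches."""
    if SSN_RE.match(value):
        return "SSN"
    if EMAIL_RE.match(value):
        return "EMAIL"
    if CARD_RE.match(value) and luhn_ok(re.sub(r"[ -]", "", value)):
        return "PAN"
    return None


def classify_column(values, threshold=0.5):
    """Label a column when more than `threshold` of its non-empty sampled values share one class."""
    sampled = [v for v in values if v and v.strip()]
    if not sampled:
        return None
    hits = Counter(label for label in map(classify_value, sampled) if label)
    if not hits:
        return None
    label, count = hits.most_common(1)[0]
    return label if count / len(sampled) > threshold else None


def classify_table(columns):
    """Map every column name to its label, or None for columns with no sensitive class."""
    return {name: classify_column(vals) for name, vals in columns.items()}


def sensitive_columns(columns):
    """Only the labelled columns, with the sensitivity tier a prioritization step would use."""
    return {name: SENSITIVITY[label] for name, label in classify_table(columns).items() if label}


if __name__ == "__main__":
    for name, tier in sensitive_columns(SAMPLE_COLUMNS).items():
        print(f"{name}: {tier}")
```

The threshold matters in practice: a free-text column with one stray card number should not be labelled PAN, while a column in which two of three sampled values pass the Luhn check almost certainly is one. The third card value above is a 16-digit string that fails the checksum and is correctly ignored.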

But data is not like the other elements of your cloud infrastructure that you need to protect. It is not static: it is moved and copied between data systems inside and outside the cloud, transformed between tables and columns, and even flows downstream to applications for real-time decision-making.

Data at rest and in motion spans the boundaries of the public cloud and extends to traditional on-premises systems and SaaS applications. Given DSPM's public cloud focus, organizations should consider technologies that extend the benefits of DSPM throughout the entire lifecycle of data and consistently enforce security controls regardless of where the data resides.

Prioritize misconfigurations based on data context

Let's say you receive two alerts from your cloud security posture management (CSPM) solution:

● An AWS S3 bucket is publicly accessible through its bucket policy

● An AWS Redshift cluster uses the default port (5439) for network access

Which one will you prioritize first?

Probably the S3 bucket, since anyone can read its data. The Redshift cluster feels less urgent because other controls (security groups, authentication) may still stand between an attacker and that default port. But if you know that the S3 bucket holds marketing website images, while the Redshift cluster holds financial records containing customers' personally identifiable information (PII), your decision changes.

This is the blind spot of CSPM solutions: they have no intelligence about the data behind the resources they assess. When teams receive a flood of posture alerts, they need that context to prioritize. Some assume CSPM can simply auto-remediate every alert, but that is not always practical, especially when a small configuration change can break the application that depends on it.
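The two-alert scenario above, worked through as an added Python example (not code from the original article or from any CSPM or DSPM product). It does three things a practitioner would actually want: it detects a public S3 bucket policy by looking for an Allow statement to Principal "*" that has no restricting condition, it flags a Redshift cluster on the default port, and it reorders the resulting findings using the data classes a DSPM inventory reports for each store. The bucket policies, inventory, class weights and the list of restricting condition keys are all assumptions made for this example.

```python
import json

# Condition keys that scope an Allow to Principal "*" so it is not reachable
# from the open internet. This list is a simplification assumed for the
# example; AWS's own public-access evaluation is more detailed.
RESTRICTING_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn", "aws:sourceaccount",
    "aws:principalaccount", "aws:principalorgid",
}


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _condition_restricts(condition):
    return any(key.lower() in RESTRICTING_KEYS
               for key_values in condition.values() for key in key_values)


def public_statements(policy):
    """Allow statements that grant access to anyone and carry no restricting condition."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [s for s in stmts
            if s.get("Effect") == "Allow"
            and _principal_is_anyone(s.get("Principal"))
            and not _condition_restricts(s.get("Condition", {}))]


# Constructed bucket policy for this example (no real account or bucket).
MARKETING_ASSETS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::marketing-site-assets/*"
  }]
}""")

# The same grant scoped to one VPC endpoint: wildcard principal, but not internet-reachable.
VPC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::internal-exports/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

REDSHIFT_DEFAULT_PORT = 5439


def s3_finding(bucket, policy):
    if public_statements(policy):
        return {"resource": bucket, "check": "s3-bucket-policy-public", "base_severity": 9}
    return None


def redshift_finding(cluster, port):
    if port == REDSHIFT_DEFAULT_PORT:
        return {"resource": cluster, "check": "redshift-default-port", "base_severity": 3}
    return None


# Constructed DSPM inventory: the data classes found in each store.
DATA_INVENTORY = {
    "marketing-site-assets": {"classes": set()},
    "finance-cluster": {"classes": {"PII", "FINANCIAL"}},
}

# Assumed weights; a real scheme is tuned to the organization's risk appetite.
CLASS_WEIGHT = {"PII": 4, "FINANCIAL": 4, "INTERNAL": 2}


def prioritize(findings, inventory):
    """Rank findings by base severity times the weight of the most sensitive class stored there."""
    ranked = []
    for f in findings:
        classes = inventory.get(f["resource"], {}).get("classes", set())
        weight = max((CLASS_WEIGHT.get(c, 1) for c in classes), default=1)
        ranked.append({**f, "score": f["base_severity"] * weight})
    return sorted(ranked, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    candidates = (s3_finding("marketing-site-assets", MARKETING_ASSETS_POLICY),
                  s3_finding("internal-exports", VPC_ONLY_POLICY),
                  redshift_finding("finance-cluster", 5439))
    for f in prioritize([c for c in candidates if c], DATA_INVENTORY):
        print(f["score"], f["resource"], f["check"])
```

With no data context the public bucket (severity 9) would sit above the default-port cluster (severity 3); once the inventory says the cluster holds PII and financial records, the cluster scores 12 against the bucket's 9 and moves to the top. The VPC-scoped policy produces no finding at all, which is the check a CSPM rule that only looks for Principal "*" gets wrong.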

Complement CSPM controls

While DSPM does provide more data intelligence, CSPM still plays a vital role in improving an organization's overall security. DSPM and CSPM are complementary and provide multiple layers of defense. For example, CSPM can alert on a virtual machine misconfiguration that would let an attacker assume an administrator role and reach other cloud resources, while DSPM can find unprotected social security numbers and credit card numbers in the cloud. The role of DSPM is to help organizations protect their data, guiding how to prioritize risk mitigation based on where sensitive data is stored, who has access to it, and how the underlying data systems are misconfigured.

In other words, DSPM and CSPM each have unique advantages, and together they provide a more comprehensive security posture. CSPM and DSPM vendors will eventually offer overlapping capabilities, but the distinction remains: CSPM is centered on cloud infrastructure, while DSPM has the potential to extend data control both inside and outside the cloud.

Comply with data security and privacy regulations

At a basic level, DSPM provides a rule base of posture checks mapped to the various data protection and privacy regulations. When organizations reduce the risk of violating those rules, they also improve their compliance. With a deep understanding of the regulations and automated insight into data, users and locations, DSPM solutions should also help with tough compliance problems such as cross-border data transfers that violate data and user residency restrictions.

Improve zero trust with data access control

One problem with the popular role-based access control (RBAC) model is that it tends to accumulate excess privilege. Most organizations grant users more permissions than they need because they do not want to slow down their data projects. By analyzing data access activity, DSPM solutions can recommend which users do not need full access and which permissions can be trimmed, moving the organization closer to zero trust.

Additionally, by providing insight into attributes such as data sensitivity and location, DSPM should enable organizations to implement fine-grained attribute-based access controls, such as masking sensitive columns for specific roles or temporarily blocking access requests from suspicious locations.
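The access-activity analysis described in the two paragraphs above, as an added Python example (not code from the original article or from any DSPM product). It compares the grants each principal holds against the privileges it actually exercised within a review window and emits the revocations that would bring the grants down to observed need, and it flags access events from a country the principal is not expected to work from. The grant table, the tab-separated audit log, the home-country mapping and the window start are all constructed for this example; in production the log would come from the warehouse's audit tables and the window from the current date.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed grants: (table, privilege) pairs each principal currently holds.
GRANTS = {
    "analyst_ana": {("finance.customers", "SELECT"), ("finance.customers", "UPDATE"),
                    ("marketing.assets", "SELECT")},
    "etl_svc": {("finance.customers", "SELECT"), ("finance.customers", "INSERT")},
}

# Constructed audit log: timestamp, principal, table, privilege used, source country.
AUDIT_LOG = """\
2024-03-01T09:12:00Z\tanalyst_ana\tfinance.customers\tSELECT\tDE
2024-03-02T10:30:00Z\tetl_svc\tfinance.customers\tINSERT\tDE
2024-03-15T22:41:00Z\tanalyst_ana\tmarketing.assets\tSELECT\tDE
2024-04-20T03:05:00Z\tanalyst_ana\tfinance.customers\tSELECT\tRU
2024-05-10T08:00:00Z\tetl_svc\tfinance.customers\tSELECT\tDE
"""

# Where each principal is expected to work from (assumed for the example).
HOME_COUNTRIES = {"analyst_ana": {"DE"}, "etl_svc": {"DE"}}

# Review window start; in production this would be now() minus, say, 90 days.
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the tab-separated audit lines into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, table, privilege, country = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "table": table, "privilege": privilege, "country": country,
        })
    return events


EVENTS = parse_log(AUDIT_LOG)


def exercised_grants(events, since):
    """(table, privilege) pairs each principal actually used on or after `since`."""
    used = defaultdict(set)
    for e in events:
        if e["ts"] >= since:
            used[e["user"]].add((e["table"], e["privilege"]))
    return used


def unused_grants(grants, events, since):
    """Grants never exercised in the window: the revocation candidates."""
    used = exercised_grants(events, since)
    result = {}
    for user, held in grants.items():
        idle = held - used.get(user, set())
        if idle:
            result[user] = sorted(idle)
    return result


def out_of_region_access(events, home):
    """Events from a country the principal is not expected to work from."""
    return [e for e in events if e["country"] not in home.get(e["user"], set())]


if __name__ == "__main__":
    for user, idle in unused_grants(GRANTS, EVENTS, WINDOW_START).items():
        for table, priv in idle:
            print(f"REVOKE {priv} ON {table} FROM {user};  -- unused since {WINDOW_START.date()}")
    for e in out_of_region_access(EVENTS, HOME_COUNTRIES):
        print(f"review: {e['user']} accessed {e['table']} from {e['country']} at {e['ts'].isoformat()}")
```

On the sample log the analyst never used UPDATE on finance.customers, so that grant is the one recommendation, while the ETL service exercised everything it holds and is left alone. The single access from RU is surfaced for review rather than blocked outright, since a location signal on its own is a reason to look, not proof of compromise.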

By staying ahead of the curve in DSPM technology developments, you can help your company plan the most effective cloud data security strategy. It’s worth noting that other teams in the company, such as data privacy and governance, also need data intelligence and control.

It's neither practical nor cost-effective for each team to scan petabytes of cloud data to meet their individual needs. Don’t embark on the DSPM journey alone, but join with others to unify data control across disciplines and data locations using a common foundation of sensitive data intelligence.


Reposted from: blog.csdn.net/qq_29607687/article/details/133285646