Data is every business’s most crucial asset – the foundation of any security program. Data Security Posture Management (DSPM) is an emerging security trend named by Gartner in its 2022 Hype Cycle for Data Security. The aim of DSPM solutions is to enable security teams to answer three fundamental questions:
- Where is our sensitive data?
- What sensitive data is at risk?
- How can we take action to remediate that risk?
The cloud has fundamentally changed how businesses function. Moving workloads and data assets is now simpler than ever, which is a boon for productivity: businesses can respond quickly to customer demands and create new revenue opportunities. However, the pace and permissive nature of the cloud also dramatically expands a company’s attack surface and raises the likelihood of a data breach. Put simply, the distributed nature of the cloud seriously complicates data security.
Historically, a number of technologies have attempted to address challenges related to data security, including:
- Data Discovery and Classification
- Data Loss Prevention (DLP)
- Data Access Governance (DAG)
DSPM solutions combine capabilities from all three of these areas and represent the next-generation approach.
DSPM represents a next-generation approach to data security
DSPM vendors take a cloud-first approach to make it easier to discover, classify, assess, prioritize, and remediate data security issues. They address cloud security concerns by automating data detection and protection in dynamic environments and at massive scale.
Gartner Research summarizes the DSPM space, saying, “Data security posture management provides visibility as to where sensitive data is, who has access to that data, how it has been used and what the security posture of the data store or application is. In simple terms, DSPM vendors and products provide “data discovery+” — that is, in-depth data discovery plus varying combinations of data observability features. Such features may include real-time visibility into data flows, risk and compliance with data security controls. The objective is to identify security gaps and undue exposure. DSPM accelerates assessments of how data security posture can be enforced through complementary data security controls.” In short, DSPM answers four questions about sensitive data: where it is, who has access to it, how it has been used, and how well the store or application holding it is secured.
The foundation of a DSPM offering is data discovery and classification. Reports such as Forrester’s Now Tech: Data Discovery And Classification, Q4 2020 examine data discovery and classification technologies in depth; Forrester groups them into five segments: data management, information governance, privacy, security, and specialist concerns. These segments align to three major buying centers: global risk and compliance, security, and business units/product owners.
DSPM focuses on delivering automated, continuous, and accurate data discovery and classification for security teams. All three buying centers need data discovery and classification, but, as the list below shows, each applies it to different ends:
- Global risk and compliance teams (governance, IT, and privacy groups) use:
  - Data management, which prepares data for use and typically supports data governance, data quality and accuracy, and data mapping and lineage analysis.
  - Information governance, which supports data lifecycle management: ROT (redundant, obsolete, trivial) reduction, cloud migration, storage reduction and infrastructure optimization, and lifecycle requirements such as retention, deletion, and disposition.
  - Privacy, which facilitates privacy processes and compliance: fulfilling data subject access requests (DSARs) such as access or deletion requests, tracking cross-border data transfers, and managing the processes required by regulations such as the CCPA and GDPR.
- Security teams aim to understand data so they can apply controls, build a resilient posture, minimize the attack surface, and improve ransomware resilience. They use:
  - Data Loss Prevention (DLP), which lets teams act to protect data and enforce security policies.
  - Data Access Governance (DAG), which implements data security access policies for unstructured data.
  - Tokenization and Format-Preserving Encryption (FPE), which protect sensitive data or produce a de-identified copy of a dataset.
- Specialists correspond to business units or product owners. Products aimed at this buying center may emphasize user-driven classification labels, or the identification of specific types of intellectual property such as source code, or sensitive documents such as non-disclosure agreements.
Posture management solutions abound
Today there are three prevailing types of posture management solution: cloud security posture management (CSPM), SaaS security posture management (SSPM), and data security posture management (DSPM). They can be distinguished as follows:
- CSPM focuses on cloud infrastructure, providing visibility into cloud assets and alerting on risky misconfigurations.
- SSPM does the same for SaaS applications, identifying misconfigurations, unnecessary user accounts, excessive user permissions, compliance risks, and other security issues in those services.
- DSPM focuses on the data itself and its application context: it analyzes data both at rest and in motion, classifies it by sensitivity (for example PII, PHI, and financial information), and provides remediation guidance and workflows to close security gaps automatically.
While DSPM solutions have taken a cloud-first approach, data security is not limited to cloud environments. More mature DSPM solutions will therefore also cover on-prem use cases, since most businesses keep some data on-prem and will for years to come. In addition, as the DSPM space evolves and solutions mature, some will grow into broader data security platforms with the ability to:
- Discover and classify sensitive data
- Reduce the attack surface
- Detect and respond to data security issues
- Automate risk remediation workflows
- Maintain operational resilience and preparedness
DSPM solutions address key security use cases
Businesses thrive on collaboration. In today’s highly distributed environments, many of which rely on cloud technologies, any file or data element can be shared at the click of a button. DSPM supplies the piece most security programs are missing: a means of identifying, contextualizing, and protecting sensitive data.
DSPM solutions empower security teams to:
- Understand the data an enterprise manages, and what is at risk - agentless integration gives security teams visibility into their data assets without deploying software on each host. DSPM solutions automatically classify that data and assess its security, producing actionable findings that reduce risk.
- Protect sensitive data from breaches and leaks - proactive assessment of internet-facing exposure and access permissions, coupled with detection and response capabilities, reduces the exposure of an enterprise’s most valuable data.
- Anticipate threats and respond to attacks faster - machine-learning classifiers reduce the manual regular-expression tuning that pattern-based discovery requires, and models of how systems, users, and data normally interact allow anomalous activity to be detected in near real time.
- Empower distributed teams to use data securely - permission graphs show which sensitive data a given identity can reach, which informs data access governance, supports trimming excess permissions, and lets data be shared safely.
- Increase productivity by simplifying audits - a continuously updated inventory of sensitive data, its location, and who has access saves time when fulfilling subject access requests and privacy and compliance audits.
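The three questions at the top of the page (where is sensitive data, what is at risk, how do we remediate) and the classification and permission-graph capabilities listed above can be sketched in code. The Python below is an added illustration written for this article; it is not a vendor’s product or the page’s own code. The store names, identities, records, access log and severity weights are all constructed for the example, and the risk formula is a deliberately simple stand-in for whatever scoring a real product uses.

```python
"""Toy DSPM pass over constructed data.

Added illustration only: the stores, identities, records, access log and weights
below are made up for the example, and the logic is not any vendor's product.
"""
import re
from collections import defaultdict

# ---- Step 1: discovery and classification ------------------------------------
# Each classifier pairs a pattern with a validator; the validator rejects matches
# a bare regex would accept (e.g. a 16-digit order number that is not a card).

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CLASSIFIERS = {
    "PCI:card_number": (re.compile(r"\b(?:\d[ -]?){13,19}\b"),
                        lambda m: luhn_ok(re.sub(r"\D", "", m))),
    "PII:ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                lambda m: not m.startswith(("000", "666", "9"))),  # never-issued areas
    "PII:email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda m: True),
}

# Constructed severity weights (hypothetical; a real policy would set these).
SEVERITY = {"PCI:card_number": 10, "PII:ssn": 10, "PII:email": 2}

def classify_store(records):
    """Return {label: hit_count} over every field value in a store's records."""
    found = defaultdict(int)
    for rec in records:
        for value in rec.values():
            text = str(value)
            for label, (pattern, valid) in CLASSIFIERS.items():
                for m in pattern.finditer(text):
                    if valid(m.group(0)):
                        found[label] += 1
    return dict(found)

# ---- Constructed inventory ---------------------------------------------------
DATA_STORES = {
    "s3://billing-exports": [
        {"customer": "Ann Lee", "contact": "ann@example.com",
         "card": "4111 1111 1111 1111", "amount": "120.00"},
        {"customer": "Raj Patel", "contact": "raj@example.com",
         "card": "4111 1111 1111 1112", "amount": "75.10"},   # fails Luhn: not counted
    ],
    "pg://hr-db": [
        {"name": "Ann Lee", "ssn": "123-45-6789"},
        {"name": "Test Row", "ssn": "000-12-3456"},           # invalid area: not counted
    ],
    "s3://marketing-assets": [
        {"asset": "brochure-2024.pdf", "owner": "pr@example.com"},
    ],
}
# Identity -> stores it may read (in practice derived from IAM policies and ACLs).
GRANTS = {
    "alice@corp": {"s3://billing-exports", "s3://marketing-assets"},
    "bob@corp": {"s3://billing-exports"},
    "svc-etl": {"s3://billing-exports", "pg://hr-db"},
    "contractor-1": {"s3://marketing-assets", "pg://hr-db"},
}
PUBLIC_STORES = {"s3://marketing-assets"}        # constructed exposure flag
ACCESS_LOG = [                                   # constructed (identity, store) reads
    ("alice@corp", "s3://billing-exports"), ("svc-etl", "s3://billing-exports"),
    ("svc-etl", "pg://hr-db"), ("contractor-1", "s3://marketing-assets"),
]

# ---- Steps 2 and 3: who can reach what, and what to fix ----------------------
def assess(stores, grants, public, access_log):
    """Join classification with the permission graph; rank stores and list
    readers whose grant was never exercised (permission-trimming candidates)."""
    readers = defaultdict(set)                   # store -> identities that can read it
    for ident, targets in grants.items():
        for store in targets:
            readers[store].add(ident)
    used = set(access_log)
    report = {}
    for name, records in stores.items():
        labels = classify_store(records)
        risk = sum(SEVERITY[l] * n for l, n in labels.items())
        risk *= 1 + len(readers[name])           # blast radius: every reader is a path in
        if name in public:
            risk *= 5                            # internet exposure dominates
        report[name] = {
            "labels": labels,
            "readers": sorted(readers[name]),
            "public": name in public,
            "risk": risk,
            "trim": sorted(i for i in readers[name] if (i, name) not in used),
        }
    return report

if __name__ == "__main__":
    ranked = sorted(assess(DATA_STORES, GRANTS, PUBLIC_STORES, ACCESS_LOG).items(),
                    key=lambda kv: -kv[1]["risk"])
    for name, r in ranked:
        print(f"{r['risk']:>4} {name}  {r['labels']}  public={r['public']}  trim={r['trim']}")
```

Two points a practitioner would check here: the validators matter as much as the patterns (the second card number and the second SSN are rejected by the Luhn and area checks, which is where a regex-only classifier would have produced false positives), and the "trim" list is only as good as the access-log window behind it; a grant that is exercised once a quarter looks idle in a week of logs, so remediation should be a review queue, not an automatic revoke.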