Data Security Posture Management (DSPM)
Data is every business's most crucial asset—the foundation of any security program. Data security posture management (DSPM) is an innovative technology that Gartner recognizes as a solution to cloud-driven data sprawl. DSPM solutions aim to enable security and compliance teams to answer three fundamental questions:
- Where is our sensitive data?
- What sensitive data is at risk?
- How can we take action to remediate that risk?
The cloud has fundamentally changed how businesses function. Moving workloads and data assets is now simpler than ever and is a boon for productivity, enabling businesses to quickly respond to customer demands and create new revenue opportunities. However, the pace and permissive nature of the cloud also dramatically expands a company's threat surface and raises the likelihood of a data breach. Put simply, the distributed nature of the cloud seriously complicates data security.
Historically, several technologies have attempted to address challenges related to data security, including the following:
- Data discovery and classification
- Data loss prevention (DLP)
- Data access governance (DAG)
DSPM solutions combine capabilities from all three of these areas. However, core to the innovation that DSPM introduces is a cloud-native architecture that represents the foundation of the technology’s next-generation approach to data security.
DSPM vs. Traditional Approaches
The shift toward cloud-based workloads and data storage has been remarkable, driven by businesses' need for agility, scalability, and digital transformation. Cloud-native architectures distribute data across multiple platforms, each with its own security model and controls. That added complexity means traditional security tools, which were built to watch data at fixed locations and to match static definitions of what they should defend, may fall short.
DLP tools were designed to prevent data breaches and leaks. They can enforce effective controls: their agent-based, inline approach blocks sensitive data from leaving via network, email, and endpoint channels. But they come with inherent limitations.
A key limitation is the data DLP tools were designed to protect. DLP focuses on unstructured data (files, messages), so it typically provides little or no visibility into, or control over, structured data held in databases and data warehouses.
Another limitation is the use cases a DLP tool supports. There are unique DLP tools for cloud, email, endpoint, and network security just to name a few. This fragmentation creates silos of visibility, understanding, and control, even if the tools are implemented and configured perfectly.
Another fundamental challenge is that DLP tools depend on human interaction. For a DLP tool to discover datastores, a human must point the tool at each store and, in most cases, manually establish the connection. This manual scoping of the coverage area makes it hard for DLP to keep pace with dynamic cloud environments. Unless a solution is designed with cloud-native architectures in mind, there will be delays or even gaps in coverage.
For example, a DLP tool may fail to identify new data assets created during automated deployments, which leaves "unknown unknowns" exposed: sensitive data hosted in newly created stores that the security team does not know exist.
Classification has the same dependency. Although many DLP solutions ship templates for common data classes, a human must define the static rules the tool uses to recognize sensitive data in the datastores it has been connected to. Because it is impossible to predict every new type or permutation of data, rule-based DLP has a well-known drawback: confidential data that falls outside the rule structures leaks through. Employees also learn where the rules and coverage areas end, and some intentionally sidestep the rigid controls.
The Forrester report "Data Security Platforms, Q1 2023: The 14 Providers That Matter Most and How They Stack Up" (March 2023) underscored the need for solutions that offer comprehensive data discovery, classification, and security across disparate environments. The report's named leaders each take a different approach to data security. According to Forrester, data security platforms reduce the burden of operations, minimize user security friction, and reduce risk through strong security and risk management.
Gartner's 2023 "Innovation Insight: Data Security Posture Management" report spotlights DSPM as a response to the surge in structured and unstructured data. DSPM extends beyond what traditional DLP can offer by providing a unified view of an organization's data security posture across cloud platforms, mapping and tracking sensitive data throughout its lifecycle so that exposures can be found and reduced. The report anticipates benefits including geographic data mapping, an improved overall data security posture, and business value from the data catalog capabilities built into DSPM dashboards. It also highlights "the urgent need for new technologies, such as DSPM, that can help discover shadow data and mitigate the growing data security and privacy risks."
However, neither Forrester nor Gartner highlights the fundamental difference between legacy data security solutions such as DLP and what DSPM introduces. The legacy solutions, including those that lead the Forrester Wave, share an architecture that requires humans to connect the tools to datastores and to define, through extensive manual work, how data is classified and therefore detected. A recent survey of North American security leaders found that these manual processes, long and complex implementation and configuration cycles, and a lack of automation were limiting their ability to achieve robust data security.
That is the fundamental challenge DSPM solutions were created to address.
DSPM Solutions Address Key Security Use Cases
Businesses thrive on collaboration. The current reality of highly distributed environments—many of which leverage cloud technologies—means that any file or data element can be easily shared with the click of a button. DSPM provides the missing piece to complete most security programs' puzzles—a means of identifying, contextualizing, and protecting sensitive data.
DSPM solutions empower security teams to do the following:
- Understand what data an enterprise manages and what is at risk. Agentless integration gives security teams visibility into the data assets in connected environments without deploying software to each host. The most advanced DSPM solutions combine machine learning (ML), other artificial intelligence (AI) techniques, and regular expressions (RegEx) to classify data and assess its security automatically, giving security teams continuous, actionable insight to reduce risk.
- Protect sensitive data from breaches and leaks. Proactive assessment of internet-facing exposure and access permissions, coupled with detection and response capabilities, keeps an enterprise's most valuable data assets safe from attack.
- Anticipate threats and respond to attacks faster. Dynamic visibility across environments and deployment modes, combined with ML models that learn the normal patterns of interaction between systems, users, and data without a lengthy training period, allows anomalous activity to be detected in real time.
- Empower distributed teams to use data securely. User permission graphs show which sensitive data a given identity can reach. That informs DAG, supports trimming of excess permissions, and lets data be shared safely.
- Increase productivity by simplifying audits. Continuously updated inventories of sensitive data save time and effort when responding to data subject access requests and to privacy and compliance audits, because the enterprise always knows what data it has, where it is located, and who has access.
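The permission-graph idea above can be made concrete with a small model. The following is an added example, not Cyera's code or data model: it assumes identities hold roles, roles carry actions on datastores, datastores carry a sensitivity label produced by classification, and an access log records which (identity, datastore) pairs were actually exercised recently. Every identity, role, datastore, and log entry below is constructed for illustration.

```python
"""Identity-to-data permission graph (added example, not Cyera's code).

Assumptions, all constructed for illustration: identities hold roles, roles
carry actions on datastores, datastores carry a sensitivity label produced by
classification, and an access log records which (identity, datastore) pairs
were actually used recently. Every name below is hypothetical.
"""
from collections import defaultdict

SENSITIVE = {"personal", "financial", "health"}

IDENTITY_ROLES = {  # constructed
    "alice@corp.example": {"data-engineer"},
    "bob@corp.example": {"analyst", "billing-admin"},
    "svc-etl": {"data-engineer", "billing-admin"},
}
ROLE_GRANTS = {  # constructed: role -> datastore -> actions
    "data-engineer": {"s3://raw-events": {"read", "write"}, "rds://customers": {"read"}},
    "analyst": {"s3://reports": {"read"}},
    "billing-admin": {"rds://payments": {"read", "write"}},
}
DATASTORE_SENSITIVITY = {  # constructed classification output
    "s3://raw-events": "internal", "s3://reports": "internal",
    "rds://customers": "personal", "rds://payments": "financial",
}
ACCESS_LOG = {  # constructed: pairs exercised in the last 90 days
    ("alice@corp.example", "s3://raw-events"),
    ("bob@corp.example", "s3://reports"),
    ("svc-etl", "s3://raw-events"),
}


def effective_access(identity_roles=IDENTITY_ROLES, role_grants=ROLE_GRANTS):
    """Flatten role membership into identity -> {datastore: set of actions}."""
    graph = defaultdict(lambda: defaultdict(set))
    for identity, roles in identity_roles.items():
        for role in roles:
            for store, actions in role_grants.get(role, {}).items():
                graph[identity][store] |= set(actions)
    return {i: dict(stores) for i, stores in graph.items()}


def sensitive_reach(graph, sensitivity=DATASTORE_SENSITIVITY):
    """Identities that can reach sensitive datastores, and which ones.

    This is the blast radius if that identity is compromised."""
    reach = {}
    for identity, stores in graph.items():
        hits = sorted(s for s in stores if sensitivity.get(s) in SENSITIVE)
        if hits:
            reach[identity] = hits
    return reach


def trimming_candidates(graph, access_log=ACCESS_LOG, sensitivity=DATASTORE_SENSITIVITY):
    """Grants on sensitive stores that were never exercised: first targets for least privilege."""
    return sorted(
        (identity, store)
        for identity, stores in graph.items()
        for store in stores
        if sensitivity.get(store) in SENSITIVE and (identity, store) not in access_log
    )


if __name__ == "__main__":
    g = effective_access()
    for identity, stores in sensitive_reach(g).items():
        print(identity, "->", ", ".join(stores))
    print("unused sensitive grants:", trimming_candidates(g))
```

Two queries fall out of the flattened graph: which identities can reach sensitive stores at all, and which of those grants have not been used. The second list is the practical starting point for permission trimming, because removing a grant nobody exercises carries little operational risk; in a real environment the access log would come from the cloud provider's audit trail rather than a constructed set.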
Advantages of Modern, Cloud-native DSPM
Modern, cloud-native DSPM solutions offer a superior alternative to traditional DLP and to tools that claim DSPM capabilities but rely on legacy, human-driven approaches. Cloud-native DSPM uses an agentless approach to dynamically discover structured and unstructured data across a company's data landscape. AI and ML then automatically and continuously identify, learn, and classify sensitive data so the platform can surface exposures and let security teams respond to changes in the data environment. Unlike legacy DLP, which typically depends on static rules, cloud-native DSPM adapts and learns from data interactions in real time. This dynamic approach gives a more precise understanding of data context and helps reveal exposures that would otherwise stay hidden.
Cyera, a data security platform provider, applies AI to pinpoint such exposures while balancing detailed logging against cost. Its policy engine helps security teams strengthen their data security posture while managing cloud spend: it identifies where the most sensitive data resides and flags when a lack of encryption or tokenization, risky datastore configurations, data drift, overly permissive access, or misuse exposes the business to unnecessary risk (for example, administrative actions or modifications to sensitive data that are not adequately logged).
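The exposure and configuration checks described above (internet-facing exposure, missing encryption, missing logging, with the sensitivity of the data deciding how urgent a finding is) can be expressed as rules over a datastore inventory. The block below is an added illustration written for this page, not Cyera's policy engine. Its inventory records, field names, and rule names are hypothetical; the resource-policy shape mirrors an S3 bucket policy, and the `is_public` check is deliberately simplified, as the comment notes.

```python
"""Posture rules over a datastore inventory (added example, not Cyera's engine).

Constructed inventory records carry the fields a DSPM would pull from cloud
APIs: a resource policy, whether encryption at rest is on, whether access
logging is on, and the sensitivity label assigned by classification.
Field and rule names are hypothetical.
"""

SENSITIVE = {"personal", "financial", "health"}
LEVELS = ["low", "medium", "high", "critical"]

INVENTORY = [  # constructed sample
    {"id": "s3://customer-exports", "sensitivity": "personal",
     "encryption_at_rest": False, "access_logging": False,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::customer-exports/*"}]}},
    {"id": "s3://build-cache", "sensitivity": "internal",
     "encryption_at_rest": True, "access_logging": False,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::build-cache/*",
                               "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}]}},
    {"id": "rds://payments", "sensitivity": "financial",
     "encryption_at_rest": True, "access_logging": True, "policy": None},
]


def is_public(policy):
    """True when an Allow statement grants to everyone with no Condition.

    Simplification: any Condition is treated as a restriction. A real
    evaluator must inspect the condition keys, since some conditions still
    leave the resource reachable by anyone."""
    for st in (policy or {}).get("Statement", []):
        p = st.get("Principal")
        everyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") == "Allow" and everyone and not st.get("Condition"):
            return True
    return False


# Each rule maps a datastore record to (rule name, base severity) or None.
def rule_public_exposure(ds):
    return ("public_exposure", "high") if is_public(ds["policy"]) else None


def rule_unencrypted(ds):
    return ("no_encryption_at_rest", "medium") if not ds["encryption_at_rest"] else None


def rule_no_logging(ds):
    return ("access_logging_disabled", "low") if not ds["access_logging"] else None


RULES = [rule_public_exposure, rule_unencrypted, rule_no_logging]


def escalate(level):
    """Raise severity one step for stores that hold sensitive data."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


def assess(inventory):
    """Run every rule over every datastore; severity depends on what the store holds."""
    findings = []
    for ds in inventory:
        for rule in RULES:
            hit = rule(ds)
            if hit is None:
                continue
            name, base = hit
            sev = escalate(base) if ds["sensitivity"] in SENSITIVE else base
            findings.append({"datastore": ds["id"], "rule": name, "severity": sev})
    return sorted(findings, key=lambda f: -LEVELS.index(f["severity"]))  # most urgent first


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f['severity']:8} {f['datastore']:24} {f['rule']}")
```

The point of the example is the coupling: the same misconfiguration (logging off) is a low finding on a build cache and a medium finding on a store of personal data, and a public bucket of personal data is the first line of the report. That ranking is what a classification-first posture tool adds over a plain configuration scanner.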
Uses Artificial Intelligence for Automated Classification
Automated data classification is a core capability of modern DSPM. It uses language models, ML, and RegExes to determine the type and sensitivity of data. DLP classification relies on predefined strings or patterns to decide whether data is too sensitive to pass unchecked across enterprise network boundaries. AI-powered DSPM is not limited to those resources: it can extract topics and match information to broader categories and contexts, enriching the categorization of data assets.
Cyera incorporates large language models (LLMs) to identify and categorize data types within an established data inventory. Each data snapshot is restored (and, where needed, decrypted) in a separate environment for scanning. Data is then classified into categories such as personal, financial, health-related, and business-specific information.
Cyera also uses AI to discover data types unique to the customer and their environment, drawing on context from the environment, the data source, and the data itself.
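To make the classification layers in this section and in the earlier "Understand the data" point concrete, here is an added example, not Cyera's classifier: regular expressions find candidates, validators (the Luhn check for card numbers, range rules for US SSNs) cut the false positives a bare pattern would produce, and keyword context assigns a category such as health or financial. The ML/LLM layer a production DSPM adds on top is not reproduced. The sample text and keyword lists are constructed.

```python
"""Sensitive-data detection with patterns, validation, and context.

Added example, not Cyera's classifier. Regexes find candidates, validators
(Luhn, SSN range rules) cut false positives, keyword context assigns a
category. A production DSPM would add an ML/LLM layer on top, which is not
reproduced here. Sample text and keyword lists are constructed.
"""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")           # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")  # US SSN issuance rules
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

CONTEXT = {  # constructed: words that place surrounding data into a category
    "health": {"patient", "diagnosis", "prescription", "medical"},
    "financial": {"card", "invoice", "payment", "account"},
}


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Card-like digit runs that also pass Luhn; a bare regex would accept order IDs too."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group())
    return hits


def classify(text):
    """Return detector hits and the categories implied by hits plus surrounding context."""
    detectors = {
        "credit_card": find_cards(text),
        "ssn": SSN_RE.findall(text),
        "email": EMAIL_RE.findall(text),
    }
    words = set(re.findall(r"[a-z]+", text.lower()))
    categories = set()
    if detectors["ssn"] or detectors["email"]:
        categories.add("personal")
    if detectors["credit_card"]:
        categories.add("financial")
    for category, keywords in CONTEXT.items():
        if words & keywords:
            categories.add(category)
    return {"detectors": detectors, "categories": sorted(categories)}


SAMPLE = (  # constructed record: one real-format card, one 16-digit order id that is not a card
    "Patient John Doe (jdoe@example.com), SSN 123-45-6789, diagnosis: hypertension. "
    "Card 4111 1111 1111 1111 charged 40.00. Order 1234567812345678 shipped."
)

if __name__ == "__main__":
    result = classify(SAMPLE)
    print(result["categories"])
    for name, hits in result["detectors"].items():
        print(f"{name}: {hits}")
```

Run on the sample, the card detector keeps `4111 1111 1111 1111` (a standard test number that passes Luhn) and drops the order number, which matches the same pattern but fails the checksum; the health category comes from the words around the SSN rather than from any pattern, which is the "context" a pattern-only DLP rule does not have.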
Helps You Keep Up with Evolving Standards
DSPM is responsive to regulatory change, helping businesses stay compliant. As regulations evolve, DSPM vendors can map new requirements into their classification and policy content and roll them out across customer deployments, so data assets continue to be protected and managed to the required standard even when that standard changes.
Aligns with Buying Centers
DSPM focuses on delivering automated, continuous, and highly accurate data discovery and classification for security teams. The following list shows how these capabilities align with buying centers, all of which need data discovery and classification but use it for different purposes:
Risk and compliance teams, including governance, IT, and privacy groups, use the following:
- Data management prepares data for use and typically supports efforts such as data governance, data quality, and accuracy, as well as data mapping and lineage analysis.
- Information governance supports data lifecycle management and helps with ROT (redundant, obsolete, trivial) reduction, cloud migration, storage reduction, infrastructure optimization, and data lifecycle requirements, such as retention, deletion, and disposition.
- Privacy facilitates privacy processes and compliance and helps to enable the fulfillment of data subject access rights (DSARs), such as data access or deletion requests; track cross-border data transfers; and manage privacy processes to support requirements such as the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR).
Security teams aim to understand data in order to apply controls, build a resilient posture, minimize their attack surface, and improve ransomware resilience, so they use the following:
- DLP enables teams to take action to protect their data and enforce security policies.
- DAG focuses on the implementation of data security access policies for unstructured data.
- Tokenization and format-preserving encryption (FPE) solutions aim to protect sensitive data or create a deidentified copy of a data set.
Specialist buyers, typically business units or product owners, use the following:
- Products that appeal to this buying center can include an emphasis on user-driven classification labels or identification of specific types of intellectual property, such as source code, or sensitive documents, such as nondisclosure agreements.
Evaluate Your Data Security Posture Holistically
Evaluating your data security posture involves understanding the threats to your data and the protections you have in place. DSPM offers a suite of evaluation metrics to help cybersecurity professionals measure their data security effectiveness.
Key evaluation metrics for DSPM typically include environment and datastore coverage, the ability to accurately identify data at risk, insight into the root cause of an exposure, how well the solution works with existing tools, and overall time to value. Together these give a holistic view of your data security posture, highlighting areas of risk and concrete remediation steps, as well as how quickly the solution can be deployed to cover new sources of data and apply remediation.
New entrants into the DSPM market support a variety of deployment models. Cyera has taken the most expansive and holistic approach, covering structured and unstructured data across Infrastructure-as-a-Service (IaaS), Platform/Database-as-a-Service (PaaS/DBaaS), and Software-as-a-Service (SaaS), with on-prem support currently under development. This ensures that security teams develop a comprehensive understanding of their data and any security or compliance exposures that exist as data is created, consumed, and used by the organization.
Performing regular DSPM assessments is essential to maintaining a robust security posture. These evaluations identify new and emerging risks and verify that all sensitive data is adequately protected. Cyera's DSPM solution continuously discovers, learns, and classifies data across a business's data landscape, providing dynamic visibility and ongoing data risk assessment as data grows and changes throughout its lifecycle.
DSPM and the Future of Data Security
The world of data security is rapidly evolving, and DSPM is at the forefront of this change. Forrester's 2023 report on data security platforms emphasizes the growing importance of solutions that provide comprehensive visibility and control over data, regardless of where it resides.
With the increasing migration of data to the cloud and the proliferation of remote work, the importance of DSPM is expected to continue growing. This trend is likely to see further integration of AI and ML in DSPM solutions, enabling more dynamic, proactive data security.
In the future, you can expect DSPM to continue evolving to meet the ever-changing data security landscape. This evolution will include enhanced features for automatic data discovery to account for the entirety of a business’s data landscape, harnessing evolving technologies to accelerate classification, deeper integrations with the broad ecosystem of security tools, as well as more sophisticated analytics to understand complex data interactions.
Maintaining a strong data security posture in the cloud is a complex challenge. DSPM offers a powerful solution that can provide comprehensive visibility and control over your data assets. It goes beyond traditional DLP techniques by leveraging advanced technologies such as AI and ML, enabling dynamic data security.
In our increasingly data-centric world, DSPM is no longer just a nice-to-have—it's an essential tool for any business serious about protecting its most valuable asset: its data.
For more insights into data security trends and solutions, check out our other Glossary posts.
Author: Alison Gunnels.