What is DSPM?
Gartner’s 2022 Hype Cycle for Data Security describes Data Security Posture Management (DSPM) as follows: “DSPM provides visibility as to where sensitive data is, who has access to that data, how it has been used and what the security posture of the data store or application is.”
DSPM includes data classification to identify sensitive, confidential, and regulated data, and it applies general security posture practices to the context in which that data lives. An increasing number of enterprises are using DSPM as the basis for data risk assessment and to improve their data security governance implementations.
What problem does DSPM solve?
Currently, enterprises are struggling with three key data challenges:
- Massive growth in data, often exponentially from year to year
- Massive migration of data to the cloud, where enterprises have very little visibility into their data
- Diverse types of data (such as intellectual property, financial, business confidential, and regulated PII/PCI/PHI data) in increasingly complex environments
Traditionally, matching access against specific data is rather complicated, especially since most security tools operate in silos. In addition, data in cloud-native environments resides in numerous locations such as object storage, persistent volumes, attached volumes, and databases. Beyond these locations, data is in motion: it is being processed and moving east-west within a cloud environment. Tracking that data across its various formats, locations, and shadow copies is crucial for effective posture management.
Data Security Posture Management (DSPM) offers extensive data observability to identify these types of security gaps, including real-time visibility into data flows and the matching of risk and compliance requirements against data security controls. DSPM tools also enable organizations to adhere to regulations that require a data risk assessment.
How does DSPM work?
First, the DSPM solution must identify all the sensitive cloud data, from intellectual property to financial data to PII/PCI/PHI. Then it gathers information about which data is being shared with whom, and tracks data lineage as the data moves across the environment. Identifying where the data may be at risk is a crucial step, as it provides visibility into which data is being shared in accordance with corporate security guidelines and where violations are happening. Typically, the DSPM will alert SOC analysts with actionable insights. Finally, and perhaps most importantly, DSPM can remediate those issues as they are happening. For example, it might fix access control issues or permissions, or it may disable the sharing of a sensitive file with a third party that should not have it.
With the cloud, every file or data element can be easily shared with or exposed to anyone around the globe. That data can also be easily copied, duplicated, modified, and shared. Imagine 100 variations of a redlined sensitive contract that need to be protected, with each version carrying different access privileges.
This presents some unique security challenges, which DSPM can address with the right tools. The problem is that there are very few tools available for detecting and classifying data everywhere in a cloud application, and even fewer that can offer the security context for risk to that data, much less the ability to remediate those risks.
How does DSPM compare to CSPM?
Cloud Security Posture Management (CSPM) can scan a wide variety of cloud resources, giving organizations an in-depth and detailed analysis of issues such as misconfigurations and compliance violations in their cloud environment. Numerous tools offer CSPM, and some combine it with a Cloud Workload Protection Platform (CWPP) that scans for vulnerabilities (this combination is often called a Cloud-Native Application Protection Platform, or CNAPP). In the end, the more comprehensive tools provide a more in-depth analysis of threats. But compared to DSPM, CSPM and CWPP cannot identify what data is actually at risk. Additionally, they cannot recognize what security posture the data should adhere to, meaning who owns the data and who has access to it.
DSPM focuses squarely on the data layer, from identifying sensitive data to monitoring and identifying risk to business-critical data such as inappropriate entitlements or access. Modern DSPM tools can identify risks and remediate those issues by fixing permissions and entitlements.
While CSPM focuses on infrastructure-level issues that can place networks and infrastructure at risk, DSPM focuses on data layer risk that can cause a data breach or loss.
So, the most significant difference between the two types of posture management comes down to context. Instead of being data agnostic like CSPM, DSPM operates on the assumption that not all data is equal, nor should all data require the same security posture. Not only does DSPM offer data discovery and classification, it also manages what security posture should be maintained for each class of data.
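The pipeline described under “How does DSPM work?” (discover, classify, map access, assess risk, remediate) and the CSPM-versus-DSPM contrast above can be made concrete with a small example. The code below is an added illustration, not code from the original article or from any DSPM product: the inventory, the principals, the policy table, and the severity ladder are all constructed for the example. A CSPM-style check flags every publicly readable object the same way; the DSPM-style assessment classifies the content (SSN pattern, Luhn-validated card numbers), compares the access list with who is allowed to see that class of data, and only then decides severity and the remediation action.

```python
import re
from dataclasses import dataclass, field

# Constructed sample inventory: hypothetical stores, objects, ACLs and content.
INVENTORY = [
    {"store": "s3://acme-finance-exports", "key": "q3-payroll.csv",
     "acl": ["public", "finance"],
     "content": "name,ssn\nJane Doe,123-45-6789\n"},
    {"store": "s3://acme-marketing", "key": "banner.png",
     "acl": ["public"], "content": "<image bytes>"},
    {"store": "pv://payments-volume", "key": "settlement.log",
     "acl": ["payments-svc", "ext:contractor-xyz"],
     "content": "card=4111111111111111 amount=10.00\n"},
    {"store": "s3://acme-docs", "key": "README.md",
     "acl": ["engineering"], "content": "internal build notes"},
]

# Assumed policy for the example: which principals may read each data class.
POLICY = {
    "PII:SSN": {"finance", "hr"},
    "PCI:PAN": {"payments-svc"},
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,16}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum, used to cut false positives on 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> set:
    """Discovery/classification step: label the sensitive data classes present."""
    labels = set()
    if SSN_RE.search(content):
        labels.add("PII:SSN")
    if any(luhn_valid(m) for m in PAN_RE.findall(content)):
        labels.add("PCI:PAN")
    return labels


@dataclass
class Finding:
    store: str
    key: str
    labels: set
    cspm_public: bool          # what a data-agnostic CSPM check would report
    unauthorized: list         # principals not allowed by POLICY for these labels
    severity: str
    actions: list = field(default_factory=list)


def assess(obj: dict) -> Finding:
    """Map access against data class and rank the risk with data context."""
    labels = classify(obj["content"])
    unauthorized = []
    for principal in obj["acl"]:
        if any(principal not in POLICY[label] for label in labels):
            if principal not in unauthorized:
                unauthorized.append(principal)
    public = "public" in obj["acl"]
    if labels and "public" in unauthorized:
        severity = "critical"          # regulated data exposed to the world
    elif labels and unauthorized:
        severity = "high"              # regulated data shared with the wrong party
    elif public:
        severity = "low"               # misconfiguration, but nothing sensitive inside
    else:
        severity = "none"
    actions = [f"revoke {p}" for p in unauthorized]
    return Finding(obj["store"], obj["key"], labels, public,
                   unauthorized, severity, actions)


def remediate(obj: dict, finding: Finding) -> list:
    """Remediation step: return the ACL with unauthorized principals removed."""
    return [p for p in obj["acl"] if p not in finding.unauthorized]


def run_pipeline(inventory: list) -> list:
    return [assess(obj) for obj in inventory]


if __name__ == "__main__":
    for f in run_pipeline(INVENTORY):
        print(f"{f.store}/{f.key}: labels={sorted(f.labels)} "
              f"cspm_public={f.cspm_public} severity={f.severity} actions={f.actions}")
```

Both `q3-payroll.csv` and `banner.png` are flagged identically by the CSPM-style `cspm_public` check; only the data-aware assessment separates the critical exposure of SSNs from the low-severity public image, and only the access mapping catches the contractor principal on the card-data volume, which is not a public bucket and so would not appear in a misconfiguration scan at all.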
Today, some CNAPP/CSPM/CWPP solutions have added very limited DSPM capabilities focused on classifying data at rest in active cloud storage such as S3 buckets in AWS or Blobs in Microsoft Azure. Even the cloud providers themselves offer only limited visibility within their own platforms. Don’t settle for a DSPM solution that can’t detect, classify, analyze the security context of, and remediate risks to your data everywhere in your cloud and Kubernetes environments.
Microsec.AI and DSPM
Microsec.AI began as a DSPM solution for cloud and Kubernetes before these capabilities even had a special name (back then we called it cloud DLP). We founded Microsec because it was obvious to us that CSPM and CWPP were fatally flawed as solutions: they have no idea what sensitive data exists in a cloud environment or where it is, and certainly no way to provide security context or remediation for data risk. Today Microsec.AI can detect and classify data in buckets, blobs, file and queue storage, standard, nearline, and coldline storage classes, databases, persistent volumes, attached volumes, and east/west traffic within a cloud application. Our DSPM/CNAPP solution uses the security context together with that data knowledge to automatically remediate risks to sensitive data such as exposures, abnormal access, or data flow to risky workloads.