How to win the battle for data security: CSPM vs. DSPM or maybe DDR?
Entering the ring
In a previous blog post we wrote about the new Data Security Posture Management (DSPM) category introduced by Gartner (Hype Cycle for Data Security, August 4, 2022), and how it brings a new approach to security with a “data-centric view”. This is a major and pivotal change, especially since tools such as Cloud Security Posture Management (CSPM) are often mistaken for data security solutions. We also mentioned Data Detection and Response (DDR) capabilities as an essential component of data security. In this blog I will put the different categories to the test with real-life examples, all of which I personally encountered during my work at Dig.
First round: CSPM vs. DSPM. Let ‘em play
In this example, a financial organization stores customer information in AWS S3 buckets. Let’s see how each solution approaches the environment:
CSPM maneuver: The CSPM solution scans the environment and finds a replication rule that continuously copies data from one bucket to another. Jobs like this are common in enterprises, so there is no particular policy preventing duplication of data. Nevertheless, data duplication jobs may lead to data sprawl and unnecessary storage costs if they are no longer required, so the operation is tagged with “medium” severity and is forever lost under a heap of high-severity items.
Before we turn to our opponent, let’s describe what would help determine whether this job poses a risk or should be considered benign. The following data points support such a decision:
- Content: what type of data is being replicated? Does it contain customer information considered private, such as PII? Does it contain company financial data or other IP? Is it regulated? Is it subject to data residency (location) requirements?
- Access: When was either of the two data sets last used? Who originally created the job, and when? Who can provide the business justification for this data? Do the two data sets have different access permissions, which could indicate a misalignment?
- Configuration: are there any configuration differences between the two data sets that make one of them more vulnerable? Is the content encrypted?
DSPM: The better data player
A quick onboarding of our DSPM solution provided the following context:
- A data classification scan marked both buckets as containing “PII data”
- It clearly showed that this job was created by a user who is no longer with the company, an indicator of potential ghost data
- Furthermore, the replicated data was not encrypted and had versioning turned off, both in violation of company policies for sensitive data
“Context” is the real factor that makes the operation important and bumps it to the top of the priority list, allowing the security team to focus their efforts on business-critical data first.
Second round: DSPM vs. DDR
We already established that DSPM improves the security posture from a data point of view. Since not all data assets are created equal, DSPM discovers data and classifies it so that the sensitivity of the underlying data is included with the other posture considerations. This is an advantage over tools that don’t have this built in and need to factor in data labels as an extra step to determine the severity of a risk and whether it should be addressed immediately (“sensitive”) or later (“non-sensitive”).
In essence, data posture management searches for data vulnerabilities, misconfigurations and loosely permitted access, all of which are considered static risk. These issues have existed for a while and should be handled in priority order. What DSPM lacks is real-time monitoring, detection and response: the same capabilities that DLP provides for on-prem data assets, but which work differently in cloud environments. To illustrate this with a real-life example, let’s have another match:
In the next round of combat our DSPM solution discovered a snapshot that contained sensitive corporate data. Very similar to the earlier scenario, DB snapshots are a business necessity whether they contain sensitive data or not. So no big deal here... unless.
The powerful knockout comes when a user shares the snapshot with an external account outside the organization. Now this is a potentially malicious act that should be stopped immediately. A DSPM solution can discover the change on its next scanning cycle, which, depending on the chosen solution, could take anywhere between an hour and the end of the week, but that is not enough because an active attack is a force to be reckoned with.
The DDR solution monitors and processes all events to detect and respond to data-related threats in real time, setting the business security workflows in motion. Because it significantly reduces the MTTD and brings the data owners in faster to resolve the issue, this incident is quickly mitigated. DDR solutions also allow automatic response, closing the gap between a quick MTTD and a quick MTTR.
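As an added illustration (not Dig’s product or code), here is the kind of event-driven check a DDR pipeline would apply to the snapshot-sharing scenario above: it scans constructed CloudTrail-style records for RDS ModifyDBSnapshotAttribute calls that grant restore access outside a hypothetical list of organization accounts, uses a constructed DSPM classification to raise severity, and emits the parameters an automated response would use to revoke the share. The account IDs, snapshot names and user ARNs are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: the organisation's own AWS account IDs (hypothetical values).
ORG_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed DSPM classification result: snapshots already found to hold sensitive data.
SENSITIVE_SNAPSHOTS = {"prod-customers-2023-03-01": "PII"}

# Constructed CloudTrail-style records. Field names follow the real RDS ModifyDBSnapshotAttribute
# API: attributeName "restore" grants restore rights to the accounts in valuesToAdd; "all" = public.
SAMPLE_EVENTS = [
    {"eventTime": "2023-03-01T10:05:00Z", "eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dba"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-customers-2023-03-01",
                           "attributeName": "restore", "valuesToAdd": ["222222222222"]}},
    {"eventTime": "2023-03-01T10:07:00Z", "eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-customers-2023-03-01",
                           "attributeName": "restore", "valuesToAdd": ["999999999999"]}},
    {"eventTime": "2023-03-01T10:08:00Z", "eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
     "requestParameters": {"dBSnapshotIdentifier": "staging-nightly",
                           "attributeName": "restore", "valuesToAdd": ["all"]}},
]


def detect_external_snapshot_shares(events, org_accounts, sensitive):
    """One finding per restore grant to an account outside the organisation.
    DSPM context (classification) and public exposure raise the severity, and each
    finding carries the parameters an automatic response would use to revoke the share."""
    findings = []
    for ev in events:
        params = ev.get("requestParameters", {})
        if ev.get("eventName") != "ModifyDBSnapshotAttribute" or params.get("attributeName") != "restore":
            continue
        external = [a for a in params.get("valuesToAdd", []) if a not in org_accounts]
        if not external:
            continue  # share stayed inside the organisation: benign, no alert
        snap = params.get("dBSnapshotIdentifier")
        public = "all" in external
        label = sensitive.get(snap)
        findings.append({
            "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "actor": ev["userIdentity"]["arn"], "snapshot": snap, "shared_with": external,
            "public": public, "classification": label,
            "severity": "critical" if (public or label) else "high",
            # boto3 modify_db_snapshot_attribute parameters that reverse the grant (no call is made here).
            "revoke": {"DBSnapshotIdentifier": snap, "AttributeName": "restore",
                       "ValuesToRemove": external}})
    return findings
```

The in-organisation share produces no finding; the external share of the PII-classified snapshot and the public share of the staging snapshot are both surfaced at the moment the event arrives rather than on the next posture scan.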
And the winner is
If you have come this far, you have probably figured out that the combined power of DSPM and DDR is essential to protect and govern cloud data assets, while CSPM is better suited to securing other critical workloads.
And yes, we do have a winner: today’s winner is you, who gets to pull your organization over yet another hurdle that could have caused the next breach.