The Big Guide to Data Security Posture Management (DSPM)

DSPM is a crucial piece of your cloud security puzzle. Learn what it is, why it matters, and how to choose the best solution to protect your sensitive data while growing your business. 

‍

Why DSPM, and Why Now?

Data is an asset – but it's also a risk. Data breaches are one of the main areas keeping CISOs up at night. The combination of digital transformation processes, an increased appetite for data and analytics, and the proliferation of cloud data stores means every enterprise is storing more sensitive data than it can easily monitor or control.

Data has always been a prime target for hackers and criminals. However, ransomware attacks and other data breaches have increased in recent years, as have the associated costs. According to IBM, between 2021 and 2022, the total cost of a breach increased by 10%. At the same time, privacy and compliance requirements around sensitive data increase the overhead for DevOps and security teams. And so, Engineering organizations, already overstretched, must now tackle an increasingly challenging data security landscape. 

Enterprises are realizing that sensitive data is putting them at risk, and existing solutions are not keeping up with the rapid adoption of cloud data infrastructure. This has given rise to the new practice of data security posture management (DSPM). DSPM addresses the core challenges that arise when sensitive data is stored across many cloud repositories. It provides organizations with a set of practical tools to discover and secure sensitive data. And it's designed for a reality where data lives in multiple clouds and dozens of services.

In this guide, we'll walk you through the basics of DSPM. We'll cover key challenges, benefits, and an overview of how DSPM compares to other cloud security tools.

What is DSPM?

Data security posture management (DSPM) is a set of practices and technologies used to assess, monitor, and reduce the risk related to data residing in cloud data stores – with a focus on multi-cloud environments.

DSPM was acknowledged as a new category of data security by Gartner in 2022, and there continues to be some ambiguity in the way different vendors or analysts use it. However, in most cases a DSPM solution includes:

• Data discovery. DSPM tools provide visibility into your cloud data inventory – the various services where sensitive data might be held across IaaS and PaaS deployments. This could include cloud databases such as Redshift or Snowflake, as well as unstructured object storage such as Amazon S3 or Google Cloud Storage.
• Data classification. There are many types of sensitive data, each posing a different level of risk and warranting a different response. An organization might store PII data, credit card details, and access keys. None of these should fall into the wrong hands, but some pose a larger threat than others.
• Identifying static risk related to data. This includes practices meant to enhance the overall security posture related to data access, such as permissions, encrypted storage, and user management.

DSPM vs CSPM

How does DSPM differ from cloud security posture management (CSPM) – which, until recently, was seen as the prevailing approach for protecting cloud data assets?

CSPM solutions focus on protecting the infrastructure itself, rather than the actual data. CSPM policies are geared towards reviewing data replication rules, fine-tuning access control, or finding weaknesses in cloud infrastructure or design – without scanning the data itself. 

DSPM looks beyond the policy level at the content of the data. By scanning and classifying enterprise data, it allows an organization to see the true picture of where sensitive data is located and how it is being utilized. It also helps prioritize the long list of discovered issues and prevents alert fatigue (which can lead to important issues being ignored).

Read more about the differences between DSPM and CSPM.

The Technical Challenge

The Data-Driven Enterprise and Cloud Adoption Create New Risks

The need to reimagine the approach to enterprise data security did not appear out of the blue. Rather, it was a consequence of the evolving business and technology landscape.

The public cloud has changed the way organizations work with data. Organizations no longer rely on monolithic databases or DevOps platforms; instead, developers leverage the cloud's elasticity to adopt a wide range of tools and microservices. These new paradigms give product and analytics teams more space to innovate and iterate quickly. At the same time, they create many potential risks when it comes to sensitive data. 

Let's look a bit closer at three related trends, and see how they impact data security.

1. The Breakdown of the Enterprise Data Warehouse

‍

Data used to reside in a single enterprise-wide data warehouse (EDW), such as the ones provided by Oracle or Teradata. Security teams had a well-defined attack surface to worry about: protecting data meant securing the data warehouse. Access to data was often through DBA teams, which could maintain strict oversight.

This is no longer the case. Enterprises are leaning towards democratizing data, expanding access to it, and using a variety of best-in-breed tools to tackle specific data challenges. This makes teams more data-driven, but also means the attack surface sprawls into dozens or hundreds of potential data stores.

 Today, very few large organizations rely on a single EDW. The elasticity of the cloud makes it easy to spin up new services and retain larger amounts of raw data. It is much more common to see cloud architectures using lower-cost object storage (such as Amazon S3) to store raw data, which can then be processed in a wide range of databases or analytic services to satisfy various use cases in the organization.

For example, a financial services organization might be storing the raw transaction log in object storage, copying a subset of the data to Snowflake for analytics purposes, moving some logs into Elasticsearch for application troubleshooting, and giving data science teams access to the raw data to run Spark ETL and machine learning jobs. For each use case, data is copied and moved, adding another potential location where sensitive data might end up.

2. Microservice-Based Development

It's not just storage that has become distributed. Modern software engineering also favors breaking apart monolithic applications into microservices – smaller applications or pieces of code, which communicate via APIs. This is aided by containerized application development, which allows developers to deploy new environments in a few clicks. 

Microservices give developers flexibility and free them from overreliance on DevOps. However, each microservice has data assets assigned to it, leading to a further proliferation of data copies with minimal oversight. 

A great deal of modern engineering work is around processing or analyzing data. It's almost inevitable developers will move or replicate sensitive data in the process of writing new code.

3. Multi-Cloud Architectures

The previous challenges are inherent to the way organizations use cloud infrastructure. The adoption of multi-cloud environments exacerbates them. The ease of moving data between services leads organizations to adopt tools from different cloud providers – again, in order to solve a specific data problem. For example, the same dataset might find itself in Amazon Aurora and Azure Synapse due to different teams needing to run a different SQL query, or in order to optimize costs.

As data moves between clouds, tracking lineage and classification becomes even more challenging. Native tools offered by the public cloud providers are limited to that specific cloud. Sensitive data has even more possibilities to seep into unmonitored corners. In these circumstances, creating effective oversight can be extremely difficult.

Business Drivers for Increasing Cloud Data Security

These technical challenges create financial risk for organizations that store sensitive data. While it’s difficult to find a company that doesn’t fit this definition, larger enterprises are at higher risk. They store more customer data and face more severe reputational and financial harms in case the data is compromised.

And the threat is far from theoretical. 2,690 ransomware attacks were reported in 2021 - a 92.7% rise from the previous year. On average, the cost of a data breach for enterprises was $4.35 million, according to IBM Security. The foremost reason to improve data security is to prevent a data breach from occurring – and to reduce the amount of data that is exposed if one does occur.

Additional drivers for increasing scrutiny around data assets include:

• Compliance: Most businesses are impacted by some kind of regulation around data security. This could be data privacy laws such as GDPR and CCPA, legislation related to medical data such as HIPAA, or standards such as SOC 2 which can have a material impact on a company's ability to do business with certain entities. Complying with regulatory requirements, or collecting evidence in order to achieve compliance, will often require an organization to have a clear inventory of its sensitive data.
• Mergers and acquisitions / divestitures: During the process of buying or selling new companies, businesses need to have a clear picture of the data they hold. This can be as part of due diligence and risk assessment processes; unsecure data might be a large enough risk to affect the buyer’s decision. On the other hand, the ability to monetize data without risking a privacy or security mishap can affect the price of the transaction.
• Cost efficiencies: Improving data security posture can reduce costs in multiple layers – both in terms of insurance against incidents such as ransomware attacks, as well as in savings driven by automation of manual processes such as policy checks, data classification, or periodic sampling and scanning of stored data.

Permissions, Policies, and Endpoint Security Aren't Enough

Previous approaches to securing enterprise data were focused on securing network entry points (legacy solutions) or on managing permissions, tools, and user access (CSPM). However, neither of these approaches is sufficient for the cloud era:

• No endpoint: The majority of cloud data breaches never hit an endpoint. Attackers target services hosted on the public cloud, which might not be covered by enterprise VPN services. The perimeter has dissolved, and security efforts need to happen inside the cloud rather than at the entry point.
• Impossible to track data usage after permissions have been granted: Due to the proliferation of data, the tendency to broaden access to datasets, and the way data is replicated for various analytic services, it's almost inevitable that sensitive data will end up where it doesn't belong. Permissions alone will struggle to cover every contingency, every 'quick fix' that becomes permanent, and every case where a developer accidentally pulls more data than they need, or forgets to delete a copy of the data sitting in a loosely-monitored S3 bucket.

DSPM offers a way around these limitations by scanning the data itself, in the cloud repositories where it's stored. This allows for more proactive monitoring, including 'shadow' data that is being generated on the cloud or moved from one cloud service to another. Importantly, DSPM tools work regardless of whether the original access to the data was authorized.

Benefits of a DSPM Solution
‍

‍

• Better visibility into where sensitive data lives: DSPM solutions scan cloud data repositories, discover sensitive data, and classify it. This creates an accurate map and inventory of the organization's data assets. It helps to understand where sensitive data is stored, who is accessing the data, and where it is going.
• Identify data risks: Static risk analysis identifies data that is not fully protected and prevents misuse of data assets. The types of checks performed here include ensuring that data is encrypted and that logging is enabled in any situation where sensitive data is being accessed.
• Policy controls: DSPM solutions provide a policy engine that is supported by a deep data threat model. They can detect real time risks when they appear, allowing for immediate remediation to stop a potential breach.

Comparing Different Cloud Data Security Tools

We've talked about the differences between DSPM and CSPM. But how does it compare to other types of cloud data security solutions, and where would it fit in an enterprise's overall cybersecurity suite?

• Data loss prevention (DLP) tools were designed for data exfiltration from the endpoint and are irrelevant in the cloud as data breaches in cloud don't reach the endpoint.
• Cloud access security brokers (CASBs) help enforce security policies between data consumers and SaaS applications. However, they do not cover data after it is stored on IaaS, PaaS or DBaaS – which is where DSPM comes in.
• Native solutions offered by public cloud vendors (AWS, Azure, Google) do not support multi-cloud environments and are often limited in coverage and functionality (for example, only covering one type of service or database). DSPM provides holistic coverage, including in multi-cloud environments.

Learn More About DSPM and Cloud Data Security

• Hype Cycle for Data Security, Gartner (subscription based)
• Visit our product page to discover how Dig Security is leading the new wave of DSPM solutions

About the Author

Sharon Farber is the Director of Product Marketing at Dig Security and as such believes that good technology needs to be accompanied by simple words. A veteran in Cyber Security, Sharon has worked for several big software vendors including Computer Associates as well as small nimble start-ups. She has held a variety of positions, some more technical than others. Sharon holds a B.S degree in Computer Science and a Masters in Operations Research. Whenever she gets time, Sharon enjoys swimming in the Mediterranean.