Data security Posture management is an approach to securing cloud data, which ensures that sensitive data always has the correct security state – no matter where it is duplicated or moved.
So, what is DSPM? Here’s a quick example:
Let’s say you have created an excellent security Posture for your cloud data. For this example, your data is in production, it’s protected behind a firewall, it’s not publicly accessible, and your IAM controls have appropriately limited access. Now a developer comes in and replicates that data to the lower environment.
What happens to that great security posture you built?
Well, it’s gone – and now the data is protected only by the security posture in that lower environment. So if that environment is exposed or improperly secured – so is all the sensitive data you’re trying to protect.
Security postures do not carry their data. Data Security Posture Management (DSPM) was created to solve this problem.
How does Data Security Posture Management work?
If we want a data security posture that travels with data and helps you solve problems, we need a solution that does three things:
- Explores all the data in your public cloud – including shadow data that has been created but not used or monitored.
- Understands what the security posture of the data should be
- Prioritizes alerts based on data sensitivity and provides relevant remediation plans
Data discovery and classification tools have existed for years. But they lack the ability to offer any business context. If you can find sensitive data, but don’t know whether it’s commercially important or not, and don’t understand its security posture, it’s not much help to a security team that has to process thousands of alerts from different devices.
For example, let’s say a data discovery tool finds PII data. If there is proper security posture in it then you will not need alert. With a good DSPM solution, your time will not be wasted.
Why is data security posture management so important now?
It’s the answer you’ve heard before: clouds.
Before the widespread adoption of public cloud infrastructure, securing data meant securing your data center with a firewall. Even if your data is copied or moved, it remains inside your organization’s data center. There was no separation between your infrastructure security and your data security. But for cloud-first companies, sensitive data travels continuously from your cloud to environments with different security postures. So there is a need to create a product that ensures that all this travel data is in the right security posture.
Wait, doesn’t Cloud Security Posture Management (CSPM) already do this?
CSPM solutions are built to secure cloud infrastructure while DSPM focuses on cloud data. The difference is important. CSPM is designed to detect vulnerabilities in cloud resources such as VMs and VPC networks. Some may even be able to provide very basic information on the data, such as identifying PII in text files in VMs and S3 buckets. Beyond these basic capabilities, CSPM products are often data agnostic and do not prioritize remediation based on data sensitivity.
On the other hand, DSPM is all about the data itself. This includes identifying data vulnerabilities such as overexposure, access control, data flow and anomalies. The DPSM solution connects the dots between data and infrastructure security, allowing security teams to understand where sensitive data is at risk, rather than being shown a list of vulnerabilities to repair. Essentially DSPM is adding a layer of data security and data context on top of infrastructure security.
How does Data Security Posture Management understand which data is sensitive?
Some data is clearly sensitive – for example, Social Security numbers, credit card information and health care data. These need to be protected not only for security reasons, but also to remain compliant with PCI-DSS, HIPAA, and other regulations.
But a good DSPM solution needs to go further than that. To really provide value, it needs to be able to autonomously draw conclusions about the type of sensitive data it contains — and be able to find data that isn’t structured like a credit card number. By understanding and clustering metadata and leveraging ML technologies, DSPMs can find intellectual property, customer data, and more that cannot be discovered using regular expressions alone.
Another important factor is data ownership. The DSPM should integrate with the data catalog to understand who is responsible for the data. Finally, there is the issue of scale. A major weakness of older data discovery and classification solutions is that they are not capable of performing scanning and classification at the scale of modern cloud infrastructures. DSPM needs to be able to effectively and efficiently scan petabytes of data, making sure everything is discovered – without breaking your cloud bill.
Conclusion: DSPM = Security That Travels With Your Data
Data security posture management is new, and with it comes the natural skepticism ‘do we really need another security acronym?’ But DSPM is solving real security problems caused by the move to the cloud and can help prevent major data breaches.
Customer information, company secrets and source code leaks are not caused by initial failures in protecting sensitive data. They are due to the ease with which data is replicated and moved around – without any security concerns. Data security posture management promises to ensure that wherever your data travels in the cloud – your security posture is adhered to and data risks are mitigated.
