From shadow databases and misconfigured permissions to unsecured passwords and AI training pipelines, the cloud presents numerous attack and exposure paths.
It’s no surprise, then, that more than 80% of breaches in 2023 included cloud data.
Data security posture management (DSPM) has emerged as a standard for protecting sensitive data in the cloud and other environments sensitive data, preventing data breaches, and meeting compliance requirements. However, there is confusion about what DSPM truly is (and isn’t), why it’s important, how it works, and how to evaluate a DSPM solution successfully.
We put together this blog post to help you gain a better understanding of DSPM and what it means to protect sensitive data in complex cloud environments. Continue reading for all the details.
What is DSPM?
According to Gartner, “Data security posture management (DSPM) provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data stored or application is.”
Although the DSPM acronym is new, the concept is not.
DSPM takes the principles of data security and primarily applies them to cloud environments. Many of the concepts used to secure data on-premises and in applications are the same: data discovery, data access control, and data monitoring.
An effective DSPM discovers where sensitive data lives across your entire cloud environment — including IaaS, databases, SaaS applications, and cloud file storage — and analyzes the risks and exposures, and enables cloud, IT, and security teams to efficiently detect threats and close the security gaps.
Cloud security posture management (CSPM) focuses on securing the infrastructure, and data loss prevention (DLP) focuses on sensitive data loss in motion at egress points. DSPM focuses on protecting the data itself and strengthening security posture in order to prevent data breaches.
Why is DSPM important?
Organizations continue to store valuable data in increasingly complex cloud environments.
According to Gartner, 80% of enterprises will have adopted multiple public cloud IaaS offerings by 2025. The flexibility and scale offered by these cloud environments also makes it more difficult to secure the data within – leading to a greater risk of data breach.
Major data breaches are increasingly common in SaaS and IaaS.
In January 2022, an unsecured AWS S3 bucket exposed more than a million files on the Internet, including airport employee records. In another example, hundreds of organizations leaked private and sensitive information due to misconfigured Salesforce pages. And, the recent Sisense data breach exposed terabytes of data as a result of a hard-coded token that gave attackers access to Amazon S3 buckets.
Data breaches like these are difficult to prevent in sprawling cloud environments. DSPM aims to secure data and prevent data breaches across IaaS, PaaS, and SaaS. When armed with the right DSPM capabilities, organizations are better prepared to prevent data breaches and meet compliance requirements, like HIPAA, GDPR, CCPA, NIST, and ITAR.
How does DSPM work?
The end goal of DSPM is to prevent data breaches and stay in compliance. To do this, effective DSPM includes two types of capabilities: passive capabilities and active capabilities.
The passive capabilities are always on, working in the background to provide real-time visibility into the data and its security posture. They include data discovery and classification, and exposure analysis and posture.
Data discovery and classification
To protect sensitive data, you first must understand what sensitive data exists and where it lives. DSPM automatically scans and discovers sensitive data across your environment and classifies it based on its sensitivity and type, such as whether it is credentials, PHI, PII, HIPAA, etc.
Not all data discovery and classification solutions are created equal, however. Because cloud environments are constantly changing, data needs to be scanned continually and in real-time.
Sampling the data, especially in object stores like Amazon S3 and Azure Blob, is insufficient. Unlike a database, you can’t assume that just because you scanned 2TB of an S3 account and found no sensitive content, the other 500TB of data is not sensitive. Without thorough, real-time data discovery and classification, the organization is exposed to risk.
Exposure analysis and posture
Once you understand what sensitive data exists and where it lives, the next step is to understand the security gaps and exposure risks. DSPM analyzes the data and detects vulnerabilities like misconfigurations, overexposed permissions, and third-party application liability.
To gain a deep understanding of risks and exposures, sensitive data needs to be mapped to permissions and access activity across platforms, applications, and all the way down to the object level. Without this deep understanding, your security posture can easily become compromised.
Exposures and posture should also be mapped to the relevant compliance frameworks, like CMMC, GDPR, HIPAA, ISO, NIST, PCI, and SOX. This helps you to stay in compliance and provides a benchmark for the overall security of your data.
The active capabilities of DSPM enable IT and security teams to remediate security gaps and mitigate exposure to improve security posture. While some DSPM solutions don’t offer remediation, this is the critical last mile between simply knowing that your data is at risk and securing it.
Remediation
Once security gaps and exposures are identified, DSPM enables cloud, IT, and security teams to expediently fix the root cause issues.
The longer it takes to fix issues — eliminate risky permissions, misconfigurations, ghost users, sharing links, etc. — the greater the risk of a data breach. It takes just eight hours to breach an unsecured or misconfigured database.
Manually fixing a single misconfigured file can take hours and issues can quickly pile up. For most organizations, automated remediation is needed to close security gaps, stay compliant, and create an environment that becomes more resilient over time.
Effective DSPM combines passive and active capabilities.
Is DSPM standalone?
DSPM should be an important part of your data security strategy if your organization is primarily in the cloud. But even for cloud-first organizations, DSPM is only one part of a holistic data strategy.
DSPM is one part of a holistic approach to data security.
In addition to improving your data security posture with DSPM, detecting active attacks is important. Threat detection and response is particularly important if you are in an industry that is highly targeted by attackers, such as healthcare, government, manufacturing, or finance.
Capabilities for event monitoring and investigations are also important capabilities that go beyond classifying data to provide a deep understanding of the sensitive data flow — how it was created, updated, deleted, uploaded, downloaded, and shared. In many cases, like insider threats, ransomware, and advanced persistent threats (APT), understanding what is being done with the data is key to detecting and preventing a data breach.
For most organizations, it is important to secure data wherever it resides, even if you are primarily in the cloud, including on-premises, AI copilots, email, and more. All of the places where sensitive data could reside can become attack vectors – even if your sensitive data is primarily in the cloud. Gen AI copilots, for example, are an increasingly easy way for bad actors to obtain credentials.
DSPM vs. CSPM
On the surface, DSPM and CSPM might seem similar. While both solutions are designed to protect your organization from cyber threats, they each take a unique approach to achieving that goal.
DSPM ensures that sensitive data is protected wherever it resides, while CSPM focuses on securing the cloud infrastructure of critical business applications by taking a vulnerability-centric approach. CSPM scans and analyzes cloud infrastructure to identify misconfigurations and other security gaps.
CSPM excels at finding infrastructure and network vulnerabilities and misconfigurations, like identifying a vulnerable EC2 instance running unpatched Windows with Log4j. DSPM, on the other hand, provides a granular understanding of the data and its exposure. For example, a database snapshot containing sensitive patient data is exposed to a service account with a weak password – making it a prime target for attackers.
CSPM doesn’t provide visibility into the data within. Attacks such as a threat actor finding an API key in an orphaned snapshot, or using social engineering to gain access with legitimate credentials, or an insider copying sensitive data to a personal account — all these exposures would be missed using CSPM alone. While CSPM is valuable, the only surefire way to prevent a data breach is to know what is happening with the data itself.
Varonis’ Data Security Platform bridges the gap between the two concepts. Our universal database connector can integrate with any network-connected database to discover and classify sensitive structured data at scale — no matter where it lives.
Read more:
DSPM vs. DLP
DLP solutions use a wide variety of techniques to protect data, such as classification, encryption, monitoring, and policy enforcement, and focus on endpoints or the perimeter of the cloud through controlled egress points.
While DLP focuses on preventing data from leaving the environment, DSPM focuses on improving the security posture of the data — understanding what sensitive data there is, analyzing the exposure and risks, and closing security gaps.
Our Data Security Platform uses the DSPM and DLP frameworks in conjunction to improve data visibility, compliance, posture, and threat detection.
How to evaluate DSPM solutions
There is a lot of noise in the DSPM space, and it can be difficult to distinguish a legitimate solution from one that ultimately won’t produce outcomes for your organization.
Our DSPM Buyer’s Guide helps you better understand the different types of DSPM solutions, avoid common pitfalls, and includes questions to ask vendors to ensure you purchase a data security solution that meets your unique requirements.
Within the guide, leading CISOs recommend three evaluation steps that represent best practices for evaluating a DSPM solution:
1. Run a proof-of-concept (POC)
“My golden rule when evaluating any new technology is to validate claims with a POC. Vendors who refuse to do a POC should raise red flags. Try to do POCs on production systems or sandboxes that mimic your production environment’s scale. For DSPM, test data classification results for false positives.”
2. Ask for a sample risk assessment
“Ask to see an anonymized risk report from a real customer — not a marketing brochure. This can help you understand if the vendor offers the level of granularity and depth you’re after. Sample reports can help you determine if a POC is worthwhile.”
3. Read real customer reviews
“Be careful judging vendors based on awards and press, many of which are pay-to-play. Look for validated DSPM reviews from trusted sources like Gartner and Forrester. Ask to speak directly to reference customers. Make sure they have customer case studies on their website. You don’t want to be their first big customer.”
Don’t wait for a breach to occur.
DSPM should be on the radar of any cloud-first organization prioritizing data security and are an important part of a holistic data security approach.
By understanding how data discovery and classification, exposure analysis and posture, and remediation, help prevent data breaches and comply with increasingly stringent regulations, you will have a good idea of which DSPM capabilities are the best fit for your company.
Varonis leads the DSPM Market on Gartner Peer Insights and is the only solution that automatically remediates risk, enforces policies, and detects threats in real-time.
Explore more of our platform and schedule a 30-minute demo to learn more.
