As the world becomes more technologically advanced, digital transformation affects how we work, communicate, entertain ourselves, socialize, buy, trade information, and so much more. Organizations have had to transform and migrate both systems and data to the cloud, so that their developers and data scientists can innovate at the speed with which users expect new services. But as data proliferates across the cloud, so too does the risk of a breach of this data. Decoupling data growth from data risk requires data security posture management (DSPM).
Legacy on-premises data security solutions can’t keep up with the speed of change and the scope of data proliferation in the cloud. If innovative organizations want to keep their data secure, a new breed of cloud-native data security solutions such as DSPM must be considered as a fundamental part of a larger comprehensive cloud data security program.
With DSPM, organizations can now see and classify all of their cloud data, known and unknown; understand what data is not adhering to their data policies and therefore presents a risk to the organization; and quickly discern how to mitigate or remove the risk presented by that data. Understanding, analyzing, and managing your risk at that level, particularly risk to your organization’s most sensitive information, will result in a considerably stronger security posture and better compliance.
What Is Data Security Posture Management (DSPM)?
In July 2022, Gartner’s Market Guide for Data Loss Prevention mentioned “DSPM” for the first time. The analyst firm subsequently included it in their 2022 Hype Cycle for Data Security. In this article, we aim to unpack the fairly new idea of DSPM, how it protects data in hyper-complex cloud environments and differs from cloud security posture management (CSPM), and what characteristics organizations should look for in a DSPM solution.
Data security posture management, sometimes known as cloud data security posture management (CDSPM), is a framework for protecting data in the cloud that gives an organization’s security and data teams greater insight into, and the ability to manage, the security posture of their cloud data. At the core of DSPM is a data-centric policy enforcement engine that:
- Automatically and autonomously discovers, classifies, and catalogs all data in the cloud.
- Analyzes data against a set of security policies and best practices (e.g., encryption, retention, etc.) and continuously monitors and alerts on policy violations.
- Prioritizes security and compliance issues (e.g., overexposed data, underprotected data, misplaced data, etc.) and proposes remediation recommendations for implementation.
- Continuously monitors cloud environments for changes, immediately discovering new data assets or posture changes to existing assets.
Thus, a DSPM solution provides continuous visibility into data, assesses data risks, determines what data violates security policies and how, prioritizes data risks, and remediates them accordingly. As a result, a DSPM can help reduce your data attack surface and facilitate compliance with regulations such as GDPR and PCI.
Solving for the Complexity of Cloud
DSPM solutions address one of the core challenges of cloud: complexity.
There are a multitude of cloud storage technologies available to developers and data scientists today. Many are configured differently, creating multiple architectures that constantly change. Developers can spin up or copy entire datastores in seconds, at the push of a button. Data is copied here, there, and everywhere.
The security team must ensure that data security controls are tight but don’t infringe on the free, unfettered use of data by developers and data scientists. Those security controls must also travel with the data, so that data has the proper level of protections regardless of where it goes. The answer: a DSPM solution.
DSPM enacts a set of data-centric security policies such as encryption, activity logging, environment restrictions or retention period that travel with the data. So when data moves from a production environment, which is typically the most protected, to a test or dev environment, it has the proper protections.
The DSPM solution protects the data regardless of the infrastructure it is on. It supplies data-centric, infrastructure-agnostic policies that are then automatically verified wherever that data resides. For instance, say you have Social Security numbers publicly exposed in a database hosted on an Azure VM. The data security team member doesn’t even need to be aware that the VM exists. The DSPM discovers the asset, finds the sensitive data in it, and determines that there is a data security policy violation. It then prioritizes the violation based on several factors, including sensitivity and risk, and engages the relevant team members to help with remediation.
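To make the discover, classify, check, prioritize loop above concrete, here is a small added example (not Laminar’s code or any product’s engine) that runs it over a constructed asset inventory; the asset fields, the regex classifiers and the policy weights are assumptions for illustration.

```python
import re

# Constructed inventory standing in for what an autonomous discovery pass returns;
# asset ids, fields and sample records are invented for this example.
ASSETS = [
    {"id": "azure-vm-db-01", "env": "prod", "public": True, "encrypted": False,
     "logging": True, "retention_days": 120,
     "samples": ["name=J. Doe ssn=123-45-6789"]},
    {"id": "s3-dev-copy", "env": "dev", "public": False, "encrypted": True,
     "logging": False, "retention_days": 30,
     "samples": ["card=4111111111111111 amount=42"]},
    {"id": "gcs-app-logs", "env": "prod", "public": False, "encrypted": True,
     "logging": True, "retention_days": 14,
     "samples": ["request_id=abc123 status=200"]},
]

# Simplified classifiers (no Luhn check); a real DSPM uses far richer detectors.
CLASSIFIERS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
               "card": re.compile(r"\b\d{13,16}\b")}

# Data-centric policies named in the article. Each applies only to assets that
# hold sensitive data and yields (violation category, weight) when broken.
POLICIES = [
    ("overexposed",    4, lambda a: a["public"]),               # internet-reachable
    ("underprotected", 3, lambda a: not a["encrypted"]),        # encryption policy
    ("underprotected", 2, lambda a: not a["logging"]),          # activity logging policy
    ("misplaced",      3, lambda a: a["env"] != "prod"),        # environment restriction
    ("retention",      1, lambda a: a["retention_days"] > 90),  # retention period
]

def classify(asset):
    """Return the sensitive data types found in the asset's sample records."""
    return {k for rec in asset["samples"] for k, rx in CLASSIFIERS.items() if rx.search(rec)}

def evaluate(assets):
    """Discover -> classify -> check policies -> rank violations by risk score."""
    findings = []
    for asset in assets:
        kinds = classify(asset)
        if not kinds:          # policies follow the data, not the infrastructure
            continue
        for category, weight, broken in POLICIES:
            if broken(asset):
                findings.append({"asset": asset["id"], "data": sorted(kinds),
                                 "violation": category, "score": weight * len(kinds)})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in evaluate(ASSETS):
        print(f"{f['score']:>2} {f['asset']:<16} {f['violation']:<14} {f['data']}")
```

The public, unencrypted production database holding SSNs ranks first, while the log bucket with no sensitive data produces no findings at all, even though a CSPM might flag it for an infrastructure issue.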
How Does DSPM Differ From CSPM?
It’s important to understand the differences between the data-centric and the infrastructure-centric solutions for security posture management. CSPM technologies are designed to protect cloud infrastructures. A CSPM detects misconfigurations, vulnerabilities, and compliance violations across an organization’s cloud infrastructure and issues alerts for security teams to manage and fix.
CSPM solutions are great at protecting cloud infrastructure, but they lack data context. CSPMs don’t understand the value of the data, or the risk to the data, that resides inside data stores. So while a CSPM can detect a critical vulnerability in an S3 storage bucket, it will lack insight into whether that bucket contains any sensitive data whose loss could affect the business. Meanwhile, a less severe vulnerability that the CSPM has deprioritized may affect data stores holding sensitive financial data such as credit card numbers.
A DSPM with its data-centric view is needed to properly assess data risk and provide recommendations on the best way to protect that data. A DSPM manages the security of the data, across clouds, regardless of the infrastructure it resides on. A DSPM protects the data plane which has become overwhelmingly complex and dynamic in ever-expanding cloud environments. Data is the new currency for business and requires its own security context.
Organizations need both CSPM and DSPM solutions. They are separate but complementary technologies. When a CSPM leverages the rich data context from the DSPM, the security teams can focus on those alerts that impact highly sensitive data, thereby gaining a higher return on remediation efforts.
The two technologies cover different perspectives that are needed to effectively secure multi-cloud environments. One provides an infrastructure-centric perspective. The other provides a data-centric perspective. Both are important parts of a defense-in-depth strategy: CSPM to strengthen your infrastructure and DSPM to protect the data and reduce the blast radius of an attack.
Evaluating Data Security Posture Management (DSPM) Solutions
When evaluating tools that provide DSPM capabilities, there are several things to consider:
- Plug and Play: there should be no need to provide a list of every data asset, its location, access credentials, or data owner. The system should discover all data autonomously; it is designed to find the unknown.
- Continuous Automation: finding policy violations and evaluating their risk relative to other violations is not a one-time process. Nor is it something that can be done manually in the cloud. Developers and data scientists are constantly shifting the landscape of what data is where, so a DSPM needs to work continuously.
- Comprehensive, adjustable policies: a DSPM should provide robust coverage in both the risks it identifies and the asset types it scans. A DSPM should find and notify on the full breadth of risk: overexposed data, unprotected or underprotected data, misplaced data and unmanaged data, and also cover a robust spectrum of CSPs, asset types, and object types. A DSPM’s policies should also be customizable to meet an organization’s particular needs.
- Guided remediation: security and IT teams have more than enough alerts, so a DSPM should not just find exposures, but also provide full analysis of why the violation exists, evidence for its existence, and technical recommendations on how to fix it. The DSPM should also connect to your existing workflows to make this process as seamless as possible.
- Agentless: to avoid performance impacts, and to get a complete view of ALL your data, look for a solution with an agentless, connector-less architecture that operates asynchronously.
- Risk-free: a DSPM should utilize serverless functions that leverage APIs to scan your environment, so data always stays in your cloud environment for maximum security.
Laminar’s Data Security Posture Management Capabilities
Laminar’s data security posture management platform provides consistent data security across Azure, AWS, Google Cloud, and Snowflake, offering uniform security and governance for multi-cloud environments.
When you choose DSPM from Laminar you can customize your own data security policies or rely on our robust, pre-written data security policies that cover: overexposed data, underprotected or unprotected data, misplaced data, and unmanaged data. With this guidance, our solution then continuously prioritizes policy violations with no effort on your part and clearly displays them with easy-to-read dashboards. Laminar also provides technical remediation guidance and can connect with ticketing and workflow systems for a seamless remediation experience as well as send alerts to SIEM and CSPM tools for advanced correlation activities.
Laminar’s industry-leading technology integrates into your cloud infrastructure. Because the discovery engine for Laminar is embedded within your cloud environment, data never leaves your environment. Laminar scans your organization’s cloud using serverless functions that make use of the cloud service provider’s APIs. Furthermore, Laminar is easy to install using cloud-native tools, does not need an agent, and has no effect on performance.
Want to see Laminar’s Cloud Data Security Platform in Action? Request a demo today.