Data Security Posture Management or Cloud Security Posture Management? You Need Both DSPM & CSPM

Securing the cloud is complex. Securing data in the cloud is hyper-complex.

That’s why organizations need more than one solution: data security posture management (DSPM) to secure the data, and cloud security posture management (CSPM) to secure the infrastructure. The two are very different. They answer different needs and take different viewpoints, and both are needed to secure your organization.

Here’s why you should look at both as part of your larger cloud security stack. The story is one of contrasts, not comparisons.

Data Security Posture Management (DSPM)

There are dozens of different ways to store data in AWS alone. Add Azure, GCP and Snowflake and the complexity multiplies, and it is then amplified by the speed of data proliferation. Developers and data scientists use data freely in the cloud: they can move, copy and share it in seconds instead of weeks, and they can spin up new databases as quickly and as often as they like.

While this has been great for the business, it opens a security gap, because when data proliferates its security is usually an afterthought. In this new world of cloud operations, security teams need to keep controls tight without getting in the way of the free use of data by developers and data scientists that business innovation depends on.

With DSPM, security teams finally have a solution custom-built for this challenge: one built to protect the data, and one that is independent of the underlying infrastructure storing it. This matters because the data security practitioner doesn’t need to know whether data sits in RDS, S3 or Google BigQuery, or whether it lives on AWS, GCP, Azure or Snowflake. What they do care about is what data the organization is storing, how it is being protected, who should and who actually does have access to it, what the risk of exposure is, and how to fix it.

DSPM is the policy enforcement engine that lets security teams put guardrails in place in a way that is data-centric, sidesteps the complexity of cloud infrastructure, and keeps up with ongoing data proliferation. A fully automated data-centric policy engine (as provided by a DSPM) secures your data at the speed of the cloud. With it, data security teams can focus on the data and on the policies that provide the guardrails for protecting it. For instance, a data policy could dictate that personally identifiable consumer data must never be publicly exposed, regardless of the infrastructure in which the data resides.

The DSPM then translates these data policies into specific technical checks, shows the user where a policy is currently violated, prioritizes issues for resolution, and helps fix them with clear, specific technical remediation instructions.

DSPM policies focus on:

  • Data exposure and access
  • Data obfuscation (encryption, tokenization, anonymization)
  • Data segmentation of the environment
  • Data retention
  • Data proliferation control

With this tool in hand, the data security practitioner only needs to define a set of data-centric security guardrails and then let the DSPM do the work of finding violations and monitoring for data proliferation. Say you have social security numbers publicly exposed in an Oracle database hosted on a virtual machine in Azure. The practitioner doesn’t even need to know that the virtual machine exists: the DSPM discovers the asset, finds the sensitive data in it, and determines that a data security policy is violated. It prioritizes the violation based on several factors, including sensitivity and risk, and engages the relevant team members to remediate it.

Cloud Security Posture Management

In contrast, CSPM is all about the infrastructure. CSPM tools pull configuration metadata through the cloud provider’s APIs to obtain visibility into the infrastructure layer only. CSPM controls typically address infrastructure-level operational hygiene, such as ensuring that encryption keys are rotated properly and regularly or that multi-factor authentication (MFA) is enforced on a critical system. CSPMs also report on, and advise against, overly permissive settings for identities and accounts.

Although CSPMs can detect publicly exposed storage buckets, they lack complete insight into where sensitive data stores sit in the cloud environment, the potential for that data to be exposed, or the security posture the data should have. For instance, they do not know whether, and which, data should be encrypted, how long it should be retained, or who should and should not have access to it. They do not monitor access to sensitive data in the cloud or detect indications of leakage or exfiltration of these “crown jewels.”

Here are some concrete examples from our customers of where CSPM and DSPM differ. One customer had a publicly exposed S3 bucket that its CSPM identified, but the bucket was supposed to be public (public by design) because it hosted a website. However, we found that somebody internally had mistakenly placed highly sensitive data in this bucket, so that data was now publicly exposed too. A CSPM does not catch this, because it is not aware of the data elements inside the bucket. A DSPM does. Conversely, there are cases where the S3 bucket is NOT publicly exposed, but individual data elements inside it can be, and actually are (in S3, object-level permissions are granted independently of the bucket’s, so a private bucket can still serve a public object unless public access is blocked at the bucket or account level). Again, the infrastructure looks fine, but the data may still be exposed. We have seen both examples many times in our customers’ environments.
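As an added example (not Laminar’s code, and not a description of its product internals), the following Python mirrors the two customer cases above with a constructed S3 inventory and contrasts an infrastructure-centric check with a data-centric policy of the kind described under DSPM: sensitive data must never be publicly reachable, regardless of where it is stored. The bucket and object names, the content samples, the SSN and e-mail regexes and the sensitivity ranking are all constructed for illustration; a real scanner would read actual objects through the provider API and classify far more data classes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed classifiers for two data classes (illustration only; real DSPM
# classifiers use validation, context and ML rather than bare regexes).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SENSITIVITY = {"SSN": 3, "EMAIL": 1}  # assumed ranking used for prioritization


@dataclass
class Obj:
    key: str
    sample: str               # constructed content sample a scanner would read
    public_acl: bool = False  # object-level public-read grant


@dataclass
class Bucket:
    name: str
    public_by_policy: bool    # bucket policy/ACL allows anonymous read
    public_by_design: bool    # documented intent, e.g. static website hosting
    objects: List[Obj] = field(default_factory=list)


def classify(text: str) -> set:
    """Return the set of data classes detected in a content sample."""
    found = set()
    if SSN_RE.search(text):
        found.add("SSN")
    if EMAIL_RE.search(text):
        found.add("EMAIL")
    return found


def infra_findings(buckets: List[Bucket]) -> List[str]:
    """Infrastructure-centric (CSPM-style) check: flags every publicly readable
    bucket. It knows nothing about contents, so the public-by-design website
    bucket is flagged while the private bucket with a public object is not."""
    return [f"{b.name}: bucket policy allows public read"
            for b in buckets if b.public_by_policy]


def data_findings(buckets: List[Bucket]) -> List[Dict]:
    """Data-centric (DSPM-style) check implementing a single policy:
    'sensitive data must never be publicly reachable, wherever it is stored'.
    An object is reachable if its bucket is public OR the object itself is."""
    findings = []
    for b in buckets:
        for o in b.objects:
            if b.public_by_policy:
                exposed_via = "bucket policy"
            elif o.public_acl:
                exposed_via = "object ACL"
            else:
                exposed_via = None
            classes = classify(o.sample)
            if exposed_via and classes:
                findings.append({
                    "asset": f"s3://{b.name}/{o.key}",
                    "classes": sorted(classes),
                    "exposed_via": exposed_via,
                    "priority": max(SENSITIVITY[c] for c in classes),
                })
    # Most sensitive first, so remediation starts with the worst exposure
    return sorted(findings, key=lambda f: -f["priority"])


# Constructed inventory mirroring the two customer cases described above.
INVENTORY = [
    Bucket("www-assets", public_by_policy=True, public_by_design=True, objects=[
        Obj("index.html", "<html><body>Welcome</body></html>"),
        # Someone dropped a PII export into the website bucket by mistake
        Obj("exports/customers.csv", "name,ssn\nJane Doe,123-45-6789\n"),
    ]),
    Bucket("internal-reports", public_by_policy=False, public_by_design=False, objects=[
        Obj("q3/summary.txt", "Quarterly numbers, internal only"),
        # Bucket is private, but this one object carries a public-read ACL
        Obj("hr/leads.txt", "alice@example.com\n", public_acl=True),
    ]),
]

if __name__ == "__main__":
    print("Infrastructure-centric findings:")
    for line in infra_findings(INVENTORY):
        print("  ", line)
    print("Data-centric findings:")
    for finding in data_findings(INVENTORY):
        print("  ", finding)
```

The infrastructure check produces one finding, the website bucket, which is working as designed, and misses the private bucket entirely. The data check produces two, ordered by sensitivity: the SSN export in the public website bucket and the e-mail list exposed through an object ACL. On the infrastructure side, enabling S3 Block Public Access (its BlockPublicAcls and IgnorePublicAcls settings) at the account level closes the object-ACL case; the first case, sensitive data dropped into a bucket that is meant to be public, can only be caught by looking at the data.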

The Bottom Line

Organizations need both CSPM and DSPM. They complement each other, covering the different perspectives needed to effectively secure multi-cloud environments. One provides an infrastructure-centric perspective; the other provides a data-centric perspective. Both are important parts of a defense-in-depth strategy: CSPM to keep intrusions out of your infrastructure, and DSPM to protect the data and reduce the blast radius even after attackers get in.

See how Laminar helps organizations keep their data secure by providing a complete Cloud Data Security Platform, including best-in-class data security posture management (DSPM).

Cloud Security Product Update: Breaking Three Boundaries for Cloud Data Security

Breaking new boundaries

As Laminar’s VP of Product, I enjoy every time our team achieves new heights. I love innovations that truly add value for our customers. It’s exciting to break new boundaries and redefine what’s possible. Protecting your most sensitive data in a public cloud environment is hard. Engineers and data scientists build fast, collect and process data at huge volumes, and are doing the right thing for the business, but they don’t always have security and privacy top of mind.

Laminar has been defining a new reality for data security in the cloud across the industry. We have also been providing our clients with innovative, first-in-class services. As of today, we are widening our lead in the industry with several valuable new capabilities:

  • First to secure cloud data in a multi-cloud environment by adding support for Microsoft Azure.

    Multi-cloud adoption has soared due to the advantages of rapid development and minimal vendor lock-in. Gartner estimates that “more than 75% of organizations use multiple public cloud services today, and have plans to expand.” With this announcement Laminar is first in the public cloud data security market to support multi-cloud, by adding Microsoft Azure support to the existing support for Amazon AWS. This has several advantages for fast-moving enterprises:
    1. Consistent controls: With a single pane of glass across a multi-cloud environment, enterprises can apply a consistent set of data governance policies, no matter where and how that data is collected and stored. This capability empowers teams to move faster, make fewer mistakes, and ramp up quicker by mastering fewer tools.
    2. Level-set security: Rather than having different levels of security due to different levels of knowledge about the built-in offerings of the public clouds, Laminar provides a consistently high level of data security across all clouds.
    3. Cloud Data Catalog: Laminar creates a cloud data catalog across clouds, across tech stacks, and physical locations that contributes to true data democratization.
    4. Guided remediation: Remediation recommendations include the exact set of actions needed for that exact cloud environment, thereby increasing the efficiency of security and governance teams.
  • First to offer a full suite of data-centric security policies

    While most cloud security approaches define security policies at the infrastructure level, Laminar is now the first to offer a full suite of data-centric policies that are automatically enforced. These data-centric policies are geared towards preventing the breach or leakage of sensitive data, regardless of the cloud infrastructure that stores it. Focusing on securing the data as opposed to the infrastructure is at the root of Laminar’s Cloud Data Security Platform and enables many advantages for security teams:
    1. Increased focus and efficiency: Data-centric policies allow security teams to focus on what matters. For example, an infrastructure-centric policy would specify that no S3 bucket may be publicly accessible. Such a policy then drives tedious, manual processes to figure out whether a publicly accessible bucket was designed to be so, and what data it might store. The related but enhanced data-centric policy, based on a deep and precise data catalog, would only trigger when actual sensitive data is accidentally publicly exposed, regardless of where it is stored.
    2. Process simplification: A single data-centric policy replaces multiple infrastructure-centric policies, such as one policy per data asset type and per cloud environment. Thus, a data-centric approach greatly simplifies the policy setup process. In a world where security practitioners are a scarce resource, simpler, more focused processes translate into enhanced security.
    3. Reduction of risk: While securing the infrastructure and the application environment is important to prevent and stop attacks, data-centric security policies let organizations make sure data is not mismanaged, so that in the event of a breach the blast radius is greatly reduced.
  • First to discover and classify data in self-hosted, embedded databases

    “Shadow Data” encompasses data that is not tracked by IT yet might contain sensitive information. A major category of Shadow Data is databases that are embedded into cloud compute instances (AWS EC2 instances or Azure VMs). As developers rapidly iterate, they easily spin up embedded, hidden data assets that are most often unprotected, and targeted by threat actors. With this announcement, Laminar is the first to support the discovery of these data assets wherever they are located, and the asynchronous, autonomous mapping and classification of the data stored in those assets. This has several advantages for dynamic development environments:
    1. Uncovering Shadow Data: Laminar uncovers new as well as abandoned embedded databases spun up by developers, and untracked by security teams.
    2. Autonomous: The platform autonomously and continuously discovers all data assets as they are created by developers or data scientists. Laminar is unique in being able to access data assets even without requiring users to provide credentials such as passwords. The security team is always up to date without any manual steps.
    3. Pinpointing abandoned “Lift and shift” data assets: As legacy systems are “lifted and shifted” to the cloud and then upgraded to cloud-native resources, the result is typically abandoned yet highly sensitive embedded databases that are both untracked and at high risk. Laminar ensures that these data assets are discovered and protected by default.

These are not the last firsts

In closing, I anticipate many, many more firsts with Laminar. I further anticipate that we will continue to define the public cloud data security market, and continue to provide our clients with the best cloud data security platform and services in the market.

Houston, We Have a Public Cloud Problem

Nice to meet you all. I’m Ido Livneh, VP, Product at Laminar. I have been spending most of my time this year speaking with CISOs, CDOs (Chief Data Officers) and data protection leaders about their challenges in protecting data in modern public cloud environments, and I found some common themes that almost everyone is struggling with. The central issue reminds me of the Apollo 13 line, “Houston, we have a problem.” In this case, it’s data protection in the public cloud. Old workflows and solutions just don’t cut it anymore, as the environment has changed. This key challenge led us to focus on an extremely valuable and novel solution for our customers.

We have benefited tremendously from our investor Insight Partners’ program, Insight IGNITE, which introduced us to hundreds of security and data protection decision makers. Speaking with these experts allowed us to validate the problem and the solution. To perfect the product-market fit, we wanted to rely on research and verification, not haphazard guessing. Which fits so well with another Apollo 13 quote, by flight controller Gene Kranz: “Let’s work the problem, people. Let’s not make things worse by guessing.”

Data is at the center of the cloud transformation

Enterprises now put data at the center of innovation. They understand that it is a key asset and a source of differentiation. They democratize it to unleash its full potential and make it accessible for developers and data scientists. Today, innovation happens in the cloud, and new applications run on cloud infrastructure. 

This cloud transformation is great for the business, but it also introduces significant changes to cybersecurity risks, workflows, and acceptable solutions. Recently, a wave of Cloud Security Posture Management (CSPM) solutions addressed these changes for the actual infrastructure: the VMs, the boxes, and so on. However, overwhelmingly, we found that data protection teams were left behind. The solutions they use and the manual processes they follow haven’t adjusted to this new environment, which makes their work more challenging than ever before. Most data protection teams are blind to what sensitive data they have in the public cloud.

How the public cloud changed data protection

There are four major factors that significantly changed data protection in public clouds:

  • A sprawl of tech and high complexity

    There are dozens of technologies to store, use, and share data in the cloud. They can be managed by the cloud service provider (AWS S3 buckets, Google Cloud Storage, Azure Blob Storage, etc.), by IT (AWS RDS), and even by developers or DevOps (a database that runs on an EC2 instance or a Kubernetes node). Each one is configured and used differently. Each one introduces new risks. Not only are these new architectures complex and confusing, they are dynamic and constantly changing. Developers are now in charge and can spin up or copy an existing datastore in a matter of minutes.
  • Data protection teams as business enablers

    Modern data protection teams don’t stop developers from making changes. They set guardrails to allow fewer mistakes. They do fewer architecture reviews as gatekeepers and more continuous monitoring and risk assessments as stewards. Therefore, data protection teams no longer assume they know where all the data is, but rather they are looking for a solution that allows continuous and automated discovery and classification.
  • Data democratization and the pace of change

    Changes to the data are pushed to production at an astonishing pace. More and more developers and data scientists leverage data every day. This makes manual efforts ineffective: by the time they are completed, their results are already out of date.
  • No perimeter

    All data in the cloud is accessible from anywhere, given the right credentials or tokens. There’s no longer a single choke point to protect and monitor. Any data leak detection should be distributed and cover all channels of egress and the entire public cloud.

No visibility, context, accountability, or leak detection

The lack of proper solutions to address those changes made the work of data protection teams harder than ever before. They have limited resources to handle the increasing data risk, yet answering data protection questions is only getting harder. This can be split into four main problems:

  • Lack of visibility: where’s my sensitive data? Who has access? How is it configured?
  • Lack of context: what is this data? How did it get there? How is it used?
  • Lack of accountability: who made these changes? Who is the process owner?
  • Lack of leak detection: are my policies being followed? Are there any anomalies in data access and sharing?

“Be thankful for problems. If they were less difficult, someone with less ability might have your job”

Jim Lovell, Apollo 13 astronaut

A three-step approach towards public cloud data protection

These problems inevitably lead to rapid growth in data leakage incidents in the public cloud. IDC recently reported that 98% of all companies experienced a cloud data breach within the past 18 months. Data policies are violated. Ensuring data privacy and compliance in the public cloud is a tedious struggle. To address that, we recommend that every organization take this three-step approach to Public Cloud Data Protection:

  • Discover and Classify continuously for complete visibility.
  • Secure and Control to improve data risk posture.
  • Detect Leaks and Remediate without interrupting data flow.

The launch of Laminar was about the problem, the opportunity. Learn more about why Public Cloud Data Protection Needs a New Approach.