Gartner’s Hype Cycle for Data Security, 2022 highlighted an area of innovation that data and security professionals should keep their eye on: data security posture management (DSPM). According to the report, DSPM is a response to the increasingly complex multi-cloud infrastructures security and IT teams are managing today. These ecosystems often consist of disparate platforms, hundreds of cloud services, varying data formats, tons of access points, and, of course, the vast volume of data generated by countless systems and users every day.
With increasing data innovations and agile cloud development, data proliferates quickly and data security teams no longer have a holistic view of an organization’s data in the cloud. This includes:
- where it is stored
- who has access
- whether it’s secure
- whether it’s in compliance with relevant regulations
Without a holistic view, teams are likely to face unprotected, overexposed, misplaced, redundant and unknown shadow data, which can—and often does—include sensitive data. With that in mind, it’s no surprise that nearly half (45%) of all data breaches happen in the cloud, the average cost of which is over $9 million USD in the United States.
Gartner emphasizes the importance of DSPM because it “provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data store or application is.” This data visibility empowers data security professionals to assess risk, establish and enforce security policies, meet compliance requirements, remediate vulnerabilities, and more.
In this Hype Cycle, DSPM is located in the Technology Trigger phase, meaning a problem has been identified, but few understand the full scope of the problem, and fewer still know how to address it. So what does it actually mean for you and your business?
DSPM for Leadership
Achieving organization-wide buy-in on data security initiatives can be challenging. Infrastructure security is clearly in the domain of IT, while data security lies with the CISO, who is not always a part of IT. Additionally, buy-in must be obtained from the Chief Data Officer (CDO), data governance, and data privacy teams. CISOs constantly walk a very fine line between business agility and risk mitigation. One only has to look at the conviction of Uber’s former CISO to comprehend the seriousness of missteps for this role.
According to the Hype Cycle, DSPM’s market penetration is less than one percent currently. Security professionals can differentiate themselves and their organization by using DSPM to decouple data growth from data risk. With this strong foundation, CISOs can make risk-based decisions about data security, governance policies, compliance concerns and appropriate security controls — creating peace of mind for themselves and other stakeholders.
Regardless of where a company is in their cloud evolution, it’s never too early to look into new ways to secure data in the cloud. For example, data security governance (DSG), data risk assessment (DRA), financial data risk assessment (FinDRA), privacy impact assessments (PIA), data breach response processes, and DSPM are categories that many organizations should consider. These can help enforce more consistent policies, especially as new data and privacy laws continue to be rolled out.
On the topic of data security, it’s key to note that security professionals must carefully vet any DSPM solution, as this is a newly evolving product category. Here’s what you need to know.
Data Security Posture Management (DSPM) In Practice
The first step in any data management strategy is to obtain a concrete understanding of what data exists within your architecture. This is made even more difficult when you consider that the mean number of data sources per organization is 400.
Data Discovery, Classification, and Cataloging
As you’re building out your data catalog, remember to include not just your known data but also your shadow data—the data that exists in your cloud environment that security and IT may not even be aware of, such as deleted data from previous “versions” of your cloud data files.
Data cataloging is often done before a large data migration, as part of an audit, or during a cleanse, but in the agile cloud environment it must be continuous rather than a one-time event. Continuous data discovery and classification is core to DSPM.
Another piece of groundwork that must be tackled is mapping user access. With dozens of data storage services from each Cloud Service Provider (CSP), each with multiple access control technologies, mapping access to a specific data element is extremely challenging. It’s important to note that access to the data element is entirely different from access to the infrastructure. If you don’t have visibility into who has access to what data and how that data is accessed, you can’t track it or prevent unauthorized access.
Data Risk Management and Data Hygiene
Creating and enforcing data security policies can be a daunting and ambiguous task that is unique to each organization. The good news? DSPM tools often have out-of-the-box policies to get an organization started, or the ability to customize policies for organizations that already have a framework in place.
Laminar recommends beginning with a data governance framework, such as cloud data management capability (CDMC) or Gartner’s data security governance (DSG) framework. CDMC provides auditable processes and controls, in addition to establishing a system of protection levels for data with different risk profiles, ensuring that the most sensitive data receives the strongest protection. These best practices can be used to guide the buildout of an overarching data security policy.
Because DSPM provides such a comprehensive view of an organization’s data, Gartner posits that it “forms the basis of a data risk assessment (DRA) to evaluate the implementation of data security governance (DSG) policies.” Essentially, a framework gives guidelines for the specific processes and controls you should have in place, and DSPM gives complete visibility into where they apply, helping you enable governance and enforce compliance.
Once policies are in place, then you can:
(1) maintain data hygiene by remediating misplaced, redundant or obsolete data and
(2) manage data risk by detecting and remediating overexposed and unprotected data, and prioritizing security issues based on your business’ data risk profile.
Data Privacy and Compliance
DSPMs detect and remediate regulatory and industry compliance violations and generate audit-ready compliance reports. Data residency requirements are often one of the top concerns of data privacy and compliance users. That’s because given the nature of cloud—it’s not in owned, discrete geographic locations and is dispersed across the CSP’s infrastructure—data often travels to, is stored in, or is accessed from geographies you may not be aware of. This can put an organization in violation of privacy regulations. A DSPM provides visibility into data store geolocations and data movement across cloud environments and regions.
Data Access and Governance
We’ve talked about access above in several places because knowing who has access to what data is critical to protecting that data. During discovery and classification, DSPM identifies who has access to data and how it’s accessed (as noted above); for data governance teams in particular, DSPM can also identify all internal and external users, roles, and resources with access and, especially for sensitive data stores, track their privileges.
Data Context and Remediation
You’re probably noticing a trend—to fully grasp your data security posture, you need comprehensive visibility into every corner of your cloud infrastructure: who has access to which dataset, and whether it’s secure. But knowing there’s a problem is only useful if you can then fix the problem.
Data context gives the user an understanding of who owns the data. This is critical for remediation: to act on a recommendation, the person who owns the data store must be identified and contacted with the details of the recommended fix.
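The posture checks described above (access mapping, residency, overexposed sensitive data, and missing owner context for remediation routing) as one small worked example. This is added illustration code, not Laminar's platform or any CDMC/DSG tooling; the store names, regions, principals and the `Policy` thresholds are constructed sample values.

```python
from dataclasses import dataclass

SENSITIVE = {"PII", "PCI", "PHI"}          # labels a classification pass may attach
RANK = {"critical": 4, "high": 3, "medium": 2}

@dataclass
class DataStore:
    name: str
    region: str
    classifications: set   # labels found by content classification
    principals: set        # identities with read access to the data itself, not the infrastructure
    public: bool = False   # readable without authentication
    owner: str = ""        # data owner from tags/context; "" means unknown

@dataclass
class Policy:
    allowed_regions: set                # data residency rule
    max_principals_for_sensitive: int   # access-scope rule for sensitive stores

def assess(store, policy):
    """Return (severity, findings) for one store; severity is 0 when clean."""
    findings = []
    sensitive = bool(store.classifications & SENSITIVE)
    if sensitive and store.public:
        findings.append(("critical", "sensitive data publicly reachable"))
    if store.region not in policy.allowed_regions:
        findings.append(("high", f"stored outside allowed regions: {store.region}"))
    if sensitive and len(store.principals) > policy.max_principals_for_sensitive:
        findings.append(("high", f"{len(store.principals)} principals can read sensitive data"))
    if sensitive and not store.owner:
        findings.append(("medium", "no data owner recorded; fix cannot be routed"))
    severity = max((RANK[s] for s, _ in findings), default=0)
    return severity, findings

def prioritize(stores, policy):
    """Order stores by severity so the riskiest data is remediated first."""
    results = [(s.name, *assess(s, policy)) for s in stores]
    return sorted(results, key=lambda r: r[1], reverse=True)

# Constructed sample catalog (not real infrastructure); the snapshot plays the role
# of shadow data copied out of the governed store and then forgotten.
CATALOG = [
    DataStore("customers-db", "eu-west-1", {"PII"}, {"app-role", "dba"}, owner="data-platform"),
    DataStore("customers-db-snapshot-2021", "us-east-1", {"PII"},
              {"alice", "bob", "ci", "etl", "dev", "qa"}, public=True),
    DataStore("marketing-assets", "eu-west-1", set(), {"marketing"}, public=True, owner="marketing"),
]
POLICY = Policy(allowed_regions={"eu-west-1", "eu-central-1"}, max_principals_for_sensitive=5)
```

Running `prioritize(CATALOG, POLICY)` puts the forgotten snapshot first: public, outside the allowed regions, readable by too many principals, and with no owner to send the fix to, while the public but non-sensitive marketing bucket raises nothing.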
Why DSPM Now?
DSPM made it onto Gartner’s Hype Cycle 2022 because over a decade’s worth of cloud potential has been unleashed in a few years. That’s exposed a fast-growing gap between the agility needed to safely create value with cloud data and legacy data security tools and techniques.
Security teams can fight against the dying light of command and control based data security, or embrace a new role as critical enablers of business agility. The winners will be the ones that marry the agility they need to the security they have to have, with zero compromises for anyone.
There is a new risk environment that must be overcome: the Innovation Attack Surface, an ephemeral, non-contiguous patchwork of accidental (or negligent) risk creation by the smartest people in your business. In essence, it refers to the continuous, unintentional risk that cloud data users, such as developers and data scientists, create when using data to drive innovation.
What’s needed is a new agile security paradigm for cloud data. Agile means autonomous, continuous and context-driven protection for cloud data.
A cloud-native DSPM platform bridges the gaps between disparate cloud platforms, creating a comprehensive view of your entire public cloud environment. It automatically discovers, classifies, and analyzes your data; facilitates user access tracking; assesses for violations of your data security posture; and guides the remediation process for continuous protection.
From there, a CISO can feel more confident about their security posture including governance policies and appropriate controls, as well as reducing their data attack surface without slowing down business-critical processes and innovation.
DSPM tooling empowers security professionals to make their security processes efficient, effective, and scalable.
Laminar Delivers Agile Data Security for the Cloud
Laminar’s cloud-native DSPM platform continuously discovers, classifies, and secures all known and unknown data — including shadow data — across your cloud environments, establishing a comprehensive data catalog. With this foundation, you’ll be ready to assess adherence to the CDMC Framework, enforce data security policies, and meet compliance requirements, all without impacting cloud performance. The platform also continuously monitors your security posture, and if a policy violation is detected, it will prioritize alerts and send actionable remediation recommendations.
If you’d like to learn more about DSPM solutions, such as how they compare to other tools and how to evaluate them, check out our Guide to DSPM.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.