Securing the cloud is complex. Securing data in the cloud is hyper-complex.
That’s why organizations need more than one solution: data security posture management (DSPM) to secure the data, and cloud security posture management (CSPM) to secure the infrastructure. The two solutions are very different. They answer different needs and take different viewpoints, and both are needed to secure your organization.
Here’s why you should look at both as part of your larger cloud security stack. The story is one of contrasts, not comparisons.
Data Security Posture Management (DSPM)
There are dozens of different ways to store data in AWS alone. Add Azure, GCP and Snowflake, and the complexity is multiplied further by the speed of data proliferation. Developers and data scientists use data freely in the cloud: they can now move, copy and share data in seconds instead of weeks, and spin up new databases as quickly and as often as they like.
While this has been amazing for the business, it creates a gap in security, because when data proliferates, its security is usually an afterthought. In this new world of cloud operations, security teams need to make sure controls are tight while not infringing in any way on the free, unfettered use of data by developers and data scientists necessary for business innovation.
With DSPM, security teams finally have a solution custom-built for this challenge. A solution built to protect the data. A solution that abstracts away the underlying infrastructure storing the data. This matters because the data security practitioner doesn’t need to know whether data is in RDS, S3 or Google BigQuery, or whether it lives on AWS, GCP, Azure or Snowflake. What they do care about: what data the organization is storing, how it is being protected, who should and who does have access to it, what the risk of exposure is, and how to fix it.
DSPM is the policy engine that lets security teams set guardrails in a data-centric way, one that abstracts away the complexity of cloud infrastructure and keeps up with ongoing data proliferation. A fully automated, data-centric policy engine (as provided by a DSPM) secures your data at the speed of cloud. With it, data security can focus on the data and on the policies that provide the guardrails for protecting it. For instance, a data policy could dictate that personally identifiable consumer data must never be publicly exposed, regardless of the infrastructure in which the data resides.
The DSPM then translates these data policies into concrete technical checks for each kind of store, shows the user where a policy is currently violated, prioritizes the violations for resolution, and helps fix them with clear, store-specific remediation instructions.
DSPM policies focus on:
- Data exposure and access
- Data obfuscation (encryption, tokenization, anonymization)
- Data segmentation of the environment
- Data retention
- Data proliferation control
With this new tool in hand, the data security practitioner needs only to define a set of data-centric security guardrails, and then let the DSPM do the work of finding violations and monitoring for data proliferation. Say you have social security numbers publicly exposed in an Oracle DB hosted on a virtual machine in Azure. The data security person doesn’t even need to be aware that the virtual machine exists. The DSPM discovers the asset, finds the sensitive data in it, and determines there is a data security policy violation. It determines the priority of violation based on several factors including sensitivity and risk, and engages the relevant team members to help in remediation.
Cloud Security Posture Management (CSPM)
In contrast, CSPM is all about the infrastructure. CSPM tools pull metadata through the cloud provider’s API to gain visibility into the cloud infrastructure layer only. CSPM controls typically address infrastructure-level operational activities, such as ensuring that encryption keys are properly and regularly rotated or that multi-factor authentication (MFA) is enforced on a critical system. CSPMs also report on, and advise against, overly permissive identity and account settings.
Although CSPMs can detect publicly exposed storage buckets, they lack complete insight into where the sensitive data stores in the cloud environment are, how that data could be exposed, or what security posture the data should have. For instance, they do not know which data should be encrypted, how long it should be retained, or who should and should not have access to it. They do not monitor access to sensitive data in the cloud or detect indications of leakage or exfiltration of these “crown jewels.”
Two concrete examples from our customers’ environments show where CSPM and DSPM differ. One customer had a publicly exposed S3 bucket that the CSPM identified, but the bucket was public by design: it was hosting a website. Someone inside the company, however, had mistakenly placed highly sensitive data in that bucket, so that data was now public too. A CSPM does not catch this, because it is not aware of the data elements inside; a DSPM does. The reverse also happens: the S3 bucket is not publicly exposed, but individual data elements inside it can be, and are (in S3, an object ACL can grant public read even when the bucket policy grants nothing, unless S3 Block Public Access is turned on for the bucket). The infrastructure looks secure, yet the data is still exposed. We have seen both patterns many times in our customers’ environments.
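The data-centric policy flow described above (define a guardrail, discover stores, classify the data in them, compute effective exposure, prioritize, point at a fix) and the two S3 cases just described can be illustrated with a small Python model. This is an added example, not Laminar’s code or any DSPM product’s logic; the inventory, the simplified SSN pattern, the store and object fields, the "public by design" flag and the ordering by record count are all constructed assumptions for the illustration. It runs the same constructed inventory through a CSPM-style check that sees only store configuration and a DSPM-style check that looks at the data inside each store.

```python
"""Toy contrast of a CSPM-style check (store configuration only) with a
DSPM-style check (effective exposure of the sensitive data inside each store).
Everything here is constructed for illustration: the inventory, the SSN
pattern and the field names are assumptions, not any product's data model."""
import re
from dataclasses import dataclass, field

# Simplified SSN pattern: excludes area 000/666/9xx, group 00 and serial 0000.
# A real classifier uses context and validation beyond a regex (assumption).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class DataObject:
    key: str
    content: str
    public_acl: bool = False  # object-level grant of anonymous read


@dataclass
class DataStore:
    name: str
    provider: str  # "aws", "azure", ...
    kind: str      # "s3", "oracle-on-vm", ...
    public: bool   # store-level exposure: bucket policy, open listener, ...
    public_by_design: bool = False  # accepted exception recorded by the infra team
    objects: list = field(default_factory=list)


def count_ssns(content: str) -> int:
    """Classification step: how many SSN-shaped records does this object hold?"""
    return len(SSN_RE.findall(content))


def cspm_findings(stores):
    """Infrastructure view: public stores that are not an accepted exception.
    This check never looks at the objects, so it cannot see sensitive data
    placed in a public-by-design store or exposed through an object ACL."""
    return [s.name for s in stores if s.public and not s.public_by_design]


def dspm_findings(stores):
    """Data view for the guardrail 'SSNs must never be publicly exposed,
    regardless of the store they sit in'. Effective exposure of an object is
    store-level public OR object-level public."""
    findings = []
    for s in stores:
        for o in s.objects:
            records = count_ssns(o.content)
            if records == 0:
                continue  # not in scope of this policy
            if s.public:
                exposure = "store-public"
                fix = ("move the object out of the public-by-design store"
                       if s.public_by_design else "restrict store-level public access")
            elif o.public_acl:
                exposure = "object-acl-public"
                fix = "remove the public-read object ACL and block public ACLs on the store"
            else:
                continue  # sensitive, but not exposed: compliant with this policy
            findings.append({
                "store": s.name, "provider": s.provider, "kind": s.kind,
                "object": o.key, "ssn_records": records,
                "exposure": exposure, "remediation": fix,
            })
    # Prioritize by how many sensitive records are exposed (a stand-in for
    # the richer sensitivity/risk scoring a real product would apply).
    findings.sort(key=lambda f: f["ssn_records"], reverse=True)
    return findings


# Constructed inventory mirroring the cases in the text.
INVENTORY = [
    DataStore("marketing-site", "aws", "s3", public=True, public_by_design=True, objects=[
        DataObject("index.html", "<html>Welcome</html>"),
        # someone dropped a customer export into the website bucket
        DataObject("exports/customers.csv",
                   "name,ssn\nAda,123-45-6789\nBob,234-56-7890\nCy,345-67-8901\n"),
    ]),
    DataStore("hr-archive", "aws", "s3", public=False, objects=[
        DataObject("handbook.pdf", "Employee handbook, no personal data"),
        # bucket is private, but this one object carries a public-read ACL
        DataObject("payroll-2023.csv", "emp,ssn\nDan,456-78-9012\nEve,567-89-0123\n",
                   public_acl=True),
    ]),
    DataStore("oracle-vm-azure", "azure", "oracle-on-vm", public=True, objects=[
        DataObject("CUSTOMERS",
                   "ID|SSN\n1|678-90-1234\n2|789-01-2345\n3|890-12-3456\n4|111-22-3333\n"),
    ]),
    DataStore("app-logs", "aws", "s3", public=False, objects=[
        DataObject("2024-01-02.log", "2024-01-02 GET /index.html 200"),
    ]),
]

if __name__ == "__main__":
    print("CSPM flags:", cspm_findings(INVENTORY))
    for f in dspm_findings(INVENTORY):
        print(f"DSPM: {f['store']}/{f['object']} {f['ssn_records']} SSNs "
              f"({f['exposure']}): {f['remediation']}")
```

Run as is, the CSPM-style check flags only the open Oracle VM, because the website bucket is an accepted exception and the HR bucket is private at the bucket level. The DSPM-style check flags all three sensitive objects, ordered by how many records are exposed, and the remediation differs by why the object is reachable: the export in the public-by-design bucket should be moved, not the bucket closed, while the payroll file needs its object ACL removed. The private log bucket produces no finding under either view.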
The Bottom Line
Organizations need both CSPM and DSPM. They complement each other and cover the different perspectives needed to effectively secure multi-cloud environments: one provides an infrastructure-centric perspective, the other a data-centric one. Both are important parts of a defense-in-depth strategy: CSPM to keep intrusions out of your infrastructure, and DSPM to protect the data and reduce the blast radius even after attackers get in.
See how Laminar helps organizations keep their data secure by providing a complete Cloud Data Security Platform, including best-in-class data security posture management (DSPM).