The Comprehensive Guide to Data Security Posture Management (DSPM)

In this guide we detail everything you need to know to fully understand DSPM, including the many reasons it is so critical to an organization's overall security strategy, comparisons to existing approaches, the main benefits of adding DSPM to your security stack, how it works, and guidance on picking a solution.

What is Data Security Posture Management?

Data security posture management (DSPM) is an approach to data security that solves one of the most complex issues in modern cloud environments—knowing where all your data is and how it is secured. This emerging security trend was named by Gartner in its 2022 Hype Cycle for Data Security and has quickly become one of the most critical practices in the cybersecurity space. DSPM addresses the inherent challenges arising from the rapid proliferation of sensitive data that lives in multiple clouds, is stored across many different environments and types of cloud storage technologies.

Data security posture management, sometimes known as cloud data security posture management (CDSPM), provides organizations with a practical approach to securing cloud data by ensuring sensitive and regulated data always has the correct data security posture regardless of where it is stored or moved to. To accomplish this, DSPMs must be able to discover all cloud data, classify it by data type and sensitivity level, detect and alert on data security policy violations, prioritize those alerts, and provide remediation playbooks.

Because of the emerging nature of this new technology, you may still need to become familiar with the who, what, when, where, why, and how. This article aims to provide you with all the tools you need to fully understand why DSPM is so critical to a defense-in-depth strategy, including why you need it, how it compares to existing approaches, how it works, and what to look for in a DSPM solution.

Why do I need a DSPM Solution?

Cloud Transformation + Data Democratization = The Perfect Storm

As the world becomes more technologically advanced, customers and employees expect better and more advanced digital services in their daily lives and also from their business providers. Competition is fierce. Expectations are high. Innovation is critical, which is why organizations have embraced cloud transformation initiatives and moved to the cloud for its flexibility and scalability, but also for its ability to democratize data, aka—make the data available to more people so that they can better harness the value of that data. Because the biggest winners in the cloud era are those that generate the most value from their data.

Why is a DSPM solution important: Gartner prediction on the importance of data analytics initiatives - Laminar Security

This new era shepherded in by cloud transformation and data democratization is characterized by:

  1. The sprawl of cloud data storage technologies across multiple cloud providers which are often configured differently, resulting in multiple architectures that are constantly changing and difficult to manage.
  2. The proliferation of data (mostly shadow data) caused by developers having so many technologies at their disposal that they can spin up or copy entire data stores quickly, without having to involve security.
  3. The death of the traditional perimeter as cloud data is a shared model meaning that data is accessible to everyone from anywhere with no single choke point, leading to sensitive data being overexposed.
  4. A faster rate of change as release cycles now happen in weeks, days, and hours rather than months and years, often leaving security out of the process or forcing security to respond quickly to ensure data is appropriately protected.

The proliferation of cloud data technologies: cloud data security leader Laminar solves the complexity of the cloud data with its DSPM Solution - Laminar Security

The convergence of these factors has created an “Innovation Attack Surface”: a new kind of threat that most organizations unconsciously accept as the cost of doing business. Whereas the traditional attack surface was determined by outside-in activity—malicious external forces (including internal bad actors) seeking to exploit vulnerabilities to gain illicit access to protected information, the innovation attack surface is massive, decentralized, accidental risk creation by the smartest people in your business—your developers and data scientists.

It is in combating this new threat that the need for data security posture management (DSPM) was born.

View our TAG Cyber video on the importance of cloud data security and DSPM.

Limitations of Legacy and CSP-native Solutions

The nature of cloud data, which is magnitudes larger, more distributed, and more dynamic than it was in the on-premises days, has outpaced the capacity of traditional data security to protect it. The result is what we at Laminar refer to as the Security Execution Gap – where security teams lack the tools and expertise to securely support data-led value creation in the cloud.

The security teams that close this gap don’t just create a more secure data environment—they actively enable cloud data practitioners to create more value faster (and safer) than the competition.

In this section, we will explore further the limitations of traditional and other solutions to better understand why DSPM is the only solution.

Alternative

  • Impossible to keep up with the agile cloud environment because things change so fast data inventory becomes obsolete in minutes.
  • Security is blind to “shadow” data, the sensitive files that are copied or moved to data stores they don’t know about.
  • Security has no ability to track the most important “crown jewels” and put proper monitoring in place.
  • There is no ability to easily understand exposure at the data element layer and how to limit access.
  • Require a great deal of in-house engineering work that could be directed to more strategic projects.
  • Connector/agent-based approaches can not autonomously discover unknown data, meaning shadow data. They are simply blind to much of the data in cloud environments.
  • Connector-based solutions require access to the production instances; scanning should be asynchronous to production environments so it won’t affect performance.
  • Cannot discover offline data and are expensive to configure and maintain.
  • Impossible to keep up with the agile cloud environment because things change so fast data inventory becomes obsolete in minutes.
  • Time to value is long for larger enterprises as each data asset must be identified, configured and connected to. For thousands of assets this can take months.
  • They are either single cloud specific or have limited multi-cloud support.
  • The common per-use model is cost prohibitive.
  • They can’t find unknown or “shadow” data.
  • They do not provide policy alerts, guided remediation or ongoing monitoring.
  • Very limited data store scope – for example, AWS Macie only supports AWS S3 buckets; that is incomplete for almost all users. It does not scan RDS, EBS, or self-hosted (e.g., running inside a VM or container) databases on EC2.

The nature of cloud data, which is magnitudes larger, more distributed, and more dynamic than it was in the on-premises days, has outpaced the capacity of traditional data security to protect it. The result is what we at Laminar refer to as the Security Execution Gap – where security teams lack the tools and expertise to securely support data-led value creation in the cloud.The security teams that close this gap don’t just create a more secure data environment—they actively enable cloud data practitioners to create more value faster (and safer) than the competition.

In this section, we will explore further the limitations of traditional and other solutions to better understand why DSPM is the only solution.

 

Alternative Main Limitations
Manual/Homegrown
  • Impossible to keep up with the agile cloud environment because things change so fast data inventory becomes obsolete in minutes.
  • Security is blind to “shadow” data, the sensitive files that are copied or moved to data stores they don’t know about.
  • Security has no ability to track the most important “crown jewels” and put proper monitoring in place.
  • There is no ability to easily understand exposure at the data element layer and how to limit access.
  • Require a great deal of in-house engineering work that could be directed to more strategic projects.
Legacy, on-prem (e.g., BigID, Varonis)
  • Expensive to configure and maintain as it requires the operator to have a list of and credentials for all the data stores, and to try and keep up to date on new data stores.
  • Connector/agent-based approaches can not autonomously discover unknown or offline data, meaning shadow data. They are simply blind to much of the data in cloud environments.
  • Connector-based solutions require access to the production instances; scanning should be asynchronous to production environments so it won’t affect performance.
  • Impossible to keep up with the agile cloud environment because things change so fast data inventory becomes obsolete in minutes.
  • Time to value is long for larger enterprises as each data asset must be identified, configured and connected to. For thousands of assets this can take months.
CSP-Native Tools (e.g., AWS Macie, Azure PurView, Google DLP)
  • They are either single cloud specific or have limited multi-cloud support.
  • They are “per-use” and not continuous scanning. They show only data on assets that were configured for scanning, not unknown or shadow assets. There is no smart scanning of changes to data, each time you pay for a complete re-scan.
  • The common per-use model is cost prohibitive.
  • They can’t find unknown or “shadow” data.
  • They do not provide policy alerts, guided remediation or ongoing monitoring.
  • Very limited data store scope – for example, AWS Macie only supports AWS S3 buckets; that is incomplete for almost all users. It does not scan RDS, EBS, or self-hosted (e.g., running inside a VM or container) databases on EC2.
CSPM/CNAPP (e.g., Wiz, Orca, Lacework)
  • Infrastructure security team is the primary user, not data security
  • Provides basic data discovery with limited context (for example, it can’t tell who owns data, how it’s used, or what it’s security posture is/should be)
  • Has no focus on GRC – privacy, compliance, or governance requirements
  • Does not discover or alert on misplaced or redundant data
  • Increases risk by moving data outside your cloud environment

A more detailed discussion on CSPM vs. DSPM.

Why do organizations need both DSPM and CSPM?

Organizations need both CSPM and DSPM solutions. They are separate but complementary technologies. When a CSPM leverages the rich data context from the DSPM, the security teams can focus on those alerts that impact highly sensitive data, thereby gaining a higher return on remediation efforts.

The two technologies cover different perspectives that are needed to effectively secure multi-cloud environments. One is focused on their primary user of the infrastructure team. The other is designed for data security teams that prioritize security, governance, and privacy requirements independent of infrastructure.

How does DSPM benefit the business?

Deploying a DSPM in an organization yields many benefits to security and data leaders, data security owners, data governance team members, and the users of the data (e.g., developers, data scientists). Among them:

  1. Prevention of sensitive data exposure. In this digital age, an organization’s most important asset is its data. By focusing on the data and finding all known as well as hidden or shadow data DSPM protects cloud data from both external and internal threats.
  2. A smaller, more manageable data attack surface. Protecting the most sensitive data becomes easier when you’ve eliminated the data you don’t need. The identification and remediation of all data security violations ensures proper controls across your cloud environment.
  3. Empowerment of value creators. With DSPM and its ability to automate the validation and enforcement of data security policies, security teams have a chance to empower their cloud data users to innovate, all while protecting the company by keeping sensitive data secure, effectively decoupling data risk from data growth.
  4. Faster, more assured compliance. GDPR, HIPAA, CCPA, COPPA, SOXII, CDMC the acronym soup of privacy regulations, security and data frameworks that have a data component is daunting. That’s what compliance teams are for. Discovering the data in the cloud, classifying it, ensuring compliance by comparing against data security policy and driving action—that’s what DSPM is for.
  5. Reduced cloud cost. Storing data in the cloud costs money month in and month out. The right DSPM has features to help organizations identify redundant, obsolete and trivial (ROT) data in their cloud infrastructure that can be deleted or eliminated to reduce cloud usage fees and reduce the attack surface.

What are the key components of a mature DSPM?

Key components of a DSPM (Data security posture management) - Laminar Security

Data security posture management consists of several elements. These elements together represent the capabilities of a mature DSPM solution as follows:.

  • Discover: Autonomously discover, classify, and catalog all known and shadow data at scale across your public cloud environment.
  • Prioritize: Prioritize all data based on its sensitivity level, security posture, volume, and exposure.
  • Secure: Assess the posture status of sensitive data against extensive pre-built policies, alert on violations, and provide remediation guidelines.
  • Monitor: Continuously monitor new and modified data stores against stated security posture and regulations, regardless of where the data moves in the cloud.

How and when is DSPM used?

Data security, data governance, and privacy practitioners can use DSPM solutions in many ways to help keep their organization secure and compliant. The following are some of the core use cases:

  • Discover and classify data – autonomously build an extensive map of your data landscape. Discover, classify, and categorize all known and unknown data, including shadow and abandoned data across all cloud accounts.
  • Automate policy validation and enforcement – find, prioritize, and fix policy violations for all your cloud data as it travels through the cloud.
  • Control data exposure – pinpoint all your exposed sensitive data and remediate. Whether it’s misplaced data, misconfigured controls, or overexposed access.
  • Comply with data sovereignty – detect and create alerts when sensitive and regulated data violates data residency requirements.
  • Enforce environment segmentation – segment the environment based on data privacy requirements (e.g., PCI DSS, HIPAA) and business needs.
  • Comply with Data Privacy and Governance Frameworks – continuously enforce regulatory compliance and standards requirements for data, and streamline and fast-track evidence collection.

Read on about the core DSPM use cases.

How do I choose a DSPM solution?

Subscribing to and installing a security solution, even the most necessary of solutions, is an investment. Of time, effort, and money. So how can you make sure you’re choosing the best DSPM in the market? Here are several things to look for:

1. A cloud-native platform that has the following attributes:

    • Easy-to-use: In today’s world, practitioners expect their products to have a modern, fresh appearance, similar to what they are used to seeing in their everyday lives. DSPM tools should be as easy to use and lightweight as the tools they use in their personal lives.
    • Fast time-to-value:Your CloudOps team will likely be required to install your DSPM. The process should be easy to understand, with an easy-to-review permissions scheme and a simple installation process. The solution should also be agentless and asynchronous with zero performance impact.
    • Plug & Play: Must not require installation or configuration of connectors or agents. Must not require selection of datastores to scan or obtaining or entering of credentials for each target asset.
    • Risk-free: Your DSPM needs to utilize serverless functions that leverage APIs to scan your environment, so data never leaves your cloud environment for maximum security and privacy.
    • Integrated: Most security teams use a wide range of security tools and are also responsible for many cloud technologies. Your DSPM should be able to integrate with other security and IT tools, such as ITSM, SIEM, CSPM, and CIEM, and take input from any cloud.

2. Discovery and classification that finds known and shadow data and has:

    • Autonomous activity: You deploy a DSPM because you don’t know where your data is in the cloud. That’s why you need a DSPM that you install with just the basic information on your cloud account(s) and then let it run independently without your involvement. There should never be a need to provide a map of data assets, locations, data owners, or access credentials.
    • Breadth of coverage: Cloud environments are complex, so a DSPM must be able to work across multi-cloud environments and read data from within as many of the databases, data pipelines, applications, data warehouses and lakes, be they SaaS, managed or hosted, and object types (collectively, “asset types”) as possible, including shadow data.
    • Depth of coverage: Once assets are discovered, look for a solution that can make sense of, parse, and classify all the data within those asset types; derive context from technical systems and business processes; and classify sensitive data across structured, semi-structured and unstructured data.
    • Custom settings: An organization’s data and risk tolerance are as unique as the organization itself, so it’s important to have the ability to customize data types and sensitivity levels, and add new data types.
    • Multi-Step Contextual Classification: The security team needs solutions that simplify their lives, not complicate them (by adding unnecessary notifications). Therefore, it is necessary to find an out-of-the-box solution that finds your sensitive data with little input and low false positive (FP)/false negative (FN) rates while also being customizable for organizations with specific needs.
    • Data Object Context: Once you’ve discovered your data, you need to know what to do with it. Your DSPM therefore needs to discover the information needed for actionable remediation like file type, content type and owner.
    • Low scanning cost: It doesn’t take long for cloud costs to add up, so choose a data security solution that doesn’t drastically increase your cloud bill.

3. Robust Prioritization that takes into account:

    • Multiple risk factors: The scope of cloud environments makes it impossible to fix all exposures. Prioritizing should be based on a risk profile that takes into account multiple risk factors, such as data sensitivity level, data volume, data exposure, and data security posture.
    • Custom data sensitivity types: Every organization has their own definition of what is restricted, sensitive, confidential, etc. DSPMs must allow for custom definitions of these sensitivity types and associate them with the proper risk profile.

4. Controls that secure data in cloud environments with:

    • Security policies developed by data experts: A credible DSPM vendor will have its own data experts who have developed an extensive set of policies for their solution that are based on data security and privacy best practices published research institutes, thought leaders and regulators, such as GDPR, CCPA, CDMC, CIS, and others. Policies should also cover overexposed sensitive data, unprotected sensitive data, misplaced sensitive data, and redundant sensitive data.
    • Customization: In data security, one size does not fit all. Policies must be customizable to meet the unique needs of organizations with specific regulatory requirements or business needs.
    • A data-centric view across the infrastructure: Data security should only need to focus on and understand the data, so DSPMs must have a data-centric view and find violations across all of the different technologies where sensitive data may be stored.
    • Guided remediation: Once exposed sensitive data has been identified and prioritized, look for a DSPM that offers actionable, guided remediation, infrastructure-aware playbooks, seamlessly integrated into existing ticketing workflows.

5. Monitoring that is:

    • Always-on: The cloud environment changes frequently; your DSPM has to keep you up to speed on environment changes. Look for one that automatically scans new cloud accounts, new data assets that pop up, or new data that is created inside existing assets. No manual steps required.

All of these factors combine to make the best DSPM platform. Here is a quick checklist to use when reviewing.

DSPM Checklist: Quick Data Security Posture Management Evaluation Checklist by Laminar Security

About Laminar

As the leading enterprise DSPM platform, Laminar Security provides agile data security for the cloud, empowering value creators to innovate while reducing risk with always-on security that proactively uncovers all cloud data, classifies it intelligently based on its sensitivity and business impact, identifies and alerts on data security policy violations, prioritizes those alerts, and provides actionable recommendations to remediate them.

Register today and secure your very own personalized, demo of the Laminar DSPM.