Yoav Regev

If you had searched for "DSPM" on Google three years ago, you likely would have only found information related to a dspm manufacturing website… But in just a few short years, the concept of Data Security Posture Management (DSPM) has evolved from an idea into a critical component of modern cybersecurity for enterprises.

Let’s rewind to the summer of 2021. Back then, when we were developing what would become Sentra and our DSPM solution, the term didn’t even exist. All that existed was the problem - data was being created, moved and duplicated in the cloud, and its security posture wasn’t keeping pace. Organizations didn’t know where all of their data was, and even if they could find it, its level of protection was inadequate for its level of sensitivity.

After extensive discussions with CISOs and security experts, we realized a critical gap between data security and the modern environments (further exacerbated by the fast pace of AI). Addressing this gap wasn’t just important—it was essential. Through these conversations, we identified the need for a new approach, leading to the creation of the DSPM concept, which didn't exist before. 

It was thrilling to hear my Co-Founder and VP Product, Yair Cohen, declare for the first time, “the world’s first DSPM is coming in 2021.” We embraced the term "Data Security Posture Management," now widely known as "DSPM."

Why DSPM Has Become an Essential Tool

Today, DSPM has become mainstream, helping organizations safeguard their most valuable asset: their data.

"Three years ago, when we founded Sentra, we dreamed of creating a new category called DSPM. It was a huge bet to pursue new budgets, but we believed that data security would be the next big thing due to the shift to the cloud. We could never have imagined that it would become the world’s hottest security category and that the potential would be so significant."

-Ron Reiter, Co-Founder and CTO, Sentra

This summer, Gartner has released its 2024 Hype Cycle for Data Security, and DSPM is in the spotlight for good reason. Gartner describes DSPM as having "transformative" potential, particularly for addressing long-standing data security challenges. 

As companies rapidly move to the cloud, DSPM solutions are gaining traction by filling critical visibility gaps. The best DSPM solutions offer coverage across multi-cloud and on-premises environments, creating a unified approach to data security.

DSPM plays a pivotal role in the modern cybersecurity landscape by providing organizations with real-time visibility into their data security posture. It helps identify, prioritize and mitigate risks across the entire data estate. By continuously monitoring data movement and access patterns, DSPM ensures that any policy violations or deviations from normal behavior are quickly flagged and addressed, preventing potential breaches before they can cause damage.

DSPM is also critical in maintaining compliance with data protection regulations. As organizations handle increasingly complex data environments, meeting regulatory requirements becomes more challenging. DSPM simplifies this process by automating compliance checks and providing clear insights into where sensitive data resides, how it’s being used, and who has access to it. This not only helps organizations avoid hefty fines but also builds trust with customers and stakeholders by demonstrating a commitment to data security and privacy.

In a world where data privacy and security threats rank among the biggest challenges facing society, DSPM provides a crucial layer of protection. Businesses, individuals, and governments are all at risk, with sensitive information constantly under threat. 

That’s why we are committed to developing our data security platform, which ensures your data remains secure and intact, no matter where it travels.

From DSPM to Data Security Platform in the AI Age

We began with a clear understanding of the critical need for Data Security Posture Management (DSPM) to address data proliferation risks in the evolving cloud landscape. As a leading data security platform, Sentra has expanded its capabilities based on our customers’ needs to include Data Access Governance (DAG), Data Detection and Response (DDR), and other essential tools to better manage data access, detect emerging threats, and assist organizations in their journey to implement Data Loss Prevention (DLP). We now do this across all environments (IaaS, PaaS, SaaS, and On-Premises).

We continue to evolve. In a world rapidly changing with advancements in AI, our platform offers the most comprehensive and effective data security solutions to keep pace with the demands of the AI age. As AI reshapes the digital landscape, it also creates new vulnerabilities, such as the risk of data exposure through AI training processes. Our platform addresses these AI-specific challenges, while continuing to tackle the persistent security issues from the cloud era, providing an integrated solution that ensures data security remains resilient and adaptive.

DSPMs facilitate swift AI development and smooth business operations by automatically securing LLM training data. Integrations with platforms like AWS SageMaker and GCP Vertex AI, combined with features such as DAG and DDR, ensure robust data security and privacy. This approach both supports responsible AI applications and also reduces risks such as breaches and bias.

So, Sentra is no longer only a DSPM solution, it’s a data security platform. Today, we provide holistic solutions that allow you to locate any piece of data and access all the information you need. Our mission is to continuously build and enhance the best data security platform, empowering organizations to move faster and succeed in today’s digital world. 

Success Driven by Our Amazing People

We’re proud that Sentra has emerged as a leader in the data security industry, making a significant impact on how organizations protect their data. 

Our success is driven by our incredible team, their hard work, dedication, and energy are the foundation of everything we do. From day one, our people have always been our top priority. It's inspiring to see our team work tirelessly to transform the world of data security and build the best solution out there. This team of champions never stops innovating, inspiring, and striving to be the best version of themselves every day.

Their passion is evident in their work, as shown in recent projects that they initiated, from the new video series, “Answering the Most Searched DSPM Questions”, to a behind the scenes walkthrough of our data security platform, and more.

We’re excited to continue to push the boundaries of what’s possible in data security.

A heartfelt thank you to our incredible team, loyal customers, supportive investors, and dedicated partners. We’re excited to keep driving innovation in data security and to continue our mission of making the digital world a safer place for everyone.

In April of 2023, it was discovered that several Samsung employees reportedly leaked sensitive data via OpenAI’s chatbot ChatGPT. The data leak included the source code of software responsible for measuring semiconductor equipment. This leak emphasizes the importance of taking preventive measures against future breaches associated with Large Language Models (LLMs).

LLMs are created to generate responses to questions with data that they continuously receive, which can unintentionally expose confidential information. Even though OpenAI specifically tells users not to share “any sensitive information in your conversations”, ChatGPT and other LLMs are simply too useful to ban for security reasons. You wouldn’t ban an employee from using Google or an engineer from Github. Business productivity (almost) always comes first.

This means that the risks of spilling company secrets and sharing sensitive data with LLMs are not going anywhere. And you can be sure that more generative AI tools will be introduced to the workplace in the near future.

‍

“Banning chatbots one by one will start feeling “like playing whack-a-mole” really soon.”

• Joe Payne, the CEO of insider risk software solutions provider Code42.

In many ways, the effect of LLMs on data security is similar to the changes we saw 10-15 years ago when companies started moving their data to the cloud.

Broadly speaking, we can say there have been three ‘eras’ of data and data security….

The Era of On-Prem Data

The first was the era of on-prem data. For most of the history of computing, enterprises stored their data in on-prem data centers, and secured access to sensitive data by fortifying the perimeter. The data also wasn’t going anywhere on its own. It lived on company servers, was managed by company IT teams, and they controlled who accessed anything that lived on those systems. 

The Era of the Cloud

Then came the next era - the cloud. Suddenly, corporate data wasn’t static anymore. Data was free and could be shared anywhere - engineers, BI tools, and data scientists were accessing and moving thus free-flowing data to drive the business forward. How you leverage your data becomes an integral part of a company’s success. While the business benefits were clear, this created a number of concerns - particularly around privacy, compliance, and security. Data needed to move quickly, securely, and have the proper security posture at all times. 

The challenge was that now security teams were struggling with basic questions about the data  like: 

• Where is my data? 
• Who has access to it? 
• How can I comply with regulations? 

It was during this era that Data Security Posture Management (DSPM) emerged as a solution to this problem - by ensuring that data always had proper access controls wherever it traveled, this solution promised to address security and compliance issues for enterprises with fast-moving cloud data.

And while we were answering these questions, a new era emerged, with a host of new challenges. 

The Era of AI

The recent rise of Large Language Models (LLMs) as indispensable business tools in just the past few years has introduced a new dimension to data security challenges. It has significantly amplified the existing issues in the cloud era, presenting an unparalleled and exploding problem. While it has accelerated business operations to new heights, this development has also taken the cloud to another level of risk and challenge.

While securing data in the cloud was a challenge, at least you controlled (somehow) your cloud. You could decide who could access it, and when. You could decide what data to keep and what to remove. That has all changed as LLMs and AI play a larger role in company operations. 

Globally, and specifically in the US, organizations are facing the challenge of managing these new AI technology initiatives efficiently while maintaining speed and ensuring regulatory compliance. CEOs and boards are increasingly urging companies to leverage LLMs and AI and use them as databases. However, there is a limited understanding of associated risks and difficulties in controlling the data input into these models. The ultimate goal is to mitigate and prevent such situations effectively. 

‍
LLMs are a black box. You don't know what data your engineers are feeding into it, and you can’t be sure that users aren’t going to be able to manipulate your LLMs into disclosing sensitive information. For example, an engineer training a model might accidentally use real customer data that now exists somewhere in the LLM and might be inadvertently disclosed. Or an LLM powered chatbot might have a vulnerability that leads it to respond with sensitive company data to an inquiry. This is the challenge facing the data security team in this new era. 

‍

How can you know what the LLM has access to, how it’s using that data, and who it’s sharing that data with?

Solving The Challenges of the Cloud and AI Eras at the Same Time

Adding to the complexity for security and compliance professionals is that we’re still dealing with the challenges from the cloud era. Fortunately, Data Security Posture Management (DSPM) has adapted to solve these eras’ primary data security headaches.

For data in the cloud, DSPM can discover your sensitive data anywhere in the cloud environment, understand who can access this data, and assess its vulnerability to security threats and risk of regulatory non-compliance. Organizations can harness advanced technologies while ensuring privacy and compliance seamlessly integrated into their processes. Further, DSPM tackles issues such as finding shadow data, identifying sensitive information with inadequate security postures, discovering duplicate data, and ensuring proper access control.

For the LLM data challenges, DSPMs can automatically secure LLM training data, facilitating swift AI application development, and letting the business run as smoothly as possible.

Any DSPM solution that collaborates with platforms like AWS SageMaker and GCP Vertex AI, as well as other AI IDEs, can ensure secure data handling during ML training. Full integrations with features like Data Access Governance (DAG) and Data Detection and Response (DDR), provide a robust approach to data security and privacy.

AI has the remarkable capacity to reshape our world, yet this must be balanced with a firm dedication to maintaining data integrity and privacy. Ensuring data integrity and privacy in LLMs is crucial for the creation of ethical and responsible AI applications. By utilizing DSPM, organizations are equipped to apply best practices in data protection, thereby reducing the dangers of data breaches, unauthorized access, and bias. This approach is key to fostering a safe and ethical digital environment as we advance in the LLM era.

To learn more about DSPM, schedule a demo with one of our experts.

Access to and sharing cloud data is fast becoming the new reality, enabling enterprises to innovate quickly and compete better. But it also comes with a more complex data risk landscape. 

Information security leaders are grappling with a fresh set of priorities to handle cloud data challenges. They must strike the right balance between enabling business growth and securing sensitive data. CISOs, in particular, are exploring ways to empower employees and data handlers to naturally make secure choices and create controls that support them.

This shift requires a change in mindset that centers around trust. In a perimeter-less environment, concerns about how data is protected, used, and shared are vital factors influencing stakeholders' trust in an organization's data security management abilities. Recent findings from KPMG's "Cybersecurity Considerations 2023" study reveal that over a third of organizations recognize that building trust can boost profitability.

The study also claims that our future relies on data and digital infrastructure, creating a complex web of interconnected ecosystems and vast information networks. As our dependence on these systems grows, it increases the attractiveness of malicious actors seeking to exploit vulnerabilities. Regarding digital trust (the level of confidence people have in digital systems), it's crucial to understand that regulatory requirements will likely expand, raising the bar for transparency and accountability when protecting sensitive data.

DSPM is vital in navigating this changing landscape, aligning with CISO priorities to enhance data security in a world where trust and innovation are indispensable. The role of the CISO, VP information technology, chief security officers, and data security leaders is complex. 

DSPM is a proactive approach to securing cloud data by ensuring that sensitive data always has the correct security posture. It brings the context of sensitive data into risk assessments and profiling, making it a vital tool for navigating the intricacies and complexities of the data security landscape.

Let's look at some of the practical challenges and priorities facing Information security leaders today (as outlined by Gartner) and how DSPM is perfectly positioned to set up security teams and leaders to deliver against these challenging requirements. 

As CISOs tackle their multifaceted role, they grapple with several core priorities. These include reducing cybersecurity threat exposure, enhancing organizational resilience, aligning cybersecurity investments with tangible business outcomes, and optimizing the efficiency of security systems and talent. Reporting on cyber risk and evaluating cybersecurity's overall effectiveness are equally critical. 

However, these priorities come with their share of challenges. Striking a balance between immediate threat response and proactive risk decisions remains an ongoing challenge while staying abreast of the evolving threat landscape and best practices is crucial. Effective communication of security's value in business outcomes, especially to leaders from various functions and boards, is a persistent concern. 

According to Gartner, many organizations map cybersecurity investments to specific business outcomes and establish clear security metrics linked to business performance. CISOs are urged to adopt a more rigorous approach to prioritize security resources and evaluate investments.

Here's how DSPM supports the critical data security questions that are top of mind for CISOs and data security leaders:

1. Where is our sensitive cloud data, and is it sufficiently protected? 

‍ DSPM immediately addresses this question by automatically discovering and classifying all sensitive data stores at speed and scale across multi-cloud environments such as AWS, Azure, GCP, as well as SaaS services such as Snowflake, Microsoft 365 and Google Suite. The breadth and granularity of coverage leave no stone unturned, ensuring that all sensitive cloud data is tracked down and accurately categorized within your organization.

Sentra's novel scanning approach uses minimal processing power, ensuring scanning speed and efficiency. This means that the CISO can always gain a clear and prioritized view of sensitive data from a dynamic data catalog that is continuously updated. With Sentra, the CISO can also rest assured that the data will never leave their cloud environment, removing an additional layer of risk. 

Sensitive data assets with a weak security posture are accurately identified, including misconfigurations, encryption types, compliance violations, backups, logging, etc. 

This fast, automated discovery, classification, and data security posture assessment will provide the CISO with all the information needed.

2. Can we quantify our data risks? 

CISOs need to understand the most severe data risks upfront. DSPM provides a data risk assessment with a quantification and prioritization of the actual risks. This helps CISOs prioritize their efforts when taking swift corrective actions. 

Context is everything when it comes to accurate data risk prioritization and scoring. Sentra's automated risk scoring is built from a rich data security context. This context originates from a thorough understanding of various layers:

1. Data Access: Who has access to the data, and how is it governed?
2. User Activity: What are the users doing with the data? 
3. Data Movement: How does data move within a complex multi-cloud environment?
4. Data Sensitivity: How sensitive is the data? 
5. Misconfigurations: Are there any errors that could expose data?

3. How do we ensure compliance?

DSPM enables CISOs to align their data security practices with industry-specific data regulations and standards. This ensures the organization remains compliant and avoids potential legal and financial penalties.

Sentra assesses how your data security posture stacks up against standard compliance and security frameworks your organization needs to comply with. 

4. How do we proactively reduce the data attack surface?

A concern for CISOs is how to continuously reduce the data attack surface. They aim to mitigate their organization's overall risk profile by doing so. DSPM empowers CISOs with the tools and insights to proactively shrink the data attack surface while providing measurable benchmarks to track progress.

Sentra excels at identifying PII, PHI, and financial data across all cloud resources, including databases, storage buckets, virtual machines, and more. This ensures the prompt detection of compliance violations, making remediation efficient.

By continuously scanning and accurately classifying data, it becomes easy to spot anomalies. For example, you’ll notice when a new application version begins logging PII or when sensitive data is transferred from a production environment to an unsecured development system. Here are some practical examples of how to uphold a strong data security posture with Sentra:

• Detect forgotten shadow data with the option to remove it or strengthen its security posture 
• Identify inactive identities with access to sensitive data and disable them
• Detect unencrypted credentials or authentication tokens within configuration files and secure them

These insights empower CISOs and their teams to take fast corrective measures, strengthening their data security posture.

5. How do we manage data access and third-party risks?

Safeguarding sensitive data hinges on maintaining precise control over identities, access, and entitlements. DSPM supports the indispensable role of precise data access controls, which is why Sentra supports a transition to fine-grained access controls tailored to your organization's needs. 

Achieving 'least privilege access' requires continuous monitoring and vigilant tracking of access keys and user identities to ensure that each user operates strictly within their designated roles and responsibilities.

Sentra offers businesses the capability to address risks related to third-party provider access proactively. Vulnerabilities are minimized from the outset by granting varying levels of access to different providers. Sentra quickly conducts impact assessments in case of a third-party provider data breach and facilitates immediate remediation to limit further exposure. Additionally, identity mapping to the sensitive data that can be accessed is provided. For instance, the CISO can monitor which internal users or third parties can access PII or financial data. With Sentra, questions like "Who within my organization can access SSNs and credit card numbers?" or "Which external users can access PHI?" can be answered efficiently, providing a comprehensive view of data access.

6. How are critical data risks being remediated?

DSPM is pivotal in providing prioritized remediation guidance keeping CISOs well informed and in control. For less complex issues, DSPM can often initiate remediation steps automatically, saving time and reducing the risk of human error.

Sentra assigns risk scores to identified data vulnerabilities, prioritizing them based on their potential impact. This prioritization ensures that CISOs can focus their efforts and resources on the most critical issues first.

7. How can we address resourcing challenges? 

Automation in DSPM offers many advantages that enable CISOs to address the ongoing skills shortage while bridging the talent gap in data security. By automating routine, error-prone, and time-consuming tasks such as data discovery, classification, and risk assessment, DSPM allows CISOs to maximize the value of their existing cybersecurity teams. It not only boosts operational efficiency but also minimizes the reliance on a large workforce. This is especially crucial in an environment where organizations need help finding and hiring qualified security professionals. 

DSPM ensures that the available expertise is utilized to its fullest extent by pivoting expertise toward addressing the most critical data vulnerabilities. Not only does this drive operational efficiency, but it also mitigates the friction induced by cybersecurity measures, reducing unnecessary effort and preserving employee productivity. Automation and an API-first approach can help streamline processes, reduce the risk of human error, and improve the efficiency of data security teams.

8. How do we communicate the business value of data security to the board?

A crucial responsibility for CISOs is to provide the board with a high-level update on prioritizing their most critical data risks. DSPM enables CISOs to furnish the board with comprehensive reports, allowing for a macroscopic view of security priorities and the capability to delve into granular details to address specific concerns.

DSPM's reporting capabilities make it easier for CISOs to communicate data security status to executives and the board. This facilitates speaking the language of business value and gaining the necessary support and resources.

DSPM is a proactive partner for CISOs, helping them maintain control over their organization's data security. It offers real-time insights, automation, and a structured approach to remediation, ensuring that CISOs can make informed decisions and stay ahead of evolving threats.

By Yoav Regev, CEO and Co-Founder, Sentra

Today we’re announcing that Sentra has raised a $30 million dollar Series A round to revolutionize the way cloud first enterprises secure their data. This brings Sentra’s total funding to $53M.  I’m excited to be working together with  Standard Industries, Munich Re Ventures, Moore Capital, Xerox, INT3, Bessemer Venture Partners, and Zeev Ventures  to help enterprises securely leverage their data to enable growth. The last 18 months have already been an amazing journey, and I wanted to take this opportunity to share some thoughts around how we got to where we are, and what I’m looking forward to in the coming months and years. 

The Sentra Team

When we founded Sentra, we had a very clear objective regarding the team we wanted to build - we only wanted the best people. People who are passionate about their work and the problems we’re addressing. Not just people who are technically brilliant, but those who are drawn to challenges and aren’t easily discouraged. This is the mindset required to solve one of the largest problems facing cybersecurity leaders. 

18 months later, it’s clear we accomplished that objective. This team built a revolutionary new data security platform that’s impressing security leaders on a daily basis. Within minutes of seeing the platform, security leaders grasp the value Sentra is providing - securing the most important corporate asset (data) while simultaneously breaking down silos between security, engineering, and data teams.

The Sentra Way

Culture comes from people. When you have the best people it’s just going to be easier to build a productive and healthy culture. Teams should be excited to work together. I’d describe the culture today as one that values independence, responsibility, and persistence. Team members need to be given the freedom to try new things, occasionally fail at them, and move on quickly to find other, better ways forward. When you’re building a product to solve a global security problem, it’s going to be difficult, and there will be setbacks and disappointments. The team at Sentra embodies these values and it’s what’s allowed us to build such a revolutionary product so quickly. 

Building the Data Centric Future

Getting the right team and culture in place is critical for tackling one of the greatest security challenges of our time - data security in the cloud. There are a few reasons why cloud data security is an unsolved problem. 

It begins with the simple fact that data travels in the cloud. It gets processed, extracted, duplicated, and moved by different teams. But when data moves, its security posture doesn’t move with it - for example, if it was encrypted in one environment and duplicated to a lower environment, it might be unencrypted now. Another issue caused by data movement is that sensitive data gets abandoned and forgotten, creating vulnerable shadow data. Finally, even when vulnerable sensitive data is identified, it’s hard to know where the data came from and how it’s meant to be secured. 

Data and engineering teams are the ones moving this data around. And that’s actually a good thing. We want them to leverage the flexibility of the cloud to do amazing things for the business. Security should enable this work, not slow it down. At the same time, we need to make sure the data is secured. This is what we’re building. A data-centric future where we keep the data secure and enable the business to reach new heights.  

Here’s what this future is going to look like:

First, companies will know where all of their sensitive data is. Shadow data, especially sensitive shadow data, will not exist. Data is the most important asset, and knowing where your most important asset is at all times is crucial.

Next, sensitive data will always have the right security posture. When sensitive data moves and its security posture is affected, the right people know instantly. And they also know where the data came from, who owns it, and how to remediate data vulnerabilities before they become incidents. The data attack surface will shrink, with the result that even when there’s a breach, the most sensitive data assets are secured. 

The result? Business growth. Enterprises will be able to confidently move large amounts of data between cloud environments, generating the insights and innovations they need to grow. In other words, the full promise of the cloud will be realized. 

In the future, organizations will be able to move quickly and securely at the same time!

We’re building this future right now.