All Resources
In this article:
minus iconplus icon
Share the Blog

How PCI DSS 4.0 Improves Your Security Posture

April 11, 2024
4
 Min Read
Compliance

The Payment Card Industry Data Security Standard (PCI DSS) sets the bar for organizations handling cardholder information - any business that stores, processes, or transmits cardholder data. With the release of version 4.0, there are significant changes on the horizon. 

Staying compliant with industry standards is crucial, especially when it comes to protecting sensitive payment card data.

In this blog, we will explore how PCI DSS can enhance your security posture by establishing a continuous process to secure cardholder data.

Understanding PCI DSS v4.0

PCI DSS v4.0 brings several notable updates, emphasizing a more comprehensive and risk-based approach to data security. Companies in the payment card ecosystem must take note of these changes to ensure they remain compliant and resilient against evolving threats.

Increased Focus on Cloud and Service Providers

One of the key highlights of PCI DSS v4.0 is its focus on cloud environments and third-party service providers. As more businesses leverage cloud services for storing and processing payment data, it's imperative to extend security controls to these environments.

Expanded Scope of Requirements

With the proliferation of digital transactions, PCI DSS v4.0 expands the scope of requirements to address emerging technologies and evolving threats. The standard now covers a broader range of systems, applications, and processes involved in payment card transactions.

Emphasis on Risk-Based Approach

Recognizing that not all security threats are created equal, PCI DSS v4.0 places a greater emphasis on a risk-based approach to security. Organizations should assess risks systematically and prioritize security measures based on potential impact and likelihood of occurrence.

Enhanced Focus on Data Protection

From encryption and access control to data retention policies, organizations are expected to implement robust measures to prevent unauthorized access and data breaches. This will help mitigate the risk of data theft and ensure compliance with regulatory standards.

New PCI DSS 4.0 Release Implementation by March 2025

Out of the 64 of the new requirements, 51 are future dated due to their complexity and/or cost of implementation. This is relevant and important for any business that stores, processes or transmits cardholder data.

Further, it is crucial to focus on establishing a continuous process:

  • Automated log analysis for threat detection (Req: 10.4.1.1)
  • On-going review of access to sensitive data (Req: 7.2.4)
  • Detection of stored PAN anywhere it is not expected (Req: 12.10.7)

How Sentra Helps Comply With PCI DSS 4.0

Below are a few examples of how Sentra can assist you in complying with PCI DSS 4.0 by continuously monitoring your environment for threats and vulnerabilities.

In today's threat landscape, security is an ongoing process. PCI DSS v4.0 emphasizes the importance of continuous monitoring and testing to detect and respond to security incidents in real-time. By implementing automated monitoring tools and conducting regular security assessments, organizations can proactively identify vulnerabilities and address them before they are exploited by attackers.

PCI DSS 4.0 New Requirement How Sentra Solves It
10.4.1.1 Automated mechanisms are used to perform audit log reviews. Sentra's Data Detection and Response (DDR) module continuously monitors logs from sensitive data stores, identifying threats and anomalies in real time that may indicate potential data breaches or unauthorized access to sensitive data.

7.2.4 All user accounts and related access privileges, including third party/vendor accounts, are reviewed as follows:

  • At least once every six months.
  • Ensure user accounts and access remain appropriate based on job function.
  • Any inappropriate access is addressed.
  • Management acknowledges that access remains appropriate.
Sentra's Data Security Posture Management (DSPM) data access module frequently scans your sensitive data stores, mapping out the various identities with access to your data, including third-party entities, internal users, and applications. This aids in ensuring least privilege access and allows for the analysis of each identity's security posture through a risk-based approach.

12.10.7 Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include:

  • Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently defined CDE, as applicable.
  • Identifying whether sensitive authentication data is stored with PAN.
  • Determining where the account data came from and how it ended up where it was not expected.
  • Remediating data leaks or process gaps that resulted in the account data being where it was not expected.
Sentra's scanning and classification engine detects all types of sensitive data, including PII, digital identities, and financial data, especially PAN, across all your cloud accounts. It highlights potential "shadow data" suspected of being misplaced. Additionally, Sentra's DataTreks module tracks the movement of sensitive data across accounts, regions, and environments, helping you understand the root cause and take preventive steps.

Use Sentra's Reporting Capabilities to Adhere With PCI DSS

Here you can see a detected S3 bucket which contains credit card numbers and personal information which are not properly encrypted.

This is an example of how Sentra creates a threat in real time, detecting suspicious activity in a sensitive AWS S3 bucket.

In the dashboard below, you can see open security issues grouped by different compliances frameworks.

Proactive Integration of New Compliance Controls

Sentra remains vigilant in staying up to date with changes in PCI-DSS, GDPR, CCPA and other compliance frameworks. To ensure continuous compliance and security, Sentra actively monitors updates and integrates new controls as they become available. This proactive approach allows users to automate the validation process on an ongoing basis, ensuring that they always adhere to the latest standards and maintain a robust security posture.

Implementation Timeline and Best Practices

It's essential for relevant companies to understand the implementation timeline for PCI DSS v4.0. With a two-phase approach, certain requirements are future-dated due to their complexity or cost of implementation. However, it's crucial not to overlook these future requirements, as they will eventually become mandatory for compliance.

These requirements will be considered best practices until March 31, 2025, after which they will become obligatory. This transition period allows organizations to gradually adapt to the new standards while ensuring they meet current compliance requirements.

Conclusion

As the payment card industry continues to evolve, so must the security measures used to protect sensitive data. PCI DSS v4.0 represents a significant step forward in enhancing data security and resilience against emerging threats. Understanding the key changes and implementation timeline is crucial for companies to proactively adapt to the new standard and maintain compliance in an ever-changing regulatory landscape.

Sentra plays a pivotal role in this ongoing compliance effort. Its comprehensive features align closely with the requirements of PCI DSS v4.0, providing automated log analysis for threat detection, ongoing review of access to sensitive data, and detection of stored PAN outside expected locations. Through Sentra's Data Detection and Response (DDR) module, organizations can continuously monitor logs from sensitive data stores, identifying threats and anomalies in real-time, thus aiding in compliance with PCI DSS 4.0 requirements such as automated log reviews.

Furthermore, Sentra's Data Security and Posture Management (DSPM) module facilitates the review of user accounts and access privileges, ensuring that access remains appropriate based on job function and addressing any inappropriate access, in line with PCI DSS v4.0 requirements. In addition, Sentra's scanning and classification engine, coupled with its DataTreks module, assists in incident response procedures by detecting all types of sensitive data, including PAN, across cloud accounts and tracking the movement of sensitive data, aiding in the remediation of data leaks or process gaps.

By leveraging these capabilities, organizations can streamline their compliance efforts, mitigate risks, and maintain the security and integrity of cardholder data in accordance with PCI DSS v4.0 requirements.

Meni is an experienced product manager and the former founder of Pixibots (A mobile applications studio). In the past 15 years, he gained expertise in various industries such as: e-commerce, cloud management, dev-tools, mobile games, and more. He is passionate about delivering high quality technical products, that are intuitive and easy to use.

Subscribe

Latest Blog Posts

Yair Cohen
Yair Cohen
September 10, 2024
4
Min Read
Data Security

How Does DSPM Safeguard Your Data When You Have CSPM/CNAPP

How Does DSPM Safeguard Your Data When You Have CSPM/CNAPP

After debuting in Gartner’s 2022 Hype Cycle, Data Security Posture Management (DSPM) has quickly become a transformative category and hot security topic. DSPM solutions are popping up everywhere, both as dedicated offerings and as add-on modules to established cloud native application protection platforms (CNAPP) or cloud security posture management (CSPM) platforms.

But which option is better: adding a DSPM module to one of your existing solutions or implementing a new DSPM-focused platform? On the surface, activating a module within a CNAPP/CSPM solution that your team already uses might seem logical. But, the real question is whether or not you can reap all of the benefits of a DSPM through an add-on module. While some CNAPP platforms offer a DSPM module, these add-ons lack a fully data-centric approach, which is required to make DSPM technology effective for a modern-day business with a sprawling data ecosystem. Let’s explore this further.

How are CNAPP/CSPM and DSPM Different?

While CNAPP/CSPM and DSPM seem similar and can be complementary in many ways, they are distinctly different in a few important ways. DSPMs are all about the data — protecting it no matter where it travels. CNAPP/CSPMs focus on detecting attack paths through cloud infrastructure. So naturally, they tie specifically to the infrastructure and lack the agnostic approach of DSPM to securing the underlying data.

Because a DSPM focuses on data posture, it applies to additional use cases that CNAPP/CSPM typically doesn’t cover. This includes data privacy and data protection regulations such as GDPR, PCI-DSS, etc., as well as data breach detection based on real-time monitoring for risky data access activity. Lastly, data at rest (such as abandoned shadow data) would not necessarily be protected by CNAPP/CSPM since, by definition, it’s unknown and not an active attack path.

What is a Data-Centric Approach?

A data-centric approach is the foundation of your data security strategy that prioritizes the secure management, processing, and storage of data, ensuring that data integrity, accessibility, and privacy are maintained across all stages of its lifecycle. 

Standalone DSPM takes a data-centric approach. It starts with the data, using contextual information such as data location, sensitivity, and business use cases to better control and secure it. These solutions offer preventative measures, such as discovering shadow data, preventing data sprawl, and reducing the data attack surface.

Data detection and response (DDR), often offered within a DSPM platform, provides reactive measures, enabling organizations to monitor their sensitive assets and detect and prevent data exfiltration. Because standalone DSPM solutions are data-centric, many are designed to follow data across a hybrid ecosystem, including public cloud, private cloud, and on-premises environments. This is ideal for the complex environments that many organizations maintain today.

What is an Infrastructure-Centric Approach?

An infrastructure-centric solution is focused on optimizing and protecting the underlying hardware, networks, and systems that support applications and services, ensuring performance, scalability, and reliability at the infrastructure level.

Both CNAPP and CSPM use infrastructure-centric approaches. Their capabilities focus on identifying vulnerabilities and misconfigurations in cloud infrastructure, as well as some basic compliance violations. CNAPP and CSPM can also identify attack paths and use several factors to prioritize which ones your team should remediate first. While both solutions can enforce policies, they can only offer security guardrails that protect static infrastructure. In addition, most CNAPP and CSPM solutions only work with public cloud environments, meaning they cannot secure private cloud or on-premises environments.

How Does a DSPM Add-On Module for CNAPP/CSPM Work?

Typically, when you add a DSPM module to CNAPP/CSPM, it can only work within the parameters set by its infrastructure-centric base solution. In other words, a DSPM add-on to a CNAPP/CSPM solution will also be infrastructure-centric. It’s like adding chocolate chips to vanilla ice cream; while they will change the flavor a bit, they can’t transform the constitution of your dessert into chocolate ice cream. 

A DSPM module in a CNAPP or CSPM solution generally has one purpose: helping your team better triage infrastructure security issues. Its sole functionality is to look at the attack paths that threaten your public cloud infrastructure, then flag which of these would most likely lead to sensitive data being breached. 

However, this functionality comes with a few caveats. While CSPM and CNAPP have some data discovery capabilities, they use very basic classification functions, such as pattern-matching techniques. This approach lacks context and granularity and requires validation by your security team. 

In addition, the DSPM add-on can only perform this data discovery within infrastructure already being monitored by the CNAPP/CSPM solution. So, it can only discover sensitive data within known public cloud environments. It may miss shadow data that has been copied to local stores or personal machines, leaving risky exposure gaps.

Why Infrastructure-Centric Solutions Aren’t Enough

So, what happens when you only use infrastructure-centric solutions in a modern cloud ecosystem? While these solutions offer powerful functionality for defending your public cloud perimeter and minimizing misconfigurations, they miss essential pieces of your data estate. Here are a few types of sensitive assets that often slip through the cracks of an infrastructure-centric approach: 

In addition, DSPM modules within CNAPP/CSPM platforms lack the context to properly classify sensitive data beyond easily identifiable examples, such as social security or credit card numbers. But, the data stores at today’s businesses often contain more nuanced personal or product/service-specific identifiers that could pose a risk if exposed. Examples include a serial number for a product that a specific individual owns or a medical ID number as part of an EHR. Some sensitive assets might even be made up of “toxic combinations,” in which the sensitivity of seemingly innocuous data classes increases when combined with specific identifiers. For example, a random 9-digit number alongside a headshot photo and expiration date is likely a sensitive passport number.

Ultimately, DSPM built into a CSPM or CNAPP solution only sees an incomplete picture of risk. This can leave any number of sensitive assets unknown and unprotected in your cloud and on-prem environments.

Dedicated DSPM Completes the Data Security Picture

A dedicated, best-of-breed DSPM solution like Sentra, on the other hand, offers rich, contextual information about all of your sensitive data — no matter where it resides, how your business uses it, or how nuanced it is. 

Rather than just defending the perimeters of known public cloud infrastructure, Sentra finds and follows your sensitive data wherever it goes. Here are a few of Sentra’s unique capabilities that complete your picture of data security:

  • Comprehensive, security-focused data catalog of all sensitive data assets across the entire data estate (IaaS, PaaS, SaaS, and On-Premises)
  • Ability to detect unmanaged, mislocated, or abandoned data, enabling your team to reduce your data attack surface, control data sprawl, and remediate security/privacy policy violations
  • Movement detection to surface out-of-policy data transformations that violate residency and security policies or that inadvertently create exposures
  • Nuanced discovery and classification, such as row/column/table analysis capabilities that can uncover uncommon personal identifiers, toxic combinations, etc.
  • Rich context for understanding the business purpose of data to better discern its level of sensitivity
  • Lower false positive rates due to deeper analysis of the context surrounding each sensitive data store and asset
  • Automation for remediating a variety of data posture, compliance, and security issues

All of this complex analysis requires a holistic, data-centric view of your data estate — something that only a standalone DSPM solution can offer. And when deployed together with a CNAPP or CSPM solution, a standalone DSPM platform can bring unmatched depth and context to your cloud data security program. It also provides unparalleled insight to facilitate prioritization of issue resolution.

To learn more about Sentra’s approach to data security posture management, read about how we use LLMs to classify structured and unstructured sensitive data at scale.

Read More
Yoav Regev
Yoav Regev
August 28, 2024
3
Min Read
Data Security

Sentra’s 3-Year Journey: From DSPM to Data Security Platform

Sentra’s 3-Year Journey: From DSPM to Data Security Platform

If you had searched for "DSPM" on Google three years ago, you likely would have only found information related to a dspm manufacturing website… But in just a few short years, the concept of Data Security Posture Management (DSPM) has evolved from an idea into a critical component of modern cybersecurity for enterprises.

Let’s rewind to the summer of 2021. Back then, when we were developing what would become Sentra and our DSPM solution, the term didn’t even exist. All that existed was the problem - data was being created, moved and duplicated in the cloud, and its security posture wasn’t keeping pace. Organizations didn’t know where all of their data was, and even if they could find it, its level of protection was inadequate for its level of sensitivity.

After extensive discussions with CISOs and security experts, we realized a critical gap between data security and the modern environments (further exacerbated by the fast pace of AI). Addressing this gap wasn’t just important—it was essential. Through these conversations, we identified the need for a new approach, leading to the creation of the DSPM concept, which didn't exist before. 

It was thrilling to hear my Co-Founder and VP Product, Yair Cohen, declare for the first time, “the world’s first DSPM is coming in 2021.” We embraced the term "Data Security Posture Management," now widely known as "DSPM."

Why DSPM Has Become an Essential Tool

Today, DSPM has become mainstream, helping organizations safeguard their most valuable asset: their data.

"Three years ago, when we founded Sentra, we dreamed of creating a new category called DSPM. It was a huge bet to pursue new budgets, but we believed that data security would be the next big thing due to the shift to the cloud. We could never have imagined that it would become the world’s hottest security category and that the potential would be so significant."

-Ron Reiter, Co-Founder and CTO, Sentra

This summer, Gartner has released its 2024 Hype Cycle for Data Security, and DSPM is in the spotlight for good reason. Gartner describes DSPM as having "transformative" potential, particularly for addressing long-standing data security challenges. 

As companies rapidly move to the cloud, DSPM solutions are gaining traction by filling critical visibility gaps. The best DSPM solutions offer coverage across multi-cloud and on-premises environments, creating a unified approach to data security.

DSPM plays a pivotal role in the modern cybersecurity landscape by providing organizations with real-time visibility into their data security posture. It helps identify, prioritize and mitigate risks across the entire data estate. By continuously monitoring data movement and access patterns, DSPM ensures that any policy violations or deviations from normal behavior are quickly flagged and addressed, preventing potential breaches before they can cause damage.

DSPM is also critical in maintaining compliance with data protection regulations. As organizations handle increasingly complex data environments, meeting regulatory requirements becomes more challenging. DSPM simplifies this process by automating compliance checks and providing clear insights into where sensitive data resides, how it’s being used, and who has access to it. This not only helps organizations avoid hefty fines but also builds trust with customers and stakeholders by demonstrating a commitment to data security and privacy.

In a world where data privacy and security threats rank among the biggest challenges facing society, DSPM provides a crucial layer of protection. Businesses, individuals, and governments are all at risk, with sensitive information constantly under threat. 

That’s why we are committed to developing our data security platform, which ensures your data remains secure and intact, no matter where it travels.

From DSPM to Data Security Platform in the AI Age

We began with a clear understanding of the critical need for Data Security Posture Management (DSPM) to address data proliferation risks in the evolving cloud landscape. As a leading data security platform, Sentra has expanded its capabilities based on our customers’ needs to include Data Access Governance (DAG), Data Detection and Response (DDR), and other essential tools to better manage data access, detect emerging threats, and assist organizations in their journey to implement Data Loss Prevention (DLP). We now do this across all environments (IaaS, PaaS, SaaS, and On-Premises).

We continue to evolve. In a world rapidly changing with advancements in AI, our platform offers the most comprehensive and effective data security solutions to keep pace with the demands of the AI age. As AI reshapes the digital landscape, it also creates new vulnerabilities, such as the risk of data exposure through AI training processes. Our platform addresses these AI-specific challenges, while continuing to tackle the persistent security issues from the cloud era, providing an integrated solution that ensures data security remains resilient and adaptive.

DSPMs facilitate swift AI development and smooth business operations by automatically securing LLM training data. Integrations with platforms like AWS SageMaker and GCP Vertex AI, combined with features such as DAG and DDR, ensure robust data security and privacy. This approach both supports responsible AI applications and also reduces risks such as breaches and bias.

So, Sentra is no longer only a DSPM solution, it’s a data security platform. Today, we provide holistic solutions that allow you to locate any piece of data and access all the information you need. Our mission is to continuously build and enhance the best data security platform, empowering organizations to move faster and succeed in today’s digital world. 

Success Driven by Our Amazing People

We’re proud that Sentra has emerged as a leader in the data security industry, making a significant impact on how organizations protect their data. 

Our success is driven by our incredible team, their hard work, dedication, and energy are the foundation of everything we do. From day one, our people have always been our top priority. It's inspiring to see our team work tirelessly to transform the world of data security and build the best solution out there. This team of champions never stops innovating, inspiring, and striving to be the best version of themselves every day.

Their passion is evident in their work, as shown in recent projects that they initiated, from the new video series, “Answering the Most Searched DSPM Questions”, to a behind the scenes walkthrough of our data security platform, and more.

We’re excited to continue to push the boundaries of what’s possible in data security.

A heartfelt thank you to our incredible team, loyal customers, supportive investors, and dedicated partners. We’re excited to keep driving innovation in data security and to continue our mission of making the digital world a safer place for everyone.

Read More
Daniel Suissa
Daniel Suissa
August 26, 2024
3
Min Read
Data Security

Overcoming Gartner’s Obstacles for DSPM Mass Adoption

Overcoming Gartner’s Obstacles for DSPM Mass Adoption

Gartner recently released its much-anticipated 2024 Hype Cycle for Data Security, and the spotlight is shining bright on Data Security Posture Management (DSPM). Described as having a "transformative" potential, DSPM is lauded for its ability to address long-standing data security challenges. 

DSPM solutions are gaining traction to fill visibility gaps as companies rush to the cloud.  Best of breed solutions provide coverage across multi-clouds and on-premises, providing a holistic approach that can become the authoritative inventory of data for an organization - and a useful up-to-date source of contextual detail to inform other security stack tools such as DLPs, CSPMs/CNAPPS, data catalogs, and more, enabling these to work more effectively. Learn more about this in our latest blog, Data: The Unifying Force Behind Disparate GRC Functions.

However, as with any emerging technology, Gartner also highlighted several obstacles that could hinder its widespread adoption. In this blog, we’ll dive into these obstacles, separating the legitimate concerns from those that shouldn't deter any organization from embracing DSPM—especially when using a comprehensive solution like Sentra.

Obstacle 1: Scanning the Entire Infrastructure for Data Can Take Days to Complete

This concern holds some truth, particularly for organizations managing petabytes of data. Full infrastructure scans can indeed take time. However, this doesn’t mean you're left twiddling your thumbs waiting for results. With Sentra, insights start flowing while the scan is still in progress. Our platform is designed to alert you to data vulnerabilities as they’re detected, ensuring you're never in the dark for long. So, while the scan might take days to finish, actionable insights are available much sooner. And scans for changes occur continuously so you’re always up to date.

Obstacle 2: Limited Integration with Security Controls for Remediation

Gartner pointed out that DSPM tools often integrate with a limited set of security controls, potentially complicating remediation efforts. While it’s true that each security solution prioritizes certain integrations, this is not a challenge unique to DSPM. Sentra, for instance, offers dozens of built-in integrations with popular ticketing systems and data remediation tools. Moreover, Sentra enables automated actions like auto-masking and revoking unauthorized access via platforms like Okta, seamlessly fitting into your existing workflow processes and enhancing your cloud security posture.

Obstacle 3: DSPM as a Function within Broader Data Security Suites

Another obstacle Gartner identified is that DSPM is sometimes offered merely as a function within a broader suite of data security offerings, which may not integrate well with other vendor products. This is a valid concern. Many cloud security platforms are introducing DSPM modules, but these often lack the discovery breadth and classification granularity needed for robust and accurate data security.

Sentra takes a different approach by going beyond surface-level vulnerabilities. Our platform uses advanced automatic grouping to create "Data Assets"—groups of files with similar structures, security postures, and business functions. This allows Sentra to reduce petabytes of cloud data into manageable data assets, fully scanning all data types daily without relying on random sampling. This level of detail and continuous monitoring is something many other solutions simply cannot match.

Obstacle 4: Inconsistent Product Capabilities Across Environments

Gartner also highlighted the varying capabilities of DSPM solutions, especially when it comes to mapping user access privileges and tracking data across different environments—on-premises, cloud services, and endpoints. While it’s true that DSPM solutions can differ in their abilities, the key is to choose a platform designed for multi-cloud and hybrid environments. Sentra is built precisely for this purpose, offering robust capabilities to identify and protect data across diverse environments (IaaS, PaaS, SaaS, and On-premises), ensuring consistent security and risk management no matter where your data resides.

Conclusion

While Gartner's 2024 Hype Cycle for Data Security outlines several obstacles to DSPM adoption, many of these challenges are either surmountable or less significant than they might first appear. With the right DSPM solution, organizations can effectively overcome these obstacles and harness the full transformative power of DSPM.

Curious about how Sentra can elevate your data security? 

Request a demo here.

Read More
decorative ball