All Resources
In this article:
minus iconplus icon
Share the Blog

How DSPM Reduces the Risk of Data Breaches

February 22, 2023
4
 Min Read
Data Security

The movement of more and more sensitive data to the cloud is driving a cloud data security gap – the chasm between the security of cloud infrastructure and the security of the data housed within it. This is one of the key drivers of the Data Security Posture Management (DSPM) model and why more organizations are adopting a data-centric approach. 

Unlike Cloud Security Posture Management (CSPM) solutions, which were purpose-built to protect cloud infrastructure by finding vulnerabilities in cloud resources, DSPM is about the data itself. CSPM systems are largely data agnostic – looking for infrastructure vulnerabilities, then trying to identify what data is vulnerable because of them. DSPM provides visibility into where sensitive data is, who can access that data, how it was used, and how robust the data store or application security posture is.

On a fundamental level, the move to DSPM reflects a recognition that in hybrid or cloud environments, data is never truly at rest. Data moves to different cloud storage as security posture shifts, then moves back. Data assets are copied for testing purposes, then erased (or not) and are frequently forgotten. This leaves enterprises large and small scrambling to track and assess sensitive data and its security throughout the data lifecycle and across all cloud environments.

The data-centric approach of DSPMs is solely focused on the unique challenges of securing cloud data. It does this by making sure that sensitive data always has the correct security posture - regardless of where it’s been duplicated or moved to. DSPM ensures that sensitive data is always secured by providing automatic visibility, risk assessment, and access analysis for cloud data - no matter where it travels.

Because of this, DSPM is well-positioned to reduce the risk of catastrophic data breaches and data exposure, in three key ways:

  1. Finding and eliminating shadow data to reduce the data attack surface:

    Shadow data is any data that has been stored, copied, or backed up in a way that does not subject it to your organization’s data management framework or data security policies. Shadow data may also not be housed according to your preferred security structure, may not be subject to your access control limitations, and it may not even be visible to the tools you use to monitor and log data access.

    Shadow data is basically data in the wrong place, at the wrong time. And it is gold for attackers – publicly accessible sensitive data that nobody really knows is there. Aside from the risk of breach, shadow data is an extreme compliance risk. Even if an organization is unaware of the existence of data that contains customer or employee data, intellectual property, financial or other confidential information – it is still responsible for it.

    Where is all this shadow data coming from? Aside from data that was copied and abandoned, consider sources like decommissioned legacy applications – where historical customer data or PII is often just left sitting where it was originally stored. And there is also data produced by shadow IT applications, or databases used by niche app. And what about cloud architecture changes? When data is lifted and shifted, unmanaged or orphaned backups that contain sensitive information often remain.

    DSPM solutions locate shadow data by looking for it where it’s not supposed to be. Then, DSPM solutions provide actionable guidance for deletion and/or remediation. Advanced DSPM solutions search for sensitive information across different security postures, and can also discover when multiple copies of data exist. What’s more, DSPM solutions scrutinize privileges across multiple copies of data, identifying who can access data and who should not be able to.
  2. Identifying over-privileged users and third parties:

    Controlling access to data has always been one of the basics of cybersecurity hygiene. Traditionally, enterprises have relied on three basic types of access controls for internal users and third parties:

    · Access Control Lists - Straight lists of which users have read/write access
    · Role Based Access Control (RBAC) - Access according to what roles the user has in the organization
    · Attribute Based Access Control (ABAC) – Access determined by the attributes a user must have - job title, location, etc.

    Yet traditional data access controls are tied to one or more data stores or databases – like a specific S3 bucket. RBAC or ABAC policies ensure only the right users have permissions at the right times to these assets. But if someone copies and pastes data from that bucket to somewhere else in the cloud environment, what happens to the RBAC or ABAC policy? The answer is simple: it no longer applies to the copied data. DSPM solves this by ensuring that access control policy travels with data, across both cloud environments. Essentially, DSPM extends access control across any environment by enabling admins to understand where data came from, who originally had access to it, and who has access now.
  3. Identifying data movement, making sure security posture follows:

    Data moves through the public cloud – it’s the reason the cloud is so efficient and productive. It lets people use data in interesting ways. Yet the distributed nature of cloud computing means that organizations may not understand exactly where all applications and data are stored. Third-party hosting places serious limits on the visibility of data access and sharing, and multi-cloud environments frequently suffer from inconsistent security regimes.

    Basically, similar to the access control challenges - when data moves across the cloud, its security posture doesn’t necessarily follow. DSPM solves this by noticing when data moves and how its security posture changes. By focusing on finding and securing sensitive data, as opposed to securing cloud infrastructure or applications, DSPM solutions first discover sensitive data (including shadow or abandoned data), classify data types using AI models, then determine whether the data has the proper security posture. If it doesn’t, DSPM solutions notify the relevant teams and coordinate remediation.

DSPM to secure cloud data

Data security in the cloud is  a growing challenge. And contrary to some perceptions – the security for data created in the cloud, sent to the cloud, or downloaded from the cloud is not the responsibility of the cloud provider (AWS, Azure, GCP, etc.). This responsibility falls squarely on the shoulders of the cloud customer.

More and more organizations are choosing the DSPM paradigm to secure cloud data. In this dynamic and highly-complex ecosystem, DSPM ensures that sensitive data always has the correct security posture – no matter where it’s been duplicated or moved to. This dramatically lowers the risk of catastrophic data leaks, and dramatically raises user and admin confidence in data security.

Yair brings a wealth of experience in cybersecurity and data product management. In his previous role, Yair led product management at Microsoft and Datadog. With a background as a member of the IDF's Unit 8200 for five years, he possesses over 18 years of expertise in enterprise software, security, data, and cloud computing. Yair has held senior product management positions at Datadog, Digital Asset, and Microsoft Azure Protection.

Subscribe

Latest Blog Posts

Karin Zano
Karin Zano
October 1, 2024
3
Min Read
Data Security

5 Cybersecurity Tips for Cybersecurity Awareness Month

5 Cybersecurity Tips for Cybersecurity Awareness Month

Secure our World: Cybersecurity Awareness Month 2024

As we kick off October's Cybersecurity Awareness Month and think about this year’s theme, “Secure Our World,” it’s important to remember that safeguarding our digital lives doesn't have to be complex. Simple, proactive steps can make a world of difference in protecting yourself and your business from online threats. In many cases, these simple steps relate to data — the sensitive information about users’ personal and professional lives. As a business, you are largely responsible for keeping your customers' and employees’ data safe. Starting with cybersecurity is the best way to ensure that this valuable information stays secure, no matter where it’s stored or how you use it.

Keeping Personal Identifiable Information (PII) Safe

Data security threats are more pervasive than ever today, with cybercriminals constantly evolving their tactics to exploit vulnerabilities. From phishing attacks to ransomware, the risks are not just technical but also deeply personal — especially when it comes to protecting Personal Identifiable Information (PII).

Cybersecurity Awareness Month is a perfect time to reflect on the importance of strong data security. Businesses, in particular, can contribute to a safer digital environment through Data Security Posture Management (DSPM). DSPM helps businesses - big and small alike -  monitor, assess, and improve their security posture, ensuring that sensitive data, such as PII, remains protected against breaches. By implementing DSPM, businesses can identify weak spots in their data security and take action before an incident occurs, reinforcing the idea that securing our world starts with securing our data.

Let's take this month as an opportunity to Secure Our World by embracing these simple but powerful DSPM measures to protect what matters most: data.

5 Cybersecurity Tips for Businesses

  1. Discover and Classify Your Data: Understand where all of your data resides, how it’s used, and its levels of sensitivity and protection. By leveraging discovery and classification, you can maintain complete visibility and control over your business’s data, reducing the risks associated with shadow data (unmanaged or abandoned data).
  2. Ensure data always has a good risk posture: Maintain a strong security stance by ensuring your data always has a good posture through Data Security Posture Management (DSPM). DSPM continuously monitors and strengthens your data’s security posture (readiness to tackle potential cybersecurity threats), helping to prevent breaches and protect sensitive information from evolving threats.
  3. Protect Private and Sensitive Data: Keep your private and sensitive data secure, even from internal users. By implementing Data Access Governance (DAG) and utilizing techniques like data de-identification and masking, you can protect critical information and minimize the risk of unauthorized access.
  4. Embrace Least-Privilege Control: Control data access through the principle of least privilege — only granting access to the users and systems who need it to perform their jobs. By implementing Data Access Governance (DAG), you can limit access to only what is necessary, reducing the potential for misuse and enhancing overall data security.
  5. Continual Threat Monitoring for Data Protection: To protect your data in real-time, implement continual monitoring of new threats. With Data Detection and Response (DDR), you can stay ahead of emerging risks, quickly identifying and neutralizing potential vulnerabilities to safeguard your sensitive information.

How Sentra Helps Secure Your Business’s World

Today, a business's “world” is extremely complex and ever-changing. Users can easily move, change, or copy data and connect new applications/environments to your ecosystem. These factors make it challenging to pinpoint where your data resides and who has access to it at any given moment. 

Sentra helps by giving businesses a vantage point of their entire data estate, including multi-cloud and on-premises environments. We combine all of the above practices—granular discovery and classification, end-to-end data security posture management, data access governance, and continuous data detection and response into a single platform. To celebrate Cybersecurity Awareness Day, check out how our data security platform can help improve your security posture.

Read More
David Stuart
David Stuart
September 25, 2024
3
Min Read
Data Security

Top Advantages and Benefits of DSPM

Top Advantages and Benefits of DSPM

Addressing data protection in today’s data estates requires innovative solutions. Data in modern environments moves quickly, as countless employees in a given organization can copy, move, or modify sensitive data within seconds. In addition, many organizations operate across a variety of on premises environments, along with multiple cloud service providers and technologies like PaaS and IaaS. Data quickly sprawls across this multifaceted estate as team members perform daily tasks. 

Data Security Posture Management (DSPM) is a key technology that meets these challenges by discovering and classifying sensitive data and then protecting it wherever it goes. DSPM helps organizations mitigate risks and maintain compliance across a complex data landscape by focusing on the continuous discovery and monitoring of sensitive information. 

If you're not familiar with DSPM, you can check out our comprehensive DSPM guide to get up to speed. But for now, let's delve into why DSPM is becoming indispensable for modern cloud enterprises.

Why is DSPM Important?

DSPM is an innovative cybersecurity approach designed to safeguard and monitor sensitive data as it traverses different environments. This technology focuses on the discovery of sensitive data across the entire data estate, including cloud platforms such as SaaS, IaaS, and PaaS, as well as on-premises systems. DSPM assesses exposure risks, identifies who has access to company data, classifies how data is used, ensures compliance with regulatory requirements like GDPR, PCI-DSS, and HIPAA, and continuously monitors data for emerging threats.

As organizations scale up their data estate and add multiple cloud environments, on-prem databases, and third-party SaaS applications, DSPM also helps them automate key data security practices and keep pace with this rapid scaling. For instance, DSPM offers automated data tags that help businesses better understand the deeper context behind their most valuable assets — regardless of location within the data estate. It leverages integrations with other security tools (DLP, CNAPP, etc.) to collect this valuable data context, allowing teams to confidently remediate the security issues that matter most to the business.

What are the Benefits of DSPM?

DSPM empowers all security stakeholders to monitor data flow, access, and security status, preventing risks associated with data duplication or movement in various cloud environments. It simplifies robust data protection, making it a vital asset for modern cloud-based data management.

Now, you might be wondering, why do we need another acronym? 

Let's explore the top five benefits of implementing DSPM:

1) Sharpen Visibility When Identifying Data Risk

DSPM enables you to continuously analyze your security posture and automate risk assessment across your entire landscape. It can detect data concerns across all cloud-native and unmanaged databases, data warehouses, data lakes, data pipelines, and metadata catalogs. By automatically discovering and classifying sensitive data, DSPM helps teams prioritize actions based on each asset’s sensitivity and relationship to policy guidelines.

Automating the data discovery and classification process takes a fraction of the time and effort it would take to manually catalog all sensitive data. It’s also far more accurate, especially when using a DSPM solution that leverages LLMs to classify data with more granularity and rich meta-data. In addition, it ensures that you stay up-to-date with the frequent changes in your modern data landscape.

2) Strengthen Adherence with Security & Compliance Requirements 

DSPM can also automate the process of identifying regulatory violations and ensuring adherence to custom and pre-built policies (including policies that map to common compliance frameworks). By contrast, manually implementing policies is prone to errors and inaccuracies. It’s common for teams to misconfigure policies that either overalert and inhibit daily work or miss significant user activities and changes to access permissions.

Instead, DSPM offers policies that travel with your data and automatically reveal compliance gaps. It ensures that sensitive data stays within the correct environments and doesn’t travel to regions with retention policies or without data encryption.

3) Improve Data Access Governance

Many DSPM solutions also offer data access governance (DAG). This functionality enforces the appropriate access permissions for all user identities, third parties, and applications within your organization. DAG automatically ensures that the proper controls follow your data, mitigating risks such as excessive permission, unauthorized access, inactive or unused identities and API keys, and improper provisioning/deprovisioning for services and users.

By using DSPM to govern data access, teams can successfully achieve the least privilege within an ever-changing and growing data ecosystem. 


4) Minimize your Data Attack Surface

DSPM also enables teams to detect unmanaged sensitive data, including mislocated, shadow, or duplicate assets. Its powerful data detection capabilities ensure that sensitive data, such as historical assets stored within legacy apps, development test data, or information within shadow IT apps, don’t go unnoticed in a lower environment. By automatically finding and classifying these unknown assets, DSPM minimizes your data attack surface, controls data sprawl, and better protects your most valuable assets from breaches and leaks.


5) Protect Data Used by LLMs

DSPM also extends to LLM applications, enabling you to maintain a strong risk posture as your team adopts new technologies. It considers LLMs as part of the data attack surface, applying the same DAG and data discovery/classification capabilities to any training data leveraged within these applications. 

By including LLMs in your overarching data security approach, DSPM alleviates any GenAI data privacy concerns and sets up your organization for future success as these technologies continue to evolve.

Enhance Your DSPM Strategy with Sentra

Sentra offers an AI-powered DSPM platform that moves at the speed of data, enabling you to strengthen your data risk posture across your entire hybrid ecosystem. Our platform can identify and mitigate data risks and threats with deep context, map identities to permissions, prevent exfiltration with a modern DLP, and maintain a rich data catalog with details on both known and unknown data. 

In addition, our platform runs autonomously and only requires minimal administrative support. It also adds a layer of security by discovering and intelligently categorizing all data with removing it from your environment. 

Conclusion

DSPM is quickly becoming an essential tool for modern cloud enterprises, offering comprehensive benefits to the complex challenges of data protection. By focusing on discovering and monitoring sensitive information, DSPM helps organizations mitigate risks and maintain compliance across various environments, including cloud and on-premises systems.

The rise of DSPM in the past few years highlights its importance in enhancing security. It allows security teams to monitor data flow, access, and status, effectively preventing data duplication or movement risks. With advanced threat detection, improved compliance and governance, detailed access control, rapid incident response, and seamless integration with cloud services, DSPM provides significant benefits and advantages over other data security solutions. Implementing DSPM is a strategic move for organizations aiming to fortify their data protection strategies in today's digital landscape.

Read More
Meni Besso
Meni Besso
September 16, 2024
4
Min Read
Compliance

GDPR Compliance Failures Lead to Surge in Fines

GDPR Compliance Failures Lead to Surge in Fines

In recent years, the landscape of data privacy and protection has become increasingly stringent, with regulators around the world cracking down on companies that fail to comply with local and international standards. 

The latest high-profile case involves Uber, which was recently fined a staggering €290 million ($324 million) by the Dutch Data Protection Authority (DPA) for violations related to the General Data Protection Regulation (GDPR). This is a wake up call for multinational companies. 

Graph showing the rise of GDPR fines from 2018-2024

What is GDPR?

The General Data Protection Regulation (GDPR) is a data protection law that came into effect in the EU in May 2018. Its goal is to give individuals more control over their personal data and unify data protection rules across the EU.

GDPR gives extra protection to special categories of sensitive data. Both 'controllers' (who decide how data is processed) and 'processors' (who act on their behalf) must comply. Joint controllers may share responsibility when multiple entities manage data.

Who Does the GDPR Apply To?

GDPR applies to both EU-based and non-EU organizations that handle the data of EU residents. The regulation requires organizations to get clear consent for data collection and processing, and it gives individuals rights to access, correct, and delete their data. Organizations must also ensure strong data security and report any data breaches promptly.

What Are the Penalties for Non-Compliance with GDPR?

Non-compliance with the General Data Protection Regulation (GDPR) can result in substantial penalties.

Article 83 of the GDPR establishes the fine framework, which includes the following:

Maximum Fine: The maximum fine for GDPR non-compliance can reach up to 20 million euros, or 4% of the company’s total global turnover from the preceding fiscal year, whichever is higher.

Alternative Penalty: In certain cases, the fine may be set at 10 million euros or 2% of the annual global revenue, as outlined in Article 83(4).

Additionally, individual EU member states have the authority to impose their own penalties for breaches not specifically addressed by Article 83, as permitted by the GDPR’s flexibility clause.

So far, the maximum fine given under GDPR was to Meta in 2023, which was fined $1.3 billion for violating GDPR laws related to data transfers. We’ll delve into the details of that case shortly.

Can Individuals Be Fined for GDPR Breaches?

While fines are typically imposed on organizations, individuals can be fined under certain circumstances. For example, if a person is self-employed and processes personal data as part of their business activities, they could be held responsible for a GDPR breach. However, UK-GDPR and EU-GDPR do not apply to data processing carried out by individuals for personal or household activities. 

According to GDPR Chapter 1, Article 4, “any natural or legal person, public authority, agency, or body” can be held accountable for non-compliance. This means that GDPR regulations do not distinguish significantly between individuals and corporations when it comes to breaches.

Specific scenarios where individuals within organizations may be fined include:

  • Obstructing a GDPR compliance investigation.
  • Providing false information to the ICO or DPA.
  • Destroying or falsifying evidence or information.
  • Obstructing official warrants related to GDPR or privacy laws.
  • Unlawfully obtaining personal data without the data controller's permission.

The Top 3 GDPR Fines and Their Impact

1.  Meta - €1.2 Billion ($1.3 Billion), 2023 

In May 2023, Meta, the U.S. tech giant, was hit with a staggering $1.3 billion fine by an Irish court for violating GDPR regulations concerning data transfers between the E.U. and the U.S. This massive penalty came after the E.U.-U.S. Privacy Shield Framework, which previously provided legal cover for such transfers, was invalidated in 2020. The court found that the framework failed to offer sufficient protection for EU citizens against government surveillance. This fine now stands as the largest ever under GDPR, surpassing Amazon’s 2021 record.

2. Amazon - €746 million ($781 million), 2021

Which leads us to Amazon at number 2, not bad. In 2021, Amazon Europe received the second-largest GDPR fine to date from Luxembourg’s National Commission for Data Protection (CNPD). The fine was imposed after it was determined that the online retailer was storing advertisement cookies without obtaining proper consent from its users.

3. Instagram - €405 million ($427 million), 2022

The Irish Data Protection Commission (DPC) fined Instagram for violating children’s privacy online in September 2022. The violations included the public exposure of kids' phone numbers and email addresses. The DPC found that Instagram’s user registration system could default child users' accounts to "public" instead of "private," contradicting GDPR’s privacy by design principles and the regulations aimed at safeguarding children's information.

Uber currently ranks at number 6 with the latest €290 million fine they received from the Dutch Data Protection Authority (DPA) for the GDPR related violations.

Uber’s GDPR Violation

The Dutch DPA accused Uber of transferring sensitive data of European drivers to the United States without implementing appropriate safeguards. This included personal information such as account details, location data, payment information, and even sensitive documents like taxi licenses, criminal records, and medical data. The failure to protect this data adequately, especially after the invalidation of the E.U.-U.S. Privacy Shield in 2020, constituted a serious violation of GDPR.

Despite Uber's claim that its cross-border data transfer process was compliant with GDPR, the DPA's decision to impose the record fine underscores the growing importance of adhering to stringent data protection regulations. Uber has since ceased the practice, but the financial and reputational damage is already done.

The Implications for Global Companies

The growing frequency of such fines sends a clear message to global companies: compliance with data protection regulations is non-negotiable. As European regulators continue to enforce GDPR rigorously, companies that fail to implement adequate data protection measures risk facing severe financial penalties and reputational harm.

In the case of Uber, the company’s failure to use appropriate mechanisms for data transfers, such as Standard Contractual Clauses, led to significant repercussions. This situation emphasizes the importance of staying current with regulatory changes, such as the introduction of the E.U.-U.S. Data Privacy Framework, and ensuring that all data transfer practices are fully compliant.

How Sentra Helps Orgs Stay Compliant with GDPR

Sentra helps organizations maintain GDPR compliance by effectively tagging data belonging to European citizens.

When EU citizens' Personally Identifiable Information (PII) is moved or stored outside of EU data centers, Sentra will detect and alert you in near real-time. Our continuous monitoring and scanning capabilities ensure that any data violations are identified and flagged promptly.

Example of EU citizens PII stored outside of EU data centers

Unlike traditional methods where data replication can obscure visibility and lead to issues during audits, Sentra provides ongoing visibility into data storage. This proactive approach significantly reduces the risk by alerting you to potential compliance issues as they arise.

Sentra does automatic classification of localized data - specifically in this case, EU data. Below you can see an example of how we do this. 

Sentra's automatic classification of localized data

The Rise of Compliance Violations: A Wake-up Call

The increasing number of compliance violations and the related hefty fines should serve as a wake-up call for companies worldwide. As the regulatory environment becomes more complex, it is crucial for organizations to prioritize data protection and privacy. By doing so, they can avoid costly penalties and maintain the trust of their customers and stakeholders.

Solutions such as Sentra provide a cost-effective means to ensure sensitive data always has the right posture and security controls - no matter where the data travels - and can alert on exceptions that require rapid remediation. In this way, organizations can remain regulatory compliant, avoid the steep penalties for violations, and ensure the proper, secure use of data throughout their ecosystem. 

Read More
decorative ball