Data Security Posture Management is an approach to securing cloud data by ensuring that sensitive data always has the correct security posture - regardless of where it’s been duplicated or moved to.
Here’s a quick example:
Let’s say you’ve built an excellent security posture for your cloud data. For the sake of this example, your data is in production, it’s protected behind a firewall, it’s not publicly accessible, and your IAM controls have limited access properly. Now along comes a developer and replicates that data into a lower environment.
What happens to that fine security posture you’ve built? Well, it’s gone - and now the data is only protected by the security posture in that lower environment. So if that environment is exposed or improperly secured - so is all that sensitive data you’ve been trying to protect.
Security postures just don’t travel with their data. Data Security Posture Management (DSPM) was created to solve this problem.
How Does Data Security Posture Management Work?
If we want a data security posture that travels with the data and helps you remediate issues, we need a solution that does three things:
- Discovers all the data in your public cloud - including shadow data that’s been created but isn’t used or monitored.
- Understands what security posture the data is supposed to have
- Prioritizes alerts based on data sensitivity and offers contextualized remediation plans
Data discovery and classification tools have been around for years. But they’ve lacked the ability to offer any business context. If you can find data but don’t know whether it’s business critical or not, and don't understand its security posture, it’s not much help to the security team that’s trying to prioritize thousands of alerts from different tools.
For example, let’s say a data discovery tool finds PII data. You wouldn’t need an alert if it has the proper security posture. A good DSPM solution wouldn’t waste your time with one.
Why is Data Security Posture Management So Critical Now?
It’s an answer you’ve heard before: the cloud.
Before widespread adoption of public cloud infrastructure, securing data meant securing your data center with a firewall. Even if your data was copied or moved, it still stayed inside your organization’s data center. There wasn’t a difference between your infrastructure security and your data security. But for cloud-first companies, data travels constantly across your cloud, to environments with different security postures. So the need arose to build a product that makes sure all this traveling data has the right security posture.
Wait, Doesn’t Cloud Security Posture Management (CSPM) Already Do This?
CSPM solutions are built to secure cloud infrastructure while DSPM is focused on cloud data. The difference is significant. A CSPM is built to find vulnerabilities in cloud resources, like VMs and VPC networks. Some may also be able to provide very basic insights on the data, like identifying PII in text files in VMs and S3 buckets. Beyond these basic abilities, CSPM products are often data agnostic and don’t prioritize remediation based on data sensitivity.
DSPM, on the other hand, is about the data itself. This includes identifying data vulnerabilities like overexposure, access controls, data flows, and anomalies. A DPSM solution connects the dots between data and the infrastructure security, allowing security teams to understand what sensitive data is at risk instead of showing them a list of vulnerabilities to remediate. Essentially DSPM is adding a layer of data security and data context over the infrastructure security.
How Does Data Security Posture Management Understand What Data is Sensitive?
Some data is obviously sensitive - social security numbers, credit card information, and healthcare data for example. These need to be protected not only for security reasons, but to stay compliant with regulations like PCI-DSS, HIPAA, and more.
But a good DSPM solution needs to go beyond this. To truly provide value, it should be able to autonomously draw conclusions about the type of data it’s finding - and be able to find data that isn’t structured as simply as a credit card number. By understanding and clustering metadata and leveraging ML technologies, DSPMs can find intellectual property, customer data and more that can’t be discovered just from using regular expressions.
Another critical factor is data ownership. DSPM should integrate with data catalogs to understand who is responsible for the data. Finally, there’s the issue of scale. One of the major weaknesses of legacy data discovery and classification solutions is that they aren’t able to scan and classify and the scale of modern cloud infrastructures. DSPM must be able to scan petabytes of data effectively and efficiently, to ensure everything is discovered - without breaking your cloud bill.
Conclusion: DSPM = Security that Travels with Your Data
Data Security Posture Management is new, and with that comes the natural skepticism of ‘do we really need another security acronym?’ But DSPM is solving real security problems caused by the move to the cloud. Customer information, company secrets, and source code leaks aren't caused by initial failures to secure data. They’re caused by the ease with which data is replicated and moved around - without the security posture following. Data Security Posture Management promises to make sure that wherever your data travels in the cloud - your security posture follows.
To learn more about DSPM and how Sentra can help find, classify and secure your cloud data, get a demo here.