The Ultimate Guide for

Data Security Posture Management (DSPM)

  

What is Data Security Posture Management (DSPM)

DSPM Definition: 

According to Gartner, who coined the term, “Data security posture management (DSPM) provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data stored or application is. It does that by assessing the current state of data security, identifying and classifying potential risks and vulnerabilities, implementing security controls to mitigate these risks, and regularly monitoring and updating the security posture to ensure it remains effective. As a result, it enables businesses to maintain the confidentiality, integrity, and availability of sensitive data. The typical users of DSPM include Information Technology (IT) departments, security teams, compliance teams, and executive leadership.”

The cloud has fundamentally changed how businesses operate. Moving workloads and data assets is now simpler than ever, which is a boon for productivity: businesses can respond to customer demand and create new revenue opportunities faster. However, the pace and permissive defaults of the cloud also dramatically expand a company's attack surface and raise the likelihood of a data breach. Put simply, the distributed nature of the cloud seriously complicates data security. Historically, several technologies have attempted to address data security challenges, including the following:

  • Data discovery and classification
  • Data loss prevention (DLP)
  • Data access governance (DAG)

DSPM solutions combine capabilities from all three of these areas. What distinguishes DSPM from its predecessors is a cloud-native, agentless architecture: rather than relying on deployed agents or inline appliances, it discovers and inspects data stores directly within the cloud environment, and that architecture is the foundation of its approach to data security.

  

How does DSPM work?

DSPM helps organizations address data security and privacy concerns, but many still aren't sure what to look for when selecting a solution. A top-tier DSPM solution performs several functions, including:

Continuous discovery and classification: DSPM continuously discovers and classifies all cloud data stores, sensitive data, and user roles. Agentless technology automatically provides a comprehensive view of data and data stores in any cloud, container, or serverless environment.

Understand and classify data: DSPM determines which types of data exist and gives security teams a graph-based analysis of that data with context-aware risk assessment. Data is classified by sensitivity, volume, and regulatory or compliance exposure. Discovered personally identifiable information (PII) automatically populates a dynamic sensitive data inventory, and machine learning (ML) models adjust and fine-tune classifications to an organization's particular environment. Once an inventory exists, each data class is assigned a risk-based classification reflecting the privacy or regulatory risk it represents, and the inventory of PII data classes keeps expanding as the scan covers more of the environment.

DSPM characterizes data along several dimensions, including:

  • Exposure: is the data public or internal?
  • Sensitivity: is the data public, internal, personal and sensitive, or non-personal but sensitive (for example, credentials)?
  • Business domain: is the data financial, technical, operational, or marketing?

Replace manually created inventories: Instead of relying on inventories built by hand, DSPM automatically creates personal data inventories across all cloud data stores, regardless of how each store was deployed, discovered, classified, or categorized.

Protect and/or guide remediation: DSPM provides remediation options, so security teams can see how to protect exposed data quickly, which policies to apply to it, and which identities need their access reviewed or reduced.

   

Understanding DSPM Through Real-Life Examples

Organizations create, collect, and store vast amounts of data that often become siloed within various business units. Likewise, applications and products are notorious for collecting data in silos. As a result, security and risk teams don’t have the visibility they need to manage or understand data consistently. This makes it challenging to create effective policies for security leaders to implement at scale; reactive measures based on alerts, legislation, zero-day threats, critical vulnerabilities, and attacks keep security teams busy playing whack-a-mole with sprawling security challenges.

This lack of visibility isn’t just inconvenient – it’s dangerous. You can’t protect what you can’t see. 
By adopting a data-centric security architecture, security leaders can make data the top security priority and in so doing, better align with internal stakeholders. A case study example:

How ACV Auctions improved cloud data security and saved on cloud costs

ACV (NASDAQ: ACVA) is a technology and data company specializing in buying, selling, and managing used vehicle inventory. Its flagship product, ACV Auctions, provides a leading digital marketplace for wholesale vehicle transactions and data services.

The Challenge: Secure sensitive cloud data

ACV is bringing new trust and transparency to the wholesale automotive industry by empowering dealers and commercial partners with data insights and technology innovations. As part of this mission, the company collects and stores data about dealers and their transactions in the Amazon Web Services (AWS) cloud. This data is important to ACV's business, and ACV takes its responsibility for safeguarding it seriously. As ACV expands its business and market share, the amount of data it manages will continue to increase.

The Solution: DSPM

ACV chose a leading DSPM solution to gain visibility into the data it manages in AWS and to ensure that the security team was well positioned to address vulnerabilities and respond to security incidents across its large and expanding cloud environment.

Key Benefits:

  • Improved security posture: The DSPM solution rapidly identified sensitive data exposures, including PII that was left unencrypted and information that was misconfigured to be publicly accessible. It enables ACV's security team to harden its data security posture, which includes governing who can access sensitive data.
  • Increased context for incident response: ACV's security team uses the DSPM solution to enrich its vulnerability management pipeline and incident response capabilities. The solution's findings, classifications, and data context are aggregated and correlated in a central vulnerability management system. This helps establish the risk, severity, and priority of a single issue or asset by supplying data context on the blast radius and potential business impact.
  • Minimized data and optimized costs: Data minimization is also a critical aspect of cloud cost optimization. Because cloud resource consumption dictates price, reducing overconsumption and unnecessary storage helps ACV Auctions contain cloud costs.


Data Security Posture Management vs. Cloud Security Posture Management

Do you need a Cloud Security Posture Management (CSPM) solution or a Data Security Posture Management (DSPM) solution? For most organizations it is not an either/or choice.

Many organizations use DSPM to understand their data and enrich findings from an existing CSPM tool. Adding DSPM on top of CSPM can help reduce false positives and get more context about the data in your environments.

Why CSPM?

CSPM scans cloud environments and compares its findings against a policy library of known misconfigurations, showing which parts of your environment lack appropriate security controls. CSPM tools are a powerful way to get an overview of the misconfigurations affecting your cloud data stores, and they give a wide-angle view of potential pathways into the various cloud environments across the data landscape. However, CSPM focuses on IaaS and some DBaaS, so its visibility is siloed.

For example, CSPM tools are good at telling you the status of an S3 bucket (whether it is publicly accessible, whether default encryption is enabled) but reveal little about the objects inside it, such as files containing credentials in plaintext. They also cannot tell whether sensitive data is being shared in a way that might create privacy violations (for example, across geographies with different regulations). The data discovery and classification features CSPM tools do have are rudimentary and have not kept pace with the growth in data volume and types.

Although CSPM can show you what's wrong with the infrastructure, on its own it can inundate security teams with inaccurate (false-positive) and low-priority alerts. The flood can cause teams to miss the critical alerts that affect your most valuable data. Almost half (43%) of CSPM alerts are false positives, which is less than ideal when you need to decide whether a misconfiguration must be fixed immediately.

To beat alert fatigue and find out about the data within, you need a Data Security Posture Management (DSPM) solution. 

Why DSPM?

DSPM tells you what sensitive data is inside the bucket and whether it is stored in plaintext when it should be encrypted or otherwise protected; where the data is protected, it can tell you which obfuscation method was used, whether hashing, redaction, or tokenization. DSPM also provides insight into which users can access which data stores and the types of sensitive data they can reach.

DSPM provides context that can answer hard-to-find compliance questions, such as whether data belongs to a European Union resident, which subjects it to the GDPR, and what security controls have been applied to protect it. These and other DSPM capabilities give security teams the in-depth data insight they need to understand and prioritize data security issues.
DSPM goes several steps beyond what CSPM does to:

  1. Automatically discover sensitive data. DSPM sets out to build visibility of sensitive data from the start. CSPM scans look for infrastructure misconfigurations, which may or may not trigger a scan of the data itself, so data visibility driven by CSPM processes is spotty at best.
  2. Provide holistic coverage. DSPM finds data across IaaS, SaaS, and PaaS/DBaaS. CSPM, on the other hand, scans mostly IaaS and some DBaaS.
  3. Classify data with AI-assisted precision. DSPM yields accurate classifications with little manual tuning. CSPM relies on rule-based classifiers that require someone to build out the classification policies, test them, and validate the results over and over again.
  4. Understand data context. DSPM knows what the data represents and when it is at risk. CSPM may know the high-level classification of some data but lacks depth.
  5. Address compliance obligations related to data. DSPM can uncover privacy issues such as the role of the data subject (patient or physician, for instance) so the right controls can be applied to satisfy HIPAA requirements. CSPM describes the environment, not the data.
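To make the two halves of this guide concrete, the following Python sketch is an added illustration, not the code of Cyera or any other DSPM product. It walks the discovery-and-classification workflow described under "How does DSPM work?" (discover objects, classify each field, note whether a value is plaintext, hashed, or redacted, build a per-store inventory) and then ranks stores by combining that data context with the two CSPM-style posture facts mentioned above (is the bucket public, is default encryption on). The store names, object contents, regular expressions, sensitivity weights, and scoring thresholds are all constructed for this example, and the in-memory `STORES` dictionary stands in for listing objects through the cloud provider's API.

```python
"""Toy DSPM scan: discover objects, classify their contents, then rank stores by
combining that data context with CSPM-style posture facts.
Added illustration only; names, contents, patterns, weights and thresholds are invented."""
import csv
import hashlib
import io
import re
from dataclasses import dataclass

# Constructed inventory. "public" and "default_encryption" are the kind of facts a
# CSPM tool reports; "objects" is what a DSPM scan actually reads. All values are made up.
STORES = {
    "s3://acme-marketing-assets": {
        "public": True, "default_encryption": False,
        "objects": {"brochure.txt": "Spring sale: 20% off all widgets."},
    },
    "s3://acme-dealer-exports": {
        "public": False, "default_encryption": False,
        "objects": {
            "dealers.csv": "name,email,ssn\nJane Roe,jane@example.com,123-45-6789\n",
            "pipeline.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        },
    },
    "s3://acme-analytics": {
        "public": False, "default_encryption": True,
        "objects": {
            "users.csv": "email_hash,ssn\n"
            + hashlib.sha256(b"jane@example.com").hexdigest() + ",***-**-6789\n",
        },
    },
}

# (data class, storage form, pattern). Order matters: the first full match wins.
PATTERNS = [
    ("credential.aws_access_key", "plaintext", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("pii.ssn", "plaintext", re.compile(r"\d{3}-\d{2}-\d{4}")),
    ("pii.ssn", "redacted", re.compile(r"\*{3}-\*{2}-\d{4}")),
    ("pii.email", "plaintext", re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")),
    ("opaque", "hashed", re.compile(r"[0-9a-f]{64}")),  # SHA-256 hex digest
]

# Invented sensitivity weight per data class; drives the risk level of a store.
SENSITIVITY = {"credential.aws_access_key": 4, "pii.ssn": 3, "pii.email": 2, "opaque": 0}


@dataclass
class Finding:
    store: str
    obj: str
    data_class: str
    form: str  # plaintext | hashed | redacted


def fields(name, content):
    """Yield (column_hint, value) pairs; the hint lets a hashed value keep its class."""
    if name.endswith(".csv"):
        for row in csv.DictReader(io.StringIO(content)):
            for col, val in row.items():
                yield col.lower(), (val or "")
    elif name.endswith(".env"):
        for line in content.splitlines():
            key, sep, val = line.partition("=")
            if sep:
                yield key.lower(), val.strip()
    else:
        for tok in content.split():
            yield "", tok


def classify_value(hint, value):
    """Return (data_class, form) for one field value, or None if nothing matched."""
    for data_class, form, rx in PATTERNS:
        if rx.fullmatch(value):
            if data_class == "opaque":  # a bare hash says nothing; use the column name
                data_class = next((f"pii.{k}" for k in ("email", "ssn") if k in hint), "opaque")
            return data_class, form
    return None


def scan(stores):
    """Discovery + classification: walk every object and record what it holds."""
    findings = []
    for store, meta in stores.items():
        for obj, content in meta["objects"].items():
            for hint, value in fields(obj, content):
                hit = classify_value(hint, value)
                if hit:
                    findings.append(Finding(store, obj, *hit))
    return findings


def prioritize(stores, findings):
    """Rank stores by what is inside them, not only by how they are configured."""
    report = {}
    for store, meta in stores.items():
        mine = [f for f in findings if f.store == store]
        exposed = [f for f in mine if f.form == "plaintext"]
        score = max((SENSITIVITY.get(f.data_class, 1) for f in exposed), default=0)
        if meta["public"] and exposed:  # a public bucket only matters if sensitive plaintext is inside
            score += 2
        if not meta["default_encryption"] and exposed:
            score += 1
        level = "critical" if score >= 5 else "high" if score >= 3 else "low"
        report[store] = {"level": level, "score": score, "plaintext": bool(exposed),
                         "classes": sorted({f.data_class for f in mine})}
    return report


if __name__ == "__main__":
    for store, r in prioritize(STORES, scan(STORES)).items():
        print(f"{r['level']:8} {store}  classes={r['classes']} plaintext={r['plaintext']}")
```

Run as a script, the public marketing bucket comes out "low" because nothing sensitive is inside it (the alert a CSPM tool would raise on the public ACL alone is the false positive the text describes); the private, unencrypted export bucket comes out "critical" because it holds a plaintext SSN, an email address and an AWS access key; and the encrypted analytics bucket is inventoried as holding email and SSN classes but is not flagged as a plaintext exposure because the values are hashed or redacted. A real scan would replace `STORES` with object listings from the provider API and would sample large objects rather than read them whole.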
     

Data Security Posture Management (DSPM) Vendors

Embarking on the journey to fortify your data security posture with Data Security Posture Management (DSPM) requires the right technological allies. In this section, we explore leading DSPM vendors who offer cutting-edge solutions designed to elevate your organization's defense against evolving cyber threats. From data discovery to remediation, these vendors play a pivotal role in shaping the landscape of DSPM, providing advanced tools and insights to safeguard your sensitive data. 



https://www.cyera.io/ 

Cyera is the data security company that gives businesses deep context on their data, applying proper, continuous controls to assure cyber-resilience and compliance. Cyera takes a data-centric approach to security across the data landscape, empowering security teams to know where their data is and what exposes it to risk so they can take immediate action to remediate exposures. Cyera is redefining how companies secure data in the cloud.

To learn more, visit: www.cyera.io/platform/dspm.
Or Request a demo: www.cyera.io/demo 

Key Features:

  • Data Security Platform
  • Data Security Posture Management (DSPM)
  • Data Discovery & Classification
  • Data Detection & Response (DDR)
  • Data Access Governance (DAG)
  • Data Privacy

Gartner Peer Insights

Peer reviews have historically been one of the most significant buying influences, but end-users want reviews they can trust. Gartner Peer Insights is a moderated collection of technology product/service evaluations created by users. The moderation aspect is key: Gartner validates that every review comes from an authentic user.

According to one five-star review from a healthcare and biotech Chief Information Security Officer, the technology has been impressive. Still, it is the people at Cyera who genuinely make the solution powerful: 

"Working with the Cyera team has been exceptional from our first meeting with them. The level of customer care, technical support and product development feedback integration is some of the best I have experienced in my career. The team is passionate about their mission to secure data, and help customers understand their risk around data security. It's refreshing to work so closely with a vendor and be able to affect product decisions and design to suit our admittedly very complex needs. The team has also been very responsive to engineering / technical requests, and the regular cadence of meetings with our technical account manager (who is also a privacy expert!) keep us using the product in an effective manner that provides good ROI and meaningful security gains. Overall a great experience."

Another five-star review, from an IT Director at a $10+ billion manufacturer, notes how Cyera's data governance focus improves security, compliance, and business outcomes:

"Cyera has a unique approach to cloud data governance that is inclusive of customer feedback. To that end, any gaps that we may see in the product today are likely to be addressed in a near-term release. The result is we will have all the visibility into the data that we need to make key decisions that result in reduced security and compliance risk, lower cost of operations, and improved data management capabilities."

A third five-star review returns to the people at Cyera by asking, "What Makes A Perfect Vendor? A Vendor That Acts Like Part Of Your Work Family."

"This vendor has yet to cease amazing me, in all asks, feature requests, professionalism; I could go on and on. What makes a perfect vendor? A perfect partner that is aligned and understands your success and what it means to the customers we serve."

Additional Testimonials from Customers:

“Cyera enables me to see where my data is, all of my data events, who is accessing the data, and what is being done with that data across all of my accounts and data stores. This enables me to secure my data and do a better job of troubleshooting and managing my data.

When we implemented Cyera, we got a full picture of our cloud data landscape. Cyera showed us that we had a lot of ghost data that was not being accessed or used. Eliminating it would save us over $50,000 per year in cloud storage costs. Cyera also helps me show our executive team and other business stakeholders how we are managing, governing, and securing our data, and how we are keeping it private.” Erik Bataller, VP of Information Security Officer at ACV Auctions. 
