Data Security Posture Management: What’s Fact and What’s Fiction?
The rise of data security posture management (DSPM) comes as no surprise considering the increasingly complex cloud environments in which organizations are storing massive volumes of data. A process that grants organizations full visibility over the security posture of cloud data assets and sensitive data is extremely valuable to today’s security teams.
Though DSPM has risen in prominence, there are still misconceptions about what it can and cannot do for businesses.
With data becoming so valuable for companies, it is proliferating everywhere. Companies are moving data to the cloud, aggregating it in data warehouses and SaaS applications, and streaming it in real time between systems to drive decisions. With attacks rampant, companies worry that data breaches will disrupt business operations and innovation.
Traditional data loss prevention (DLP) approaches have not proven effective in the cloud. Known to be noisy and unfriendly to users, conventional DLPs lack an understanding of cloud architectures and the ability to handle hyperscale. Often, they require teams to know in advance which data to protect and where to implement security controls. But in the cloud, data sprawl is real. Sensitive data is dispersed across cloud services, and with so many shadow IT data systems, the attack surface is too ill-defined and too large for a DLP to defend.
Cloud-native DLPs have emerged but are too expensive and narrowly focused. To add to the complication, security teams are realizing their recent investments in third-party cloud-native application protection technologies do not address data risks in the cloud. The industry is in dire need of a more scalable and reliable data-centric approach to protect cloud data everywhere, hence the emergence of DSPM.
With this background in mind, let’s understand what a DSPM can and cannot deliver.
Provide Intelligent Insights About Data
DSPM technology offers companies greater visibility into their data, regardless of the public cloud in which it is stored. At the core of a DSPM technology is the ability to discover and classify sensitive data, typically using machine learning techniques, and to attach valuable context to it, such as business, security and privacy metadata and the configuration of the underlying data system. Many DSPM solutions can also monitor data access, allowing businesses to track who uses data along with their roles, permissions and locations. Although DSPM technologies are likely to evolve as the market matures, the concept itself promises to be a game-changer for data security teams.
But data is unlike other elements of cloud infrastructure you need to protect. Data is not static but is being moved and copied across data systems in the cloud and beyond, transforming between tables and columns, and even streaming downstream to applications for real-time decisions. Data at rest and in motion spans the boundaries of public clouds, extending into legacy on-prem systems and SaaS applications. Given the public cloud focus of DSPM, organizations should consider technologies that extend the benefits of a DSPM to the full lifecycle of data and consistently implement security controls, no matter where the data lives.
Prioritize Misconfigurations Based on Data Context
Let’s say you get two alerts from your cloud security posture management (CSPM) solution:
● AWS S3 bucket is publicly accessible via bucket policy
● AWS Redshift cluster uses the default port for network access
Which one would you prioritize first?
Probably the S3 bucket, as its contents are accessible to everyone. The Redshift cluster might feel less vulnerable, as other controls (security groups, authentication) may still stand between an attacker and the default port. But your decision would change if you knew that the S3 bucket contains marketing website images while the Redshift cluster holds financial records containing customer personally identifiable information (PII).
This is the challenge with CSPM solutions: they lack intelligence about the data behind the resources they assess. When teams are flooded with alerts, they need data context to prioritize actions. While some might argue that a CSPM could simply auto-remediate every alert, this is not always practical, especially when a small configuration change can bring down an entire application.
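The re-ranking described above can be made concrete as a small scoring step that joins CSPM findings to DSPM classifications. The example below is added here for illustration; it is not code from the original article or from any CSPM or DSPM product. The findings, resource ARNs, data classifications, the 0-1 "exposure" estimate per misconfiguration and the per-class sensitivity weights are all constructed assumptions, and the scoring formula (exposure x sensitivity x a log-scaled record count) is one reasonable choice, not a standard.

```python
"""Rank CSPM findings by the sensitivity of the data behind them.

Added example for this article; it is not code from the original page or
from any CSPM/DSPM product. Findings, resource ARNs, classifications and
scoring weights are constructed for illustration.
"""
import math

# Constructed CSPM findings. 'exposure' is an assumed 0-1 estimate of how
# directly the misconfiguration exposes data: a public bucket policy is 1.0,
# a default port with other controls still in front of it is 0.3.
FINDINGS = [
    {"id": "F-1",
     "resource": "arn:aws:s3:::acme-marketing-assets",
     "title": "S3 bucket is publicly accessible via bucket policy",
     "exposure": 1.0},
    {"id": "F-2",
     "resource": "arn:aws:redshift:us-east-1:123456789012:cluster:finance-dw",
     "title": "Redshift cluster uses the default port for network access",
     "exposure": 0.3},
]

# Constructed DSPM classification of what each data store actually holds.
CLASSIFICATIONS = {
    "arn:aws:s3:::acme-marketing-assets":
        {"classes": ["public-web-asset"], "records": 12_000},
    "arn:aws:redshift:us-east-1:123456789012:cluster:finance-dw":
        {"classes": ["pii", "financial"], "records": 4_500_000},
}

# Assumed per-class sensitivity weights. A store the DSPM has not classified
# gets a middling weight rather than zero: unscanned data is itself a risk.
SENSITIVITY = {"public-web-asset": 0.1, "internal": 0.4,
               "pii": 0.9, "financial": 0.9, "phi": 1.0}
UNKNOWN_SENSITIVITY = 0.5


def sensitivity_of(classification):
    """Highest sensitivity weight among the classes found in a store."""
    classes = (classification or {}).get("classes") or []
    if not classes:
        return UNKNOWN_SENSITIVITY
    return max(SENSITIVITY.get(c, UNKNOWN_SENSITIVITY) for c in classes)


def volume_factor(records):
    """0.5..1.0 scale on log10(records), saturating near 10M rows, so record
    count nudges the score without swamping exposure and sensitivity."""
    return 0.5 + 0.5 * min(1.0, math.log10(records + 1) / 7)


def risk_score(finding, classification):
    """exposure x sensitivity x volume, scaled to 0-100."""
    records = (classification or {}).get("records", 0)
    return round(100 * finding["exposure"]
                 * sensitivity_of(classification)
                 * volume_factor(records), 1)


def prioritize(findings, classifications):
    """Return [(finding id, score)] sorted highest risk first."""
    scored = [(f["id"], risk_score(f, classifications.get(f["resource"])))
              for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("CSPM only (no data context):", prioritize(FINDINGS, {}))
    print("With DSPM context:          ", prioritize(FINDINGS, CLASSIFICATIONS))
```

Run with an empty classification map, the public bucket ranks first on exposure alone; with the DSPM classifications joined in, the Redshift finding moves to the top. The unknown-store default is deliberate: a store the scanner has never seen should not silently score as harmless.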
Complement CSPM Controls
While DSPM does offer more data intelligence, CSPM solutions still play a crucial role in an organization's overall security. DSPM and CSPM are complementary solutions that together provide a multi-layered defense. For example, a CSPM can alert an organization to how an attacker could exploit a virtual machine misconfiguration to assume an admin role and reach other cloud resources. Meanwhile, a DSPM can identify unprotected social security numbers and credit card numbers in the cloud. The role of a DSPM is to help an organization protect its data by guiding how to prioritize risk mitigation based on where sensitive data is stored, who has access to it and which misconfigurations exist in the underlying data systems.
In other words, DSPM and CSPM each have unique strengths, and together they provide a more comprehensive security posture. Eventually, CSPM and DSPM vendors will offer overlapping capabilities, but keep in mind that the former goes broad across the cloud infrastructure while the latter has the potential to extend data controls deep within and beyond the cloud.
Comply With Data Security and Privacy Regulations
At a basic level, DSPMs offer a library of security posture rules mapped to various data protection and privacy regulations. As organizations remediate violations of these rules, they also reap the benefits of improved compliance. Further, with deep knowledge of regulations and automated insights into data, users and locations, DSPM solutions should help address tricky compliance challenges, such as cross-border data transfers that violate data and user residency restrictions.
Improve Zero-Trust Through Data Access Controls
One issue with the prevalent role-based access control (RBAC) model is that it tends to produce over-permissioning. Most organizations grant users more permissions than they need, because they do not wish to slow down data projects. By analyzing actual data access activity, DSPM solutions can recommend which users do not need full access and which permissions can be rightsized, moving the organization closer to least privilege and zero trust.
Additionally, with insight into attributes such as data sensitivity and location, DSPMs should enable organizations to implement granular attribute-based access controls, such as masking sensitive columns in a table for a particular role or temporarily blocking access requests from a suspicious location.
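The rightsizing analysis described above, comparing what a role is granted against what it has actually exercised, can be sketched in a few dozen lines. The example below is added for illustration; it is not code from the original article or from any DSPM vendor. The role grants, the access events (modelled on what a warehouse audit log would yield), the 90-day lookback window and the output format are all constructed assumptions.

```python
"""Recommend permission rightsizing from observed data access activity.

Added example for this article; not code from the original page or any DSPM
product. The role grants, the access log and the 90-day lookback window are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 31, tzinfo=timezone.utc)

# Constructed RBAC grants: role -> dataset -> privileges granted.
GRANTS = {
    "analyst": {
        "finance_dw.customers": {"SELECT", "UPDATE", "DELETE"},
        "finance_dw.transactions": {"SELECT"},
        "marketing.assets": {"SELECT"},
    },
}

# Constructed access log, as a DSPM might collect from warehouse audit logs.
EVENTS = [
    {"role": "analyst", "dataset": "finance_dw.customers",
     "privilege": "SELECT", "ts": NOW - timedelta(days=10)},
    {"role": "analyst", "dataset": "finance_dw.transactions",
     "privilege": "SELECT", "ts": NOW - timedelta(days=30)},
    # Last use of marketing.assets was before the lookback window.
    {"role": "analyst", "dataset": "marketing.assets",
     "privilege": "SELECT", "ts": NOW - timedelta(days=120)},
]


def used_privileges(events, since):
    """(role, dataset) -> set of privileges actually exercised since `since`."""
    used = defaultdict(set)
    for e in events:
        if e["ts"] >= since:
            used[(e["role"], e["dataset"])].add(e["privilege"])
    return used


def rightsize(grants, events, now=NOW, window_days=90):
    """Compare granted vs. exercised privileges and recommend revocations.

    A grant with no activity at all in the window is flagged for full
    removal; a partially used grant keeps the privileges that were used.
    """
    used = used_privileges(events, now - timedelta(days=window_days))
    recommendations = []
    for role, datasets in grants.items():
        for dataset, granted in datasets.items():
            unused = granted - used.get((role, dataset), set())
            if not unused:
                continue
            recommendations.append({
                "role": role,
                "dataset": dataset,
                "action": "revoke_all" if unused == granted else "revoke",
                "privileges": sorted(unused),
            })
    return recommendations


if __name__ == "__main__":
    for rec in rightsize(GRANTS, EVENTS):
        print(rec)
```

The output is a recommendation list, not an enforcement action: the lookback window decides what counts as "unused", and a window shorter than a legitimate but infrequent job (a quarterly close, an annual audit export) will flag access that is still needed. Widening the window to 180 days in the example keeps the marketing grant, which is exactly the kind of review a human should do before a DSPM's suggestion is applied.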
In Conclusion
By getting ahead of the DSPM technology evolution, you can help plan the most effective cloud data security strategy for your company. It is important to note that other teams in your company, such as data privacy and governance, also need data intelligence and controls. It is neither practical nor cost-effective for each team to scan petabytes of cloud data for its own needs. Rather than go solo on your DSPM journey, bring the other teams along and unify data controls across disciplines and data locations on a common foundation of sensitive data intelligence.

