Understand the meaning, importance, and how to implement DSPM.
DSPM, or Data Security Posture Management, is the modern approach to securing the information ecosystem. It represents a pivotal shift from the traditional castle-and-moat approach, which focuses on IT devices, to one that focuses on data.
According to Gartner, “data security posture management (DSPM) provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data stored or application is.”
At its core, DSPM is a “data-first” approach to information security. Historically, IT security has focused on securing hardware and software assets like servers, workstations, networks, and applications. Also called the “castle and moat” approach, it can be compared to securing a castle without paying attention to the crown jewels in the treasury within it. This approach works poorly in the modern, cloud-heavy environment, where an organization has limited control over what a cloud service provider does.
Moreover, such an approach ignores what is truly important to the organization – data. After all, cybercriminals operate not to render IT assets useless, but to steal sensitive data or make it unavailable pending a ransom payment. Therefore, protecting the assets where the data resides without protecting the data itself is not sufficient. With the recent explosion of AI/ML and DevOps, new data is being created and moved around at such a high rate that most organizations find it difficult to keep track of every API and of where sensitive data is located. This “shadow data” can render traditional security controls ineffective. This is exactly what DSPM is designed to address, by focusing on the core asset, data, and not just the infrastructure in which it resides.
DSPM is an emerging need that became well-known with Gartner’s publication of its Hype Cycle for Data Security, 2022. According to Gartner, “Data security posture management (DSPM) provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data stored, or application is. It does that by assessing the current state of data security, identifying and classifying potential risks and vulnerabilities, implementing security controls to mitigate these risks, and regularly monitoring and updating the security posture to ensure it remains effective. As a result, it enables businesses in maintaining the confidentiality, integrity, and availability of sensitive data.”
While Gartner had categorized DSPM in the initial Innovation Trigger phase (“A potential technology breakthrough kicks things off. Early proof-of-concept stories and media interest trigger significant publicity”) of a 5-phase cycle, it is expected to reach the final Plateau of Productivity phase within a decade with “transformational” impact. While the concept is new, several players have emerged, and it makes sense for organizations to set the ball rolling on this journey.
DSPM traverses the worlds of cloud security and data security, and the conversation often brings up comparisons with CSPM (Cloud Security Posture Management) and Data Loss Prevention (DLP). Below is a quick summary of these three security mechanisms:
CSPM: Monitor and manage the security of cloud offerings by detecting and remediating misconfigurations (unrestricted access, logging not enabled, etc.) and known vulnerabilities. However, it focuses on infrastructure and services while being agnostic to the specific asset organizations want to protect – data. Without this context, CSPM is a one-size-fits-all approach that ignores the relative importance of different kinds of data and overlooks potential issues like excessive access. Also, by definition, its scope does not include non-cloud assets.
DLP: Monitor and block (if required) data egress from endpoints, cloud perimeter or email based on predefined rules. While the focus is on securing data, it is not conducive to multi-cloud environments and the consequent data sprawl.
DSPM: Combines the features of CSPM and DLP, and goes beyond to secure all data, on-premises and in the cloud. By focusing on the data and not where it is stored or how it is moved, DSPM can address use cases like unknown data stores, risky data flows and excessive permissions.
The strategy to implement DSPM should follow a structured process that is customized for the organization. For example, different organizations treat different kinds of data differently, and this should be reflected in the strategy. In general, DSPM implementation can be organized in the following steps:
1. Data Discovery
Identifying all data elements across on-premises and cloud data stores. While organizations usually have good visibility into on-premises data stores, this is not true for the cloud due to its spread across multiple providers and physical locations.
2. Data Classification
Categorizing data elements based on some predefined criteria. These can include factors such as confidentiality (PII, PHI, etc.), integrity (single source of truth), availability (no downtime allowed), access (limited access), storage (persistent), compliance (regulatory requirements like GDPR, HIPAA), etc.
3. Risk Assessment
Determining risks to confidentiality, integrity, and availability of data. This can be done by methods like threat modeling, vulnerability scanning, penetration testing and controls evaluation. Risks thus identified include misconfigurations, excessive entitlements, data provenance and data lineage issues, and regulatory non-compliance.
4. Configuration Management
Ensuring that system and application configurations align with security best practices, compliance requirements and internal policies.
5. Remediation and Prevention
Providing visibility into prioritized data risks and information to perform root cause analyses of threats along with step-by-step instructions for remediation.
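The five steps above map naturally onto a pipeline: enumerate the stores you can see, sample and label what is in them, combine the labels with each store’s configuration to rank risk, and attach a remediation to every finding. The following is an added illustration of that pipeline, not code from the original article or from any DSPM product. The inventory, the store names and the data samples are constructed for the example; the detectors are deliberately simple regular expressions (with a Luhn check to cut false positives on card-shaped numbers) and the severity weights are arbitrary choices, not an industry standard.

```python
"""Toy DSPM pipeline: discover -> classify -> assess -> recommend remediation.

Added example. All store names, samples and weights are constructed/hypothetical.
"""
import re

# Constructed inventory of data stores (hypothetical names, not real accounts).
# known=False marks a store absent from the official asset inventory, i.e. shadow data.
INVENTORY = [
    {"name": "s3://acme-customer-exports", "provider": "aws", "known": True,
     "public": True, "encrypted": False, "logging": False,
     "sample": "jane.doe@example.com,4111 1111 1111 1111,2023-01-04"},
    {"name": "gs://acme-ml-scratch", "provider": "gcp", "known": False,
     "public": False, "encrypted": True, "logging": False,
     "sample": "patient_id=8812 diagnosis=J45.909 ssn=123-45-6789"},
    {"name": "onprem-pg-01/orders", "provider": "onprem", "known": True,
     "public": False, "encrypted": True, "logging": True,
     "sample": "order 7781 shipped 2 widgets"},
]

# Simplified detectors for common sensitive data elements.
DETECTORS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Which compliance regime each element falls under (illustrative mapping).
REGIMES = {"EMAIL": "GDPR", "SSN": "GDPR/HIPAA", "CARD": "PCI DSS"}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: filters out card-shaped digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(sample: str) -> set[str]:
    """Step 2 (classification): label the sensitive elements present in a sample."""
    labels = set()
    for label, rx in DETECTORS.items():
        for m in rx.finditer(sample):
            if label == "CARD" and not luhn_ok(m.group()):
                continue
            labels.add(label)
    return labels


def assess(store: dict, labels: set[str]) -> list[dict]:
    """Steps 3-5: combine labels with configuration into ranked findings with fixes."""
    sensitive = bool(labels)
    findings = []
    if not store["known"]:
        findings.append({"id": "shadow-store", "severity": 3 if sensitive else 1,
                         "fix": "Register the store in the asset inventory or decommission it"})
    if store["public"] and sensitive:
        findings.append({"id": "public-exposure", "severity": 5,
                         "fix": "Remove public access; require authenticated principals"})
    if not store["encrypted"] and sensitive:
        findings.append({"id": "unencrypted-at-rest", "severity": 4,
                         "fix": "Enable encryption at rest with a managed key"})
    if not store["logging"]:
        findings.append({"id": "access-logging-off", "severity": 2,
                         "fix": "Enable access logging so use of the data is auditable"})
    return sorted(findings, key=lambda f: -f["severity"])


def run(inventory: list[dict]) -> list[dict]:
    """Step 1 (discovery) is the walk over the inventory; the rest follows per store."""
    reports = []
    for store in inventory:
        labels = classify(store["sample"])
        findings = assess(store, labels)
        reports.append({
            "store": store["name"],
            "labels": sorted(labels),
            "regimes": sorted({REGIMES[l] for l in labels}),
            "risk": sum(f["severity"] for f in findings),
            "findings": findings,
        })
    return sorted(reports, key=lambda r: -r["risk"])


if __name__ == "__main__":
    for r in run(INVENTORY):
        print(f"{r['store']}: risk={r['risk']} labels={r['labels']} regimes={r['regimes']}")
        for f in r["findings"]:
            print(f"  [{f['severity']}] {f['id']}: {f['fix']}")
```

Run as a script, the report puts the public, unencrypted export bucket holding e-mail addresses and card numbers at the top, the unregistered GCP scratch bucket with an SSN second, and the on-premises orders table, which carries nothing sensitive and is correctly configured, last with no findings. A real deployment replaces the inventory with cloud provider and database APIs and the regexes with the classifier of the product in use, but the shape of the pipeline is the same.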
Once DSPM is implemented, some results like data discovery start to show immediately. At the same time, some of the benefits like quicker risk remediation are evident over a longer timeframe. In general, the benefits of DSPM can be enumerated as follows:
1. Automated data discovery
In an organization, data can be generated, copied, or backed up outside known channels. Consequently, it cannot be secured via traditional means that focus on the underlying infrastructure and services. A DSPM solution can scan all organizational assets to discover such “shadow” data in unknown data stores and subsequently protect it.
2. Attack surface minimization
With widespread cloud migration, the attack surface for data breaches expands significantly. A DSPM solution can effectively reduce the attack surface by continuously checking data stores in cloud accounts for misconfigurations (for example, an AWS S3 bucket open to the Internet) and vulnerabilities (for example, an unpatched virtual machine).
3. Optimal access management
Many security incidents can be traced to excessive access. This applies to external attackers and malicious insiders, who can leverage such access to exfiltrate more data, as well as to user error, where it can result in cascading failures. A DSPM solution can catalog all existing access privileges and compare them to actual usage to identify excessive access (and dormant users). Subsequent adjustments enforce the principle of least privilege; in other words, the minimum access required to function effectively. Of course, deactivating dormant user accounts also contributes to reducing the attack surface, mentioned earlier.
4. Quicker risk remediation
The faster a risk is remediated, the lower the chance of it being realized. Similarly, the quicker a security incident is responded to (containment, eradication, and recovery), the smaller the adverse impact. A DSPM solution supports faster reaction through continuous monitoring of data security metrics, which yields quicker insights.
5. Proactive regulatory compliance
Regulations like PCI DSS and GDPR specify security controls for payment card data (PCI) and personally identifiable information (PII) respectively. These include encryption requirements and the ability to identify all stores and data flows for specific data elements. A DSPM solution can help an organization stay ahead of the curve by continuously monitoring data to ensure compliance requirements are being met.
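Benefit 3 above, comparing granted privileges against observed usage, is the one most easily reduced to a concrete check. The following is an added example, not from the original article or any vendor’s product: given an entitlement catalog for one data store and an access log, it reports, per principal, the grants never exercised and whether the principal has been dormant for longer than a threshold, and turns that into least-privilege actions. The principals, grants, log lines, the 90-day dormancy threshold and the fixed reference date are all constructed for the example.

```python
"""Entitlements versus actual usage: unused grants, dormant principals, least-privilege actions.

Added example with constructed data; names and thresholds are hypothetical.
"""
from datetime import datetime, timedelta

# Constructed entitlement catalog for one data store: principal -> granted permissions.
GRANTS = {
    "alice": {"read", "write", "delete"},
    "bob": {"read", "write"},
    "svc-reporting": {"read"},
    "carol": {"read", "write", "delete"},
}

# Constructed access log: "<ISO timestamp> <principal> <permission exercised>".
ACCESS_LOG = """
2024-05-01T09:12:00Z alice read
2024-05-02T10:05:00Z alice write
2024-05-03T14:40:00Z bob read
2024-05-20T08:00:00Z svc-reporting read
2024-01-15T11:30:00Z carol read
""".strip().splitlines()

# Fixed reference time so the example is deterministic; production code uses now().
NOW = datetime(2024, 6, 1)
DORMANT_AFTER = timedelta(days=90)


def parse_log(lines: list[str]) -> list[tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, principal, permission) tuples."""
    events = []
    for line in lines:
        ts, who, perm = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), who, perm))
    return events


def analyze(grants: dict, events: list, now: datetime = NOW) -> dict:
    """For each principal: permissions granted but never used, and dormancy status."""
    used = {who: set() for who in grants}
    last_seen = {}
    for ts, who, perm in events:
        if who not in grants:
            continue  # activity by a principal with no grant is an anomaly, not an entitlement
        used[who].add(perm)
        last_seen[who] = max(last_seen.get(who, ts), ts)
    report = {}
    for who, granted in grants.items():
        seen = last_seen.get(who)
        dormant = seen is None or (now - seen) > DORMANT_AFTER
        report[who] = {
            "unused": sorted(granted - used[who]),
            "dormant": dormant,
            "keep": sorted(used[who]),   # the least-privilege set: what was actually exercised
        }
    return report


def actions(report: dict) -> list[str]:
    """Translate the analysis into concrete least-privilege actions."""
    out = []
    for who, r in sorted(report.items()):
        if r["dormant"]:
            out.append(f"disable {who}: no activity within {DORMANT_AFTER.days} days")
        elif r["unused"]:
            out.append(f"revoke {','.join(r['unused'])} from {who}: granted but never used")
    return out


if __name__ == "__main__":
    for line in actions(analyze(GRANTS, parse_log(ACCESS_LOG))):
        print(line)
```

On the constructed data this recommends revoking alice’s unused delete right and bob’s unused write right, leaves the reporting service account untouched because it uses exactly what it holds, and flags carol, whose last access was more than 90 days before the reference date, for deactivation rather than trimming. The usage window matters: a grant that is exercised once a quarter (a year-end export, say) looks unused in a 30-day log, so the observation period should be at least as long as the slowest legitimate business cycle before revocations are automated.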
An ideal DSPM solution should be easily deployable on an organization’s existing technology stack and provide full visibility into the entire data landscape. Such visibility is possible with automated data discovery and data classification combined with integration with external threat intelligence to offer an accurate picture of critical data exposure. Data lineage mapping can offer useful insights for root cause analysis of security incidents, and real-time dashboards complete the picture.
While some tools specialize in data at rest, others focus on data in transit. By analyzing the organization’s code base for APIs that are used for data transfers as well as the actual data streams themselves, Riscosity can create a complete picture of all data in transit. Additionally, Riscosity offers users the ability to act on such insights by blocking, redirecting or redacting data transfers that violate internal policies, all key features of a DSPM solution.
The world of security is ever-changing. What was good security practice yesterday is not necessarily so today. That’s because the technological environment changes (migration to the cloud), business processes change (data-driven decision-making), and so do attackers’ Tactics, Techniques, and Procedures. In such a world, DSPM is the paradigm organizations need to follow to protect their most valuable asset, their data. Interested to see how an integrated DSPM could work in your environment? Schedule a personalized demo to learn how Riscosity can help you improve your overall data flow security posture, meet compliance regulations, and reduce your attack surface in complex multi-cloud environments.