Home
Topics
Data security posture management
Data security posture management (DSPM) is a cybersecurity technology that identifies sensitive data across multiple cloud environments and services, assessing its vulnerability to security threats and risk of regulatory non-compliance.
DSPM provides insight and automation that enable security teams to quickly address data security and compliance issues and prevent their recurrence.
First identified by industry analyst Gartner in its 2022 Hype Cycle for Data Security, DSPM is sometimes referred to as ‘data first’ security because it inverts the protection model embraced by other cybersecurity technologies and practices.
Instead of securing the devices, systems and applications that house, move or process data, DSPM focuses on protecting the data directly. That said, DSPM complements many of the other solutions in an organization’s security technology stack.
Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security X-Force Threat Intelligence Index.
Most security technologies protect sensitive data by preventing unauthorized access to the network, or by detecting and blocking suspicious or malicious behaviors by authorized or unauthorized users, application programming interfaces (APIs), Internet of Things (IoT) devices or other entities.
These technologies have transformed data security and threat detection and response for the better. But furious adoption of cloud computing, agile cloud-native development and both artificial intelligence (AI) and machine learning (ML) led to data security risks and vulnerabilities that these technologies don’t always address; which in turn can leave organizations at risk of data breaches and regulatory compliance violations.
Chief among these data risks is shadow data—data backed up, copied or replicated to a data store that’s not monitored, managed or governed by the same security teams, policies or controls as the original data. For example, as part of their iterative development and testing, DevOps teams might spin up scores of new data stores every day, and copy sensitive data to them. A single misconfiguration could render the data in any or all of these stores more vulnerable to unauthorized access.
The demand for data for AI or ML modeling also contributes to shadow data, as organizations expand data access to more users who possess less understanding of proper data security and governance. And increased adoption of multicloud environments (use of cloud services and applications from multiple providers) and hybrid cloud (infrastructure that combines and orchestrates public cloud and private cloud environments) spreads the risk.
According to the IBM Cost of a Data Breach Report 2023, 82% of data breaches involved data stored in cloud environments, and 39% of breached data is stored across multiple types of computing environments including private cloud, public cloud, hybrid cloud and on premises.
DSPM solutions locate an organization’s sensitive data, assess its security posture, remediate its vulnerabilities in keeping with the organization’s security goals and compliance requirements and implement safeguards and monitoring to prevent recurrence of identified vulnerabilities.
Typically, DSPM solutions are agentless (meaning they don’t require deploying a separate software app to each asset or resource being monitored and protected) and provide a high degree of automation.
While security expertsmight differ on the details, DSPM generally consists of four key components:
Data discovery
Data classification
Risk assessment and prioritization
Remediation and prevention
DSPM solutions’ data discovery capabilities continuously scan for sensitive data assets wherever they might exist. This includes scanning across:
on-premises and in cloud environments (e.g. public, private and hybrid clouds).
all cloud providers—e.g. Amazon Web Services (AWS), Google Cloud Platform (GCP), IBM Cloud® and Microsoft Azure, as well as Software-as-a-Service (SaaS) providers such as Salesforce.
all cloud services—e.g., Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Database-as-a-Service (DBaaS).
all types of data and data stores—e.g. structured and unstructured data, cloud storage (file, block storage and object storage), or storage services associated with particular cloud services, cloud apps or cloud service providers.
In general, data classification categorizes data assets based on some predefined criteria. In the context of DSPM, data classification categorizes data according to its sensitivity, by determining the following for each data asset:
DSPM identifies and prioritizes vulnerabilities associated with each data asset. Primarily, DSPM looks for the following vulnerabilities:
Misconfigurations
Misconfigurations are missing or incomplete application or system security settings that leave an organization’s data vulnerable to unauthorized access. The most-cited result of misconfiguration is unsecured cloud data storage, but misconfigurations can also create vulnerabilities such as unapplied security patches and missed data encryption. Misconfiguration is widely considered to be the most common cloud data security risk and is a prevailing cause of data loss or leakage.
Overentitlements (or overpermissioning)
Overentitlements grant users more data access privileges or permissions than they need to do their jobs. Overentitlemments can be the result of misconfiguration, but they can also occur if the entitlements are intentionally escalated improperly or carelessly (or maliciously, by a threat actor), or when permissions that are intended to be temporary aren’t revoked when they’re no longer required.
Data flow and data lineage issues
Data flow analysis tracks all the places that the data have been and who had access to it in each place. Combined with information on infrastructure vulnerabilities, data flow analysis can reveal potential attack paths to sensitive data.
Security policy and regulatory violations
DSPM solutions map the data’s existing security settings to the organization’s data security policies—and to the data security requirements mandated by any regulatory frameworks to which the organization is subject—to identify where data is inadequately protected and where the organization runs the risk of non-compliance.
DSPM solutions provide reporting and real-time dashboards that prioritize vulnerabilities according to severity, so that security and risk management teams can focus on remediating the most critical issues. Many DSPM solutions also provide step-by-step remediation instructions or incident response playbooks for resolving potential risks or data security threats in progress.
Some DSPM solutions automate modifications to application or system configurations, access controls and security software settings to better protect against potential data exposure. Others can integrate with DevOps workflows to remediate potential security risks early in the application development cycles.
All DSPM continuously monitors the environment for new data assets and continually audits those assets for potential security risks.
Cloud security posture management, or CSPM, is a cybersecurity technology that automates and unifies the identification and remediation of misconfigurations and security risks across hybrid cloud and multicloud environments and services.
CSPM sounds similar to DSPM, but the two differ in focus. CSPM focuses on finding and remediating vulnerabilities at the cloud infrastructure level, more specifically in compute units (such as virtual machines or containers) and PaaS implementations. DSPM focuses on finding and remediating vulnerabilities at the data level.
The more organizations expand their cloud adoption, the more they’re likely to need both CSPM to limit or prevent unauthorized access to cloud infrastructure assets and DSPM to limit or prevent unauthorized access to the data those assets contain.
DSPM can be integrated with other enterprise security tools to improve an organization’s data security posture in particular and its threat detection, prevention and response capabilities in general.
DSPM and IAM
Identity and access management, or IAM, manages user identities and access permissions to ensure that only authorized users and devices can access the resources they need for the right reasons at the right time. By integrating DSPM and IAM, security teams can automate changes to access permissions to better protect their organization’s sensitive data.
DSPM and EDR
Endpoint detection and response (EDR) uses real-time analytics and AI-driven automation to monitor and secure endpoints and help prevent cyberthreats that get past antivirus software and other traditional endpoint security technologies. Integrating DSPM and EDR can help ensure consistency between an organization’s endpoint security, data security and compliance policies.
DSPM and SIEM
Security information and event management (SIEM) collects security-related log data and other information from across the enterprise and correlates and analyzes that data to help security teams detect threats and streamline or automate incident response. DSPM can ingest SIEM data to gain additional context and insights related to the security posture of data assets.
DSPM and DLP
Data loss prevention (DLP) strategies and tools help organizations prevent data leaks, data exfiltration (data theft) and data loss by tracking data throughout the network and enforcing granular security policies. Integrating DSPM and DLP can enrich DSPM data flow analysis to more accurately identify data security risks and attack paths to sensitive data.
Discover, classify and secure your enterprise data across cloud and SaaS environments.
Protect enterprise data across multiple environments, gain greater visibility to investigate and remediate cyberthreats, meet privacy regulations and simplify operational complexity.
Automate compliance auditing and reporting, discover and classify data and data sources, monitor user activity and respond to threats in near real time.
Secure data across hybrid cloud environments and support client’s migration and modernization journeys.
Be better prepared for breaches by understanding their causes and the factors that increase or reduce costs.
SIEM (security information and event management) is software that helps organizations recognize and address potential security threats and vulnerabilities before they can disrupt business operations.
CSPM automates and unifies identification and remediation of misconfigurations and security risks across hybrid cloud and multicloud environments and services.