What is Data Security Posture Management (DSPM)?

The worst time to ask big questions about your company’s data is also one of the most common times companies do so: immediately after a data breach. 

In the wake of a data breach, companies are too often scrambling to figure out where sensitive data is stored, who has access to what, how different kinds of data have been used, and whether they even have a way of monitoring the data.

Companies that only address these questions after a breach are forced into a reactive position. Instead, they should know these facts before a breach is even on the horizon, and the best way to do so is by using a data security posture management (DSPM) solution. 

This article explains DSPM as a part of a wider security posture, explores its relationship to the cloud, and identifies its main components. 

What is Data Security Posture Management (DSPM)?

DSPM is the practice of implementing automation and monitoring tools to make data more visible and a company’s current, dynamic data security posture more evident. 

DSPM became a much more popular topic when Gartner included it, for the first time, in its 2022 Hype Cycle for Data Security. Gartner explains that DSPM “provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data store or application is.” These four components, once understood, help explain both the usefulness and the urgency of adopting DSPM.

Where is sensitive data?

From the outside in, the question of where sensitive data is not only seems easy but also a question that companies should already have a handle on.

Unfortunately, many companies only have a superficial sense of where sensitive data is in the cloud. This impression might make them feel secure until a breach happens that reveals the truth.

Jonathan Gossels, president of network security consulting SystemExperts, explains that many companies don’t have an “understanding [of] where their sensitive data resides because they have not set policies to systematically and consistently categorize their data, and consequently, they don’t have controls in place to ensure that all categories of data are handled appropriately.”

Without policy education and control implementation, sensitive data is at risk. For example, a company can restrict access to sensitive payroll data, but if an employee with access doesn’t know better and makes a copy of the data, then a breach becomes possible. In this scenario, the employee needed to be better educated about policies, and the control needed to consider more risk cases.

Who has access to sensitive data?

Generally, access to sensitive data should be ruled by the principle of least privilege – meaning that employees should only have access to the minimum amount of data needed to do the task at hand. 

However, this principle is often harder to follow because access is a moving target. Sometimes, employees need access to more sensitive data than usual for a particular task – an audit, for example – but their new permissions remain after the job is complete. If companies don’t monitor permissions, more and more people will have access over time – perhaps without even being aware of it.

Beyond this access accretion, some employees might have indirect access to sensitive data. It might be evident that most employees shouldn’t have access to sensitive data, but what about the developers and IT professionals who manage the applications that store the data? There are numerous cases, such as a 2022 LastPass breach, where attackers stole wide-reaching developer credentials precisely because such credentials gave them significant levels of access. 

How has sensitive data been used?

It’s tempting to slip into the belief that sensitive data is merely a set of secrets to keep under lock and key. But the reality is that companies often capture sensitive data so they can use it on behalf of their customers. 

Think of credit cards: Customers want companies to retain their credit card information securely so they don’t have to enter their credit card numbers every time. Similarly, customers might even want companies to store their social security numbers as a final means of authentication if they forget their passwords. 

Companies must be able to track and monitor how sensitive data gets used to improve how they store it.

One notable recent example of a data breach is the Equifax data breach in 2017. Attackers were able to gain access to their systems due to an unpatched vulnerability in a dependency, find usernames and passwords stored in plaintext, and pull encrypted data from their network, including personal data for hundreds of millions of people.

What is the security posture of your data store or application?

This is the ultimate question that DSPM seeks to answer, and the answer comes from the weaving together of the previous questions. 

With DSPM, the previous questions become solvable, and companies can easily figure out their current security posture. From there, companies can interrogate and eventually improve their security postures.

How does DSPM relate to the cloud?

DSPM has a close relationship to the rise and growth of the cloud because the scale of the cloud is what makes DSPM necessary. 

Even when a paradigm shift is universally recognized, companies often lag between revising products to fit the new paradigm and building products from the ground up to suit that paradigm. So, while companies have recognized for years that the cloud is a significant change, there’s still a lack, particularly in cloud security, of companies building products with the capabilities and risks of the cloud as first principles. 

Galia Nedvedovich, VP of Marketing at cloud security company Sentra, explains it like this: “The way data travels in the cloud is very different from how security tools were traditionally built to protect data. Mostly they’re built to keep unauthorized users and products out of their infrastructure, but they’re not looking at the actual data.” DSPM arose because traditional security tools, with conventional assumptions, couldn’t fully address the way data moves in the cloud.

Traditional data security focuses less on the data itself and more on the perimeter around the infrastructure that stores the data. The cloud unseated those infrastructure assumptions, meaning data security had to be rethought. DSPM takes a data-centric view of data security, the result being that, despite the depth and breadth of the cloud, data is secure no matter what.

Secure your data using Snyk

DSPM is a necessary but insufficient solution to the problem of cloud-scale data security. As with most security strategies, companies need to take a holistic perspective toward their security posture and think through how they can weave various methods and products together.

A particularly useful combination is pairing a DSPM product with an enterpise level vulnerability monitoring product like Snyk. Snyk can monitor containers, code, and open source dependencies and IaC, enabling companies to quickly identify opportunities to improve their data security by fixing vulnerabilities. Snyk makes it possible to comprehensively secure a company’s applications and cloud environments.