What is Data Security Posture Management (DSPM) – Maximizing Data Protection

Published April 5, 2023

Reinforcing the cyber security foundation of your corporate data has become more critical than ever. This is due to the increasing number of cyber breaches, the growing complexities of the multi-cloud, the ever-evolving data privacy laws, and the ever-fragile customer trust. That is where data security posture management (DSPM) comes into play.

Your organization’s data security “posture” is like its “stance” for protecting your data landscape, especially sensitive data. Just like a martial artist’s stance determines his/her ability to defend against an incoming barrage of attacks, your organization’s data security posture determines its strength and efficiency in fending off cyber security threats.

However, setting up an optimal security posture requires more than configuring firewalls, setting up encryption, or installing anti-malware. In fact, it demands deep visibility of your entire data environment, data flow trends, access governance policies, and configuration risks.

This blog will discuss the emerging need for data security posture management, its relationship to cloud security posture management, how it works, and the need to rethink the traditional, piecemeal approach to posture management.

What is Data Security Posture Management?

Given the increasing adoption of multi-cloud and the growing number of cyberattacks, it is not surprising that Gartner is highlighting the need for robust data security measures. Considering the urgency, Gartner has added the new Data Security Posture Management (DSPM) category to its Hype Cycle™ for Data Security 2022 report.

In its Hype Cycle™ for Data Security 2022 report, Gartner defines DSPM as a process that provides

visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data store or application is.

DSPM leads with a data-first stance for protecting cloud data. It reverses the usual inclination of organizations to prioritize the protection of networks, systems, and resources while treating data as the last frontier. DSPM complements the latest security frameworks, such as the Center for Internet Security's Critical Security Controls, by treating data security as a top priority. Additionally, data protection laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) emphasize the implementation of strict security measures to protect personal and sensitive personal data.

Overall, DSPM paves a strategic path for proactively assessing everything that potentially affects the overall security posture of an organization’s data landscape. More importantly, it enables organizations to answer the most pressing questions that form the backbone of a robust data security ecosystem:

  • What sensitive data do we have, and where is it located?
  • Who has access to the data, and what level of permissions do they have?
  • What is the lineage of the data, and how has it transformed over time?
  • What misconfigurations exist in our multi-cloud, and how can we identify and fix them?

For a DSPM framework to be effective and inclusive, it must be able to address all of the concerns listed above.

Cloud Security Posture Management vs. Data Security Posture Management

Gartner categorizes the maturity level of the technology as “embryonic”, implying that DSPM is still in its infancy. Therefore, it is common for some organizations to have difficulty telling the difference between DSPM and Cloud Security Posture Management (CSPM). While both practices involve continuous multi-cloud protection, there’s still a difference in focus.

Cloud security posture management is a set of tools designed to discover, alert on, and remediate cloud misconfiguration issues and compliance risks. Every cloud service has distinct settings, also known as configurations, that determine how that service should be used. When teams try to move fast in the cloud, it is common to configure services incorrectly, accidentally increasing security risk. Each cloud provider, as well as security standards such as CIS or NIST, publishes best practices that guide how cloud services should be configured. CSPM tools scan the cloud infrastructure configurations against those defined sets of best practices to identify and remediate security gaps immediately. Overall, CSPM tools focus primarily on the cloud infrastructure, following a cloud-first approach.

However, one limitation of CSPM solutions is that they lack context around data stored in a cloud service. Without that context, it is difficult for security teams to determine whether a configuration setting poses a security risk or not. For example, if an Amazon S3 bucket is publicly accessible through a configuration setting, a CSPM solution will always alert a user that it’s a security risk. However, it may be the case that the S3 bucket contains non-sensitive data, such as marketing images supporting a website’s front end. In this case, ensuring that the data is publicly accessible is actually the correct behavior.

Due to the lack of intelligence around data, CSPM solutions can generate a lot of false positive data security alerts, diverting security attention towards issues that don’t need to be fixed. When this happens, generally, there is a risk that security owners or developers ignore alerts, and a real misconfiguration, such as a public S3 bucket with sensitive customer PII, slips through and increases the risk of a security breach.

Data security posture management complements CSPM because it has deep intelligence around an organization's data everywhere, across cloud infrastructure services and SaaS applications. DSPM takes a “data-first” approach by prioritizing the discovery of sensitive data in the environment in order to identify potential security and compliance misconfiguration risks.

So, in the example above, a DSPM tool will only generate an alert if the S3 bucket contains sensitive data, such as customer PII that should be protected based on company security policy. Besides identifying and auto-remediating security misconfiguration risks, a DSPM solution also helps establish data access control policies. With deep visibility of sensitive data and appropriate controls, organizations can streamline their security, governance, and compliance functions.

Basically, CSPM focuses broadly on all cloud services that provide computing, storage, and network solutions and helps configure them correctly, whereas DSPM tools focus on all data systems and services, within the cloud and also in SaaS applications, and help configure those services correctly and enforce appropriate data access controls. Both solutions should be used simultaneously as part of an organization’s layered defense.
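The S3 example above, as an added illustration that is not code from this post or from Securiti's product: the same public bucket is evaluated twice, once on configuration alone (the CSPM-style check) and once on configuration plus the sensitivity of what the bucket holds (the DSPM-style check). The bucket inventory, object contents, bucket names, and the two pattern-based classifiers are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample inventory (hypothetical buckets, not real data): each bucket
# records its ACL and a sample of the object contents a scanner would read.
SAMPLE_BUCKETS = {
    "web-assets": {                      # public on purpose: front-end images
        "public": True,
        "objects": {"hero.png": "<binary image data>", "logo.svg": "<svg/>"},
    },
    "customer-exports": {                # public by mistake, holds customer PII
        "public": True,
        "objects": {
            "orders.csv": "name,email,card\nJane Doe,jane@example.com,4111111111111111\n",
        },
    },
    "finance-archive": {                 # private, so neither check fires
        "public": False,
        "objects": {"q1.csv": "vendor,amount\nAcme,1200\n"},
    },
}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so that arbitrary long numbers are not reported as payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the sensitive-data categories detected in a piece of content."""
    labels = set()
    if EMAIL_RE.search(text):
        labels.add("email")
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            labels.add("payment_card")
            break
    return labels


@dataclass
class Finding:
    bucket: str
    source: str                          # "cspm" (config only) or "dspm" (config + data context)
    labels: set = field(default_factory=set)


def evaluate_buckets(inventory: dict) -> list:
    """Produce CSPM-style and DSPM-style findings for every publicly readable bucket."""
    findings = []
    for name, bucket in inventory.items():
        if not bucket["public"]:
            continue
        # CSPM-style: the configuration alone triggers an alert on every public bucket
        findings.append(Finding(name, "cspm"))
        # DSPM-style: alert only when the bucket is public *and* its contents are sensitive
        labels = set()
        for content in bucket["objects"].values():
            labels |= classify(content)
        if labels:
            findings.append(Finding(name, "dspm", labels))
    return findings


if __name__ == "__main__":
    for f in evaluate_buckets(SAMPLE_BUCKETS):
        print(f.source.upper(), f.bucket, sorted(f.labels))
```

Run as written, the web-assets bucket produces only a CSPM-style finding (the false positive the text describes), while customer-exports produces both, with the DSPM finding carrying the labels that justify the alert and the priority of the remediation.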

Importance of Data Security Posture Management

Before the inception of DSPM, CSPM was treated as a separate security function. DSPM, however, provides a comprehensive approach to the overall security of an organization’s data landscape by prioritizing the protection of sensitive data and extending all the way to protecting the data systems that host that data. DSPM offers a number of benefits:

Manage & Secure Data in Complex Environments

Hybrid and multi-cloud deployments are now the major focus of most organizations globally. To put that in perspective, Cisco cites in its 2022 Global Hybrid Cloud Trends Report that 82% of IT leaders adopted hybrid cloud in 2022. Both hybrid and multi-cloud environments are known for their speed, efficiency, and scalability.

However, the innate complexities of these environments render many organizations unable to ensure a consistent security posture of their data landscape. DSPM helps effectively manage and protect data in such environments by providing comprehensive visibility of sensitive data and controls over sensitive data access, data governance policies, and cloud security posture.

Identify & Mitigate Data Security Risks

The benefits of the multi-cloud often outweigh its complexities, but those complexities can certainly lead to many security risks. For starters, the lack of a centralized view of corporate data assets, the sensitive data environment, and the appropriate controls often challenges security teams.

Teams don’t have a complete view of sensitive data and where it exists. They are unable to monitor access to sensitive data effectively. Additionally, each cloud service provider provides different security configurations. DSPM helps identify and mitigate cloud data security risks by helping teams analyze various parameters, including the visibility of sensitive data, its access control, data flow (data transformation), and infrastructure errors or misconfigurations.

Help Businesses Meet Compliance Requirements

Almost every industry is subject to some form of data privacy and security compliance, such as the National Institute of Standards and Technology (NIST) frameworks, the Payment Card Industry Data Security Standard (PCI DSS), or Sarbanes-Oxley (SOX). Compliance becomes more challenging when national and international data protection laws like the GDPR or CPRA also apply. Every regulation has different requirements, which can be challenging to meet without 360-degree insight into sensitive data.

For instance, PCI DSS doesn’t impose strict requirements for cross-border transfers of sensitive data. But it does require entities to take appropriate security measures. However, GDPR imposes several strict restrictions with respect to sensitive data transfer outside the EU borders.

Businesses subject to multiple regulations may find it difficult to categorize data as sensitive or personal and, depending on that categorization, to prioritize and establish security controls. DSPM provides visibility into the sensitive data and maps it to the different regulatory requirements. With appropriate tagging and classification, businesses can effectively ensure that appropriate controls are in place with regard to security, cross-border transfer, and access policies, and thus further establish compliance.

The benefits that DSPM provides don’t end here but, in fact, extend to cost efficiency, reputation management, data breach prevention, and customer trust retention.

How Does DSPM Work - Key Capabilities

Gartner’s definition of DSPM begins with the core capability of identifying sensitive data. If you don’t know what data you have in your environment and whether it is sensitive, you cannot effectively protect it. Hence, DSPM starts with discovering and classifying sensitive data.

What sensitive data do we have, and where is it located?

Data Discovery, Classification & Cataloging

Data is fragmented across hybrid or multi-cloud environments, spanning various cloud service providers, SaaS applications, IaaS systems, data lakes, data warehouses, and other microservices. To add to the complexity, data is growing exponentially in both structured and unstructured formats.

DSPM acknowledges the scale and complexity of the multi-cloud environment. It starts by discovering sensitive data across the corporate environment, in both structured and unstructured formats. It then proceeds to classify the data to give it accurate context with regard to its sensitivity.

Classification or categorization enables security teams to prioritize their focus on protecting data with high sensitivity levels, such as confidential data or sensitive data, in the context of any data protection law, such as GDPR or HIPAA. After categorization, DSPM builds an accurate data catalog or a single source of truth. The catalog provides a complete view of all the data elements that exist across the environment, along with each data element's business context, intended use, and a glossary. The data is further mapped to the relevant industry standards and jurisdictions.

Who has access to the data, and what level of permissions do they have?

Data Access Governance Insights

Managing access to sensitive data was a simpler task in on-premises infrastructure than it is in multi-cloud settings. Multi-cloud environments have many data stores, and thousands of data objects may be within them. This high volume of data is spread across multiple cloud services, where each data store and object may have multiple users, roles, and permissions.

Every cloud provider offers native Identity and Access Management (IAM) capabilities, but these tools are fairly limited in their scope. More importantly, most cloud-native IAM tools lack sensitive data context, which makes data protection even more difficult. The lack of insight into sensitive data access is not the only problem. Other access governance issues are also prevalent in the cloud, such as excessive privileged access, dormant users, publicly accessible storage containing sensitive data, etc.

DSPM monitors and tracks insights into sensitive data access based on users, roles, and geographies. Using sensitive data intelligence, where data is mapped to regulatory insights, DSPM sets up access policies, such as which user or role may have what level of permission to access certain data, systems, or applications. Governance teams can effectively implement a least-privilege access model by monitoring access parameters such as inactive users or access usage over time.
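The access governance checks just described (dormant users, excessive privilege on sensitive stores, and a least-privilege model derived from observed usage), as an added example that is not code from this post or from Securiti's product. It assumes that an inventory step has already joined each IAM grant with the store's classification label and with the permissions actually seen in access logs; the principals, stores, and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One principal's entitlement on one data store, joined with observed usage."""
    principal: str
    store: str
    sensitivity: str             # label from the classification stage: "sensitive" or "internal"
    granted: frozenset           # permissions the IAM policy allows
    used: frozenset              # permissions actually seen in access logs
    last_access: Optional[date]  # None = the grant has never been exercised


# Constructed sample (hypothetical principals and stores, not real IAM data).
TODAY = date(2023, 4, 5)
SAMPLE_GRANTS = [
    Grant("analyst-a", "customer-db", "sensitive",
          frozenset({"read"}), frozenset({"read"}), TODAY - timedelta(days=3)),
    Grant("etl-service", "customer-db", "sensitive",
          frozenset({"read", "write", "delete"}), frozenset({"read", "write"}), TODAY - timedelta(days=1)),
    Grant("contractor-x", "customer-db", "sensitive",
          frozenset({"read", "write"}), frozenset(), None),
    Grant("marketing-bot", "web-assets", "internal",
          frozenset({"read", "write"}), frozenset({"write"}), TODAY - timedelta(days=200)),
    Grant("ex-employee", "hr-records", "sensitive",
          frozenset({"read"}), frozenset({"read"}), TODAY - timedelta(days=120)),
]


def dormant_grants(grants, today=TODAY, max_idle_days=90):
    """Grants not exercised within the idle window, or never. Returns (principal, store, idle_days)."""
    out = []
    for g in grants:
        idle = None if g.last_access is None else (today - g.last_access).days
        if idle is None or idle > max_idle_days:
            out.append((g.principal, g.store, idle))
    return out


def excess_privileges(grants, sensitive_only=True):
    """Permissions granted but never observed in use; restricted to sensitive stores by default."""
    out = []
    for g in grants:
        if sensitive_only and g.sensitivity != "sensitive":
            continue
        unused = g.granted - g.used
        if unused:
            out.append((g.principal, g.store, unused))
    return out


def least_privilege_policy(grants, today=TODAY, max_idle_days=90):
    """Proposed policy: revoke dormant grants entirely and trim every other grant to what is used."""
    dormant = {(p, s) for p, s, _ in dormant_grants(grants, today, max_idle_days)}
    return {(g.principal, g.store): g.used
            for g in grants if (g.principal, g.store) not in dormant}


if __name__ == "__main__":
    print("dormant:", dormant_grants(SAMPLE_GRANTS))
    print("excess on sensitive stores:", excess_privileges(SAMPLE_GRANTS))
    print("proposed policy:", least_privilege_policy(SAMPLE_GRANTS))
```

The proposed policy is deliberately a recommendation rather than an automatic change: the never-used contractor grant and the long-idle ex-employee grant are revoked outright, while the ETL service keeps read and write but loses the delete permission it has never needed.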

What is the lineage of the data, and how has it transformed over time?

Data Lineage

Data is transformed at every stage of its life, from creation through analysis to retention. Take, for instance, a customer’s transaction data. When a customer purchases a product, they share details like credit card number, name, address, etc. This is the source of the actual raw data. The data is then captured by the point of sale (PoS) system. Next it is processed for the transaction, for example for tax calculation or credit card validation. The processed data is then stored in a database somewhere in the multi-cloud and later extracted for analysis, such as by the customer experience or business intelligence teams. At some point, the same data might be shared with external business partners for advertising purposes. Finally, the data is retained for a specific period for business purposes or legal compliance.

This is the transformation of just one dataset. Large-scale businesses experience hundreds or thousands of such transactions daily, and all of that data might be stored and accessed in the multi-cloud. Tracking the transformation of that data can be challenging for security teams, which creates security gaps: it becomes unclear who is accessing the data and whether they are authorized to.

Data lineage is one of the core components of DSPM. It enables data and security teams to track changes to the data over time to understand better how it is processed and who’s processing it down the line. Security teams can identify gaps, detect unauthorized access, and establish optimal security policies.

What misconfigurations exist in our multi-cloud, and how can we identify and fix them?

Configuration Risk Management

As mentioned above, multi-clouds comprise services from different cloud providers, such as AWS, Google Cloud, Azure, or Oracle Cloud Infrastructure (OCI). Every cloud service has its own set of system settings and configurations. Moreover, every service provider may offer a CSPM tool, but it may be limited in scope. A single cloud may have a number of misconfigurations or errors, such as publicly exposed storage buckets, open inbound or outbound ports, default passwords, disabled logging, etc. Now scale that to multiple clouds, each with its own misconfigurations and no centralized view.

An ideal DSPM would actively integrate with myriad IaaS and SaaS services, such as Azure, AWS, GCP, Snowflake, Workday, or Office 365. It would leverage custom policies or built-in rules from a library of standard security frameworks, such as CIS, NIST, or PCI DSS, to detect misconfigurations related to identity access controls, encryption, network, publicly accessible storage, etc. Once the rules and policies are established, the tool can be set to automatic remediation or mitigation. For example, when the tool detects that a GCP Cloud Storage bucket containing sensitive data elements is publicly accessible, it automatically triggers the policy to update the access control settings and prevent public access.
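The rule library, policy evaluation, and automatic remediation described in this section, as an added example that is not code from this post or from Securiti's product. It assumes that provider connectors have already normalized each service's settings onto common keys (public_access, encryption_at_rest, logging_enabled, ingress) and that the classification stage has marked each resource as sensitive or not; the resource names, configurations, and the framework labels on the rules are constructed, and the rules are illustrative rather than copies of any published CIS, NIST, or PCI DSS control.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Resource:
    provider: str      # normalized by the connector: "aws", "gcp", "azure", ...
    kind: str          # "storage", "database", "firewall"
    name: str
    config: dict       # provider-specific settings mapped onto common keys
    sensitive: bool    # set by the discovery/classification stage


@dataclass
class Rule:
    rule_id: str
    framework: str                               # framework family the rule is derived from
    applies_to: str                              # resource kind the rule checks
    violated: Callable[[dict], bool]             # True when the config breaks the rule
    remediate: Optional[Callable[[dict], None]]  # None = detect only, no safe automatic fix
    sensitive_only: bool = False                 # data-first: only fire on sensitive resources


def _open_admin_port(c):
    # Constructed check: an ingress rule open to the whole internet on SSH or RDP
    return any(r["source"] == "0.0.0.0/0" and r["port"] in (22, 3389) for r in c.get("ingress", []))


RULES = [
    Rule("public-storage", "CIS", "storage",
         lambda c: c.get("public_access", False),
         lambda c: c.update(public_access=False), sensitive_only=True),
    Rule("encryption-at-rest", "PCI DSS", "storage",
         lambda c: not c.get("encryption_at_rest", False),
         lambda c: c.update(encryption_at_rest=True)),
    Rule("access-logging", "NIST", "database",
         lambda c: not c.get("logging_enabled", False),
         lambda c: c.update(logging_enabled=True)),
    Rule("open-admin-port", "CIS", "firewall", _open_admin_port, None),
]

# Constructed multi-cloud inventory (hypothetical names, not real resources).
SAMPLE_RESOURCES = [
    Resource("gcp", "storage", "gcs-customer-docs", {"public_access": True, "encryption_at_rest": True}, True),
    Resource("aws", "storage", "s3-web-assets", {"public_access": True, "encryption_at_rest": False}, False),
    Resource("azure", "database", "sql-orders", {"logging_enabled": False}, True),
    Resource("aws", "firewall", "sg-bastion", {"ingress": [{"source": "0.0.0.0/0", "port": 22}]}, False),
]


def evaluate_posture(resources, rules=RULES, auto_remediate=True):
    """Check every resource against every applicable rule; returns (report, updated resources)."""
    updated = [Resource(r.provider, r.kind, r.name, deepcopy(r.config), r.sensitive) for r in resources]
    report = []
    for res in updated:
        for rule in rules:
            if rule.applies_to != res.kind or not rule.violated(res.config):
                continue
            if rule.sensitive_only and not res.sensitive:
                continue  # e.g. public web assets: intended behaviour, not a finding
            action = "detected"
            if auto_remediate and rule.remediate is not None:
                rule.remediate(res.config)
                # re-check, so a remediation that did not take effect is reported rather than hidden
                action = "remediated" if not rule.violated(res.config) else "remediation_failed"
            report.append((res.provider, res.name, rule.rule_id, action))
    return report, updated


if __name__ == "__main__":
    for provider, name, rule_id, action in evaluate_posture(SAMPLE_RESOURCES)[0]:
        print(f"{provider:6} {name:20} {rule_id:20} {action}")
```

The public GCP bucket with sensitive data is closed automatically, the public web-assets bucket is left public but still gets its missing encryption fixed, and the open SSH port is only reported, because a firewall change is the kind of remediation a team would want to review before it is applied.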

Unify DSPM’s Core Capabilities with Securiti Data Command Center

Gartner notes in its Hype Cycle™ for Data Security 2022 report that organizations cannot gain meaningful insight into their data risks if they keep looking at different controls, such as sensitive data context, access governance policies, data transformation, and security configuration, through separate lenses. In fact, the lack of a centralized view will eventually create more security, governance, and compliance risks. Therefore, it is critical for organizations to unify these controls into a common view, gain a comprehensive understanding of their data risks, and establish effective data management and protection strategies.

Securiti Data Command Center is built to replace the piecemeal data security posture management approach with a unified framework. Data Command Center gives deeper intelligence and visibility into an organization’s data landscape and unified controls over its data across all clouds. This unification of data discovery, classification and cataloging, data lineage, access governance and control, and cloud security posture management enables teams to streamline their data obligations across security, governance, privacy, and compliance functions.

In addition to unifying security controls such as misconfiguration and access, Data Command Center also includes breach response management. Securiti Data Command Center can help organizations manage risk effectively in the unfortunate event of a data breach. The tool can automatically discover the impacted users and identities, the impacted data, and the global jurisdictions whose notification requirements apply, so that teams can respond to incidents methodically, based on regulatory facts and data-driven insights.

Moreover, Securiti Data Command Center enables organizations to implement privacy and governance controls more intelligently, without scanning and classifying data multiple times for each team (security, privacy, and governance). The siloed approach is extremely cost-prohibitive and hampers team collaboration, making it impractical. With Data Command Center, organizations can unify their security, privacy, governance, and compliance controls into a common view, enabling a comprehensive understanding of their data risks and obligations.

Download Data Command Center brochure to learn more about our Data Command Center framework.

Frequently Asked Questions (FAQs) about Data Security Posture Management (DSPM)

CSPM stands for Cloud Security Posture Management. It helps teams identify and remediate misconfigurations in cloud infrastructure or resources. Data Security Posture Management (DSPM) is a broader term, and it offers a data-centric approach to data protection. It helps teams get complete visibility of their data, classify sensitive data, catalog metadata, and leverage those insights to optimize access policies and controls and mitigate risks throughout the data lifecycle. To learn more, see the guide comparing both terms.

DSPM provides many benefits to organizations. Amongst these benefits, DSPM helps organizations get comprehensive visibility of their data risks to proactively identify them and resolve them to protect sensitive data. By leveraging data insights and mapping them to regulatory requirements, DSPM can help ensure compliance with privacy laws and compliance standards.

DSPM is a data-centric approach to safeguarding data. Beyond identifying and mitigating security risks, it leverages the insights derived from data to establish policies and implement controls around data governance, privacy, and compliance.

There are a number of aspects that organizations should consider when opting for a robust DSPM solution. For starters, a DSPM solution shouldn’t be limited to public clouds but should also cover private cloud, multi-cloud, and SaaS applications, since data now lives in every environment. The solution should take into account the data obligations of the various departments and offer a unified approach to meeting those obligations, to prevent organizational silos, cost, and complexity.

Data security posture gives an overview of the security condition and measures of an organization’s data landscape.

Security posture is a broader term and it refers to understanding the security condition of various aspects across an organization, such as its infrastructure, its data, physical security measures, etc.

Security posture management is the practice of monitoring, assessing, and optimizing a company’s security condition across various departments. It is a proactive approach to identifying risks and vulnerabilities to defend against evolving threats.

Security posture reviews provide an overview of a company’s security posture, including a detailed analysis of the security policies, controls, and technologies, to identify areas for improvement.

Cloud security posture management (CSPM) provides organizations with tools and practices that help identify and resolve misconfigurations or gaps in an organization’s infrastructure security. SaaS Security Posture Management (SSPM), on the other hand, allows teams to discover risks and resolve them across SaaS applications.
