Top 12 data security posture management tools

Tracking down sensitive data across your cloud estate can be vexing. By its very nature, cloud computing is dynamic and ephemeral. Cloud data is easily created, deleted, or moved around. Correspondingly, the cloud attack surface area is equally dynamic, making protection measures more difficult. Over the past few years, tools called data security posture management (DSPM) have been developed to discover both known and unknown data, provide structure, and manage the security and privacy risks of potential data exposure.

“This is important, so enterprise security managers can look at their entire data estate and identify where threats originate and locate and reduce riskier behaviors,” said Paul Stringfellow, an analyst with GigaOm Research who has studied the genre.

Why DSPM should be on your radar

If this sounds familiar, you might mistake it for just another attempt to segment the data loss protection (DLP) marketplace. However, DSPM tools are not your father’s (or mother’s, for that matter) DLP: They don’t wait for data to be stolen or exported but take a more comprehensive approach to finding and assessing data before it is exposed.

DSPM tools have caught on quickly: As late as 2022, Gartner found a minuscule market penetration of less than one percent across its clientele. Gartner now predicts this will increase to “beyond 20% in coming years due to the urgent requirements to identify and locate previously unknown data repositories and to mitigate associated security and privacy risks.” Part of the problem is that, as Gartner reports, “traditional data security products have an insufficient view to discover previously unknown, undiscovered, or unidentified data repositories, and they fail to consistently discover sensitive data.” Another issue is that data usage can be messy: many businesses have numerous silos of different applications, let alone different security applications, that don’t necessarily put protecting this data front and center. Nor do they always apply consistent protections as data spreads across clouds and applications.

DSPM is supposed to be the locator function. Fixing the problems that it finds is really the province of a whole collection of older security tools with various acronyms, such as SOAR, SIEM, CNAPP and the like. Some of the DSPM vendors either integrate or incorporate these “fix-it” tools with their products. All are pricey. Plan on spending at least $100,000 annually.

DSPM tools target shadow data

The enemy targeted by DSPM tools is called “shadow data”: copies created by developers or backup processes, or outdated repositories left lurking in some cloud container that has long been forgotten, never updated, or never accounted for.

The goal of DSPM products is to seek out and find this shadow data and also complement the more expansive cloud security posture management (CSPM) tools. But instead of focusing on protecting cloud infrastructures, DSPM tools look exclusively at the role of data and how it is consumed by various cloud services.

Take as an example the 2022 case of a Pegasus Airline developer who misconfigured the settings of an AWS storage container, exposing millions of personal data files. This calamity could have been detected and the container secured properly, because a DSPM provides context about what that container holds and who can reach it. In many cases, the two types of tools are sold by some of the same vendors and complement each other. “CSPM solutions do not discover data while DSPM starts with data, expands into access, and identifies all risks,” according to a Normalyze fact sheet.

One further point: The market space of DSPM is evolving quickly. Most of these products didn’t exist a few years ago, and vendors are adding features, integrating with other security tools, and forming various alliances with each other. And the acquisitions have begun: last year Palo Alto Networks acquired Dig, Rubrik acquired Laminar Security and IBM acquired Polar Security. Certainly, more such unions are to be expected.

12 top DSPM tools

  • Concentric Semantic Intelligence
  • Cyera Data Security Platform
  • Eureka Security
  • IBM Security Guardium Insights SaaS DSPM
  • Normalyze Cloud Platform
  • OneTrust Privacy and Data Governance Cloud
  • Palo Alto Networks Prisma Cloud DSPM
  • Securiti Data Command Center DSPM
  • Sentra Cloud-Native Data Security Platform
  • Symmetry Systems DataGuard DSPM
  • Varonis Data Security
  • Wiz for DSPM

Concentric Semantic Intelligence

Concentric combines DSPM with threat detection, integrates with a variety of security tools, and covers both unstructured and structured data, with deep coverage of AWS services.

Cyera Data Security Platform

Cyera’s platform has a network module for scanning on-premises files and has integrations with Netskope, various specialized data catalogs (such as Collibra, Secoda, DataHub), Wiz, Splunk and Tines. It has a very actionable series of dashboards.

Eureka Security

Eureka combines DSPM with threat detection and integrates with data lakes and warehouses like Snowflake, Atlas, Salesforce, ServiceNow and Jira-based ticketing systems. By default, new data is scanned within 24 hours while existing data is scanned for changes every 14 days.

IBM Security Guardium Insights SaaS DSPM

IBM acquired Polar Security last year and is still incorporating it into its full Guardium security product. It only scans cloud data and there are pre-set sensitive data definitions.

Normalyze Cloud Platform

Normalyze scans both cloud and on-premises data sources and does include auto-remediation when identifying misconfigurations. It will add security integrations later this year.

OneTrust Privacy and Data Governance Cloud

OneTrust can scan more than 200 different data sources across both cloud and on-premises but doesn’t identify user account-level access.

Palo Alto Networks Prisma Cloud DSPM

Prisma integrates with SIEMs, workflow and ticketing solutions, and SSOs, and comes with over 100 pre-built data classifiers. It supports Snowflake, Office 365 and on-premises file shares. Palo Alto Networks acquired Dig Security last year and incorporated it into the Prisma Cloud product.

Securiti Data Command Center DSPM

Data Command Center adds a variety of breach and compliance management features to its tool, and it supports data streaming technologies such as Confluent, Kafka, Kinesis, and Google PubSub. It comes with 350 content classifiers that support multiple languages along with more than a thousand pre-defined detection rules. It integrates with a wide collection of cloud-native security services, CASBs, CNAPPs, CSPMs, CIEMs, KSPMs, SIEM, DLP, IDS, and compliance tools.

Sentra Cloud-Native Data Security Platform

Sentra has deep support for most cloud computing services along with support for containers and VMs. It has its own data detection and response tool for near real-time detection and a series of very actionable dashboards. It integrates with data management (DataDog, DataHub, Coralogix), email, ITSM (Jira, PagerDuty, ServiceNow), CNAPP (Wiz), collaboration (Atlan, Azure Boards, Slack, Teams, Monday.com), IAM (Okta, AD), IR (Seemplicity), SIEM (Splunk), and on-premises file shares.

Symmetry Systems DataGuard DSPM

DataGuard has text-heavy dashboards as well as an add-on policy enforcement module. It integrates with a wide collection of security tools including SIEMs (Splunk, Chronicle SIEM, SumoLogic, LogRhythm, Securonix), SOARs (Prisma Cortex XSOAR, Google Chronicle, Microsoft Sentinel, Tines), ticketing systems (Jira and ServiceNow), and notification systems (Slack and PagerDuty).

Varonis Data Security

Varonis has been in the data security business for more than a decade and provides integrations with SIEMs (like Splunk), SOARs (like Palo Alto XSOAR), firewalls, VPNs, web proxies, DNS services, Active Directory, Entra ID, Microsoft Purview Information Protection, and Okta.

Wiz for DSPM

Wiz adds a lightweight agent called Runtime Sensor for detection and response. In addition to the usual cloud data sources, it also scans a variety of on-prem DBs, such as MySQL, PostgreSQL, MongoDB as well as their cloud versions and integrates with over 60 different security products. The full DSPM feature set is only available with an advanced license plan.

*Vendors we contacted for this article but didn’t respond were Flow Security, Laminar Security/Rubrik, and Theom.

Common features and benefits of DSPM tools

DSPM products are focused on finding your data, no matter where it resides: in well-documented locations, in unstructured stores, or in the shadow data repositories that departmental teams created outside IT’s purview and then left to fester or be forgotten.

How each vendor describes where it goes looking for data is instructive. Every vendor supports some visibility into some of the cloud data repositories of Amazon Web Services, Google Cloud Platform, and Microsoft Azure. But that doesn’t mean they cover every data-related service each cloud provider offers. For example, AWS has its S3 storage, Relational Database Service, Redshift cloud data warehouse, Athena serverless SQL queries, and ElasticSearch managed data services, among several other places that operate on data. Securiti takes pains to delineate which services are covered in each cloud platform, while other DSPMs are less transparent about this than they could be. Another approach is how Varonis uses a “universal data connector” that can seek out a wider range of structured data destinations, both cloud and on-premises-based.

Some of the vendors acknowledge cloud services that they don’t support. Sentra doesn’t cover data stored by Azure Synapse Analytics, Symmetry doesn’t handle any mainframe databases nor cover data stored by ServiceNow and Salesforce, and Wiz doesn’t support data stored in Databricks, AWS’ Redshift or on Azure SQL servers with Transparent Data Encryption enabled with a customer managed key. Again, this is a very dynamic situation as vendors are adding coverage areas continually as their customers demand them.

But tracking down data is just the beginning of the DSPM process. Once found, it has to be cataloged, evaluated, and summarized in various dashboards. That could be tricky if done without tight security controls, which is why most DSPM vendors claim that “customer data always stays within the customer’s environment.” This typically means collecting metadata, rather than the actual data itself, using read-only access to the apps, services, and database structures. Vendors refer to this as agentless or using API access. This has the advantage of being able to scan huge volumes of data quickly to understand the nature of its usage and potential risk factors.

Once discovered and the metadata collected, the next step is to perform regular scans to see what changes have been made: Has data been copied to some dark corner of your cloud estate? Has someone just changed access rights to allow for greater or insecure access? These tools provide a single point of view across all the various cloud and on-premises data locations. The key word here is “regular.” Scans have default periods (such as daily or weekly) and can be activated when new data repositories are found.
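The two questions this paragraph raises, "has data been copied somewhere new?" and "have access rights changed?", are answered by comparing one metadata scan against the previous one. The following is an added example, not code from the article or from any vendor named in it: it diffs two constructed snapshots of storage-container metadata (the kind of read-only, metadata-only inventory an agentless DSPM collects) and flags newly public containers, lost encryption, and unowned, unclassified repositories as shadow-data candidates. Container names and attributes are invented for illustration.

```python
# Constructed sample snapshots (not real buckets): the metadata an agentless,
# read-only DSPM scan collects on two consecutive days. No object contents.
SNAPSHOT_DAY1 = {
    "finance-reports": {"public": False, "encrypted": True, "classification": "PII", "owner": "finance"},
    "app-logs": {"public": False, "encrypted": True, "classification": "internal", "owner": "platform"},
}
SNAPSHOT_DAY2 = {
    "finance-reports": {"public": True, "encrypted": True, "classification": "PII", "owner": "finance"},
    "app-logs": {"public": False, "encrypted": False, "classification": "internal", "owner": "platform"},
    # A developer export with no owner tag and no classification: shadow data.
    "tmp-export-2023": {"public": False, "encrypted": False, "classification": None, "owner": None},
}

# Severity is driven by what the data is, not only by what changed.
SEVERITY = {"PII": "high", "internal": "medium"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "triage": 2, "info": 3}


def diff_posture(previous, current):
    """Return (container, finding, severity) tuples describing posture drift
    between two metadata snapshots, most urgent first."""
    findings = []
    for name, meta in current.items():
        old = previous.get(name)
        if old is None:
            # New repository. Unowned or unclassified ones cannot be risk-rated
            # yet, so they go to triage for classification before anything else.
            if meta["classification"] is None or meta["owner"] is None:
                findings.append((name, "shadow_data", "triage"))
            else:
                findings.append((name, "new_repository", SEVERITY[meta["classification"]]))
            continue
        sev = SEVERITY.get(meta["classification"], "triage")
        if meta["public"] and not old["public"]:
            findings.append((name, "became_public", sev))
        if old["encrypted"] and not meta["encrypted"]:
            findings.append((name, "encryption_removed", sev))
    for name in previous:
        if name not in current:
            # Deletion is worth recording too: data may have moved, not vanished.
            findings.append((name, "repository_removed", "info"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[2]], f[0]))


if __name__ == "__main__":
    for container, finding, severity in diff_posture(SNAPSHOT_DAY1, SNAPSHOT_DAY2):
        print(f"{severity:6} {container:18} {finding}")
```

In a real deployment the snapshots would come from the provider's read-only inventory APIs on the scan schedule the vendor allows, and findings would be handed to the ticketing or SOAR integrations listed for each product above.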

Another aspect of searching for data is understanding how data is consumed in your production environment, including data pipelines, lakes, and warehouses. This can involve creating data maps to classify this landscape as well as facilitating audits that enumerate who has access to which data resource and under what specific circumstances it was shared across your enterprise. Maps are not just pretty pictures but important visualizations that often show, for example, where shadow data was abandoned.

On top of all these activities there is the entire field of data governance. This means these products assign risks and apply consistent security policies to manage your entire data collection, and work with other security tools to enforce these policies and remediate problems.

Each DSPM tool has several components, including agents and agentless collectors (useful for tracking on-premises data), a centralized management dashboard, scanners that detect and prioritize data collections, maps of data lineage and usage, and compliance assessments.

Most vendors offer their DSPM product in one or both wider contexts: to integrate with third-party security services (such as offered by Wiz and Securiti) or as part of their own security product portfolio with other add-on modules that include identity management, cloud management, detection and response and log analysis tools (Cyera, Varonis, Wiz and Palo Alto Networks).

The specifics of these integrations are worth examining, as some vendors such as Varonis and Palo Alto Networks have wider support while others such as IBM and Normalyze are more limited or just getting around to implementing them. Understanding the scope, the integration level, what other protective features are included, and which are available at extra cost will take some effort.

Products can be deployed as a complete SaaS cloud-based solution, run from on-premises servers or private virtual machines, or some combination.

Finally, there is the issue of pricing. Few vendors were willing to share this information, indicating that prices are flexible and depend on numerous factors. However, numerous vendors offer annual subscriptions on either or both the Amazon and Azure marketplaces, which typically start at $30,000 but can quickly move into six figures.

Wiz offers two licensing plans and the full collection of DSPM features is only available on its more expensive Advanced plan. A summary table shows the various products and services offered, and links to the marketplace subscriptions.

How to evaluate DSPM products

DSPM tools will require a significant amount of staffing resources to evaluate because they touch on so many different aspects of an enterprise’s IT infrastructure. And that is a good thing, because you want them to seek out and find data no matter what digital rock it is hiding under. So having a plan that prioritizes which data is most important will help focus your evaluation. It is also worth documenting how each DSPM creates its data map and how to interpret it and the subsequent dashboards. Finally, you should understand which specific cloud services are covered and which ones are on the vendor’s near-term product roadmap.
