One of the technologies that have recently emerged in the field of data security is called “Data Security Posture Management” (DSPM). Through AI/ML techniques, these technologies allow us to identify and classify our most sensitive data, as well as to assess and remediate risks.
Within the DSPM tools and processes, there are others already present in the field of Data Centric Security (data discovery, classification, DLP, etc.).
In this article we will see how they are related and more specifically we will describe:
- What is Data Security Posture Management (DSPM)?
- Data Security Posture Management Challenges, Objectives and Benefits
- How does DSPM work?
- How does DSPM relate to other Data-Centric Security technologies?
- Artificial Intelligence, Machine Learning, and innovations in the field of DSPM.
What is Data Security Posture Management (DSPM)?
“Data Security Posture Management” refers to the process of discovering and identifying where an organization’s most sensitive information is located, assessing the security risk associated with it, monitoring user activity on it and protecting it or reducing the risk of information leakage or loss.
In August 2022, Gartner identified Data Security Policy Management as an emerging and transformational technology in the Hype Cycle for Data Security. According to Gartner, Data Security Posture Management provides visibility into where sensitive data is located, who has access to it, how it is used, and what the security posture of the application or system where it is stored is. It requires an analysis of the data flow to determine its sensitivity and is the basis for a Data Risk Assessment (DRA) to evaluate the implementation of Data Security Governance (DSG) policies.
Data Security Posture Management Challenges, Objectives and Benefits
Rapid data growth, migration to the cloud, and regulatory compliance.
Nowadays, data is found in multiple platforms and storage systems. We store sensitive data in unstructured format on platforms such as Microsoft 365, Box, SharePoint, or any type of document management either in Cloud or On-Premises. On the other hand, we have sensitive data in CRMs such as Salesforce and other types of SaaS applications, and there are more and more resources in Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Database as a Service (DBaaS), etc. platforms that store sensitive information in both structured and unstructured format.
Companies are challenged by the rapid growth of information stored in these systems, and how to assess and prioritize the security and privacy risks to which this data may be subject. Among the data may be personal information, financial data, or sensitive information subject to certain regulations (GDPR, HIPAA, PCI, etc.).
Information identification, classification and leakage management tools have traditionally focused on controlling data within the organization’s perimeter, but migration to the cloud and the wide variety of existing systems mean that these systems have become limited.
Data Security Posture Management Objectives
The objectives of the set of tools and practices that make up Data Security Posture Management are:
1. Mitigate the risk of information leakage. All the following steps of information identification, classification, etc. have the final objective of providing a way to avoid data leaks or security breaches of the most sensitive information of the organization.
2. Improve compliance with regulations specific to a given industry (e.g. PCI, Defense-NIST), territory or data type (e.g. GDPR).
3. Automate and improve the efficiency of security teams in facilitating data leakage risk mitigation and regulatory compliance by trying to reach data held by an organization in any location or platform.
Benefits of Data Security Posture Management
The benefits offered by Data Security Posture Management are logically in line with the objectives discussed above:
1. Prioritize those points in the corporate environment that must be secured due to the weaknesses found and the risk of critical data leakage.
2. Simplify compliance and weakness identification in an efficient and automated way across the different equipment, storage systems, IaaS, PaaS, DBaaS, etc. platforms used by the organization.
How does DSPM work?
To achieve the objectives and benefits discussed above, a Data Security Posture Management software provides the following capabilities:
1. Data discovery and identification: DSPM tools provide real-time visibility into where critical information is in the organization’s various storage systems and systems.
In addition to NAS systems, PCs, etc. and on-premises equipment, it offers visibility over data stores in the cloud both at the document management level, such as databases, or Amazon S3 or similar systems in Azure, Google Cloud or other clouds.
In IaaS, PaaS or DBaaS systems, organizations have their data distributed in virtual machines, instances, and systems that are redundant, can be copied between different availability zones in the cloud or backed up in parallel systems.
The challenge of being able to scan all these repositories and have real-time visibility of the sensitive data in them is complex.
2. Classification of sensitive data: The objective of data classification is the prioritization of which information is more important and we must protect first or take special security measures on it.
Among all the systems and platforms in an organization, it is necessary to focus at the security level on those that are most critical (e.g. a company’s key intellectual property) or subject to regulations on which the company’s operation depends and whose non-compliance could impact the business.
DSPM software allows us to classify this data by performing this prioritization so that we can then focus on protecting the most critical data.
3. Security risk assessment: Once the data have been identified and classified, it is necessary to identify the security risk to which they are subject, especially those data that are most critical for the organization.
Information is constantly moving, and in this process, it is not enough to identify the data at rest but what potential security risks are arising due to the movement of data,either by downloading a file from the cloud or, for example, by copying data to a backup on another platform.
Within the critical data managed by an organization, this identification of risks further narrows the spectrum of those we must focus on to avoid a risk of loss or regulatory non-compliance.
4. Remediation and Data Security Policy Management: We may have visibility into where our most valuable data is, have it classified and receive alerts of high leakage risk on a certain file, but if we are not able to remediate it by applying adequate security policies on it, all previous efforts will have been for very little.
If there are public links in a certain cloud application that should not be public, it is necessary to remedy this situation, if there is critical data being downloaded from a repository and reaching partners outside the organization we must protect them, if there is duplicate data, in disuse in systems at risk we should be able to delete them, etc.
On the other hand, following the Zero-Trust security model, it should be able to maintain a least-privilege data access scheme.
A DSPM tool allows managing security policies from different platforms or connecting with third-party security platforms to remediate potential security risks on the data detected in the organization.
How does DSPM relate to other Data-Centric Security technologies?
In the following article we evaluate the different data-centric security tools, but in what ways do they compete or complement DSPM? Let’s look at some of the most relevant ones:
1. Data Discovery: These tools have traditionally focused on data discovery within on-premise repositories. They not only identify sensitive data types (e.g., personal, financial, etc.) but also identify actions on specific files (copy, delete, modify, etc.) within a network folder. These systems are attempting to embrace new file repositories in the cloud.
As previously mentioned, data discovery is part of the tools of a DSPM, which also tries to cover platforms such as IaaS, PaaS or DBaaS.
2. Data Classification: There are in-use information classification systems, where the user indicates the classification level of a file, and at-rest information classification systems, where a scan of a network folder, etc. identifies sensitive data (we refer to these as information discovery systems).
This classification is an important part of a DSPM as seen above. To increase efficiency and task automation, the classification provided by a DSPM is automatic as in discovery systems, but we must not forget the importance of the classification of data in use where the user who manages the information catalogs it as Confidential, Internal Use, etc.
3. Data Leak Prevention (DLP): These are tools focused on the prevention of data exfiltration outside the organization’s security perimeter: endpoints, email systems, USB copies, uploads to web systems, etc.
They are focused on on-premises infrastructure and are not applicable to cloud systems, however, they can be an important component in the remediation process: Once information risks have been identified, it is necessary to establish remediation and data security policies to minimize the possibility of suffering a security breach.
One variant is the CSP-Native DLP (Cloud Security Platforms DLP) which is halfway between a cloud DLP and a CASB. They are DLP functionalities offered by cloud platforms such as M365, Google Workspace, etc. There are also native DLP solutions or specific DLP functionalities in public cloud vendors such as AWS, Azure, or Google Cloud.
4. Cloud Access Security Broker: CASBs perform sensitive information identification tasks in SaaS applications (e.g. M365, Google Workspace, Salesforce, etc.), and allow establishing security policies on this data at rest and in transit: blocking downloads, copies, etc.
They focus on SaaS applications and not on logically on-premises data or virtual machines stored in an IaaS, PaaS or structured data in DBaaS. Like DLP for On-Premises, in the DPSM scope, they can cover the remediation step by establishing security policies in SaaS where most risks have been detected on the data.
5. Encryption: As we show in this article, one of the most common ways to protect data at rest is encryption. This can apply to unstructured data such as files on a NAS, data in on-premises databases or in PaaS systems. It also allows protecting information in transit such as encryption in email and, on the other hand, encryption is also the basis of privacy preservation techniques that allow mitigating information leaks about data in use.
As seen above, DSPM without the remediation and security policy management part is worth very little. This is why encryption is an important tool when it comes to protecting data in any location.
6. Enterprise Digital Rights Management (IRM/E-DRM): The importance of protecting documents, files, or unstructured data in any location through IRM/E-DRM is also mentioned in the previous articles. Unlike file encryption, an IRM/E-DRM solution allows the protection of documentation in use. Here you will find how to deploy an Enterprise Digital Rights Management Solution Successfully.
A user can open a document protected by IRM only if he has permissions and with the permissions that the owner of the documentation has granted him (e.g. only view and edit, but not print or copy and paste, etc.). In addition, it is possible to have traceability over the data in any location and the possibility to revoke or block access wherever the file is.
A DSPM system can control structured data in repositories or platforms controlled by the organization, but what happens when the data has been downloaded from the cloud by third parties, emailed to a provider, etc.? To maintain control over these and have a least-privilege access strategy these technologies are key in the remediation section of a DSPM platform.
There are also other tools and processes called CSPM (Cloud Security Posture Management), but they are really focused on protecting the infrastructure and not the data, unlike a DSPM. In the case of DSPM all the risks are focused on infrastructure and communications management without getting to the content and sensitivity of the data.
Finally, Software-as-a-Service (SaaS) Security Posture Management (SSPM) refers to a set of tools for maintaining security in SaaS applications and services by indicating exposure to different types of attacks (e.g., risks in the field of identity management, vulnerabilities, etc.). Unlike the DSPM, they do not focus on the content and sensitivity of data but on the other threats that affect access to a SaaS application.
Artificial Intelligence, Machine Learning, and innovations in the field of DSPM.
The growth in the volume of data managed by organizations makes it necessary to have more efficient systems in place to detect where the most valuable information is and to discern the most pressing risks to our data.
It is in these points where Artificial Intelligence and Machine Learning techniques can offer differential value over “legacy” solutions:
- Thanks to AI/ML algorithms, it is possible to identify more precisely where the organization’s most sensitive information is located.
- Through training with data models of different types of information, it is possible to quickly identify data that specifically affect certain regulations.
- Finally, among all the alerts that appear in an organization about data, machine learning techniques can help discern the most critical ones for the organization.
A DSPM system must have AI/ML techniques in the area of identification, data classification (such as that used by SealPath Data Classification), and information risk identification.
On the other hand, automation is a key process to have an efficient system for establishing protection and remediation policies. This automation allows security measures to scale at the same speed as the data and repositories managed by the organization grow.
To facilitate automation, it is important to have information discovery systems that are not agent-based and can access different Cloud systems without the need to install plugins, etc.
Data Security Posture Management tools and technologies are, as Gartner indicates, still at an embryonic stage, but it is an area where rapid growth is expected due to the increased volume of data and platforms managed by organizations.
As we have seen, DSPM is related to other data-centric security technologies, but it tries to go further and go towards data control also in PaaS, DBaaS, IaaS, etc. platforms. Really the focus is towards the cloud.
However, an organization should evaluate where it has its most sensitive data today: in on-premises repositories? In files on a platform such as Box or M365? If so, DSPM efforts should focus on identifying, classifying, mitigating, and remediating risks to the data in these repositories, relying on technical enhancements that DSPM provides such as AI/ML.
Finally, it is important to note that the data identification and classification part or the identification of risks does not in itself protect the information. The process of protecting data at rest, in transit and in use is critical if we want to keep it safe from possible security breaches.
If you want to know how SealPath can help you in the field of classification and protection of sensitive documentation driven by AI/ML contact us.