If you pay attention to cloud security, you may have heard about a new category of security tools called data security posture management, or DSPM. These tools ensure sensitive data always has the correct security posture -- meaning correct security controls and policies -- regardless of storage location, or whether the data is original or a copy.
How is this different from cloud security posture management (CSPM)? CSPM ensures infrastructure always has the correct security posture. So, while CSPM focuses on protecting cloud infrastructure, DSPM focuses on securing data.
An easy analogy is to look at the modern automobile. It has door locks, alarms, glass break sensors, keys and video cameras that are all designed to protect the car from break-ins, theft and vandalism. Security is present, regardless of the presence and location of the occupants, and is analogous to infrastructure security. Ensuring that you lock the doors and enable the alarm every time you park your car is the automobile equivalent of CSPM policies.
The modern automobile also has seat belts, air bags, seat occupancy sensors and child safety seat tethers designed to protect the occupants. These controls may be dependent on the presence and location of the occupants and are akin to data security. Ensuring that passengers put on seat belts, air bags are disabled for small occupants in the front seats and a child safety seat is tethered is the automobile equivalent of DSPM policies.
DSPM in practice
Organizations can define DSPM policies to ensure all sensitive data is protected, including governance and compliance demands for specific data types. For example, you could require that all personally identifiable information (PII) be encrypted. For compliance, you could require that all credit card numbers be masked, displaying only the last four digits.
When a developer creates a database, DSPM helps ensure any PII fields are encrypted. But what happens when the developer makes a copy of the production database for testing new features or extracts the contents into a file for an extract, transform and load operation? Are the PII fields in the copies also encrypted?
DSPM policies are independent of the infrastructure. They let you define how the data should be secured, regardless of the storage type or location. When data moves or is copied, the appropriate security controls and policies move with the data.
When defining DSPM policies, you don't need to know the difference between controlling access to an object store bucket or configuring encryption on a column in a database. You only need to understand what data you have and how you want to secure that data.
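As an added illustration (not code from the article or from any DSPM product), the following Python sketch shows what a location-independent data policy check looks like: rules are keyed by data classification, not by storage type, so a test-database copy or an ETL export is judged by the same rule as the production column. The inventory records, locations and sample values are constructed, and the classification labels are assumed to come from a separate discovery step.

```python
"""Added example: a minimal DSPM-style policy check over a constructed inventory."""
from dataclasses import dataclass
import re

# Hypothetical inventory record produced by a discovery/classification step.
@dataclass
class DataField:
    location: str        # where the field lives; used for reporting only
    classification: str  # label assigned by classification, e.g. "PII", "PAN"
    encrypted: bool      # is the field encrypted at rest in this location?
    sample: str          # constructed sample value used for the masking check

# Policies are keyed by classification; they never mention buckets or columns.
POLICIES = {
    "PII": {"require_encryption": True},
    "PAN": {"require_masking": True},
}

# A masked card number: one or more mask characters followed by four digits.
PAN_MASK = re.compile(r"^\*+\d{4}$")

def mask_pan(pan: str) -> str:
    """Mask a card number so only the last four digits stay visible."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def is_masked(value: str) -> bool:
    return PAN_MASK.match(value) is not None

def evaluate(inventory):
    """Return (location, issue) for every field violating its class's rule."""
    findings = []
    for f in inventory:
        rule = POLICIES.get(f.classification, {})
        if rule.get("require_encryption") and not f.encrypted:
            findings.append((f.location, "PII stored unencrypted"))
        if rule.get("require_masking") and not is_masked(f.sample):
            findings.append((f.location, "PAN not masked to last four digits"))
    return findings

# Constructed inventory: production column, a test copy of the database, and
# two columns of a CSV extract written by an ETL job. Copies keep their labels.
INVENTORY = [
    DataField("rds:prod/customers.email", "PII", True, "a@example.com"),
    DataField("rds:test-copy/customers.email", "PII", False, "a@example.com"),
    DataField("s3:etl-export/customers.csv:card", "PAN", True, mask_pan("4111 1111 1111 1111")),
    DataField("s3:etl-export/customers.csv:card_raw", "PAN", True, "4111111111111111"),
]

if __name__ == "__main__":
    for loc, issue in evaluate(INVENTORY):
        print(f"{loc}: {issue}")
```

Run as-is, it flags the unencrypted test copy and the unmasked export column while the production column and the masked export pass, which is the "policy follows the data" behaviour the section describes.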
Are CSPM and DSPM friends or enemies?
CSPM helps secure cloud infrastructure, including VMs, containers, lambda functions, databases and other managed services. Using CSPM, infrastructure security professionals define the proper settings and configuration of the infrastructure. These policies are indifferent to the data stored inside the infrastructure. When data moves, infrastructure policy does not.
Conversely, DSPM helps secure data, regardless of the data storage infrastructure, such as object stores, databases or files. Using DSPM, data security professionals define the proper security policies for the data. These policies are indifferent to the infrastructure. When the data moves, the data security policy moves with the data.
DSPM and CSPM both scan the infrastructure configurations and relevant context for policy violations. They protect different assets, however, using different controls and remediation workflows. Most importantly, their security policies have different subjects. Thus, they solve different problems for different users with different controls and workflows. The combination of the two is harmonious.
Why DSPM and CSPM matter
The cybersecurity industry has been around for more than 40 years and has splintered into many different subsegments, from endpoint security to network security to cloud infrastructure security. Along the way, the industry lost sight of the fact that the ultimate goal of the attacker is to gain access to sensitive data.
Instead of following the industry and dividing your efforts among protecting infrastructure, endpoints, networks and various other IT components, keep your attackers' goal in mind: create a data-centric cybersecurity strategy and use the appropriate tools, cloud security among them, to comprehensively secure your data. As part of that strategy, use the synergistic combination of CSPM and DSPM for data security, recognizing that the two work together as layers in a defense-in-depth cybersecurity strategy.