By Katrina Thompson
Nothing is more discouraging than building a sandcastle only to have the waves come in and knock it down, or spending all afternoon weeding your lawn only to have the weeds grow back a few weeks later. And yet this is the natural course of things. Systems tend towards entropy (the tendency to break down), and an organization’s data security posture is no different.
Left to its own devices, data security drifts because, like a lawn, it is a living, breathing thing. Changes are made every day: systems are introduced and updated, new devices are added, departing users are (supposedly) removed, and a million things can fall through the cracks in the process: permissions that were never revoked, misconfigured controls around new applications, rogue IoT devices, and more.
To maintain data security resilience, a foundational level of protection has to survive all of these changes. Doing that is hard, if not next to impossible, for human teams working with the current gamut of security tools.
However, new solutions like Data Security Posture Management (DSPM) have appeared to bridge that gap between what is necessary and what is possible. Perhaps unsurprisingly, it takes an entirely different approach.
Here’s how DSPM does what it was designed to do: help organizations maintain data security resilience in today’s uniquely complex digital era.
The Failure of Traditional Tools
Usually, if you want visibility over your data assets, you look inside each “box” where it is stored: databases, repositories, file systems, applications, servers, and so on. But data has a way of ending up in places we don’t think to look. What then?
As noted by the Cloud Security Alliance (CSA), “Neither legacy security solutions, such as Data Loss Prevention (DLP), nor CSP-native tools, are sufficient for protecting sensitive multi-cloud data. They require constant re-configuration to keep pace with dynamic cloud use and can only detect data in known repositories — leaving shadow data unprotected. Many of them also remove data from your environment, creating additional exposure.”
For example, sensitive data could be copied out of an internal report and sent over WhatsApp. Healthcare data could still be reachable through an API you stood up during a beta phase long ago and forgot about. Someone could have emailed you the company’s intellectual property or a sensitive document about a merger, and it could still be sitting in your inbox. All of these are security liabilities that, if found by the wrong parties, undermine data security resilience.
DSPM: No More Visibility Gaps
A good DSPM tool is environment-agnostic and can scan for all sensitive data across disparate environments – perfect for how modern companies run. In today’s multi-cloud era, this can be especially useful. As noted by data security firm Cyberhaven, “the DSPM tool should be compatible with multiple cloud providers (AWS, Microsoft Azure, Google Cloud) and offer features like cloud-native data discovery.”
DSPM uses AI and machine learning, alongside plain pattern matching, to scan assets for keywords, patterns (credit card or national ID formats, for example), and other signals that the data inside is sensitive. Because it classifies by content rather than by where the data is supposed to live, it can spot sensitive data sitting in stores nobody labelled as sensitive, and in the process dredge up shadow IT, shadow APIs, shadow SaaS, shadow data, and more.
DSPM: Automated Security Assessment and Classification
Finding data is only step one. Securing it means finding where that data is unprotected, where controls don’t measure up to its sensitivity, and where weaknesses exist that could undermine the safety of the whole.
As IBM states, “DSPM solutions locate an organization’s sensitive data, assess its security posture, remediate its vulnerabilities in keeping with the organization’s security goals and compliance requirements, and implement safeguards and monitoring to prevent the recurrence of identified vulnerabilities.” That’s a lot. In essence, it preserves data security resilience by being a full-service data security suite – finding data, classifying it, and helping you enforce policies around it once they have been created by your team.
Naturally, more stringent security controls are applied around more sensitive data. Once those controls are defined, a DSPM platform continuously scans the assets in your environment, spots vulnerabilities and policy violations, and recommends remediation steps.
DSPM: Preventing Security Drift with Enforcement
Finding data, classifying it, and pointing out problems are the foundation of strong security. But to maintain data security resilience, these steps must be repeated, proactively and continuously. Because a modern digital organization is constantly changing, it is not enough to ‘set it and forget it.’
This is why DSPM’s ability to monitor and map data across complex cloud environments, to provide data lineage (a history of where the data has been and how it has been used), and even to execute basic remediation steps is also key to ongoing data security.
Resilience means coming back when something goes wrong. In many cases, DSPM tools can autonomously bring elements of your security architecture back into line with your existing policies: closing public access on a misconfigured store, revoking stale or excessive permissions, and flagging vulnerable services for remediation. In practice the automated fixes are data-layer changes (configuration and access); patching the software vulnerabilities themselves still belongs to vulnerability management and the teams that own the systems.
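As an added illustration of the cycle described in the sections above (discover sensitive data by pattern, classify it, assess its posture against policy, auto-fix what is safe to fix, and rescan), here is a small Python sketch. It is example code written for this article, not the product of any DSPM vendor. The object paths, contents, the list of offboarded users, the policy rules and the 4111… test card number are all constructed assumptions. It also shows one practical detail the text glosses over: a bare regex over-matches, so card hits are validated with the Luhn checksum before they count.

```python
import re
from dataclasses import dataclass, field


@dataclass
class StoredObject:
    """One storage object with its security attributes (constructed sample)."""
    path: str
    content: str
    public: bool = False           # readable without authentication?
    encrypted: bool = True         # encrypted at rest?
    grants: set = field(default_factory=set)  # principals with read access


# Detection patterns. Regexes alone over-match (order numbers look like
# card numbers), so card hits are validated with Luhn before they count.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Hypothetical list of users who have left but may still hold grants.
OFFBOARDED = {"alice"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; the standard sanity check for payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(obj: StoredObject):
    """Discover sensitive content and map it to a sensitivity level."""
    found = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(obj.content):
            if kind == "credit_card" and not luhn_ok(m.group()):
                continue  # looks like a card number but fails checksum
            found.add(kind)
    if {"credit_card", "us_ssn"} & found:
        level = "restricted"
    elif "email" in found:
        level = "internal"
    else:
        level = "public"
    return level, found


def assess(obj: StoredObject, level: str, offboarded: set) -> list:
    """Compare the object's posture with the policy for its level."""
    findings = []
    if level != "public" and obj.public:
        findings.append("public_access")
    if level == "restricted" and not obj.encrypted:
        findings.append("unencrypted_at_rest")
    for principal in sorted(obj.grants & offboarded):
        findings.append(f"stale_grant:{principal}")
    return findings


def remediate(obj: StoredObject, findings: list) -> None:
    """Apply the fixes that are safe to automate: access and configuration.
    Re-encrypting data is left to humans; it is not a one-flag change."""
    for f in findings:
        if f == "public_access":
            obj.public = False
        elif f.startswith("stale_grant:"):
            obj.grants.discard(f.split(":", 1)[1])


def scan(store: list, offboarded: set = OFFBOARDED) -> dict:
    report = {}
    for obj in store:
        level, kinds = classify(obj)
        report[obj.path] = {
            "level": level,
            "kinds": sorted(kinds),
            "findings": assess(obj, level, offboarded),
        }
    return report


def enforce(store: list, offboarded: set = OFFBOARDED):
    """One posture cycle: scan, auto-fix, scan again to confirm no drift."""
    before = scan(store, offboarded)
    for obj in store:
        remediate(obj, before[obj.path]["findings"])
    after = scan(store, offboarded)
    return before, after


def sample_store() -> list:
    """Constructed sample environment, not data from any real system."""
    return [
        StoredObject("s3://analytics/export.csv",
                     "customer,card\nalice,4111 1111 1111 1111\n",
                     public=True, encrypted=False, grants={"alice", "bob"}),
        StoredObject("gdrive://hr/onboarding.txt",
                     "Contact hr@example.com; SSN 123-45-6789 on file.",
                     grants={"carol"}),
        StoredObject("s3://www/banner.txt",
                     "Order 4111111111111112 shipped",  # 16 digits, fails Luhn
                     public=True),
    ]


if __name__ == "__main__":
    before, after = enforce(sample_store())
    for path in before:
        print(path, before[path]["level"], before[path]["findings"],
              "->", after[path]["findings"])
```

The second scan is the point of the exercise: after the automated fixes, only the finding that needs a human (re-encrypting the export) remains, and running `enforce` on a schedule is what keeps posture from drifting back as new objects and grants appear.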
DSPM is equipped to protect sensitive data in today’s multi-faceted environments in a way few other traditional tools can, no matter how advanced they might be.
About the author
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
Cyber Security Review online – November 2024