In our blog on top predictions for 2023 and beyond, we predicted the blurring of lines between Cloud Security Posture Management (CSPM), Cloud Infrastructure Entitlement Management (CIEM), and Data Security Posture Management (DSPM). The Data Security Posture Management world is new and exciting—and one that Symmetry Systems has been pioneering since 2018. Given the need for advanced data security solutions, the announcements in late 2022 by a number of CSPM vendors of their entry into the DSPM space hardly come as a surprise.
The fact that our prediction is already coming to fruition even before 2023 gets started suggests that the blurring of CSPM, DSPM, and CIEM was entirely predictable. In this blog, we explore why this was so predictable and the implications of this convergence, particularly for organizations trying to understand what truly differentiates Data Security Posture Management.
Why was the convergence so predictable?
The process of predicting the future is fraught with omens, conjecture, and a little crystal gazing, making it, in many ways, inherently unpredictable. There are usually many months, sometimes even decades, before the accuracy of a prediction can really be fully assessed. Was a prediction wrong because you thought something would happen a lot sooner than it did? Can you claim it was right regardless of when, because it did materialize? At Symmetry Systems, we’ve tried to make sure our predictions are time bound to make them measurable.
There were a number of data points that the Symmetry team gathered over the last two years that pointed to this CSPM-CIEM-DSPM convergence. The most obvious is the continuing adoption of modern data privacy laws and mandates around the globe, including the increasing number of changes to state and federal privacy regulations in the U.S. Regulations are always powerful forcing functions, and the majority of privacy and security regulations remain solely focused on protecting specific datasets, rather than securing cloud infrastructure. Within the scope of this regulatory background, it is worth remembering that CSPM, CIEM, and DSPM tools are tackling the ongoing data breach business problem. This business problem is what organizations truly care about, regardless of whether the cause of that “problem” is due to cloud infrastructure misconfiguration, poor identity and entitlement management, unprotected data stores, or lack of data governance. An oversimplified view of the differences between these products could be seen as the granularity and focus of each product—with the most granular focus on the data objects and expanding to the identities who access them or the infrastructure they are stored in.
This was most apparent to the team at Symmetry Systems after installation of DataGuard with customers who had pre-existing installations of CSPM tools. In those instances, a number of the misconfigurations of individual data objects had not been previously identified by the CSPM solution, simply because CSPM tools are not designed to identify and/or remediate such issues. Only a granular understanding of the data at risk and activity being performed on the data would enable identification. While CSPM solutions are unable to operate at this level, the process is relatively straightforward for DSPM solutions and DataGuard. The failure of CSPM solutions to detect misconfiguration on individual data objects is clearly feedback that some CSPM vendors have heard and acted upon.
CSPM has focused on identifying and prioritizing remediation of cloud infrastructure vulnerabilities. It has been an undoubted success in addressing the majority of those issues, but granular problems such as configuring access controls to protect specific data objects at scale remain.
Analyst research seems to corroborate this trend. Fernando Montenegro, Senior Principal Analyst at Omdia, highlighted in Dark Reading that CSPM has driven the cloud security conversation significantly forward, and that as a result, organizations can now focus on the things that matter most to their organization’s security, such as data. The analysis offered by Montenegro on the results of the Omdia Decision Makers Survey (see image below) indicates that “customers are indeed seeing value from the CSPM tooling for configurations and compliance, but they now have heightened concerns on data security, security operations, and making sure their teams are skilled in cloud technologies.” These concerns are focus areas for DSPM solutions like Symmetry Systems; but of course should be a focus for every vendor in the cloud security space.
Source: Omdia via Dark Reading
Underlying all of this is the inherent belief at Symmetry Systems that data is the single most important asset that most organizations have and, therefore, should be treated with the respect it deserves. Organizations that realize this are adopting a data-centric security strategy—one that focuses first on protecting the data itself, rather than securing just the systems and networks on which the data is stored or transmitted. Maintaining a security posture—without understanding the data first—could rapidly become yet another compliance-driven exercise.
It is apparent that customer needs and regulatory interests are becoming more data-centric, and as a result, vendors (at least the ones that listen to their customers) will focus more on the challenge of securing data with precision, at scale!
How to differentiate DSPM
The speed of previously CSPM-focused entities’ entry into the DSPM space should be seen as an indication to organizations serious about cloud security that DSPM is a necessary addition to the tools that an organization requires to manage cloud security. It does mean that the buying cycle is likely to be drawn out even further as organizations have more noisy vendors and venture capitalists to sift through, as well as alternative approaches to consider to determine where the most effective use of their investment will be.
The entrance of CSPM vendors into the DSPM space will inevitably lead to some vendors failing. A related prediction that we highlighted in the blog—The Symmetry of Space and Time: 16 Data Security Predictions for 2023 and Beyond—predicted that any DSPM solution that limits its focus to purely replicating the CSPM approach of analyzing the location and sensitivity of data will fail, because organizations will now more than likely get this capability from their existing CSPM vendor without the additional effort or supply chain risk of onboarding another vendor.
As more solutions emerge in this space and try to help organizations secure their data with precision and scale, it will become even more important to understand how these solutions differ in their approach and which will best suit the organization’s needs.
We believe that there are three interdependent areas that really stand out as differentiators in this space that should be understood when evaluating DSPM solutions:
#1—Visibility into data activity and data flow at the data object layer
The real value from Data Security Posture Management is in understanding, in fine granular detail, what is happening to your data. Without this, enhanced CSPM solutions claiming to be DSPM are really only the equivalent of adding a few more windows to your house. You might be able to see a little more of what is stored inside your house, but you still can’t see what is happening inside on a daily basis. A comprehensive data inventory or catalog provides essential context for ensuring that security posture is based on the business risk of the underlying data. However, understanding where your data is flowing to and from, and what other operations are being performed on data within a data store, will give you insights that can drive your data security program to the next level. It is important to understand how much visibility into actual data operations a solution will provide. Sadly, not every data store will have readily available APIs to query, or even logging turned on.
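The granularity difference described above (a store-level posture check versus checks on individual data objects and on the activity against them) can be made concrete with a small model. This is an added example, not code from Symmetry Systems or DataGuard; the data model, field names and sample records are constructed for illustration only.

```python
"""Store-level posture check vs. object-level and activity-level checks.

Hypothetical data model (not any vendor's API): a data store carries a
store-wide 'public_access_blocked' flag, while each object carries its own
ACL and a sensitivity label assigned by classification.
"""
from dataclasses import dataclass, field


@dataclass
class DataObject:
    key: str
    acl: str            # "private" or "public-read"
    sensitivity: str    # e.g. "pii", "internal", "public"


@dataclass
class DataStore:
    name: str
    owner_account: str
    public_access_blocked: bool
    objects: list = field(default_factory=list)


def store_level_findings(store: DataStore) -> list:
    """Infrastructure granularity: only store-wide settings are examined."""
    if not store.public_access_blocked:
        return [f"{store.name}: public access not blocked at store level"]
    return []


def object_level_findings(store: DataStore) -> list:
    """Data-object granularity: every object's own ACL and sensitivity count."""
    return [f"{store.name}/{o.key}: {o.sensitivity} object is {o.acl}"
            for o in store.objects
            if o.acl != "private" and o.sensitivity != "public"]


def external_access(store: DataStore, events: list) -> list:
    """Activity layer: reads of sensitive objects by principals outside the owner account."""
    sensitive = {o.key for o in store.objects if o.sensitivity != "public"}
    return [e for e in events
            if e["store"] == store.name and e["key"] in sensitive
            and not e["principal"].startswith(store.owner_account + ":")]


# Constructed sample: the store-wide setting looks fine, but one object is exposed.
STORE = DataStore("customer-exports", "acct-111", True, [
    DataObject("2023/q1/orders.csv", "private", "pii"),
    DataObject("2023/q1/report.csv", "public-read", "pii"),
    DataObject("logo.png", "public-read", "public"),
])
EVENTS = [  # constructed access records, not real log output
    {"store": "customer-exports", "key": "2023/q1/report.csv", "principal": "anonymous", "action": "GetObject"},
    {"store": "customer-exports", "key": "2023/q1/orders.csv", "principal": "acct-111:etl", "action": "GetObject"},
]
```

On this sample the store-level check returns no findings, while the object-level check flags the public PII export and the activity check shows it was actually read from outside the owning account.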
#2—Data classification at scale
In addition to discovery of data, Data Security Posture Management solutions need to be able to scale their classification of data to billions of data objects across thousands of different data store types. At Symmetry Systems, we know that this is a hard challenge and requires both machine learning capabilities and the ability to analyze data flows across your environment to reduce the false positives plaguing existing data loss prevention (DLP) solutions.
#3—Customer-native vs SaaS deployment
The above points to the need to collect and parse a whole lot of data—essentially creating a big data problem about big data. Customers that are focused on protecting their business-critical data don’t want to take on additional and unnecessary third-party risk with a traditional SaaS deployment. We have observed that organizations that truly care about their data want to keep it close, particularly when handling the firehose of data generated by data analysis operations and data classification at scale. The preferred method is a customer-native approach, which deploys within the customer’s own cloud and gives them full control and visibility over their data; this is a blueprint for all security tools.
Regardless of our beliefs, in overhyped but emerging markets like Data Security Posture Management, there will always be hyperbole, so conducting proof of concepts is absolutely essential to understand whether the technical claims made by others in this market are actually achievable or on the roadmap. As with all technical decisions, organizations should consider the benefits and concerns outlined above in light of their own needs.
Learn more about DSPM
If you want to learn more about DSPM and compare our capability at the forefront of Data Security Posture Management with the capabilities that CSPMs can currently provide, please do not hesitate to reach out to me or the Symmetry team. You can also read more of our predictions for 2023 and beyond here.