Organizations are holding more sensitive data. And the security, privacy, and governance of that data is coming under increasing scrutiny—from government regulators, industry mandates, and compliance entities. Moreover, that data is an attractive target for every threat actor on the planet.
To manage and secure this data, businesses are turning to tools like Amazon’s Macie, which offers automated sensitive data discovery and visibility into S3 data stores. For many businesses using AWS S3 buckets, Macie seems like an ideal solution; it’s cloud native, can identify regulated data for compliance purposes, and is relatively easy to use.
To be sure, many businesses don’t just use S3 buckets. (Their data could be stored in a lot of different locations—including cloud services like Azure or GCP and data stores like RDS, PostgreSQL, or MongoDB.) But, the argument is that there are other solutions for that.
But is it worth it—to use Macie combined with other solutions? On top of that, we have all heard that Macie is expensive. Let me share a story.
Article Quick Links
How much does AWS Macie cost? (And is it worth it?)
I heard a story the other day from a client that wanted to switch from Amazon’s Macie to a data security posture management (DSPM) solution for their data classification. Why?
They were paying over $25,000 a month for Macie. Because Macie was so expensive, they had to cap their S3 coverage based on budget, even though their S3 data was still growing.
Their initial use case was around compliance. At first, they wanted to know if they had specific regulated data types in locations where they shouldn’t be, have the ability to report the findings to the bucket owners, and then amend the issues. When we came to talk with them, their use case had expanded to include more regulated data types and the immediate need to cover all of their S3 estate, and not just a small fraction of it. In addition, the business had started using another cloud service which included a similar S3-like data storage requiring the same level of security, compliance, and governance. (It is probably worth noting that added budget for security was not in the plans.)
And what did they get from Macie for their $25K per month? A tool that:
- Provided them limited visibility into their S3 data estate; it didn’t cover their full estate due to scanning costs;
- Provided only sensitive data findings without any context, such as who could access the data, how it was being used, and by whom;
- Did not satisfy their compliance and security needs; and
- Was costly to operate.
Macie may have provided data classification services, but ultimately, this client found that it was an incredibly costly and inefficient way to do classification, security, and compliance. Already dealing with cybersecurity staffing challenges—and facing some looming budget cuts—this particular client realized they needed to get creative and find an alternative to Macie’s increasingly expensive services.
A Macie Alternative— DSPM Is the Better Choice
There are a lot of folks out there that use Macie. And I get it. They have S3 buckets and assume that a cloud native solution, like Amazon’s Macie, is going to provide them with a comprehensive (or at least sufficient) service that uses machine learning to classify and protect their sensitive Amazon S3 data.
But this is simply not the case. While we’re not here to bash Macie, we do think it is critically important for organizations to understand Macie’s limitations and recognize that technology evolves. There is another cloud native alternative out there to Amazon Macie, and it’s called Data Security Posture Management or DSPM.
Data Security Posture Management is a tool that extends the insight into what data organizations have and how this data is secured from the data—or “inside out”—instead of trying to piece it together from the perimeter in. Data security posture management (DSPM) supports a complete, data object-level understanding of:
- The data (from sensitivity to location).
- The identities that have access (permissions).
- Operations performed on the data by those identities (flows).
For each data object, DSPM uses machine learning to combine knowledge of the data, the identities, and the operations to provide unique insights, help prioritize an organizations’ data security risks, facilitate impact remediation, and support compliance, governance, and privacy.
How Does DSPM Work?
Visibility. Visibility. Visibility.
DSPM offers a more business-centric approach when it comes to data security, because it doesn’t begin with an identity. Instead security begins with the data stores and offers visibility into:
- What data is there?
- How much of that data is sensitive?
- Who has access?
- How are they using the data?
My colleague, Gopi Ramamoorty, recently wrote a great article on Cybersecurity & Data Privacy: What Are the Most Important Priorities for a CISO?. In it, he presents a perfect analogy for data-centric security:
“FedEx and UPS create efficiency, manage costs, and ensure the safety of their packages by scanning and tracking the package, *not* by scanning the people driving the trucks or planes. Businesses need to think the same way when securing their data. Scan the data first, not the identities.”
Our DSPM solution, DataGuard—the first and most comprehensive DSPM on the market, by the way—answers those key questions I mentioned above, by analyzing each data store against a number of security posture requirements and issues, including identifying:
- Dormant Data Stores—Particularly ones that are older and unused, and therefore more susceptible to attack because no one’s paying attention.
- Over-Privileged Data Stores—When widespread access is enabled, organizations are inviting trouble.
- Dormant Identities—This is the single most common data security issue we see when we do our customer scans. And like dormant data stores, dormant identities are particularly ripe for attack, since no one is paying attention.
- Over-Privileged Identities—Organizations commonly overestimate the level of access and privilege an identity needs. Granting too much privilege increases security risks dramatically.
- Delayed or Incomplete Employee and Vendor Offboarding—Departed vendors or employees still sometimes retain admin-level access to sensitive systems and data. Massive risk anyone?
- Inadequate Segregation of Duties between Development, Test and Production Environments—Failing to enforce segregation of duties between development, test, and production environments, can create security problems
- Application and Backup Misconfiguration—Misconfigurations can range from inadequate access controls and unprotected files and directories to access to unnecessary or unused features.
A comprehensive and mature DSPM solution will unify visibility into data objects across all data stores, answering the data security and compliance questions that Amazon Macie and other cloud security tools cannot.
During my discussions with this client, we spent some time discussing and then codifying what we see as the four main Macie challenges.
#1—No Actionable Insight
Macie may provide classification of data, but it isn’t going to give you the type of context needed for meaningful and actionable insights. In contrast, a DSPM solution that combines insight into permissions and operations being performed on the data will:
- Provide S3 storage data activity monitoring (DAM), including identifying dormant data or indicators of compromise (IOC).
- Help you identify your lifecycle, zero-trust, or least-privilege violations, and sensitive data access.
- Help identify and lock down excessive data access permissions and privileges.
- Detect and help manage out-of-country data operations.
- Maintain compliance with privacy regulations.
#2—Scalability beyond S3 and AWS
When it comes to DSPM, one of the most critical benefits is scalability to support the growing scope and complexity of data stores outside of just S3 and even AWS. Only using one cloud service for your data, like Amazon S3, probably isn’t going to be realistic or feasible. And the more S3 data you have, the more incredibly cost prohibitive Macie becomes. Many businesses are capping their Macie budgets because Macie just becomes too expensive to operate with large amounts of S3 data.
Macie also doesn’t support other data lakes and data store types, such as BigQuery, RDS, PostgreSQL, MongoDB, or other cloud services like GCP and Azure.
While Macie can give you classification visibility into your S3 buckets, Macie lacks critical information on who can access that data, and what actions are actually being performed on the data (e.g., cloud data activity monitoring (DAM)). This information can help organizations reduce permissions to data to be “least privilege,” determine whether dormant data exists, and whether there was any anomalous behavior or other indicators of compromise (IOC).
Macie also works with limited sets of business logic for security and compliance detections and offers no actionable insight when issues are discovered.
#4—Compliance, Governance and Observability
You need more than just classification information to be able to get a handle on your cloud data needs and to be compliant with government regulations and industry mandates, like GDPR, CPRA, HIPAA, or PCI DSS. You need to know (and prove) where you have regulated data and be able to observe changes to that data from permissions and access perspectives.
DSPM Benefits for Amazon S3 Buckets
|Affordable, cost-effective scanning and licensing model; significantly less than Macie.||No vendor risk due to ‘in-your-cloud’ deployment model.|
|Highly scalable; Supports multi-cloud, hybrid-cloud, and on-premise deployments.||Precision and accuracy with operations and activity log information ingestion.|
|Out-of-bound information collection to ensure no business process interruptions.||Rapid time to results—gain data security insights in hours from deployment.|
|Continuous data security and compliance validation.||Truly actionable insights—understand the impact of compromised identities and data quickly to take corrective or preemptive action.|
|Improve the security posture of sensitive data and cloud data stores.||Minimize the cost and risk of data exposure associated with cloud data stores.|
|Audit and compliance capabilities.||Ability to prioritize data security risks.|
|Automatic and continuous monitoring of data, with discovery of a multitude of sensitive data types in all your environments.||Proactive reduction in potential blast radius by giving organizations the ability to clean dormant data and manage unused permissions.|
|Comprehensive understanding where sensitive data is located.||Insight into what data has been accessed by which identities to address concerns around insider threats and vendor, supplier, and third-party risk.|
|Significant reduction in data sprawl by providing visibility into data dormancy and over-permissioned buckets.||Information, support, and alerts to ensure businesses can maintain least privilege access to S3 buckets.|
Learn More About DSPM and DataGuard
DataGuard—a Data Security Posture Management (DSPM) solution from Symmetry Systems—is an affordable, scalable, and actionable data classification tool that’s compatible with all data store types. DataGuard helps you understand what data you have, where it is located, who and what is entitled to it, how it is secured, and in what manner it has been accessed.
If you’d like to learn more about Data Security Posture Management and DataGuard, please reach out. We’d love to demonstrate how you can prioritize data security and help safeguard your most critical data assets through actionable insight and improved visibility, scalability, and compliance.