What is Data Security Posture Management (DSPM)?

6 min read
Sep 27, 2022 11:53:24 AM

Symmetry Systems DataGuard was the first platform to be described by Gartner as a “Data Security Posture Management” (DSPM) product. This recognition came in Gartner® Cool Vendors™ in Data Security — Secure and Accelerate Advanced Use Cases published on 19 April, 2022 where Symmetry Systems was named a Cool Vendor. 

Gartner cool vendors logo

Our focus has been on securing organizations from the data out; and our deployment approach within our customer’s cloud workloads or on premise. This unique approach ultimately reduces the complexity of yet another vendor with external access to your environment.  Since then, the customer demand and hype around DSPM has grown exponentially.

The recent release of the Gartner Hype Cycle™ for Data Security, 20221  also included the Data Security Posture Management (DSPM) category for the first time. It is no surprise to us that Gartner recognizes that the urgency of the problem around data security in the cloud is “encouraging rapid growth in the availability and maturation of this technology.”

So what is Data Security Posture Management or DSPM?

Gartner defines Data Security Posture Management in the Hype Cycle as a product that “provides visibility as to where sensitive data is, who has access to that data, how it has been used and what the security posture of the data store or application is.”

I love this definition because it focuses the DSPM category on providing answers to four key questions. These questions form the backbone of DataGuard:

  • Where is my sensitive data?

  • Who has access to it?

  • How has it been used?

  • What is the security posture of our data store?

Being able to provide our customers with answers to these questions as quickly as possible, and help our customers prove their data is secure, is what drives our approach at Symmetry Systems. If a DSPM product can’t provide answers to at least some of these questions, it probably isn’t a DSPM. 

At Symmetry, we emphasize further the “management” function of a DSPM. I’m a firm believer that management, especially in security, is about continuous improvement. You can’t unsee a security issue once you’ve identified it, so you better be in a position to fix it quickly. A DSPM therefore should also be able to provide meaningful guidance and even automate the improvement of an organization’s data security posture. As a result, we also focus on answering a fifth question:

  • How do we continuously improve our data security posture?

So let’s dig into these four questions and unpack why answering these questions are universal problems for every organization, and how DataGuard answers these questions as the leading Data Security Posture Management product. 

Where is my sensitive data?

As a former CISO with scars of implementing Enterprise Data Leakage Prevention (DLP), I understand how hard this question is to answer. This difficulty is increased by the factors that drive sensitivity of data. Some sensitive information is obviously easy to detect across organizations based on the content (i.e. credit card numbers, dates of birth, Social Security Numbers etc.), albeit with the potential for a high false positive rate. However most sensitive data is organizationally specific, based on both its context and content. As Gartner notes, "this requires a data flow analysis capability to determine data sensitivity.”. For example, the content of a data store containing a list of food isn’t immediately identifiable as sensitive, but with context linking this to a patient’s food allergies, the sensitivity increases dramatically. 

DataGuard answers this question using modern data classification techniques to perform an agentless scan of all data, label sensitive data and also analyze the flow of this data across an organization’s environment. 

Who has access to it?

This sounds like a simple question – and it is for a single data store – but no organization has a single data store anymore. The complexity of millions of data objects across thousands of data stores, multiplied by a seemingly infinite combination of roles, permissions for thousands of user and machine identities is pretty challenging for CISO’s to secure even when you have a “perimeter” wrapped around the corporate environment. The millions of objects form over months or years and change constantly. To simplify management of permissions to these, organizations are forced to group and nest permissions into manageable chunks of data, eroding least privilege from the onset. The challenge is increased dramatically through privilege creep, data sprawl and organizational churn, resulting in access to data that is far from ideal.

DataGuard answers this question by providing visibility into the relationship between various cloud actors such as users, groups, roles, and datastores thanks to flexible deployment models through a market leading Data Access Graph. The visualization of a sample Data Access Graph from DataGuard illustrates the scale and sophistication of our model that drives our ability to understand who has access to what data.

    Sample vizualization from DataGuard of Data Access Graph.Figure 1: DataGuard’s Data Access Graph is a deep graph of the organization's identifiable data objects, identities, and all permissions and actions from identities to data objects. 

How has it been used?

Sadly this question is usually only asked after a breach; and results in expensive digital forensic engagements to work out what happened. Unfortunately most security teams are restricted to utilizing network-centric or asset based tools with limited visibility into data stores, leaving them unable to identify what data was accessed and how. In addition, most telemetry is not specifically tied to the ultimate user, due to the use of service accounts and other machine identities to perform functions.  

DataGuard answers this question by creating data firewalls that monitor logs and telemetry which identity performed which operation on data within the data stores. 

What is the security posture of the data store?

As an analyst that focused on cyber risk management at Gartner, determining the security posture of a specific asset quickly and easily was a fever dream for most CISO’s. Although Cyber Asset Attack Surface Management (CAASM). products have made significant progress in allowing CISO’s to visualize their security posture based on the coverage of their existing security tools, these tools still lack real visibility into firstly the risk of the assets they are monitoring and secondly the identity and access management controls protecting those assets and the data within. When almost 50% of breaches involve the use of stolen credentials according to the Verizon 2022 Data Breach Investigations Report, it is clear to me that security posture without the combination of both data sensitivity and identity is meaningless. 

Summary of top causes of non-error breaches from Verizon Data breach investigation report.Source: https://www.verizon.com/business/resources/reports/dbir/ 

DataGuard answers this question by analyzing each data store against a number of security posture requirements, including but not limited to identifying:

  • Cloud misconfiguration issues

  • Least Privilege Identity and Access Management (IAM) policy issues including
    • Dormant identities
    • Dormant data
    • Over-privileged Identities
    • Over permissioned data stores
  • Compliance issues including
    • Data residency analysis
    • Compliance against a variety of industry standards 

This last requirement can be the biggest reduction in manual effort for organizations in regulated industries. Most compliance standards, frameworks and regulations require controls around data assets inventory management, access control, data flow diagrams, data access activity monitoring, and third party access control. DataGuard provides complete visibility of data governance and data access management to meet these data specific compliance requirements. 

How do we continuously improve the data security posture?

The issues identified through a DSPM can be complex with additional constraints to consider. Even something as simple as dormant data, which is obviously not being used can be tricky. Organizations may need to maintain certain data stores for data retention purposes, and maintain a legal hold for legal proceedings. As a result, deleting the data may not be the right solution, albeit the simplest.

The findings from a DSPM can be surprising and may require significant effort to unpick and re-architect to address. 

DataGuard answers this question for organizations in two complementary ways. Firstly with out of the box, recommendations and guidance on how to address the identified issues and secondly our partnerships with leading regional and national security service providers including Accenture and Trace3. If you would like to learn more about DSPM or see DataGuard in action, please do not hesitate to reach out to me or the team at hello@symmetry-systems.com or register for a demo here: https://www.symmetry-systems.com/demo.

1 Gartner, Inc. “Hype Cycle for Data Security, 2022,” by Brian Lowans. Aug. 4, 2022.

Gartner Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER, COOL VENDORS,HYPE CYCLE  and the Gartner Cool Vendors badge are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.