Cloud security is challenging, but data security in the cloud is also quite difficult. As a result, enterprises require a variety of solutions. Data security posture management (DSPM) is essential for safeguarding data. On the other hand, cloud security posture management (CSPM) is crucial to secure the infrastructure. The solutions differ greatly. They cater to various requirements and have opposing points of view. However, they are both equally important for the security of your organization. Here’s why you should consider both as part of your overall cloud security strategy. Let’s contrast both.
Data Security Posture Management (DSPM)
Just with AWS, there are dozens of different ways to store data. When you include Azure, GCP, and Snowflake along with AWS, the speed of data growth multiplies and amplifies the complexity. Data is freely available to developers and data scientists in the cloud. They may now transfer, copy, and distribute data in seconds rather than weeks. Moreover, they can also create new databases as quickly and as frequently as they like.
This speed makes organizations vulnerable
While this has proven beneficial to the business, it has created a security vulnerability since when data proliferates, security is frequently an afterthought. In this modern paradigm of cloud operations, security teams must ensure that controls are strong. No one can intrude on the open use of data, especially that is not under any type of restriction by developers and data scientists.
DSPM is Independent of the structure
With DSPM, security teams now have a solution designed specifically for this situation. A solution that is fully independent of the infrastructure that stores the data. It is significant because the data security professional does not need to know if the data is currently stored in RDS, S3, or Google BigQuery.
They don’t care whether it’s on AWS, GCP, Azure, or Snowflake. What they do care about is which data holds the maximum importance, how to safeguard it, who should and does have access to that data, what the risk of exposure is, and how to mitigate it. DSPM is the security policy engine that enables security teams to implement data-centric guardrails. It avoids the complexity of cloud environments and quickly solves the challenge of continual data proliferation.
A completely automated data-centric policy engine (supplied by a DSPM) protects your data at cloud speed. It allows data security to concentrate on the data and the regulations that provide the framework for securing that data. For example, data regulations can state that personally identifiable customer data should never be public, regardless of the infrastructure on which the data is currently in store.
The DSPM solution then converts these data policies into specific technical configurations, displaying to the user where the data security policy is currently being violated, prioritizing issues for resolution, and assisting in those issues with clear, specific technical remediation instructions.
DSPM policies prioritize:
- Data exposure and accessibility
- Obfuscation of data (encryption, tokenization, anonymization)
- Environment data segmentation
- Data retention
- Control of data proliferation
With this new technology, data security practitioners only need to design a set of data-centric security guardrails and let the DSPM discover violations and monitor for data proliferation. Assume you have social security numbers publicly exposed in an Oracle database housed on an Azure virtual machine. The data security officer does not even need to be aware of the virtual machine’s existence.
The DSPM discovers the asset, discovers the sensitive data within it, and determines that a data security policy violation has occurred. It prioritizes violations based on various parameters, including sensitivity and danger, and engages relevant team members to assist with remediation.
Cloud Security Posture Management
CSPM, on the other hand, is all about infrastructure. CSPM solutions only acquire visibility into the cloud infrastructure layer by pulling metadata from the cloud provider’s API. Moreover, it often covers operations for infrastructures, such as ensuring encryption keys cycle appropriately and regularly, or that multi-factor authentication (MFA) is deploying to a vital system. CSPMs also report and advise against overly permissive account settings for identities and so on.
Although CSPMs can detect publicly exposed storage buckets, they can’t provide comprehensive information on the location of sensitive data stores in the cloud environment. For example, they don’t know whether or not data should be encrypted, how long it should be in store, or who should and should not have access to it. They do not monitor cloud access to critical data or discover evidence of data leakage or exfiltration of these “crown jewels.”
An Example
The following are some examples of where CSPM and DSPM vary. One customer has a CSPM-identified publicly exposed S3 bucket, however, the bucket is expected to be publicly exposed (public by design) because it is hosting a website. However, we discover that someone internally placed highly sensitive material in this bucket by accident, which was now publicly available. A CSPM misses this because it is unaware of the data pieces contained within. A DSPM performs the job.
Alternatively, there are circumstances where the S3 bucket is not publicly accessible, but the data pieces it contains within are. Again, the infrastructure is secure, but the data may still be accessible.
The Final Words
Both CSPM and DSPM are important for organizations. They complement one another and address the various perspectives required to effectively protect multi-cloud setups. One viewpoint focuses on infrastructure, while the other offers a data-driven perspective. Both are critical components of a defense-in-depth approach. CSPM keeps invasions out of your infrastructure and DSPM protects data and reduces blast radius even after attackers have gained access.
