There are plenty of technology acronyms in the alphabet soup of the cybersecurity industry, but DSPM is the latest one leading the charge. Its recent buzz has also attracted scrutiny, and the security concepts that have been attached to it have cluttered the meaning behind data security posture management.
DSPM provides visibility into where sensitive data is located, who has access to it, how it's being used, and how the security controls and permissions are configured on the data stores or applications hosting the data. For anybody familiar with Varonis, this should ring a bell.
If we think about all these layers before the data — the firewalls, the endpoints, the gateways, etc. — this is where traditional security efforts have been focused. The firewalls, endpoints, and gateways are an obstacle for attackers to overcome and pass through, on the way to the real target — the data living in traditional data stores, and in SaaS applications.
To maintain a strong data security posture, you must protect the data where it lives. That way, if there is a failure or gap at one of those other layers, security is maintained because the core data is locked down.
So now that we’ve covered what DSPM is, let’s demystify the myths surrounding it.
Do you prefer listening to reading? Hear Mike Thompson, Security Architect Manager at Varonis, and me give the full breakdown of what DSPM is and the myths surrounding it in this recording.
Myth #1: DSPM is a completely new concept.
Truth: The concept of DSPM has been around for years.
Although DSPM is a new term, discovering and protecting sensitive data is not a new concept. However, having a name to define the methodology is helpful.
In the past, most organizations were not used to thinking with a data-first approach. DSPM, as a term, has opened new ways of thinking about security for people who maybe haven't used this approach previously.
Many DSPM vendors can show you where you have sensitive data and whether it’s at risk, but they can’t fix that data exposure.
At Varonis, discovering where sensitive data lives, mapping out the access and permissions, auditing who’s accessing the data, and then taking steps to remediate it and lock it down, has been a part of our mission from the very start.
Even if DSPM is a new term for old concepts, it helps frame the conversation and gets everyone working toward the same goal: securing valuable data.
Myth #2: DSPM is all about cloud infrastructure and DevOps.
Truth: DSPM is about data, and data is everywhere.
When looking at the current DSPM market, much of the focus is on the data that is attached to infrastructure platforms such as Azure Blob, S3, data lakes, and databases — the core back end where people build different products and solutions.
But DSPM is more than that. Certainly, the infrastructure and development are part of the methodology, but if we think about where data lives, it doesn't just live in infrastructure platforms. Some of the most critical data lives in SaaS, where users are in control, and SaaS also has a wide attack surface.
Salesforce, for example, is the back end of many different applications, from finance to healthcare and everything in between, and it’s not just used for sales. A lot of sensitive data can end up here. Users can export that data and upload it to Box, then share it with others, and this cycle continuously repeats itself.
On the traditional data storage side, think about Google Workspace, Box, or Microsoft 365. These are collaborative platforms where data ends up. But DSPM is not just about the application the data comes into; it’s also about your data’s lifecycle.
If we think about this from the DevOps side, where teams are building applications that live on this infrastructure, where does that code potentially live? The source code could live in something like GitHub, and that would be another layer needing protection in your data security posture management strategy.
When it comes to understanding the lifecycle of your data, remember these two things:
- Think critically of everywhere your data might live. At Varonis, we talk to teams who often have a narrow view of where data is located and don’t always account for what the interaction between their platforms might be. Be open-minded, and don't assume that where you think data lives is the only place it lives.
- Each platform is unique. From permissions models to auditing capabilities, the way each system is updated and maintained is very different. Salesforce, Google Workspace, and Zoom are all important applications, but they have almost nothing in common. Each has its own security challenges that need to be addressed individually.
While much of DSPM focuses on the cloud, it's also important to remember that on-prem is not going anywhere. We can't discount this in terms of your overall posture management.
The same challenges exist for on-prem, but on a different scale. The data on-prem is still massive and the permissions can potentially be complex, even if we've been living with NTFS permissions for years.
Myth #3: DSPM is all about discovery.
Truth: Discovery is only the first stage.
Discovery is at the top of everyone's mind, and rightfully so. It’s crucial to understand where your data is stored, what type of data is being stored, and how your users are interacting with it. However, that is just the first stage.
Companies have enormous amounts of data that grow larger each day. Sorting through one file at a time is not effective or realistic. Automated data discovery gives you additional context to make more informed decisions about what your security policy should look like and how you will execute it.
Without discovery, organizations can’t make decisions based on the reality of their environment. However, data discovery alone is not the goal — it is just one step and one component in the process to identify and reduce risk.
What truly matters is how you take those findings and translate them into actual risk reduction and an improved security posture. By formulating policies that your organization can execute — which won’t just live on paper — you’ll be able to keep your data under control.
To effectively choose where to focus your efforts, prioritizing the sensitivity, permissions, and activity of your data is essential. Ask questions like, “Who can access sensitive data and what can they do with it? Who’s not accessing this data? And who in the company is sharing this information outside of the company to perform their job?”
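As an added illustration, not Varonis’ code or product logic, the following Python script joins the three signals the post names (sensitivity, permissions, activity) over a constructed inventory and answers the three questions above; the paths, identities, dates and the 90-day staleness threshold are all assumptions. Its `blast_radius` function also sizes the per-identity blast radius the post refers to later.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class DataObject:
    path: str
    sensitive: bool     # classification result
    sharing: str        # link scope: "private", "org-wide" or "public"
    permitted: set      # identities whose permissions reach the object
    last_access: dict   # identity -> date of most recent audited access
    external_shares: set = field(default_factory=set)  # addresses outside the company

TODAY = date(2024, 1, 31)
STALE_AFTER = timedelta(days=90)  # a permission unused this long counts as stale

# Constructed sample inventory; the paths and identities are hypothetical.
INVENTORY = [
    DataObject("sfdc://Reports/Q4-Customer-PII.csv", True, "org-wide",
               {"alice", "bob", "carol"}, {"alice": date(2024, 1, 20)}),
    DataObject("box://Finance/payroll.xlsx", True, "private", {"alice", "dave"},
               {"alice": date(2024, 1, 29), "dave": date(2023, 9, 1)},
               {"partner@example.com"}),
    DataObject("gws://Marketing/brand-guide.pdf", False, "public", {"bob"}, {}),
]

def exposure_findings(objs, today=TODAY, stale_after=STALE_AFTER):
    """For each sensitive object: over-broad sharing, unused (stale) access,
    and sharing with addresses outside the company."""
    findings = []
    for o in objs:
        if not o.sensitive:  # non-sensitive data is not prioritised here
            continue
        if o.sharing in ("org-wide", "public"):
            findings.append((o.path, f"sensitive data shared {o.sharing}"))
        for who in sorted(o.permitted):
            last = o.last_access.get(who)
            if last is None or today - last > stale_after:
                findings.append((o.path, f"stale access: {who}"))
        for addr in sorted(o.external_shares):
            findings.append((o.path, f"shared externally with {addr}"))
    return findings

def blast_radius(objs):
    """Sensitive objects reachable per identity: what one compromised account could expose."""
    reach = {}
    for o in objs:
        if o.sensitive:
            for who in o.permitted:
                reach.setdefault(who, set()).add(o.path)
    return {who: len(paths) for who, paths in reach.items()}
```

The non-sensitive public brand guide produces no finding, while the privately shared payroll file still surfaces twice: a permission nobody has used in months and an external share.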
Myth #4: Coverage is king.
Truth: Having deep visibility helps reduce risks.
This myth is the sibling to myth #3 on discovery we covered above. Performing discovery and finding data on every conceivable platform only gets an organization so far.
While it is important to think critically about where your data lives, if you don’t have deeper visibility into the platforms and SaaS apps hosting the data, it will be difficult, if not impossible, to measure and reduce the risks around it. You don’t want to check off a box that you’re technically covering everything, when there is not any context given to help reduce risks.
There's a balance to be struck between having visibility across a lot of different areas and having the deep visibility that actually enables effective security controls.
If you don't have an in-depth layer of visibility and ways to make security actionable, you're missing the posture management side of DSPM. It’s not just about discovery. Proper security has to go further down and take the next step to secure your data beyond the surface level.
Myth #5: Workflows equal fixing problems.
Truth: Workflows often fix surface-level problems, not the root cause.
The fact that a help desk ticket is opened and closed does not mean a problem was truly solved. Workflows and plans are important, but the execution is what matters.
Workflows leave room for human error, whether it be misjudging the scenario or only fixing the symptom, not the root cause. It’s important to figure out what your process looks like and to stress-test the outcomes of the workflows you implement.
As your data grows, you’ll want to ensure your workflows take the scale of your data into account. SaaS platforms, where your data lives and is shared, are built for high levels of collaboration.
Automation can help combat threats to your data and make judgment calls when humans can’t, like shutting down access to specific files on the spot if a user’s activity is suspicious.
Varonis’ approach to DSPM
At Varonis, we’ve always been all about the data.
With sensitive information stored in numerous places and the constant uptick in collaboration amongst organizations, your blast radius is only growing. The damage a particular user could do if they were compromised or made a simple mistake keeps growing larger and larger.
Data is like water, and if you have any cracks, it will leak out. Even if you had a security team of 1,000-plus people, trouble would still be present due to human errors. Security teams need a platform dedicated to all aspects of cybersecurity, including a reliable DSPM solution.
Varonis protects your data wherever it lives, whether it is in your SaaS repositories, on-prem, private cloud repositories, infrastructure as a service, and/or structured databases. We want to make sure that you have holistic visibility across all areas because data is going to end up in all these places.
Varonis’ customizable DSPM dashboard allows organizations to easily assess their data security posture through an intuitive interface. Easily spot risks such as sensitive data exposure, misconfigurations, policy violations, suspicious data activity, stale and risky user identities, and more.
Our DSPM dashboards give you and your auditors a real-time, prioritized view of data risk and how it’s changing over time.
Our Data Security Platform not only gives you a high-level view of your risks, but our automation also fixes what it discovers. Our solution has ready-to-go remediation policies built in and uses least-privilege automation, so you can discover risks in your environment on day one and eliminate public and org-wide data exposure. Fix misconfigurations with the click of a button thanks to automated posture management.
Today’s cloud platforms have their own unique security posture challenges, including separate user identities. Varonis allows you to monitor the identities of your users in all the areas your data lives so you can spot malicious activity instantly and understand the typical behaviors in your environment.
Our Proactive Incident Response team watches your data from day one, so you can put your focus elsewhere and avoid redundant alert emails and notifications. Our analysts leverage our collective security experience and raise not just alerts, but incidents that may require investigation.
Varonis comes with ready-made remediation policies that you can personalize for your organization. You define the rules, and our robots will do the rest.
During a recent webinar, Varonis’ Mike Thompson and I outlined the exact data security strategy we’ve used with 7,000-plus CISOs and how our Data Security Platform is the top choice for organizations looking to prioritize deep data visibility, classification capabilities, and automated remediation for data success.
Watch the full session to learn more insights around DSPM and how the right solution can help improve your organization's security posture.
Ready to take action? We recommend getting started with our world-famous Data Risk Assessment to see where your environment is most at risk and strengthen your security posture.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
Kilian has a background in enterprise security engineering, as well as security solution selling. Kilian is a Certified Information Systems Security Professional (CISSP) and creates internal and public content on topics related to cybersecurity and technology best practices.