As companies generate massive amounts of data daily, they increasingly turn to multiple cloud platforms, such as AWS, Azure, and Google Cloud, to store essential data and enable collaboration across their organization. However, this flexibility comes with inherent risk.
Just like with SaaS environments, the biggest target in IaaS environments is always data, requiring organizations to protect sensitive data perfectly every time. At the same time, a threat actor just needs to be right once.
No matter where it lives, your data is always at risk — and data is where the damage happens.
Although standard security tools offer some protection, they often fall short of keeping sensitive information secure. Native solutions tend to be siloed and only address one part of the infrastructure, resulting in disparate security controls.
Infrastructure tools are a helpful protection layer but lack data context, making it difficult to know what is at risk and who the actors are. And passive data security posture management (DSPM) solutions provide limited context, offering static risk analysis that can help spot potential issues but don't actively protect your sensitive data.
In this post, we’ll show you the gaps you need to be aware of when evaluating a DSPM solution, why IaaS automation is so crucial, and how you can prepare your org for the future of DSPM.
The challenges of passive DSPM solutions
Passive DSPM tools identify where your sensitive data is stored but do not provide steps for correcting issues or preventing data breaches. Instead, they generate a list of thousands of potential vulnerabilities without context to discern whether someone is exploiting a vulnerability.
IT and security teams must then make sense of this extensive list, reviewing each file, object, and database individually to determine what needs immediate attention and how to fix the issues manually. In the world of rapid cloud growth, this quickly outpaces what can be reasonably accomplished with manual effort alone.
Sample scanning
Most passive DSPM vendors rely on sample classification. Although this may be suitable for databases — once you've scanned a few hundred or thousand rows, you may not need to scan the next million rows to understand the data — object storage and elastic block storage are different beasts altogether. Sensitive data can be located anywhere, and it’s crucial that you have a complete picture of these environments.
When trying to turn sampling into a full scan, most passive DSPMs take weeks or even months to finish, but having a months-old scan won’t satisfy most auditors or CISOs.
Additionally, scanning a small set of objects and then using that information to extrapolate what's in the next five petabytes is risky because, as we mentioned before, an attacker only needs to be right once.
Accurate classification
Another characteristic you want to consider when choosing a DSPM vendor is accuracy. Having to weed through false positives and negatives can be frustrating, which is why mileage matters. Varonis has been classifying data since the early 2000s, and our methodology of pattern matching, regular expressions, and advanced techniques has been refined over time to ensure accuracy.
While some newer technologies rely solely on machine learning, we have found that ML can be a black box that produces inaccurate results, leaving customers with no way to remediate issues. Machine learning may be helpful in handling novel data types, but when it comes to sensitive data, a more tried and true approach is needed.
Moving from passive to active DSPM
The future of cloud data security lies in being proactive.
Active DSPM solutions don't just flag risks; they take steps to address them. While knowing where your sensitive is located is an important first step, it’s critical to move beyond just an inventory or catalog of sensitive data to detect active threats, right-size permissions, and auto-remediate vulnerabilities.
Only by using automation and actively remediating issues can your cloud environment become safer over time.
There is often hesitation associated with automating changes in IaaS for fear of disrupting critical workloads. However, many risks can be remediated automatically with low impact to the business; you’ll want to automate those policies with high-security value and zero business impact.
A leader in DSPM
Varonis goes beyond just identifying risks to actively protecting sensitive data. Our incident response team works directly with our customers around the clock, our forensics team performs malware reversing and forensic analysis, and our research team constantly produces new threat research.
This knowledge helps us answer questions such as, “Is there a data breach going on? Is this a security incident, or has data been affected?” Additionally, our MDDR (Managed Data Detection and Response) service offers an industry-leading SLA of 30 minutes for ransomware and 120 minutes for all other attacks.
Although DSPM is a newer term, Varonis has practiced data security posture management since our inception. Contact your Varonis representative to learn more about improving your DSPM, or see Varonis in action by scheduling your 30-minute demo.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.
