DSPM buyer’s guide: Top 12 data security posture management tools

How-To | 02 Apr 2024 | 14 mins
Data and Information Security | Enterprise Buyer’s Guides | Risk Management

DSPM tools help security teams to look at the entire data environment and find shadow data, reducing the risk of data loss


Data security posture management (DSPM) explained


Tracking down sensitive data across your cloud estate can be vexing. By its very nature, cloud computing is dynamic and ephemeral. Cloud data is easily created, deleted, or moved around. Correspondingly, the cloud attack surface area is equally dynamic, making protection measures more difficult. Over the past few years, DSPM tools have been developed to discover both known and unknown data, provide structure, and manage the security and privacy risks of potential data exposure.


In this buyer’s guide

  • Data security posture management (DSPM) explained
  • What to look for in data security posture management (DSPM) tools
  • Leading vendors for data security posture management (DSPM)

“This is important, so enterprise security managers can look at their entire data estate and identify where threats originate and locate and reduce riskier behaviors,” said Paul Stringfellow, an analyst with GigaOm Research who has studied the genre.

If this sounds familiar, you might mistakenly think this is just another attempt to segment the data loss protection (DLP) marketplace. However, DSPM tools are not your father’s (or mother’s, for that matter) DLP: They don’t wait for data to be stolen or exported but take a more comprehensive view of where data lives and who can reach it.

Part of the problem is that, as Gartner reports, “traditional data security products have an insufficient view to discover previously unknown, undiscovered, or unidentified data repositories, and they fail to consistently discover sensitive data.”

Another issue is that data usage can be messy: many businesses have numerous silos of different applications, let alone different security applications, that don’t necessarily put protecting this data front and center. They don’t always have consistent protections either as data spreads across clouds and applications.

DSPM is supposed to be the locator function. Fixing the problems that it finds is really the province of a whole collection of older security tools with various acronyms, such as security orchestration, automation, and response (SOAR), security information and event management (SIEM), cloud-native application protection platforms (CNAPPs), and the like. Some of the DSPM vendors either integrate or incorporate these “fix-it” tools with their products. All are pricey. Plan on spending at least $100,000 annually.

The enemy targeted by DSPM tools is called “shadow data”: data created by developers or backup processes, or old repositories that are outdated and left lurking in some long-forgotten cloud container, unmaintained and unaccounted for.

The goal of DSPM products is to seek out and find this shadow data and also complement the more expansive cloud security posture management (CSPM) tools. But instead of focusing on protecting cloud infrastructures, DSPM tools look exclusively at the role of data and how it is consumed by various cloud services.

Take as an example the 2022 case of a Pegasus Airline developer who misconfigured the settings of an AWS storage container, exposing millions of personal data files. A DSPM tool could have detected this exposure so it could be secured properly, because it provides context about what the container holds and who can access it. In many cases, the two types of tools are sold by some of the same vendors and complement each other.

DSPM tools have caught on quickly: As late as 2022, Gartner found a minuscule market penetration of less than 1% across its clientele. Gartner is now predicting the DSPM market to increase to “beyond 20% in coming years due to the urgent requirements to identify and locate previously unknown data repositories and to mitigate associated security and privacy risks.”

What to look for in data security posture management (DSPM) tools

DSPM tools require a significant amount of staffing resources to evaluate because they touch on so many different aspects of an enterprise’s IT infrastructure. And that is a good thing, because you want them to seek out and find data no matter under what digital rock it could be hiding. So having a plan that prioritizes which data is most important will help focus your evaluation. It also helps to document how each DSPM creates its data map and how to interpret it and the subsequent dashboards. Finally, you should understand the specific cloud services that are covered and which ones are on the vendor’s near-term product roadmap.

DSPM products are focused on finding your data, no matter where it might reside and whether these locations are well documented or unstructured, or are the shadow data repositories that were initially created by departmental teams outside IT’s purview, left to fester or be forgotten.

How each vendor describes where it goes looking for data is instructive. Every vendor supports some visibility into some of the cloud data repositories of Amazon Web Services, Google Cloud, and Microsoft Azure. But that doesn’t mean that they cover every service offered by each of the cloud providers that deals with data. For example, AWS has its S3 storage, Relational Database Service, Redshift’s cloud data warehouse, Athena serverless SQL queries, and ElasticSearch managed data services, among several other places that operate on data. DSPM provider Securiti takes pains to delineate which services are covered in each cloud platform, but other DSPM providers are not as transparent. Varonis, for example, uses a “universal data connector” that can seek out a wider range of structured data destinations, both cloud-based and on-premises.

Some of the vendors acknowledge cloud services that they don’t support. Sentra doesn’t cover data stored by Azure Synapse Analytics; Symmetry doesn’t handle any mainframe databases or cover data stored by ServiceNow and Salesforce; and Wiz doesn’t support data stored in Databricks, AWS’s Redshift, or on Azure SQL servers with Transparent Data Encryption enabled with a customer-managed key. Again, this is a very dynamic situation, as vendors are continually adding coverage areas as their customers demand them.

But tracking down data is just the beginning of the DSPM process. Once found, it has to be cataloged, evaluated, and summarized in various dashboards. That could be tricky if done without tight security controls, which is why most DSPM vendors claim that “customer data always stays within the customer’s environment.” This typically means collecting metadata, rather than the actual data itself, using read-only access to the apps, services, and database structures. Vendors refer to this as “agentless” or “using API access.” This approach has the advantage of being able to scan huge volumes of data quickly to understand the nature of its usage and potential risk factors.

Once data is discovered and its metadata collected, the next step is to perform regular scans to see what changes have been made: Has data been copied to some dark corner of your cloud estate? Has someone just changed access rights to allow for greater or insecure access? These tools provide a single point of view across all the various cloud and on-premises data locations. The key word here is “regular.” Scans have default periods (such as daily or weekly) and can be triggered when new data repositories are found.
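The two steps above (an agentless, read-only metadata inventory and a regular rescan that diffs the new inventory against the last one) are easy to picture in code. The following is an added illustration written for this guide, not code from any of the vendors discussed: the data stores, owner tags, content samples and the small set of regex classifiers are all constructed, and the stale-age threshold is an assumption. It records per-repository metadata, flags repositories that appeared since the last scan, repositories whose access rights flipped from private to public, unowned stale repositories (the shadow-data pattern), and sensitive findings in exposed or unencrypted stores.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DataStore:
    """Metadata a read-only, agentless collector would record per repository (constructed)."""
    name: str
    service: str                  # constructed label, e.g. "s3", "rds", "blob"
    public: bool                  # access policy permits anonymous or broad read
    encrypted: bool
    owner: Optional[str]          # owner tag; None means nobody has claimed it
    last_modified: date
    sample: str = ""              # small content sample used only for classification


# Illustrative classifiers; real products ship hundreds of these.
CLASSIFIERS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card-like": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}


def luhn_valid(number: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(sample: str) -> set:
    """Return the set of classifier labels that fire on a content sample."""
    labels = set()
    for label, pattern in CLASSIFIERS.items():
        for match in pattern.finditer(sample):
            if label == "card-like" and not luhn_valid(match.group()):
                continue
            labels.add(label)
    return labels


def diff_scans(previous, current, today: date, stale_days: int = 180) -> dict:
    """Compare two inventories and report what a DSPM dashboard would raise."""
    prev = {s.name: s for s in previous}
    curr = {s.name: s for s in current}
    findings = {
        "new": sorted(set(curr) - set(prev)),          # candidates for shadow data
        "removed": sorted(set(prev) - set(curr)),
        "now_public": [],                               # access rights loosened
        "shadow": [],                                   # unowned and stale
        "sensitive_exposed": [],                        # sensitive + public/unencrypted
    }
    for name, store in curr.items():
        old = prev.get(name)
        if old is not None and not old.public and store.public:
            findings["now_public"].append(name)
        if store.owner is None and (today - store.last_modified).days >= stale_days:
            findings["shadow"].append(name)
        labels = classify(store.sample)
        if labels and (store.public or not store.encrypted):
            findings["sensitive_exposed"].append((name, sorted(labels)))
    return findings


# Constructed inventories: yesterday's scan and today's scan.
PREVIOUS_SCAN = [
    DataStore("payments-prod-db", "rds", False, True, "team=payments", date(2024, 3, 20), "order 1042 total 19.99"),
    DataStore("marketing-assets", "s3", True, True, "team=marketing", date(2024, 1, 5), "banner.png logo.svg"),
    DataStore("customer-exports", "s3", False, True, "team=analytics", date(2024, 3, 1), "alice@example.com,4111 1111 1111 1111"),
]
CURRENT_SCAN = [
    PREVIOUS_SCAN[0],
    PREVIOUS_SCAN[1],
    # same export bucket, but someone opened it up
    DataStore("customer-exports", "s3", True, True, "team=analytics", date(2024, 3, 25), "alice@example.com,4111 1111 1111 1111"),
    # a forgotten, unowned, unencrypted developer backup that nobody inventoried
    DataStore("dev-backup-2023-07", "blob", False, False, None, date(2023, 7, 14), "bob@example.com,123-45-6789"),
]


def run_example() -> dict:
    return diff_scans(PREVIOUS_SCAN, CURRENT_SCAN, today=date(2024, 4, 2))


if __name__ == "__main__":
    for kind, items in run_example().items():
        print(f"{kind}: {items}")
```

Note that nothing here reads a full object; the collector keeps only metadata plus a small sample, which is what vendors mean when they say customer data stays in the customer's environment. The "now_public" check is the answer to the "has someone changed access rights" question above, and "shadow" is the unowned, long-untouched repository the text describes.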

Another aspect of searching for data is how data is consumed in your production environment, including data pipelines, lakes, and warehouses. This can involve creating data maps to classify this landscape as well as facilitating audits to enumerate who has access to which data resource and under what specific circumstances it was shared across your enterprise. Maps are not just pretty pictures but important visualizations that often show, for example, where shadow data was abandoned.

On top of all these activities there is the entire field of data governance. This means these products assign risk levels and apply consistent security policies to manage your entire data collection, and work with other security tools to enforce these policies and remediate problems.

Each DSPM tool has several components, including agents and agentless collectors (useful for tracking on-premises data), a centralized management dashboard, scanners that detect and prioritize data collections, maps of data lineage and usage, and compliance assessments.

Most vendors offer their DSPM product in one or both of two wider contexts: integrated with third-party security services (such as offered by Securiti and Wiz) or as part of their own security product portfolio with other add-on modules that include identity management, cloud management, detection and response, and log analysis tools (Cyera, Palo Alto Networks, Varonis, and Wiz).

The specifics of these integrations are worth examining, as some vendors such as Varonis and Palo Alto Networks have wider support, while others such as IBM and Normalyze are more limited or just getting around to implementing them. Understanding the scope, the integration level, what other protective features are included, and which are available at an extra cost will take some effort.

Products can be deployed as a complete SaaS cloud-based solution, run from on-premises servers or private virtual machines, or in some combination.

Finally, there is the issue of pricing. Few vendors were willing to share this information, indicating that prices are flexible and depend on numerous factors. However, numerous vendors offer annual subscriptions on either or both the Amazon and Azure marketplaces, which typically start at $30,000 but can quickly move into six figures. The summary table in the vendor section shows the various products and services offered, with links to the marketplace subscriptions where available.

Leading vendors for data security posture management (DSPM)

The market space of DSPM is evolving quickly. Most of these products didn’t exist a few years ago, and vendors are adding features, integrating with other security tools, and forming various alliances with each other. And the acquisitions have begun: In 2023, IBM acquired Polar Security, Palo Alto Networks acquired Dig, and Rubrik acquired Laminar Security. Certainly, more such unions are to be expected.

Based on our own research and research from Gartner, GigaOm, IDC, and other analyst firms, we’ve identified a dozen DSPM tool providers worth investigating. We also contacted three vendors for this article that did not respond to our inquiries, so they are not detailed here: Flow Security, Rubrik, and Theom.

DSPM vendors in summary

Vendor             | Product                           | DDR* companion product | Security products integration | Data classifiers  | Marketplace pricing link
Concentric         | Semantic Intelligence             | Yes                    | 30+                           | 160+              | -
Cyera              | Data Security                     | Limited                | 12+                           | 500+              | AWS
Eureka Security    | Eureka Data Discovery             | Yes                    | 12+                           | Info not provided | AWS
Normalyze          | Cloud Platform                    | Limited                | 12+                           | Info not provided | -
OneTrust           | Privacy and Data Governance Cloud | Limited                | Numerous                      | 200+              | -
Palo Alto Networks | Prisma Cloud DSPM                 | Yes                    | Numerous                      | 100+              | -
IBM                | Guardium Insights SaaS DSPM       | No                     | Limited                       | Info not provided | AWS
Securiti           | Data Command Center DSPM          | Yes                    | Numerous                      | 350               | -
Sentra             | Cloud Native Data Security        | Yes                    | Numerous                      | 250+              | AWS
Symmetry Systems   | DataGuard DSPM                    | Yes                    | 12+                           | 60+               | AWS
Varonis            | Data Security                     | Yes                    | Numerous                      | 100+              | AWS, Azure
Wiz                | DSPM with Advanced License        | Yes                    | 60+                           | 110               | AWS

*DDR: data detection and remediation

Concentric Semantic Intelligence: Concentric combines DSPM with threat detection, integrates with a variety of security tools, and covers both unstructured and structured data, with deep coverage of AWS services.

Cyera Data Security Platform: Cyera’s platform has a network module for scanning on-premises files and has integrations with Netskope, various specialized data catalogs (such as Collibra, DataHub, and Secoda), Splunk, Tines, and Wiz. It has a very actionable series of dashboards.

Eureka Data Discovery: Eureka combines DSPM with threat detection and integrates with data lakes and warehouses like Atlas, Salesforce, ServiceNow, Snowflake, and Jira-based ticketing systems. By default, new data is scanned within 24 hours while existing data is scanned for changes every 14 days.

IBM Security Guardium Insights SaaS DSPM: IBM acquired Polar Security in 2023 and is still incorporating it into its full Security Guardium security product. It only scans cloud data, and there are preset sensitive data definitions.

Normalyze Cloud Platform: Normalyze scans both cloud and on-premises data sources and does include auto-remediation when identifying misconfigurations. It integrates out-of-the-box with SOAR, third-party ticketing, and notification and automation platforms including Atlassian Jira, ServiceNow, and Slack.

OneTrust Privacy and Data Governance Cloud: OneTrust can scan more than 200 different data sources across both cloud and on-premises, but it doesn’t identify user account-level access. It integrates directly with Databricks and Snowflake to orchestrate dynamic access controls, as well as with other security tools such as data catalogs, DLP, and ITSM.

Palo Alto Networks Prisma Cloud DSPM: Prisma integrates with SIEM, workflow and ticketing solutions, and single sign-on (SSO). It comes with more than 100 prebuilt data classifiers. It supports Microsoft 365, Snowflake, and on-premises file shares. Palo Alto Networks acquired Dig Security in 2023 and incorporated it into the Prisma product.

Securiti Data Command Center DSPM: Data Command Center adds a variety of breach and compliance management features to its tool, and it supports data streaming technologies such as Confluent, Google PubSub, Kafka, and Kinesis. It comes with 350 content classifiers that support multiple languages along with more than a thousand predefined detection rules. It integrates with a wide collection of cloud-native security services, cloud access security brokers (CASBs), CNAPPs, CSPMs, cloud infrastructure entitlement management (CIEM) systems, DLP systems, intrusion detection systems (IDSs), Kubernetes security posture management (KSPM) systems, SIEM systems, and compliance tools.

Sentra Cloud Native Data Security Platform: Sentra has deep support for most of the variety of cloud computing services along with support for containers and virtual machines. It has its own data detection and response (DDR) tool for near real-time detection and a series of very actionable dashboards. It integrates with data management (Coralogix, DataDog, and DataHub), email, ITSM (Jira, PagerDuty, and ServiceNow), CNAPP (Wiz), collaboration (Atlan, Azure Boards, Monday.com, Slack, and Teams), IAM (Active Directory and Okta), incident response (Seemplicity), SIEM (Splunk), and on-premises file shares.

Symmetry Systems DataGuard DSPM: DataGuard has text-heavy dashboards as well as an add-on policy enforcement module. It integrates with a wide collection of security tools including SIEM (Chronicle SIEM, LogRhythm, Securonix, Splunk, and SumoLogic), SOAR (Google Chronicle, Microsoft Sentinel, Prisma Cortex XSOAR, and Tines), ticketing systems (Jira and ServiceNow), and notification systems (PagerDuty and Slack).

Varonis Data Security: Varonis has been in the data security business for more than a decade and provides integrations with SIEM (like Splunk), SOAR (like Palo Alto XSOAR), firewalls, VPNs, web proxies, DNS services, Active Directory, Entra ID, Microsoft Purview Information Protection, and Okta.

Wiz for DSPM with Advanced License: Wiz offers two licensing plans, but the full collection of DSPM features is available only on its more expensive Advanced plan. Wiz adds a lightweight agent called Runtime Sensor for detection and response. In addition to the usual cloud data sources, it also scans a variety of on-premises databases, such as MongoDB, MySQL, and PostgreSQL, as well as their cloud versions. Wiz also integrates with more than 60 security products.
