The best place to start is by examining why we’re likely asking the question in the first place. Quite simply, it’s because we still have a data risk problem to solve. But wait, wasn’t Data Security Posture Management (DSPM) meant to pick up where Data Loss Prevention (DLP) solutions left off? Only if you are talking about just data security. It is ‘data risk’ that we need to address, not just ‘data loss.’ Modern enterprises now operate in a highly regulated business environment where they are at risk not just from data breaches or data loss but also from how they collect, store, and use certain types of sensitive data.
Challenge
In a nutshell, the two key trends that have a direct impact on your data risk are:
1. Cloud has changed the very nature of the security perimeter. It’s everywhere and nowhere at the same time.
2. Privacy laws require us to solve new data risk problems that are nuanced and go beyond data security.
So can we use DLP, DSPM, or the two together in some configuration to solve our data risk problem? What kind of data risk coverage will that give us, and where will we be vulnerable? Before I address these questions, let’s first define DLP and DSPM.
Defining DLP and DSPM
DLP (Data Loss Prevention) protects sensitive information from accidental or intentional leakage across the enterprise data perimeter. DLP solutions monitor, detect, and control data in motion or at rest. They use content inspection to classify it and enforce the appropriate alerting or blocking policy when it’s at risk of exposure.
DSPM (Data Security Posture Management) focuses on managing an organization's overall data security posture, including monitoring and ensuring security controls and configurations. As it is a new space, there is no standardized level of content inspection or active means of protecting the data in varying circumstances.
How Do DLP and DSPM Stack Up?
As mentioned earlier, the first challenge caused by the modern cloud’s fuzzy edges confounds the data-in-motion focused design of most DLP solutions that rely on protecting a perimeter. Also, DLP solutions tend to protect data in the context of an event where data is moved or used, lacking a big-picture map of an organization’s data risk. Enter DSPM, which looks to understand your cloud data security posture rather than just cover a set of well-defined data egress routes. So far, so good.
Where DSPM falls short is in meeting the second challenge of regulatory complexity. DLP has the luxury of inspecting message by message in the context of data use and running that scenario through automated rules, which could be customized to act according to various risk scenarios. Perhaps it would redact personal information, alert on a large volume of records, or block sensitive corporate documents entirely. So DLP has the capability, to some extent, to react to different regulatory needs, but DSPM may not have that lens, depending on how it’s designed. A DSPM solution is aware of sensitive data but is focused primarily on securing it, not helping you keep it compliant.
How do we discover the nature of data risk ubiquitously across all the places that data is stored in the cloud? Without that, we can’t know whether we are dealing with very secure but toxic sensitive personal information that we should never have collected, or with realistic-looking test data used in a dev environment. And because DLP can’t comprehensively protect the scope of the modern cloud and DSPM has less awareness of data content and context, how do we accurately report to our board what’s at risk, along with a targeted action plan to fix it? It becomes evident that without a data discovery and intelligence layer to power our defense-in-depth strategy, our posture management might just be posturing.
I propose that we really need data intelligence that comes from discovering where all the sensitive information is stored and building an accurate, content-aware compliance (and security) profile describing it. With this knowledge, we can monitor, report, and even proactively protect against a wide variety of data risks, both security and compliance. The surface area of cloud services and regulations combined is too large to protect without a root understanding of what’s worth protecting and why. Divebell was created to address this very challenge.
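To make the two ideas above concrete, the discovery-and-profiling layer described in this paragraph and the content-aware rule actions (redact personal information, alert on volume, block marked corporate documents) from the earlier DLP discussion, here is a small added example. It is not Divebell’s code or any product’s API; the bucket names, file contents, regex detectors, the “-dev-” naming convention used to infer environment, the volume threshold, and the extra “review” outcome for realistic-looking test data in a dev environment are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample objects standing in for files discovered in cloud storage.
# Bucket names and contents are invented for this example.
SAMPLE_OBJECTS = {
    "s3://acme-prod-exports/customers.csv": (
        "name,email,ssn\n"
        "Alice Example,alice@example.com,123-45-6789\n"
        "Bob Example,bob@example.com,987-65-4321\n"
    ),
    "s3://acme-dev-fixtures/test_users.csv": (
        "name,email,ssn\n"
        "Test User,test@example.com,111-22-3333\n"
    ),
    "gs://acme-board-docs/strategy.txt": (
        "CONFIDENTIAL - internal strategy memo, do not distribute.\n"
    ),
    "s3://acme-app-logs/app.log": "2024-01-01T00:00:00Z INFO service started\n",
}

# Content detectors: each maps a sensitive-data category to a (deliberately simple) regex.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential_marking": re.compile(r"\bCONFIDENTIAL\b"),
}
PERSONAL_CATEGORIES = {"email", "ssn"}


@dataclass
class Profile:
    """Content-aware profile of one stored object: where it is, which environment, what it holds."""
    location: str
    environment: str
    counts: dict  # category -> number of matches


def environment_of(location: str) -> str:
    # Hypothetical naming convention: "-dev-" in the bucket name marks a non-production store.
    return "dev" if "-dev-" in location else "prod"


def classify(content: str) -> dict:
    """Count matches per sensitive-data category; categories with no hits are omitted."""
    return {name: len(rx.findall(content)) for name, rx in DETECTORS.items() if rx.search(content)}


def discover(objects: dict) -> list:
    """Scan every object and build a profile for each one that contains sensitive content."""
    profiles = []
    for location, content in objects.items():
        counts = classify(content)
        if counts:
            profiles.append(Profile(location, environment_of(location), counts))
    return profiles


def decide(profile: Profile, volume_threshold: int = 100) -> str:
    """Map a profile to an action: block, review, alert, redact, or allow."""
    has_personal = any(c in profile.counts for c in PERSONAL_CATEGORIES)
    if "confidential_marking" in profile.counts:
        return "block"          # marked corporate document: block entirely
    if has_personal and profile.environment == "dev":
        return "review"         # personal data in dev: real data or realistic fixtures? human decides
    if profile.counts.get("ssn", 0) >= volume_threshold:
        return "alert"          # large volume of records: raise an alert
    if has_personal:
        return "redact"         # small amount of personal data: redact it
    return "allow"


def redact(content: str) -> str:
    """Replace personal identifiers with fixed markers (SSNs first, then emails)."""
    out = DETECTORS["ssn"].sub("[SSN REDACTED]", content)
    return DETECTORS["email"].sub("[EMAIL REDACTED]", out)


def run(objects: dict = SAMPLE_OBJECTS) -> dict:
    """Return {location: action} for every object that holds sensitive content."""
    return {p.location: decide(p) for p in discover(objects)}


if __name__ == "__main__":
    for p in discover(SAMPLE_OBJECTS):
        print(f"{p.location} [{p.environment}] {p.counts} -> {decide(p)}")
```

The point of the structure is that the policy (`decide`) never sees raw content; it acts only on the profile that discovery produced, so the same inventory can drive a board-level report, a compliance check (personal data where it should not be), and an enforcement action. Real deployments would replace the regexes with proper classifiers and the naming convention with tags from the cloud provider’s inventory APIs.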
Conclusion
To truly handle data risk and address the gaps left by DSPM and DLP, we need a solution with the holistic, cloud-oriented lens of DSPM, the understanding of data content and active protection measures that DLP provides, plus an understanding of modern data compliance needs. If acronyms wear you out, well, you can simply call it Cloud Data Discovery and Protection. It’s a tall order, but cloud data APIs are more standardized and scalable than ever before, and protection controls are standard in many data repositories, allowing us to scan for sensitive content and direct it to be protected effectively and efficiently. I am optimistic that even though the data risk landscape keeps getting broader and more complex, we have the tools to design a solution that brings data risk under control.
Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.