Data Security Platforms: 9 Key Capabilities and Evaluation Criteria
Published 09/19/2023
Originally published by Dig Security.
Written by Yotam Ben Ezra.
What makes a cloud data security platform?
Recent years have seen a flurry of new technologies and vendors - first in CSPM, then DSPM. Dozens of products have emerged, in addition to existing DLP vendors releasing cloud features and offerings. But do any of these tools provide comprehensive data security in the cloud?
To help you answer this question, we’ve created this guide – covering the current market landscape, key capabilities, and differentiators to look out for when evaluating data security tools. It’s based on the same learnings and conversations with the industry that have shaped our own product roadmap...
First, let’s quickly review the problem space.
Data Security in the Cloud: A New Set of Challenges
Cloud architecture and usage patterns present a unique set of security challenges.
The elasticity of cloud services enables users to spin up new data services effortlessly, which leads to sprawling environments where data continuously flows between object storage, managed services, and unmanaged databases. Since much of the infrastructure is provided by the cloud service providers (CSPs), the possibility of installing monitoring agents is inherently limited.
At the same time, data is seen as a competitive advantage. Companies collect and retain more data than ever, and ‘democratize’ access to data by giving more teams and principals access to analytics tools. While this serves important business goals, it also heightens the risk of unauthorized access to sensitive information.
These factors dictate the requirements from a data security platform: it needs to be agentless, provide robust monitoring and access governance over sensitive data, and be capable of processing vast volumes of data. Most cloud security tools will claim to tick these boxes, but things get a bit trickier when you drill down.
The State of the Cloud Data Security Market
A complete analysis of the data security market is beyond the scope of this article. However, we can delineate the following categories that are currently at play:
- Legacy DLP: Focused on protecting endpoints, networks, and traditional on-premises infrastructures. These tools are often poorly adapted to the challenges presented by cloud environments.
- CSP-native security tools: These tools are often limited by features and coverage, and would not offer the possibility to enforce the same policies and controls in other clouds, DBaaS, and SaaS.
- CSPM: A relatively new category of security solutions designed to identify misconfigurations and analyze risk in the cloud environment. CSPM tools provide visibility into the cloud infrastructure services, but are not aware of the context and content of the data itself, which makes prioritization of risks difficult.
- DSPM: Cloud-native tools that discover and classify sensitive data within cloud data stores. They scan an organization’s cloud at regular intervals (e.g., every 24 hours) and help to identify specific threats to sensitive data. However, the batch-based nature of these systems makes them prohibitively expensive for real-time threat detection.
- DDR: Building on the inventory of sensitive data provided by DSPM, DDR solutions augment them with real-time monitoring capabilities based on streaming analysis of cloud data events. This allows the tools to surface critical incidents related to sensitive data within minutes of their occurrence.
- Data privacy solutions: These tools are focused on identifying sensitive data for regulatory compliance purposes, and offer little by way of increasing security. In most cases they require agents to be installed on the asset being monitored.
Cloud Data Security Emerging Categories
| Category | Agentless | Data-Centric | Real-Time | Multi-Cloud |
| --- | --- | --- | --- | --- |
| CSP-native | ✔️ | ✔️ | ✖️ | ✖️ |
| DLP | ✖️ | ✔️ | ✔️ | ✖️ |
| CSPM | ✔️ | ✖️ | ✖️ | ✔️ |
| DSPM | ✔️ | ✔️ | ✖️ | ✔️ |
| Data Privacy | ✖️ | ✔️ | ✖️ | ✔️ |
| Data Security Platforms | ✔️ | ✔️ | ✔️ | ✔️ |
If this is beginning to sound like acronym soup, don’t worry. In the next section we’ll drill down a bit further, put some substance behind these terms, and explain what these tools actually do.
The 9 Core Capabilities for Cloud Data Security
In our conversations with enterprise buyers, we’ve identified 9 security gaps that are top of mind when it comes to cloud data – and which correspond to the required capabilities from a data security platform.
1. Sensitive data inventory
This is almost a preliminary requirement for a data security product – the ability to discover and classify sensitive data. Having an up-to-date inventory of sensitive data is the foundation of all other data security capabilities, as it contextualizes security efforts and enables enterprises to focus their time and resources on the data that poses the largest risk in case of breach.
Key considerations for data inventory include speed - the time it takes to perform an (agentless) scan of your cloud environments and detect sensitive data; scale - the ability to efficiently scan petabyte-scale datasets without impacting performance; and accuracy - identifying all relevant records (including enriched or transformed items) while minimizing false positives.
2. Posture management
Managing data posture means analyzing data risk and continuously assessing the configuration of cloud resources that store or move sensitive data, and the security controls that apply to them. The data security platform detects and flags misconfigurations, vulnerabilities, and deviations from best practices that put sensitive data at risk. It should also provide automated or semi-automated remediation paths.
3. Cloud data compliance
Compliance with standards (e.g., GDPR, HIPAA, PCI-DSS, SOC 2) is a priority for companies of all sizes, as can be seen from the rapid growth of the GRC market. Security tools address cloud data compliance by mapping sensitive data assets to relevant compliance standards, and highlighting the necessary controls such as encryption, access control, or data retention policies. They also monitor data movement to identify flows which violate residency or isolation requirements.
4. Access governance
Effective access governance ensures that sensitive information is accessible only by authorized accounts (individuals or software tools) and follows the principle of least privilege. Data security platforms reduce the risk of unauthorized access by providing visibility into user permissions, helping admins monitor and control access to sensitive data, as well as quickly identify gaps between who has access to a particular dataset versus who actually accesses it.
5. Real-time monitoring and alerting (DDR)
Businesses can’t accept a mean time to detect (MTTD) of days or weeks for a breach incident. Real-time monitoring and alerting capabilities help identify and contain attacks almost immediately. Since agent-based solutions often aren’t viable, data security platforms need to use alternative methods, such as monitoring cloud logs, to identify anomalous access patterns or suspicious behavior related to sensitive data. Swift detection enables security teams to mitigate threats more effectively.
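To make the two preceding capabilities concrete, here is an added example (not code from the original article or from any vendor) that runs the access-governance gap check from section 4 and a DDR-style log check from section 5 over constructed input. The sensitive-bucket inventory, the grant table, the CloudTrail-like read events and the internal address range are all constructed for the example.

```python
# Added example, not part of the original article. Constructed data throughout:
# a sensitive-bucket inventory, a grant table, and CloudTrail-like read events.
from collections import defaultdict

SENSITIVE_BUCKETS = {"customer-pii", "card-exports"}   # constructed classification

# Constructed grants: principal -> buckets it is allowed to read.
GRANTS = {
    "role/analytics": {"customer-pii", "card-exports", "public-assets"},
    "role/etl": {"customer-pii"},
    "user/alice": {"card-exports"},
    "user/bob": {"public-assets"},
}

# Constructed object-read events; "src" is the caller's IP taken from the log.
EVENTS = [
    {"principal": "role/analytics", "bucket": "customer-pii", "src": "10.0.1.5"},
    {"principal": "role/etl", "bucket": "customer-pii", "src": "10.0.2.9"},
    {"principal": "user/bob", "bucket": "public-assets", "src": "10.0.3.1"},
    {"principal": "user/bob", "bucket": "card-exports", "src": "203.0.113.7"},
]

def unused_sensitive_grants(grants, events, sensitive=SENSITIVE_BUCKETS):
    """Access-governance gap: sensitive buckets a principal may read but never did."""
    seen = defaultdict(set)
    for e in events:
        seen[e["principal"]].add(e["bucket"])
    gaps = {}
    for principal, buckets in grants.items():
        unused = (buckets & sensitive) - seen[principal]
        if unused:
            gaps[principal] = sorted(unused)
    return gaps

def suspicious_sensitive_reads(grants, events, sensitive=SENSITIVE_BUCKETS,
                               internal_prefix="10."):
    """DDR-style check: flag reads of sensitive buckets that have no matching
    grant or that come from outside the (constructed) internal address range."""
    alerts = []
    for e in events:
        if e["bucket"] not in sensitive:
            continue
        reasons = []
        if e["bucket"] not in grants.get(e["principal"], set()):
            reasons.append("no grant")
        if not e["src"].startswith(internal_prefix):
            reasons.append("external source")
        if reasons:
            alerts.append((e["principal"], e["bucket"], ", ".join(reasons)))
    return alerts

if __name__ == "__main__":
    print(unused_sensitive_grants(GRANTS, EVENTS))
    print(suspicious_sensitive_reads(GRANTS, EVENTS))
```

The first function yields the grants a least-privilege review would tighten; the second yields the events a real-time pipeline would alert on, which is the difference between posture and detection that the text draws.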
6. Shadow data detection
Shadow data refers to unknown, hidden, or overlooked copies of sensitive information that may not be properly secured and monitored. A data security platform detects and classifies shadow data across structured and unstructured storage – enabling security teams to address potential vulnerabilities and reduce the risks associated with unmonitored environments.
7. Malware analysis
Both internal and external users, such as partners, might need permissions to store data in a company’s cloud object storage (S3 / Azure Blob / Google Cloud Storage). For example, an automated machine learning tool might allow user input in the form of XLSX files. However, this can lead to malware-infected files being uploaded to cloud storage. The data security platform should scan existing and incoming files for known malware signatures and identify malicious files in object storage, so that they can be properly isolated and investigated.
8. Data hygiene
Enforcing best practices is key to any security strategy. In the context of sensitive data, this includes measures such as managing retention policies, redundancy measures, and backups. Data security tools help streamline this process by alerting security teams or data owners when best practices are not being followed.
9. Support for multi-cloud environments
Businesses are increasingly storing data across multiple public cloud platforms (e.g. Azure + Snowflake). To streamline operations and reduce complexity, data security platforms should allow organizations to apply the same security policies and threat modeling across multi-cloud environments. This functionality is typically missing from the native tools provided by cloud service providers.
Additional Evaluation Criteria and Differentiators
Once you’ve determined that a set of data security solutions have the key capabilities that support your use case, you’ll want to evaluate them based on the following differentiators:
Threat model
The most robust engine will not deliver on security requirements without an accurate and up-to-date threat model. Check that the solution is backed by a strong research team with a proven track record of identifying new threats to cloud environments. You’ll also want to ensure that the underlying model is continuously updated based on new attack vectors and weaknesses revealed in previous attacks.
Breadth of coverage
Determine whether the platform you’re evaluating provides comprehensive coverage across the diverse array of data stores that your organization currently uses or plans to use in the future. This can include IaaS, PaaS, and DBaaS. You should also consider the velocity at which new sources are added, and whether the team behind the platform is staying current on the latest risks and vulnerabilities associated with each data store.
Implementation
Consider the resources you’ll need to spend on implementation and the effects a security tool may have on your existing systems. A data security platform that automates the API connections and other deployment prerequisites will reduce the burden on your team. Agentless deployment is faster and minimizes the permissions required - and it’s often the only feasible option when you don’t have access to the physical servers (as is the case with most PaaS and DBaaS).
The platform should be designed to operate out-of-band and without requiring a live database connection, so that it continuously monitors your infrastructure without directly impacting your data services' performance. The ability to do so without requiring database credentials can expedite implementation and evaluation.
Security
It goes without saying that your data security platform should be… secure. Check whether any sensitive data leaves your account for scanning or classification (it shouldn’t). Verify that the vendor has the necessary certifications (ISO 27001, SOC 2 Type 2, etc.).
Integrations ecosystem
You’ll want your data security platform to integrate with other parts of your security stack. The most relevant would typically be SOAR, SIEM, and SOC solutions, as these will enable you to act on the insights surfaced by the data security tool. Integrating with your Identity Provider (IdP) helps provide a rich view of active identities for each data asset, adding a valuable context layer for making informed access decisions for sensitive data.