Data Security Posture Management (DSPM): Best Practices Guide for CISOs

Originally published by Varonis.

Written by Rob Sobers.

Protecting your company's data is increasingly difficult, as more and more data is created across your organization.

You're doing everything you can to prevent breaches, or if you're less fortunate, you've had a data breach and need to work out how it happened.

On top of that, you've got laws and regulations to comply with. Both broader laws like GDPR, as well as regulations specific to your area (CCPA) or industry (HIPAA).

This is why it's so important to have the right tools in place to make this as easy as possible for you.

And a good DSPM can solve a lot of these problems!

What is DSPM?

DSPM (Data Security Posture Management) as a concept isn't new, but the acronym is. Here is Gartner's definition:

"Data security posture management (DSPM) provides visibility as to where sensitive data is, who has access to that data, how it has been used and what the security posture of the data store or application is."

Often referred to as data risk assessment or data risk analysis, the goal is to get a clear picture of how secure your data is and eliminate data exposure where possible.

Is your data posture weak or strong? Why is it weak or strong? What can be improved?

But for many DSPM tools, visibility is where they stop.

A good DSPM tool not only identifies issues, like where sensitive data is exposed, but can also automatically remediate that exposure and actively protect you from breaches.

In this blog, we'll cover:

• What DSPM means
• Why it's important to use a DSPM tool
• What to consider when choosing a DSPM

By the end of this article, you'll understand what DSPM tools do and what features to look for when choosing your solution.

Breaches and compliance

Organizations are rapidly adopting DSPM solutions for three main reasons:

Breach avoidance

As a CISO, it's your responsibility to not only protect against breaches, but also report back to management exactly how you're protecting the company.

This applies just the same if you're a SOC analyst or in a GRC role within your company. You need to reassure the stakeholders that you've got everything under control.

But this is an uphill battle. Your users are creating more data all the time, and with cloud collaboration and sharing, your data security posture is getting worse, not better.

If an employee decides to go rogue, and grab sensitive data out of Microsoft 365, how would you know? Or if an attacker compromises a user or system, would you have an audit trail to identify what data was affected?

There are two sides of breach avoidance that are important to consider:

• How can I quickly detect suspicious behavior that could lead to a data breach?
• If the network is compromised (or maybe the bad actor is an insider), how can we limit the damage?

DSPM solutions should help you with data-activity monitoring that will help you detect a breach early, and also provide access control capabilities that can help you proactively limit the damage a bad actor could do.

Post-breach

When a breach happens, you need to be able to answer a few key questions:

• How did it happen?
• What was stolen?
• How can we prevent it from happening again?

And the last thing you want to hear when you're in the middle of an incident is "I don't know" to any of those questions.

Even the best investigators in the world need the right visibility. The best DSPM solutions will have an audit trail across both cloud and on-prem data to give you the fullest picture of what happened.

Compliance

Another vital reason for using a DSPM tool is to both ensure compliance and prove it.

From GDPR to the SEC, every company has data laws and regulations they have to adhere to, and many of those regulations break down to: knowing where sensitive data is, limiting who can access it, and monitoring it for threats. Sound familiar?

You're not just answerable to management here, either. Auditors will come in and expect to see you're making progress, and prove you know where all your customer data is.

For example, healthcare organizations have to carry out frequent HIPAA audits, making sure their sensitive data is only accessible to the right people.

Failure to do so can have catastrophic ramifications, with HIPAA penalties reaching as high as $16 million.

Whatever the regulation, DSPM can be a critical component to complying.

Picking the right DSPM

Considering the significant impact these three things could have on your company, it's clear that it's not just important to use a DSPM tool, but it's also vital to choose the right DSPM solution.

There are three dimensions of data your DSPM tool needs to address:

1. Sensitivity
2. Permissions
3. Activity

If any of these are missing, it’s hard to make much progress with securing data, and it becomes impossible to automate.

As more DSPM tools pop up, though, there are several key areas to look at, which will help you make the right decision.

Coverage

One of the first things you need to consider is where your organization has the highest concentrations of sensitive data and where that data is most exposed. For many organizations, this can be Microsoft 365, Box, Google Drive, GitHub, etc.

But it's not quite that simple. You also need to look at how deep that coverage goes.

Many DSPM tools go a mile wide with coverage, but only an inch deep with functionality. For example, a solution might support Box for data classification but if it can’t also monitor Box for threats, it won't help you very much.

Accuracy

This might sound obvious, but if a DSPM tool surfaces findings that aren't accurate, it can do more harm than good.

For example, if a DSPM tool audited Google Drive and reported that a certain file held patient records, but on further inspection it didn't, you'd lose trust. And without this trust, you have to spot-check the results, which defeats the point.

Accuracy is also a big factor when you're dealing with alerts.

If alerts are triggering incorrectly, you'll soon have alert fatigue. Like the boy who cried wolf.

Some DSPM vendors will only offer threshold-based alerts, which are rife with false positives. Instead, look for a DSPM vendor who can learn and baseline normal behavior and trigger alerts based on abnormal activity.

It’s definitely a bonus if the vendor also offers support for tuning alerts to ensure you’re optimizing signal-to-noise ratio.

Scale

There's a huge difference between auditing a terabyte of storage at a startup and Bank of America's six petabytes of data.

This is why scale is such an important factor and can cause a lot of problems if the DSPM tool isn't built for it.

If you're running classification or permission scans on huge amounts of data, it needs to reliably cover everything. But if the scan can't finish for whatever reason, you end up with only half the picture, and half the protection.

Remediation

The point of finding these issues in the first place is to resolve them, so you want a DSPM tool that actually helps you do this.

Built-in remediation means issues can be resolved at the push of a button, or sometimes even without any action at all. Unfortunately, not all DSPM tools give you these remediation capabilities.

You don’t want your DSPM solution to just surface findings — you want them to be able to fix the problems they find, too.

In closing

For any organization prioritizing data security, DSPM is a concept to pay attention to.

Picking the right DSPM solution can prevent breaches, help you investigate incidents quickly, and ensure you're meeting increasingly stringent regulations.