Data Security Posture Management vs Cloud Security Posture Management

Originally published by Sentra here.

It was only a few years ago that we thought ‘Cloud Security Posture Management’ was going to bring the ultimate level of security to the cloud. But we’re already discovering that while CSPM is doing a good job of finding infrastructure vulnerabilities, data breaches are still a regular occurrence for cloud first organizations. And that’s where Data Security Posture Management (DSPM) comes in.

DSPM is a category worth getting excited about and it represents a ‘business-first’ approach to cloud security. This blog will explain why.

What is Cloud Security Posture Management (CSPM)?

CSPM tools are built to secure cloud infrastructures - including IaaS, PaaS, and SaaS architectures. Misconfigurations, vulnerabilities, and basic compliance violations are identified across an organization's cloud, and alerts are generated for their SOC team members to sift through, prioritize and remediate. Most CSPMs also offer some sort of basic data discovery tools, such as discovering credit card or social security numbers.

The size of organizations’ cloud infrastructures coupled with the difficulty of finding experienced cloud security professionals has driven adoption of CSPM across most cloud-first organizations and led to an increased focus on automation and remediation of cloud infrastructure vulnerabilities. But despite additions and upgrades, CSPM essentially remains a misconfiguration detection tool for cloud infrastructure.

So what’s missing from your average CSPM? Context.

Let’s say you find a number of misconfigured cloud resources. A CSPM won’t be able to tell you what data is actually at risk. It’s data agnostic. It also won’t know what security posture it’s supposed to have - who’s the data’s original owner and who is supposed to have access to it. The result is that now you need to spend time sifting through your alerts, finding the critical data at risk.

What is Data Security Posture Management (DSPM)?

It’s this missing context that DSPM has been developed to provide. Unlike data agnostic CSPM, DSPM acknowledges the new reality that because not all data is equally valuable, they don’t all need the same security posture. But the problem DSPM solves goes beyond discovery and classification of cloud data. In order to provide actionable insights (and not just be yet another ‘alert generating security tool’), it’s not enough to find unsecured data. DSPMs can also leverage Machine Learning to understand what its data security posture is supposed to be.

Data in the cloud doesn’t stay in one place indefinitely. Data stores are continuously being replicated and moved throughout the public cloud. Data travels. But the security posture doesn’t follow the data to its new location. So if sensitive data is moved to a lower environment, it now has a weaker security posture - even though the data itself is still just as sensitive as it was before!

If an asset with sensitive data is replicated in a lower environment, a DSPM tool will not only send an alert, it will let you know how to match the security posture of the original environment and who the data’s owner is. This way, you spend less time sifting through logs trying to find out who owns the data and how exactly it's meant to be secured. Another key difference from CSPM is that as opposed to finding cloud infrastructure vulnerabilities, DSPM goes a step further and identifies data vulnerabilities. These can include:

• Exposed PII
• Exposed developer secrets, including company source code
• Privileged data that’s been replicated in a lower environment with an inappropriate security posture.

Next let's look at how they reduce the attack surface of an organization’s public cloud. CSPM reduces the infrastructure’s attack surface by helping remediate misconfigurations and vulnerabilities. In theory, this results in fewer attack paths which could lead to damaging breaches. DSPM also reduces the attack surface - but the way it accomplishes this is by reducing the risk from vulnerable and valuable data. For example, DSPM can ensure PCI data stays in a specific VPC, so attack paths can be reduced to a single VPC only. This way, even if there is an infrastructure breach, the valuable data has the right security posture and cannot be leaked.

Finally, DSPMs can also see where CSPMs can’t - including data stores like RDS instances or cloud-native databases. And of course, it needs to work at huge scales - think petabytes, not terabytes - without breaking your cloud bill. Using smart metadata clustering, these scans can provide the total visibility security teams need at a fraction of the cost of scanning every bit of data in your cloud.

On a technical level, there’s already a significant difference between the two solutions. But at its core, it's a difference of cloud security philosophy. Relying exclusively on protecting the cloud infrastructure is essentially taking ‘on-prem era’ security approaches and trying to shoehorn it into the cloud era. When everything was on-prem, security was about protecting the infrastructure by defending the perimeter. After all, if threats were stopped at the perimeter, the data was safe.

But as the cliche says, ‘in the cloud there is no perimeter’. Data is constantly being created, replicated, and moved throughout the cloud. Trying to ‘copy/paste’ from the previous era is natural, and partly effective. But it’s time to acknowledge the fact that what we’re defending isn’t a network. It’s not the ‘network’ that malicious actors are after. It’s the data. So why are we still obsessed with infrastructure? DSPM is the solution that recognizes this new paradigm.