In today’s post, we’ll look at one of the hottest areas in the Information Security market, Data Security Posture Management (DSPM), through three questions:
Where do DSPM tools fit in Cloud Security?
Do we really need another *PM?
What is the likely long run future of the DSPM space?
1) Where do DSPM tools fit in Cloud Security?
Cloud security tools have three main goals:
adding defensive capabilities for cloud to account for the new types of assets that orgs have there
augmenting what the cloud native providers can offer
operating across multiple clouds
The largest success story so far in the Cloud market has been CSPM tools, which offer perimeter defense plus threat vector analysis. CSPM tools are a good example of Cloud pushing the envelope in what is possible in security over and above traditional legacy security tools. In the case of CSPM, the tools take a traditional perimeter/edge defensive mentality and make it more powerful by adding attack vectors and deeper inspection of the attacker graph against the assets.
This outside-in approach, then, is an evolution of the traditional DMZ model that Infosec teams have relied upon for decades. Where DSPM adds value is that it begins not with the edge but with the data assets. This is a revolutionary step forward for defenders because now there are capabilities both for defending outside-in and inside-out.
2) Do we really need another *PM?
We’re starting to see a crush of Posture Management tools for cloud, applications, identity, and so on, which risks blurring the lines of what is really going on here. It is fair to ask: are these targeted, focused tools tuned to a specific problem or domain? Or are some catch-all grab bags?
To try to answer this, start with the basics: coverage and efficacy. CSPM tools came into prominence by giving defender teams attacker graphs overlain on asset defense, making a way to address the age-old problem, “Defenders think in lists, attackers think in graphs.” So this is clearly a step forward in deeper coverage of assets and more effective controls. Will the other *PM tools be able to perform similarly? My guess is that some will succeed and some will simply repackage existing grab bags as *PM tools. The latter is just security marketecture and will not add value.
Rather than coronating a new App/Identity/Data Posture Management as the new exciting area, each of the new *PM tools should be judged on its own merits to see if it is adding value. Some early DSPMs simply took existing CSPM findings (e.g. broken TLS) and labeled them as DSPM. There is no value add in this approach, and in fact it hinders security teams by adding cost, time, and complexity.
3) What is the likely long run future of the DSPM space?
DSPM tools have potential value add for security teams. Since the beginning of DMZ patterns, most security teams have thought about and designed/planned for outside-in controls. This is rational as a starting point, but as attackers get more sophisticated, defenders need to think beyond the edge.
Because DSPM starts with the data assets first, DSPMs can offer things a CSPM (or other security tools) cannot, such as data classification, scanning, and control mapping. The huge raft of security controls that live on endpoints, networks, and apps are all leveraged in the service of defending data. Why not try to also put a better defensive posture on the asset itself?
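As an added illustration of the outside-in versus inside-out distinction (and of lists versus graphs), not code from the original post: a toy Python model in which the CSPM-style check walks the attacker graph from the internet edge, while the DSPM-style check starts at each classified data store and maps its controls. The asset graph, classification labels and control names are constructed placeholders.

```python
"""Toy posture model: outside-in (CSPM-style) vs inside-out (DSPM-style) checks.
Constructed example; the graph, classifications and control names are hypothetical."""
from collections import deque

# Directed edges: who can reach what. "internet" is the outside-in starting point.
EDGES = {
    "internet": ["web-lb"],
    "web-lb": ["api-svc"],
    "api-svc": ["orders-db", "cache"],
    "batch-job": ["hr-bucket", "orders-db"],  # internal job, not internet-reachable
}

# Data-level facts a DSPM-style scan gathers: classification plus controls actually applied.
DATA_ASSETS = {
    "orders-db": {"class": "PII", "controls": {"encrypted_at_rest", "access_logging"}},
    "hr-bucket": {"class": "PII", "controls": {"access_logging"}},
    "cache": {"class": "public", "controls": set()},
}

# Control mapping (hypothetical): which controls each sensitive classification requires.
REQUIRED = {"PII": {"encrypted_at_rest", "access_logging", "backup_restricted"}}


def reachable_from(start, edges=EDGES):
    """Breadth-first walk of the attacker graph: everything reachable from `start`."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def outside_in_findings(edges=EDGES, data=DATA_ASSETS):
    """CSPM view: sensitive stores that sit on some path from the internet edge."""
    exposed = reachable_from("internet", edges)
    return sorted(a for a in exposed if data.get(a, {}).get("class") == "PII")


def inside_out_findings(data=DATA_ASSETS, required=REQUIRED):
    """DSPM view: start at each classified store and list the controls it is missing,
    whether or not any edge path reaches it."""
    gaps = {a: required.get(i["class"], set()) - i["controls"] for a, i in data.items()}
    return {a: sorted(m) for a, m in gaps.items() if m}


def complement_view(edges=EDGES, data=DATA_ASSETS, required=REQUIRED):
    """Both views together: each control gap tagged with whether the store is edge-reachable."""
    exposed = reachable_from("internet", edges)
    return {a: {"missing": m, "internet_reachable": a in exposed}
            for a, m in inside_out_findings(data, required).items()}
```

In this constructed environment the outside-in walk only ever sees orders-db, while the inside-out check also surfaces the unencrypted hr-bucket that no internet path reaches.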
Over the last 5-6 years, CSPM established a major market by proving step changes in coverage and efficacy for outside-in defense capability. Now is the time for DSPM to show whether it can deliver differentiated inside-out improvements through deeper data-level visibility and control mapping at scale. When this is successful, DSPMs become a complement to existing controls in one of the most valuable places to defend.
But even when this is the case, any Infosec team knows there is a cost to every pane of glass in the form of an operational tail. Do people want another tool? Another vendor? Another team? Jim Barksdale said, “there are only two business models on the Internet, bundling and unbundling.”
There are probably two likely outcomes in this space. One is that CSPM tools subsume DSPMs and offer them as a bundle. The other is that we are at the beginning of a step change toward data/asset-centric security.
I enjoyed reading this, especially as it's the data (app, business and operational) that really matters. Where do you see AISPMs, starting to emerge now as marketecture, intersecting with DSPM solutions as they evolve? Are AI data security needs sufficiently differentiated to require another *PM beyond DSPM?
Thank you for the post. I agree that there is very much the need for another *PM in this case, but for a different reason. On-prem Data Loss Prevention (DLP) tools do not work in public cloud. The cloud service providers are now deploying the initial data discovery and classification tools to meet some of the customer demand, but the tools are nascent. And there are two other capabilities DLP provided: endpoint protection and 'extrusion detection'. The former may not be necessary depending upon a customer's cloud operational model, and the latter, 'extrusion detection', is the ability to detect where data is moving, and if it is moving out of your environment. This latter aspect is a very hard technical challenge, one which requires more than traditional network approaches to solve, and one which Cloud Access Security Brokers (CASB) cannot tackle. There is a need for a full complement of DLP tooling in public cloud (IaaS, PaaS) and DSPM is the closest solution set to address those challenges; the customer need is present _today_, and this is likely where the market heads IMO.
One aspect you did not fully flesh out: the cloud vendors' attention stops with the data and applications you bring to cloud. Cloud is a shared security model, yes, but the customer must own all aspects of data protection. This is evident in the lack of security capabilities on applications, workloads and data, which is more the customer's responsibility. And customers have on-prem tools that do this today that do not translate to cloud, so they are looking for 3rd party help in data security and data security management capabilities.
Will CSPM subsume DSPM? Likely over time, yes. It's a much bigger market, has a ten (yes, 10) year head start on DSPM, and CSPM vendors will fold in as a competitive differentiator. And CSPM will continue to offer value above the cloud vendors in terms of -- as you mentioned -- multi-cloud security posture consistency, independent verification a cloud platform is configured as it should be, and filling security gaps when platform vendors have prioritized new features over reducing risks with current capabilities.
Good post!