
Are DSPMs up to the challenge of the moment? A short look back and forward

DSPMs are all grown up, but are they mature enough for the moment? In their very short lives, they’ve come a long way. A brief look back at where DSPMs came from and where they need to head next.


In 2025, time spent finding new ways to describe the threat landscape is time wasted, so we won’t try. Evolving, dynamic, escalating, complex: pick your favorite adjective. Things are hectic for most risk, security, and compliance teams, and they don’t tend to be optimistic about the future.

And while the tools are definitely getting smarter, attackers have access to the same tech, so the stalemate continues. Attackers innovate and succeed; defenders learn and win the next battle. Attackers regroup, reinvent themselves, and succeed again, and the cycle continues. It’s not really bad news; it’s more like no news at all.




At the same time, what we can control are the platforms, point solutions, and best practices we bring to the hard work of protecting an organization’s assets. This includes users and their productivity, system access and availability, and assets. This last item includes data, which for many organizations is now the most critical — and attacked — asset of all.


Internal risk isn’t only about problematic users, but also about mostly productive tools.


Since perimeter security began to collapse almost 20 years ago, alongside the rise of software-defined networks and applications, the average security stack has become very robust. While we can debate whether reported averages like 70 are accurate, we know leaders are definitely focused on consolidation.


An adjacent problem, of course, is that installing tools is much easier than switching. Security solutions, in particular, can become deeply embedded in the business, with numerous other tools and best practices connected to a specific solution, sometimes leading to a very dangerous inertia. However, that’s not the only potential risk.


  • Organizations are dealing with too many vendors and too many solutions, and they’re rapidly trying to consolidate. However, in the meantime, you will likely notice gaps and overlaps in tooling. While the risk of gaps feels obvious, redundancy brings its own risks, including fragmentation of credentials.

  • Even a robust technology stack can be incomplete in the face of novel risks, new tactics, or significant changes in the business. Even as organizations consolidate around their favorite vendors, they remain unsure about their capabilities, with a shocking 1 in 4 being less than confident.

  • This incompleteness can create highly efficient, yet isolated, islands of automation, where the future is unevenly distributed. The 2024 SANS SOAR report found most orgs lacked both the budget and expertise to expand.


These are all risks generated by using too many tools, the wrong tools, or tools that do not work exactly as described. Sometimes, as they say, the call is coming from inside the house.


These are especially dangerous trends if we’re talking about protecting data


Despite the current hype, businesses were using data to transform themselves long before the advent of GenAI. Much of the attention is now being paid to data security posture management (DSPM) solutions, which are built to strengthen and streamline how organizations protect sensitive information.


While the category is only about three years old, what a childhood. It was created to focus on data inside the larger cloud security posture management (CSPM) space. Spiceworks described its goal in 2022 as connecting ‘data, applications, and identities to provide a comprehensive picture of a company’s security posture’.


DSPMs identified where sensitive data was and which users or applications had access to it in the public cloud. As technology and business needs evolved, DSPMs expanded from their initial cloud compliance roots to include on-premises and edge environments, offering more features and integrating with additional services. All this without even mentioning AI.


Familiar woes with new outcomes

Ultimately, in just three years, that elegant DSPM paradigm has become yet another robust platform, and we’re back to looking at some (not all) of the same challenges we already toured. 

The good news is that the relative newness of the space means organizations are smartly choosing large consolidated platforms from the start. This (mostly) solves the challenges of integrating across tech generations or vendors, as well as providing them with access to AI and ML capabilities they don’t have to build themselves.


At the same time, DSPMs are still not everything security teams need them to be, nor are they everything the business needs them to be, especially now.

  • Even with the rapid adoption of DSPM, a rather shocking 87% of respondents to this survey reported that they still found their data discovery and classification tools to be lacking. This means DSPM platforms aren’t even delivering on the basics.

  • A slightly smaller but still significant number (60%) still don’t feel confident in responding to data exposures, even with all their tooling in place. This means they’re running way slower than attackers.


Together, the challenges speak to a lack of completeness in the current DSPM paradigm. Even with all the connectivity and integration of discovery and classification tools, organizations are still unable to find all their sensitive data. And, most importantly, they’re struggling to protect the data they have.

  • They need better ways of identifying sensitive data across the entire environment, regardless of its location. 

  • They need smarter, speedier ways of protecting the sensitive data they have, especially as it moves across and between environments and user workflows.


So what happens next to DSPMs and their customers? Do we already need a new acronym?


What’s next: DSPMs have to get much better (and a little bigger)

The challenges surrounding data discovery, analysis, and classification are being addressed with smarter, more robust engines that can ingest an increasingly diverse range of file types, particularly for unstructured data. This is where AI and ML are particularly helpful in enhancing the next generation of DSPMs in their core capabilities.


It’s also where AI and ML create a real sense of urgency. Businesses are exploring new sources of data and connecting teams and workflows across organizational boundaries. Data protection should create freedom, not friction, for AI builders and users. As new AI data pipelines and MLOps platforms get built, data classification and protection get more urgent than ever.


The need to transition from discovery to remediation poses a greater challenge for “read-only” DSPM platforms. How do you secure sensitive information? How do you respond if sensitive information is breached or an attempt is made? Will that become part of the next generation of DSPMs, or will data protection remain a separate piece of the puzzle?


Like the DSPM classification gap, the AI moment puts these weaknesses in sharper focus:

  • Organizations need to be able to quickly build, scale, and evolve their operations. Data classification and protection must keep pace.

  • The demand for data will increase across the organization, and everyone will want it now.

  • Regulators and underwriters are also expecting more. They’ll want to understand how every system that touches sensitive data is protected. 


DSPM customers are also at a crossroads. Do they wait for their favorite DSPM provider to catch up to business needs? Is it time to bolt something on? Are there other options?


Two paths to a better DSPM: Confidencial's selective encryption makes the difference either way


Confidencial has been building for the next generation of DSPMs since the category dropped. 


Since the product’s origins at DARPA and SRI, tightly integrating discovery and protection has been core to our product development. Our platform is built around market-leading classifiers that go beyond standard compliance frameworks to search your unstructured data for all the secrets and protected data types you’re worried about.


But while most DSPMs work at the file level, Confidencial’s selective encryption enables organizations to granularly protect their most valuable information at the field or data-object level, while leaving the rest of the file unprotected. This means that a single file containing both sensitive and non-sensitive data can be more precisely protected.

  • Teams with the right access will access the whole file, sensitive information included

  • Teams without that access can access the file, but not encrypted sensitive data fields or objects


All of this encryption and decryption can be managed via role-based access controls (RBAC), which tightly integrate with the data governance decisions made during the discovery and classification phase. 


The result is the kind of automated protection you can’t get from most off-the-shelf DSPM solutions. As new data sources and files come online, access is managed via policy, not a million point solutions.


Not just smarter protection, but more persistent


Finally, it’s essential to recognize that relying solely on encryption at rest is another concept that needs to be revisited and revised, particularly in light of the ongoing prevalence of insider threats and the heightened attention to third-party risk. If it’s your data, why not embed protection that persists, even once it leaves your environment?


Confidencial’s selective, client-side encryption does just that. Because the granular encryption and policy decisions are embedded in a file's metadata, they remain with the file even as it leaves the environment, with all that RBAC-backed policy in place.


Already love your DSPM? Plug Confidencial selective encryption into your platform


Everybody loves defense in depth. If you already have a DSPM in place and are mostly satisfied with discovery, but want to integrate protection, Confidencial can add a powerful layer of integrated, embedded, and automated selective encryption to your protection platform.

  • No worries about ripping and replacing your data protection system of record

  • Get more value from the hard work security and compliance teams have already done

  • Protect your sensitive data no matter where it travels, in and out of AI pipelines

No matter which path you take to a next-generation DSPM, put selective encryption to work protecting what matters most.


No matter which DSPM you’re using, when it comes to encryption, selective is effective. Learn more about what Confidencial can do for you.






 
 
 
