According to Gartner’s State of Cloud Data Security Report 2023, a whopping 77% of organizations experienced a cloud data breach in the past year. The fact that 60% of enterprise data is cloud-based makes this issue even more alarming.
Data security starts with discovering and knowing exactly what data the company owns and where it resides. However, as data explodes in volume and becomes ubiquitous, spread across complex multi-cloud, edge, and local environments, shadow data has become a major concern. It refers to hidden or unknown data and files that an organization lacks visibility into and, therefore, cannot formally manage or track.
The quest to secure data where it lives has led to the evolution of different data security approaches and solutions. For decades, organizations have relied on Data Loss Prevention (DLP) tools to prevent unwarranted data exfiltration. However, security professionals are now leaning more towards Data Security Posture Management (DSPM). So, is DSPM the ultimate silver bullet for data security? Or, are we still on the lookout for a next-gen data security solution – a new acronym in the cybersecurity alphabet soup?
In this blog, we discuss:
The factors behind the slump in DLP.
If DSPM lives up to the hype.
The next trends on the data security horizon.
Traditional DLP Must Evolve
Traditionally, DLP products continuously monitor and analyze data activity across networks, endpoints, and email. Such products identify sensitive content in data streams (as opposed to data stores), understand the context of data use and transmission, and detect suspicious activities or policy violations based on that contextual awareness. If DLP detects something unusual, it can, depending on predefined policies, block the data transfer (disruptive when the detection is a false positive), quarantine the data, and alert security personnel to take further action.
Overall, DLP implements a reactive approach to data security and springs into action only when a data transmission event occurs. Anyone with access to the system (e.g., insiders) can manipulate the data it holds unless other access control measures are in place. At the same time, the notoriously high rate of DLP false positives can obstruct legitimate data exchanges. Essentially, DLP prioritizes data confidentiality over integrity and availability, both of which are also key pillars of data security.
DLP’s woes are exacerbated as more and more data is accessed, manipulated, and shared within the cloud. Users no longer need to rely on email transmissions and network activity – users and applications can access and manipulate data without network uploads and downloads. Besides, the ubiquitous nature of cloud architectures means that sensitive data could be anywhere, leaving gaping holes in a DLP that is hyper-fixated on network flows.
It also doesn’t help that the prevalence of encryption and obfuscation techniques has made DLP inspections more complex and resource-intensive (if even possible), to the point that the cost of DLP implementation, operations, and maintenance has become unviable for SMBs struggling with limited security budgets. For enterprises capable of splurging, DLP’s inability to keep pace with the sheer volume and rapid exchange of unstructured data, combined with the high false positive rates, is becoming a deterrent.
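To make the mechanics of this section concrete, here is an added example of my own (not code from any DLP product or from this post's author) of a stream-side inspection point: it runs content detectors over one outbound transmission, validates card-number matches with a Luhn check so that a 16-digit order reference does not become one of the false positives discussed above, and maps the hits to the block, quarantine, and alert actions a policy prescribes. The detector patterns, channel names, policy rules, and sample messages are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Action is what the inspection point does with a transmission that matches policy.
type Action string

const (
	Allow      Action = "allow"
	Alert      Action = "alert"
	Quarantine Action = "quarantine"
	Block      Action = "block"
)

// Most severe matching rule wins.
var severity = map[Action]int{Allow: 0, Alert: 1, Quarantine: 2, Block: 3}

// Detector is a content pattern plus an optional validator that discards
// matches which cannot be real data (the card detector runs a Luhn check).
type Detector struct{ Name string; Pattern *regexp.Regexp; Validate func(string) bool }

// Rule maps detector hits on a channel to an action; "*" means any channel.
type Rule struct{ Detector, Channel string; MinHits int; Action Action }

// Event is one outbound transmission seen in a data stream (e-mail, upload, USB).
type Event struct{ Channel, Body string }

// Verdict is the chosen action plus the rules that fired, for the alert.
type Verdict struct{ Action Action; Reasons []string }

// luhnValid checks the Luhn check digit, so 16-digit order or invoice
// references are no longer reported as card numbers.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Constructed detectors for the example.
var detectors = []Detector{
	{"credit-card", regexp.MustCompile(`\b(?:\d[ -]?){15}\d\b`), luhnValid},
	{"us-ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), nil},
	{"confidential-marker", regexp.MustCompile(`(?i)\bconfidential\b`), nil},
}

// Constructed policy: card and SSN data never leave on any channel; a file
// marked confidential is quarantined on web upload but only alerted on e-mail.
var rules = []Rule{
	{"credit-card", "*", 1, Block},
	{"us-ssn", "*", 1, Block},
	{"confidential-marker", "web-upload", 1, Quarantine},
	{"confidential-marker", "email", 1, Alert},
}

// Inspect counts validated hits per detector and applies the most severe
// rule whose channel and hit threshold match the event.
func Inspect(e Event) Verdict {
	hits := map[string]int{}
	for _, d := range detectors {
		for _, m := range d.Pattern.FindAllString(e.Body, -1) {
			if d.Validate == nil || d.Validate(m) {
				hits[d.Name]++
			}
		}
	}
	v := Verdict{Action: Allow}
	for _, r := range rules {
		if hits[r.Detector] < r.MinHits || (r.Channel != "*" && r.Channel != e.Channel) {
			continue
		}
		v.Reasons = append(v.Reasons, fmt.Sprintf("%s x%d via %s", r.Detector, hits[r.Detector], e.Channel))
		if severity[r.Action] > severity[v.Action] {
			v.Action = r.Action
		}
	}
	return v
}

func main() {
	for _, e := range []Event{ // constructed samples; the order reference fails Luhn
		{"email", "Card on file: 4111 1111 1111 1111"},
		{"email", "Order ref 1234 5678 9012 3456 has shipped"},
		{"web-upload", "CONFIDENTIAL: FY25 roadmap.pdf"},
	} {
		v := Inspect(e)
		fmt.Printf("%-10s -> %-10s %v\n", e.Channel, v.Action, v.Reasons)
	}
}
```

The validator is where the false-positive rate is actually controlled: the regex alone flags both messages in the sample as card data, while the Luhn check lets the shipping notice through and blocks only the genuine card number. Note that the same message marked "confidential" is handled differently per channel, which is the kind of context awareness the section describes.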
DSPM’s Hype Cycle and the Breaking Points
So far, DSPM has primarily been about data identification, discovery, and classification, and in some cases about properly managing access control to that data. DSPM platforms help organizations understand where their sensitive data resides across on-premises, hybrid, and multi-cloud environments and remote devices. They identify who has access to such data and whether it is being used as intended, providing the holistic picture security professionals need to assess and manage their data landscape.
Beyond uncovering obscure data stores, DSPM highlights the security and access policy flaws and misconfigurations within data handling practices. It helps identify risks and prioritize them based on the likelihood of exploitation and the potential damage they can cause. These insights help security teams with strategic security planning, decision-making, and resource optimization.
Overall, DSPM offers visibility into shadow data and provides the framework for managing and strengthening the data security posture. That’s as far as most current DSPM solutions go. However, data discovery isn’t the ultimate goal for data-centric security – it’s only the first step. What actually matters is how organizations translate the insights from DSPM to reduce risk and improve their data security posture. Ideally, DSPM should integrate governance enforcement and risk mitigation capabilities.
This gap creates the need for a next-generation DSPM with real-time monitoring and analytics to provide a detailed overview of all data movement and usage patterns, no matter where the data goes. In addition, it must offer real-time, proactive intervention capabilities, such as:
Automatically enforcing granular data controls as soon as data is created or ingested.
Allowing admins to instantly revoke access directly from the DSPM console when needed.
Confidencial’s Approach to Next-Generation Proactive DSPM
Confidencial’s automated, proactive data protection and built-in cryptographically enforced access control are best described as a next-generation proactive DSPM. In line with traditional DSPM, Confidencial’s solution still performs the expected steps:
Proactively scans unstructured data across clouds, on-premises systems, SaaS, various platforms, and remote devices.
Identifies and classifies sensitive data in documents and other files into classes such as sensitive, confidential, internal, and public, doing so at the object level and with subclasses that clarify the exact nature of the data.
That’s not all. It then surpasses traditional DSPM by performing the following:
Enforces advanced cryptographic controls at the document, paragraph, or data-field level, as desired.
Embeds cryptographic access controls within the file’s metadata for lifelong protection and to ensure consistent protection wherever such files are moved or transferred.
Maintains detailed logs of access and key usage for data and document traceability.
Allows admins to revoke access from any location, device, or user at any time, even if such files and documents have moved outside the organization’s domain.
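The mechanics behind the four points above can be sketched in code. The following is an added illustration of my own; it is not Confidencial's code (which this post does not show) and does not describe its internals. It models object-level protection with a per-document AES-GCM key held by an organization-controlled key service, so that a copy of the file that has moved anywhere can still be cut off by revoking the grant, and every key use, refusal, or integrity failure is logged. All names (KeyService, Protect, Open, Revoke), the field classes, and the sample document are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Class is the classification label attached to each object in a document.
type Class string

const Public, Confidential Class = "public", "confidential"

// Field is one classified object; after Protect a confidential Value holds
// base64(nonce || AES-GCM ciphertext) instead of plaintext.
type Field struct{ Class Class; Value string }

// Document is the file; its ID travels with every copy and ties it to the key service.
type Document struct {
	ID     string
	Fields map[string]Field
}

// AccessEvent is one line of the access and key-usage log.
type AccessEvent struct{ DocID, User, Action, Result string }

// KeyService is a hypothetical organization-held key registry. A key is used only
// for users with a current grant, so revoking a grant cuts off every copy of the
// file, including copies that already left the organization.
type KeyService struct {
	keys   map[string]cipher.AEAD     // docID -> per-document AES-GCM key
	grants map[string]map[string]bool // docID -> user -> granted
	Log    []AccessEvent
}

func NewKeyService() *KeyService {
	return &KeyService{keys: map[string]cipher.AEAD{}, grants: map[string]map[string]bool{}}
}

func (ks *KeyService) record(doc, user, action, result string) {
	ks.Log = append(ks.Log, AccessEvent{doc, user, action, result})
}

// Protect encrypts each confidential field under a fresh per-document key, binding
// document ID and field name as associated data so ciphertext cannot be moved
// between fields, then registers the key and the initial grants.
func (ks *KeyService) Protect(doc *Document, users ...string) {
	key := make([]byte, 32)
	rand.Read(key)                  // crypto/rand never returns an error (Go 1.24+)
	block, _ := aes.NewCipher(key)  // fixed 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block size: cannot fail
	for name, f := range doc.Fields {
		if f.Class != Confidential {
			continue
		}
		nonce := make([]byte, aead.NonceSize())
		rand.Read(nonce)
		ct := aead.Seal(nil, nonce, []byte(f.Value), []byte(doc.ID+"/"+name))
		doc.Fields[name] = Field{Confidential, base64.StdEncoding.EncodeToString(append(nonce, ct...))}
	}
	ks.keys[doc.ID], ks.grants[doc.ID] = aead, map[string]bool{}
	for _, u := range users {
		ks.grants[doc.ID][u] = true
	}
	ks.record(doc.ID, "admin", "protect", "ok")
}

// Revoke deletes a grant; no copy of the file needs to be touched.
func (ks *KeyService) Revoke(docID, user string) {
	delete(ks.grants[docID], user)
	ks.record(docID, user, "revoke", "ok")
}

// Open returns one field in plaintext. Public fields carry no armor and are readable
// by anyone holding the file; confidential fields need a current grant, and every
// key use, refusal, or integrity failure is logged.
func (ks *KeyService) Open(doc *Document, user, name string) (string, error) {
	f := doc.Fields[name]
	if f.Class != Confidential {
		return f.Value, nil
	}
	if !ks.grants[doc.ID][user] {
		ks.record(doc.ID, user, "read:"+name, "denied")
		return "", errors.New("access denied")
	}
	aead := ks.keys[doc.ID]
	raw, err := base64.StdEncoding.DecodeString(f.Value)
	if ns := aead.NonceSize(); err == nil && len(raw) >= ns {
		if pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(doc.ID+"/"+name)); err == nil {
			ks.record(doc.ID, user, "read:"+name, "ok")
			return string(pt), nil
		}
	}
	ks.record(doc.ID, user, "read:"+name, "tampered")
	return "", errors.New("field failed integrity check")
}

func main() {
	ks := NewKeyService()
	doc := &Document{ID: "doc-42", Fields: map[string]Field{ // constructed sample
		"title": {Public, "Q3 vendor contract"}, "iban": {Confidential, "DE89 3704 0044 0532 0130 00"}}}
	ks.Protect(doc, "alice")
	fmt.Println(ks.Open(doc, "alice", "iban"))
	ks.Revoke(doc.ID, "alice")
	fmt.Println(ks.Open(doc, "alice", "iban")) // same file, grant gone
	fmt.Printf("%+v\n", ks.Log)
}
```

Two design points carry the security argument. First, the data key never lives in the file, so copying the file outside the organization copies only ciphertext plus a document ID, and revocation is a change in the key service rather than a chase after copies. Second, AES-GCM gives integrity as well as confidentiality, and the associated data binds each ciphertext to its document and field, so a swapped or edited field is logged as tampered instead of being silently decrypted. A production service would additionally authenticate the caller before consulting grants and would wrap the data key per user rather than hold it in memory; both are outside the scope of this sketch.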
Confidencial's approach can be viewed as providing individual armor for data objects rather than simply protecting the castle walls that house the data. Even if the data accidentally or maliciously lands in the wrong hands, unauthorized users will not be able to access its sensitive parts. Detailed activity logs allow organizations to prove exactly what was accessed in accidental-leak scenarios. When integrated with workflow applications and collaboration platforms, Confidencial can ensure that protection is embedded within documents from the moment they are generated and through all subsequent shares and collaborations.
Confidencial adds a protection and monitoring factor to DSPM’s data discovery and classification, effectively creating a next-gen DSPM. It basically offers what DLP and DSPM hope to achieve combined, but even better. It’s proactive DLP and next-gen DSPM in one.
Don’t believe us? See for yourself and schedule a live demo today.