What to Look for in a DSPM Solution
Guest post by Katrina Thompson, Data Privacy Writer
As organizations increasingly shift to cloud and hybrid environments, securing sensitive data across complex infrastructures has become a critical challenge. In this guest post, data privacy expert Katrina Thompson breaks down the essential features to look for when evaluating Data Security Posture Management (DSPM) solutions – a rapidly growing market projected to reach $175 billion by 2031. Drawing from her extensive experience writing for leading security publications, Thompson offers practical guidance for choosing a DSPM platform that provides comprehensive data protection across your entire ecosystem.
Data Security Posture Management (DSPM) solutions are everywhere these days. Projected to grow to nearly $175 billion by 2031, the global DSPM market boasts a compound annual growth rate (CAGR) of 9.23% and dozens of vendors (despite the fact that it accounted for less than one percent of the market across Gartner clientele as late as 2022).
With this breakneck growth and a myriad of different options out there in terms of techniques and capabilities, the road to choosing the right DSPM solution for you can be a confusing one.
Here are some facts to help you make your choice.
What is DSPM?
First things first. If you still haven’t heard of data security posture management, here is a crash course.
Gartner notes that DSPM “provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data stored or application is.” But isn’t that what all of my fancy cloud tools are supposed to do, you ask? Perhaps, but not in the same ways DSPM does it.
The main value add of DSPM is that it tracks and protects the data itself—not just the areas in which it is stored or the methods by which it is transferred. It can find data anywhere—even shadow and dark data—classify it, enforce policies around it, and show you where it’s been (and who has had their hands in it). That last part, known as data lineage, tracks the data’s journey from origin to its ultimate destination.
However, because the cement still hasn’t hardened in the DSPM industry, a lot is still in flux, and different vendors offer different things. Here are a few things that set the best apart:
Coverage across your specific environment(s)
DSPM can work across any environment, including cloud, remote, hybrid, on-premises, and multi-cloud. However, DSPM tools are not created equal. At this point, some DSPM vendors limit their capabilities to the large IaaS platforms only: GCP, Azure, and AWS.
Make sure to vet your DSPM candidates for the ability to perform data scans (and subsequent classification and mitigation) across all critical domains. Think of where your data resides: email servers, SaaS platforms, cloud storage repositories, and on-premises pathways where files are shared. If you want a complete picture of all your data and where it hides, look for a DSPM solution that doesn’t limit itself to a few cloud platforms.
Robust integration capabilities
Another area in which not all DSPM vendors are alike is in how they approach implementation. Some integrate with third-party security services, and some come as part of their own security portfolios.
When you’re doing your DSPM shopping, see how far these integrations go and what they cover before diving in. While some offer widespread support for existing tools, others do not. The ones that come as part of a pre-packaged portfolio will usually have additional add-ons, which you may want to consider (anything from identity management to log analysis and detection and response).
The ability to transcend data detection alone
Data privacy and governance do not a DSPM vendor make. When you want the complete DSPM package, you want a solution that not only rambles over every environment, scanning for hidden instances of data – but one that does something about it.
The “fully-loaded” DSPM experience – no, expectation – is that it not only identifies instances of data throughout your enterprise but classifies it, assigns security policies based on risk, provides you with an overview of your data’s journey (data lineage), and in certain cases, even autonomously protects it. A solution that only catalogs data is just a catalog. The right DSPM solution should do something: lifting a large part of the data security burden off your team and providing a higher level of security for your sensitive information.
Comprehensive scanning
One of the double-edged swords of AI-based technologies is that sometimes vendors can sneak under the radar and provide ‘guesstimates’ of your data status based on predictive sampling. If you want a quick idea of how to prioritize your fixes, that may be fine. But if you’re worried about complying with data privacy codes, every instance of sensitive data that is discovered apart from where it should be is another violation – and, likely, a fine.
Look for a DSPM solution that scans all your data, not just samples. That scan must be thorough and cover all your environments as well. As data security firm Cyberhaven notes, “This process is facilitated by integrations with all cloud service providers…involves scanning diverse cloud data storage locations and data flows to create a comprehensive inventory of data, ensuring that no data is overlooked, especially in complex multi-cloud setups.”
Heuristics are useful for drawing preliminary conclusions but not for maintaining confidence in an audit—especially when you still have hundreds of terabytes of data that haven’t been examined closely. It’s called shadow data for a reason, and a DSPM tool that leaves stones unturned in the search for all data is defaulting on one of its primary selling points—the ability to find all sensitive information anywhere and keep it safe.
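To make the sampling-versus-full-scan point concrete, here is an added Python illustration that is not part of the original post and is not any vendor's product. A toy classifier (an email pattern, a US-SSN-shaped pattern, and a payment-card pattern validated with the Luhn checksum; all three detectors are simplified assumptions, not a production rule set) runs over a constructed inventory of objects spread across several storage locations, then compares a scan of every object with a scan that only samples every Nth object. The locations, object names and contents are all made up for the example.

```python
"""Toy DSPM-style scan: classify every stored object, then measure what an
every-Nth-object sample misses. Added illustration only; not vendor code."""
import re
from collections import Counter

# Constructed inventory for the example: (location, object name, content).
# None of these buckets, shares, addresses or numbers are real.
INVENTORY = [
    ("aws-s3://finance-bucket", "invoices-2023.csv", "customer,email\nAcme,billing@example.com"),
    ("azure-blob://hr-share", "payroll.txt", "card 4539 1488 0343 6467 on file"),
    ("gcs://analytics", "events.log", "page_view /home 200"),
    ("smb://onprem-share", "old-export.bak", "ssn 123-45-6789 retained"),
    ("saas://crm", "notes.txt", "follow up next week"),
    ("mail://archive", "thread-42.eml", "contact me at jane.doe@example.org"),
    ("aws-s3://data-lake", "orders.txt", "ref 4539 1488 0343 6468"),  # fails Luhn: not a card
    ("smb://onprem-share", "backup.csv", "ops@example.net,4539 1488 0343 6467"),
]

# Simplified detectors (assumptions for the example, not a complete rule set).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN shape only
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")         # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters phone numbers and IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> set:
    """Return the set of sensitivity labels found in one object's content."""
    labels = set()
    if EMAIL_RE.search(content):
        labels.add("email")
    if SSN_RE.search(content):
        labels.add("us-ssn")
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("payment-card")
            break
    return labels


def scan(inventory) -> dict:
    """Full scan: {(location, name): labels} for every object holding sensitive data."""
    findings = {}
    for location, name, content in inventory:
        labels = classify(content)
        if labels:
            findings[(location, name)] = labels
    return findings


def sampled_scan(inventory, every_nth: int) -> dict:
    """What a 'predictive sampling' style scan sees: only every Nth object."""
    return scan(inventory[::every_nth])


def coverage_gap(full: dict, sampled: dict) -> list:
    """Sensitive objects the sampled scan never examined (sorted for stable output)."""
    return sorted(set(full) - set(sampled))


def summarize(findings: dict):
    """Per-label and per-location counts, the shape of a DSPM inventory report."""
    by_label = Counter(label for labels in findings.values() for label in labels)
    by_location = Counter(location for location, _ in findings)
    return by_label, by_location


if __name__ == "__main__":
    full = scan(INVENTORY)
    sampled = sampled_scan(INVENTORY, 2)
    by_label, by_location = summarize(full)
    print("full scan, objects per label:", dict(by_label))
    print("full scan, objects per location:", dict(by_location))
    print("sensitive objects missed by every-2nd sampling:")
    for location, name in coverage_gap(full, sampled):
        print("  ", location, name)
```

Two things in the output are worth noticing. The Luhn check keeps the look-alike number in `orders.txt` out of the findings, which is the kind of false-positive control that separates classification from plain pattern matching. And the sampled scan, while fast, reports only one of the five sensitive objects; each of the four it skipped is exactly the kind of unexamined instance the paragraph above warns about, and an auditor counts them regardless of how the scan was scoped.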
Conclusion
There are as many ways of doing DSPM as there are vendors on the market right now, and many will glom on to one or two key points of data security posture management and claim to be the real thing. Especially at this point in the DSPM game, be watchful. Know what a DSPM solution should offer, then do your research so you get everything you are entitled to from your DSPM investment.
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.