By Ron Reiter, co-founder and CTO of Sentra, finalist of the Best Cloud Data Management Solution at The Cloud Awards 2022-2023

In today’s competitive technological and economic landscape, keeping up with the most innovative IT practices is no longer just a “want” – it’s a need. Cloud computing makes it possible for businesses to scale quickly, enable remote access, and optimize deployment of new IT solutions. But as cloud adoption increases across all industries, so does the overwhelming volume of data created.

As a result of cloud computing, business leaders can now use massive amounts of data to support a range of applications, services and systems. This data can move seamlessly from an organization to its users, to third-party vendors, and even across national borders. While data can move, it can also hide. Even if an organization thinks it knows where to find its valuable data, there may be copies or fragments of that data in other places, out of the security team's view and beyond its reach. This is shadow data.

The ripple effect of data shared with third-party vendors (which may then be shared with those vendors’ third-party vendors, and so on), combined with a lack of visibility across all data stores, lakes and warehouses, creates a constant struggle for organizations still using legacy IT and outdated access control practices that can’t reliably identify or monitor valuable data.

To solve these data challenges, organizations must adopt a holistic, cloud-centric security strategy taking into account the unique security requirements of each organization and the specific security risks associated with cloud adoption. Enterprises can now effectively protect their most valuable asset – data – with data security posture management (DSPM).

Why Cloud-First Enterprises are Adopting DSPM

As organizations begin to understand the value of their data and the potential security risks, they're taking proactive measures to reduce attack surfaces, improve visibility, and control data access. Increasing cloud complexity prompted many organizations to implement cloud security posture management (CSPM) solutions to secure their cloud infrastructure. CSPM, however, assesses the configuration of the infrastructure, not the sensitivity of the data it holds. With new data produced every second, enterprises are now turning to DSPM for a more all-encompassing approach to protecting cloud data. By automating the detection and protection of cloud data, DSPM solutions help discover, classify, assess, prioritize, and remediate data security issues at scale.

These organizations are often responsible for dozens of cloud-based apps, creating a massive volume of data across a potentially multi-cloud ecosystem. This makes data protection significantly more complicated in a number of ways, including:

  • Organizations using public cloud environments and hybrid IT platforms may create inconsistencies in security policy;
  • The public cloud allows people to share, access and collaborate on data, so there's more risk of unauthorized or accidental exposure (it's hard to monitor and track who accesses sensitive data when there are many users and systems);
  • Cloud data may be subject to different data protection regulations, such as HIPAA and the General Data Protection Regulation (GDPR), depending on where it is stored and whose data it is;
  • The highly distributed nature of cloud computing makes it difficult for organizations to know exactly where their applications are located, and more importantly, where their data resides; and,
  • Security responsibilities in a shared environment may cause misunderstandings and leave gaps in security coverage, exposing data stores to cyber threats.

What DSPM is and How it Works

A DSPM approach to cloud security focuses on securing the sensitive data itself, rather than the infrastructure or applications in the cloud. In order to accomplish this, DSPM first discovers sensitive data (including shadow or abandoned data). AI models then classify the data types, assess the data’s security posture, and determine how to remediate the situation if data is not adequately protected.

Agentless data discovery is a faster, easier way for organizations to gain insight into their multi-cloud environments. Organizations can automatically discover all their data stores without impacting workloads or having to configure credentials and connections for each store by hand. In practice this still means granting the scanner a read-only role in each cloud account; what it avoids is per-datastore credentials and agents installed on the workloads. With this approach, enterprises can get a clearer picture of their data stores and make informed decisions about their data management strategy.

The use of cloud-native data classification ensures that sensitive data is properly identified and protected. This includes not only personally identifiable information (PII), but also other types of sensitive data such as financial information, healthcare records, developer secrets, and proprietary information such as:

  • Customer data
  • HR records
  • Intellectual property

Managing data risk, ensuring data privacy, and complying with data protection regulations depends on accurate data classification. Automating it improves efficiency, reduces errors, and surfaces exposures before they turn into breaches. Additionally, security posture assessments help identify weaknesses in how data assets are protected, such as:

  • Encryption flaws
  • Compliance violations
  • Improper backups and logging
  • Misconfigurations

These sensitive assets are then protected with detailed data security controls, no matter what infrastructure or application they’re stored on. As a result, critical data can be kept confidential, secure and available, in compliance with regulatory requirements.
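As an added illustration of the classification step described above (example code written for this article, not Sentra's classifier): a small Python scanner that walks a constructed set of object bodies and labels e-mail addresses, US SSNs, AWS access key IDs and Luhn-valid payment card numbers. The object paths and contents are constructed sample data, and the patterns are deliberately minimal; a production classifier would need far more detectors and context checks.

```python
import re
from typing import Dict, List

# Minimal detectors for a few of the sensitive-data types named above.
# These are illustrative patterns, not a complete classifier.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # AWS access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary) prefix.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Candidate card numbers: 13-19 digits, optionally separated by spaces/hyphens.
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Dict[str, List[str]]:
    """Return {label: [matches]} for every sensitive-data type found in text."""
    findings: Dict[str, List[str]] = {}
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if label == "card_candidate":
                digits = re.sub(r"\D", "", value)
                # Keep only candidates that pass Luhn; report the normalised digits.
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue
                label_out, value = "payment_card", digits
            else:
                label_out = label
            findings.setdefault(label_out, []).append(value)
    return findings


# Constructed sample objects standing in for discovered data-store contents.
SAMPLE_OBJECTS = {
    "s3://sales-export/customers.csv": "alice@example.com,4111 1111 1111 1111\n",
    "s3://ci-artifacts/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "s3://hr/onboarding.txt": "SSN 123-45-6789 on file",
    "s3://public-site/index.html": "<h1>Welcome</h1>",
}


def scan(objects: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Classify each object; objects with no findings are left out of the report."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for path, body in objects.items():
        findings = classify(body)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_OBJECTS).items():
        print(path, findings)
```

The Luhn filter is what keeps the card detector usable: without it, order numbers and phone numbers of the right length would be labelled as payment data, and the resulting false positives would bury the real findings.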

Another important component of an effective DSPM solution is the ability to monitor access to sensitive data. If third-party apps gain unexpected access to sensitive data, the system alerts the security team. The tool can also monitor identity and access management (IAM) identities and roles, detect dormant data and inactive users, and flag weaknesses such as users without multi-factor authentication (MFA) or with access keys that are no longer used.
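The IAM checks just described, as an added example (written for this article, not Sentra's implementation): the script below audits a constructed extract in the column layout of the AWS IAM credential report and flags console users without MFA, active access keys that have never been used or have gone stale, and, going one step beyond the text, keys that have not been rotated within a year. The account ID, user names and timestamps are constructed sample data; the fixed NOW value keeps the run reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample in the column layout of the AWS IAM credential report.
# Only the columns this check reads are included; the real report has more.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-01-10T09:00:00+00:00,2024-03-01T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-06-01T09:00:00+00:00,2023-07-15T08:30:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2022-02-01T00:00:00+00:00,N/A,true,2024-02-20T00:00:00+00:00,2024-03-02T05:00:00+00:00
"""

# Fixed "now" so the sample is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)


def parse_ts(value: str) -> Optional[datetime]:
    """The report uses N/A, no_information or not_supported where no timestamp applies."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv: str, now: datetime,
          stale_days: int = 90, rotate_days: int = 365) -> List[Dict[str, str]]:
    """Return one finding per weakness, in report order."""
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root and every user with a console password should have MFA enforced.
        console_login = row["password_enabled"] == "true" or user == "<root_account>"
        if console_login and row["mfa_active"] != "true":
            findings.append({"user": user, "issue": "no_mfa"})
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if last_used is None:
                findings.append({"user": user, "issue": f"key{n}_never_used"})
            elif now - last_used > timedelta(days=stale_days):
                findings.append({"user": user, "issue": f"key{n}_stale"})
            if rotated is not None and now - rotated > timedelta(days=rotate_days):
                findings.append({"user": user, "issue": f"key{n}_not_rotated"})
    return findings


def run_sample() -> List[Dict[str, str]]:
    return audit(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']}: {f['issue']}")
```

Note the asymmetry the sample is built to show: the service user ci-deploy has no console password, so it is not flagged for MFA, but its first access key is both unused and two years old, which is exactly the dormant credential an attacker who finds it in an old CI artifact would enjoy.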

A reliable DSPM platform will also track data movement across cloud data stores — including when it’s processed by pipelines, migrations and backups. Security teams can define policies to create alerts when sensitive data is copied or moved between regions, environments, and networks. By having visibility into data movement, organizations can gain a comprehensive understanding of potential security risks and bring together multiple data owners for easier remediation.

This helps organizations ensure the security and compliance of their sensitive data, no matter where it's stored or how it's being used. A DSPM multi-cloud security solution should work across a wide range of cloud service providers including AWS, Azure, Databricks, GCP, Oracle Cloud and Snowflake.
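The data-movement policies described above, as an added example (written for this article, not Sentra's policy engine): each copy event is checked against a constructed bucket inventory, and a sensitive object copied across regions, from prod to a non-prod environment, or to a store outside the inventory raises an alert. The copy also inherits the source's classification label, so a later move of the copy is judged by the same rules, which is the lineage tracking the text mentions. Bucket names, regions, principals and the simplified event shape are all constructed; the events are not in CloudTrail's exact schema.

```python
from typing import Dict, List

# Constructed inventory: labels a classifier assigned to objects, and where each
# bucket lives. All names are hypothetical.
OBJECT_LABELS = {
    "s3://prod-customers/export.csv": "pii",
    "s3://prod-site/logo.png": "public",
}
BUCKETS = {
    "prod-customers": {"region": "eu-west-1", "env": "prod"},
    "prod-backup": {"region": "eu-west-1", "env": "prod"},
    "prod-site": {"region": "eu-west-1", "env": "prod"},
    "analytics-sandbox": {"region": "us-east-1", "env": "dev"},
}
SENSITIVE = {"pii", "phi", "financial", "secret"}


def bucket_of(uri: str) -> str:
    """'s3://bucket/key' -> 'bucket'."""
    return uri.split("/", 3)[2]


def evaluate(event: Dict[str, str], labels: Dict[str, str]) -> List[str]:
    """Apply the movement policy to one copy event; return the alert names raised."""
    if labels.get(event["source"], "unclassified") not in SENSITIVE:
        return []                      # non-sensitive movement is logged, not alerted
    src = BUCKETS.get(bucket_of(event["source"]))
    dst = BUCKETS.get(bucket_of(event["destination"]))
    if src is None or dst is None:
        # Data leaving for (or arriving from) a store we don't know is the exfiltration case.
        return ["unknown_store"]
    alerts = []
    if src["region"] != dst["region"]:
        alerts.append("cross_region")
    if src["env"] == "prod" and dst["env"] != "prod":
        alerts.append("env_downgrade")
    return alerts


def process(event: Dict[str, str], labels: Dict[str, str]) -> List[str]:
    """Evaluate, then propagate the label so the copy is tracked as lineage."""
    alerts = evaluate(event, labels)
    if event["source"] in labels:
        labels[event["destination"]] = labels[event["source"]]
    return alerts


# Constructed events in a simplified shape (not CloudTrail's exact schema).
SAMPLE_EVENTS = [
    {"principal": "user/analyst", "source": "s3://prod-customers/export.csv",
     "destination": "s3://analytics-sandbox/export.csv"},
    {"principal": "role/backup", "source": "s3://prod-customers/export.csv",
     "destination": "s3://prod-backup/export.csv"},
    {"principal": "user/web", "source": "s3://prod-site/logo.png",
     "destination": "s3://analytics-sandbox/logo.png"},
    {"principal": "user/contractor", "source": "s3://prod-customers/export.csv",
     "destination": "s3://personal-dump/export.csv"},
    # The backup copy was never labelled by the classifier; lineage catches it anyway.
    {"principal": "user/analyst", "source": "s3://prod-backup/export.csv",
     "destination": "s3://analytics-sandbox/export-copy.csv"},
]


def run_sample() -> List[Dict[str, object]]:
    """Replay the events in order; return only those that alerted, with the actor."""
    labels = dict(OBJECT_LABELS)       # work on a copy so replays are repeatable
    out: List[Dict[str, object]] = []
    for ev in SAMPLE_EVENTS:
        alerts = process(ev, labels)
        if alerts:
            out.append({"principal": ev["principal"],
                        "destination": ev["destination"], "alerts": alerts})
    return out


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

The second event (a same-region backup inside prod) stays quiet, which matters as much as the alerts: a policy that pages on every copy of sensitive data is one the team will learn to ignore. The alert record carries the principal so that the data owner and the identity owner can be brought together for remediation, as the text describes.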

Identifying meaningful risk across the enterprise, from data breaches and data exfiltration to shadow data, is impossible without combining data sensitivity, data lineage, and other risk factors into a single view. Implementing a DSPM solution can help organizations improve their overall security posture and reduce the risk of security incidents. By delegating data discovery, classification and posture monitoring to a DSPM platform, security leaders can instead focus on managing security operations and resolving incidents effectively.