Data Security Posture Management
Data Security Posture Management (DSPM) is a security discipline and category of tooling that provides continuous visibility into where sensitive data lives, who and what can access it, how it is protected, and whether that protection is adequate relative to the data's sensitivity and regulatory obligations. DSPM answers the foundational questions that most organisations struggle to answer: What sensitive data do we have? Where is it? Who has access to it? Is it properly protected?
DSPM emerged as a formal discipline in response to the explosion of data across cloud environments โ object storage, managed databases, data lakes, SaaS platforms, and development tools โ where data sprawl, misconfigured permissions, and shadow data routinely outpace manual governance processes.
Why DSPM Matters
Traditional data security assumed data lived in known, bounded locations: on-premises databases, file servers, mainframes. Cloud adoption broke this model:
- Data sprawl: Developers spin up S3 buckets, snapshot databases, export CSVs to data lakes, and share files to SaaS tools โ often without security or governance involvement
- Shadow data: Copies of production data appear in development environments, analytics pipelines, and backups, each with its own (often weaker) access controls
- Permission drift: Access rights accumulate over time โ users, roles, and service accounts retain access long after it is needed
- Misconfiguration at scale: A single misconfigured S3 bucket policy or publicly accessible database snapshot can expose millions of records
- Regulatory complexity: GDPR, HIPAA, PCI DSS, and CCPA each impose specific requirements for locating, classifying, and protecting regulated data โ requirements that cannot be met without knowing where the data is
DSPM addresses these challenges by continuously discovering and assessing data risk across the entire estate, not just at scheduled audit intervals.
Core DSPM Capabilities
1. Data Discovery
The foundation of DSPM is finding all data stores โ managed and unmanaged, known and shadow.
Scope of discovery:
| Environment | Examples |
|---|---|
| Cloud object storage | AWS S3, Azure Blob, GCS |
| Managed databases | RDS, Aurora, Azure SQL, Cloud SQL, DynamoDB, Cosmos DB |
| Data warehouses | Snowflake, BigQuery, Redshift, Synapse |
| Data lakes | AWS Lake Formation, Azure Data Lake, Databricks |
| SaaS platforms | Salesforce, Workday, ServiceNow, GitHub, Jira |
| Unstructured file storage | SharePoint, OneDrive, Google Drive, Box |
| Developer environments | Git repositories, CI/CD secrets, container registries |
| Streaming pipelines | Kafka topics, Kinesis streams, Pub/Sub |
Discovery must be agentless and read-only โ it should not require changes to the data environment and must not copy sensitive data to the DSPM platform. Modern DSPM tools use native cloud APIs and metadata scanning to enumerate data stores, then apply sampling or index scanning to classify content without exfiltrating it.
2. Data Classification
Discovery finds where data stores exist. Classification determines what sensitive data they contain.
Classification approaches:
| Method | How it Works | Strengths | Limitations |
|---|---|---|---|
| Pattern matching (regex) | Match against patterns for PII, card numbers, SSNs, etc. | Fast, deterministic, auditable | High false positive rate for generic patterns |
| Named Entity Recognition (NER) | ML models identify names, organisations, locations in context | Better accuracy for unstructured text | Computationally expensive |
| Exact data matching | Hash-compare against a known sensitive dataset (e.g. employee ID list) | Zero false positives | Requires a reference dataset to match against |
| Document fingerprinting | Detect copies or near-copies of a known sensitive document | Catches edited copies | Requires original document registration |
| Schema inference | Classify columns by name and data type (e.g. email_address, ssn, dob) |
No content scanning needed | Misses columns with non-descriptive names |
Standard classification taxonomy:
Sensitivity Levels:
โโโ Public โ Intended for unrestricted distribution
โโโ Internal โ For employees only; no material harm if disclosed
โโโ Confidential โ Business-sensitive; limited distribution
โโโ Restricted โ Highly sensitive; strict need-to-know
โโโ Regulated โ Subject to specific legal or compliance requirements
โโโ PII โ Personally Identifiable Information
โโโ PHI โ Protected Health Information (HIPAA)
โโโ PCI โ Payment Card Industry data
โโโ Financial โ Material non-public information, banking records
โโโ Legal โ Attorney-client privilege, litigation hold
Classification results should be persisted as tags or labels on data stores, feeding downstream policy enforcement and reporting.
3. Data Flow Mapping
Understanding where data moves is as important as knowing where it rests.
What to map:
- Which users and services read sensitive data stores
- Which pipelines copy or transform sensitive data and where results land
- Whether sensitive data crosses cloud accounts, regions, or organisational boundaries
- Whether sensitive data is accessible from development or test environments
Data flow risk scenarios:
| Flow | Risk |
|---|---|
| Production PII copied to development environment | Dev environments have weaker controls; developer access is broader |
| Sensitive data replicated to a different cloud region | May violate data residency requirements (GDPR) |
| Customer data shared to a third-party analytics SaaS | Third-party risk; data subject rights become complex |
| Sensitive data stored in application logs | Logs often have weaker access controls and longer retention |
| Secrets or credentials committed to a Git repository | Credential exposure; often cloned to multiple machines |
4. Access Entitlement Analysis
Having identified sensitive data, DSPM evaluates who and what can access it โ and whether that access is appropriate.
Entitlement analysis covers:
- Human identities: Users, groups, and roles with read/write/admin access
- Machine identities: Service accounts, IAM roles, application credentials
- Third-party access: External services, vendor accounts, OAuth grants
- Public access: Data stores accessible without authentication (misconfiguration)
Over-privileged access patterns to detect:
| Pattern | Risk |
|---|---|
Wildcard permissions (s3:*, SELECT *) on sensitive data |
Excessive privilege; violates least privilege |
| Stale access (no access in 90+ days) | Unnecessary standing access; dormant credential risk |
| Cross-account access without documented justification | Unexpected blast radius in a compromise |
| Service accounts with human-level permissions | Over-privilege; service accounts should have minimal, scoped access |
Public s3:GetObject on a bucket containing PII |
Direct exposure โ this is a critical finding |
| Shared credentials across multiple services | Inability to attribute actions; difficult to rotate |
Effective permissions analysis must account for layered IAM โ policy hierarchies, resource-based policies, permission boundaries, SCPs, and group membership โ not just direct assignments. The question is not "what policies are attached" but "what can this identity actually do?"
5. Misconfiguration Detection
DSPM continuously checks data store configurations against security baselines.
High-priority misconfigurations:
| Finding | Severity | Example |
|---|---|---|
| Public read/write on object storage | Critical | S3 bucket with s3:GetObject for Principal: * |
Database accessible from 0.0.0.0/0 |
Critical | RDS instance with public IP and open security group |
| Encryption at rest disabled | High | Unencrypted EBS volume, S3 bucket with no SSE |
| Encryption in transit not enforced | High | Database allowing non-SSL connections |
| No access logging enabled | High | S3 bucket with no server access logs |
| No backup policy | Medium | Database with no automated snapshots |
| Snapshot shared publicly | Critical | RDS snapshot accessible to any AWS account |
| Versioning disabled on sensitive storage | Medium | S3 bucket without versioning โ ransomware risk |
| MFA delete not enabled | Medium | S3 bucket where objects can be deleted without MFA |
| Default encryption key (AWS managed) | Medium | Should use customer-managed KMS key for sensitive data |
6. Risk Scoring and Prioritisation
Raw findings quickly number in the thousands. DSPM must prioritise by combining data sensitivity with security gap severity.
Risk score formula (conceptual):
Data Risk Score = Sensitivity ร Exposure ร Likelihood
Where:
Sensitivity = Classification level (Public=1, Regulated=5)
Exposure = Access breadth (Private=1, Internet-facing=5)
Likelihood = Presence of specific vulnerability (misconfiguration, stale access, etc.)
A publicly accessible S3 bucket containing PII with no encryption scores far higher than an over-privileged internal service account accessing non-sensitive data. This prioritisation focuses remediation effort where it matters most.
7. Compliance Mapping
DSPM maps findings to specific regulatory and framework requirements, generating evidence for audits and gap assessments.
| Regulation | Key DSPM Controls |
|---|---|
| GDPR | PII discovery, data subject rights, breach notification scope, cross-border transfer detection |
| HIPAA | PHI discovery, access controls, audit logging, encryption at rest and in transit |
| PCI DSS | Cardholder data discovery, scoping for CDE, access restrictions, tokenisation verification |
| CCPA | Personal information inventory, sale/sharing tracking, deletion capability |
| SOC 2 | Availability, confidentiality, access control evidence for Type II reports |
| ISO 27001 A.8 | Asset classification and information handling controls |
DSPM Architecture
Deployment Patterns
Agentless API-based scanning (most common):
DSPM Platform (SaaS)
โ
โโโ Cloud provider APIs (read-only IAM role)
โ โโโ Enumerate data stores
โ โโโ Read IAM policies and access logs
โ โโโ Check configuration metadata
โ
โโโ Lightweight data classification
โโโ Sample records from sensitive-looking stores
โโโ Apply NLP/regex classification models
The DSPM platform is granted a read-only cross-account IAM role. It never writes to or modifies the environment.
Key architectural requirements:
- No data egress: Classification must happen in-account or via metadata โ sensitive data must not be sent to the DSPM vendor's infrastructure
- Read-only: DSPM discovery must not create, modify, or delete any resource
- Continuous: Not a point-in-time scan โ data and configurations change constantly
- Multi-cloud: Most enterprises span AWS, Azure, and GCP; DSPM must cover all
Integration Points
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ DSPM Platform โ
โ Discovery ยท Classification ยท Entitlement ยท Compliance โ
โโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโ
โ โ โ
โโโโโโโโผโโโโ โโโโโโโผโโโโโโ โโโโโโโผโโโโโโโโโโโ
โ SIEM โ โ CSPM / โ โ IaC / CI-CD โ
โ (alerts) โ โ CIEM โ โ (shift-left) โ
โโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโผโโโโโโโโโโโโโโโโโโโโ
โ Ticketing / SOAR โ
โ (remediation workflows) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
SIEM: DSPM findings feed into SIEM as high-fidelity alerts. A new public S3 bucket containing PII should trigger a P1 incident โ not sit in a compliance dashboard.
CSPM (Cloud Security Posture Management): CSPM covers infrastructure configuration (compute, networking, IAM); DSPM focuses on the data layer. Together they provide full cloud security posture coverage.
CIEM (Cloud Infrastructure Entitlement Management): CIEM focuses on identity and access โ over-privileged roles, unused permissions, cross-account access. DSPM adds the data context: which sensitive data stores those permissions reach.
IaC scanning: Integrate DSPM policies into Terraform/CloudFormation reviews to catch data security misconfigurations before deployment โ shift-left on data risk.
Leading DSPM Vendors
| Vendor | Approach | Notable Strengths |
|---|---|---|
| Varonis | Agent + agentless; deep on-premises + SaaS coverage | File system and SaaS breadth; behaviour analytics |
| Cyera | Agentless, cloud-native | Fast time-to-value; cloud-first |
| Securiti | Unified data + privacy platform | Strong regulatory compliance mapping |
| BigID | ML-based classification; privacy focus | PII accuracy; DSR automation |
| Laminar (Rubrik) | Developer-friendly; shadow data focus | Shadow data discovery; developer workflow integration |
| Sentra | Cloud-native, data flow focus | Cross-cloud data flow mapping |
| Microsoft Purview | Native Azure; expanding to multi-cloud | Deep M365 and Azure integration |
| AWS Macie | AWS-native; S3-focused | Native, no-setup S3 classification |
AWS Macie is a good starting point for organisations heavily invested in AWS โ it provides automated PII detection across S3 with no additional tooling. For multi-cloud or on-premises coverage, a dedicated DSPM platform is required.
Implementation Roadmap
Phase 1 โ Discovery and Inventory (Weeks 1โ4)
- Connect DSPM to all cloud accounts and SaaS platforms in read-only mode
- Run initial discovery โ enumerate all data stores
- Apply classification to identify sensitive data locations
- Generate a baseline inventory: X data stores, Y contain PII, Z are publicly accessible
Quick wins to address immediately:
- Any publicly accessible storage containing sensitive data โ close immediately
- Unencrypted databases or object storage containing regulated data โ enable encryption
- Snapshots shared publicly โ restrict
Phase 2 โ Access Analysis (Weeks 4โ8)
- Map effective permissions for all identities accessing sensitive data stores
- Identify stale access (no access in 90+ days) and remove
- Identify service accounts with wildcard or excessive permissions โ scope down
- Identify shadow data in development environments โ determine if PII, enforce masking or deletion
Phase 3 โ Policy and Automation (Months 3โ6)
- Define data handling policies by classification tier (who can access, in what environments, with what controls)
- Automate alerting for policy violations (new public storage, unencrypted sensitive store)
- Integrate DSPM findings into SIEM and incident response workflows
- Integrate into IaC pipeline โ block deployments of data stores that violate baseline policy
Phase 4 โ Continuous Governance (Ongoing)
- Establish SLAs for remediation of DSPM findings by severity
- Monthly data risk review with data owners and the security team
- Quarterly access review โ revoke stale entitlements
- Annual classification taxonomy review โ update for new data types and regulations
Data Minimisation
A finding that cannot be closed by fixing a misconfiguration should prompt a more fundamental question: Does this data need to exist here?
Data minimisation principles:
- Collect only what is needed for the stated purpose โ do not accumulate data on the assumption it might be useful
- Retain only as long as required โ enforce retention policies and deletion; data that does not exist cannot be breached
- Mask or tokenise sensitive data in non-production environments โ production PII should never be present in development or analytics without masking
- Purge shadow copies โ log files, exports, database snapshots, and ETL intermediate tables accumulate uncontrolled; regularly audit and delete
- Tokenise at the edge โ capture payment card data through a PCI-compliant vault; store only a token in your own systems
-- Example: Identify tables with PII columns that have not been accessed in 90+ days
-- (Snowflake query history as an example)
SELECT
t.table_catalog,
t.table_schema,
t.table_name,
MAX(qh.start_time) AS last_accessed
FROM information_schema.tables t
LEFT JOIN snowflake.account_usage.query_history qh
ON qh.query_text ILIKE '%' || t.table_name || '%'
WHERE t.table_name IN (SELECT table_name FROM dspm_classified_tables WHERE has_pii = true)
GROUP BY 1, 2, 3
HAVING last_accessed < DATEADD(day, -90, CURRENT_TIMESTAMP())
OR last_accessed IS NULL;
Key Metrics
Track these metrics to demonstrate DSPM programme effectiveness:
| Metric | Target | Frequency |
|---|---|---|
| % of data stores classified | 100% | Monthly |
| % of sensitive data stores with encryption at rest | 100% | Continuous |
| % of sensitive data stores with logging enabled | 100% | Continuous |
| Number of publicly accessible sensitive data stores | 0 | Continuous |
| Mean time to remediate critical data findings | < 24 hours | Per incident |
| Mean time to remediate high data findings | < 7 days | Monthly |
| Number of identities with access to sensitive data | Trend down | Quarterly |
| % of sensitive data in non-production environments that is masked | 100% | Monthly |
| Stale access (90+ day dormant) on sensitive stores | 0 | Quarterly |
| Shadow data stores discovered this quarter | Track trend | Quarterly |
Hardening Checklist
| Control | Priority | Notes |
|---|---|---|
| All cloud data stores enumerated and classified | Critical | Foundation for all other controls |
| Public access blocked on all storage containing sensitive data | Critical | Immediate remediation required |
| Encryption at rest enabled on all sensitive data stores | Critical | Use customer-managed keys for regulated data |
| Encryption in transit enforced (SSL required) | Critical | Database connection strings |
| Access logging enabled on all sensitive data stores | High | S3 server access logs, CloudTrail, database audit logs |
| Stale entitlements removed (90+ day no-access) | High | Quarterly access review |
| Wildcard permissions removed from sensitive data stores | High | Replace with scoped, least-privilege policies |
| Shadow data in dev/test environments masked or deleted | High | No production PII in non-production |
| Database snapshots access-restricted (not public/shared) | Critical | Check all RDS/Aurora snapshots |
| DSPM alerts integrated into SIEM | High | High-severity findings trigger incidents |
| Data retention policy enforced with automated deletion | Medium | Reduces breach scope |
| IaC data security checks in CI/CD pipeline | Medium | Shift-left on misconfiguration |
| Sensitive data inventory shared with legal/compliance | Medium | Required for GDPR Article 30 ROPA |
| Cross-border data transfer controls validated | High | GDPR adequacy decisions, SCCs |
| Third-party SaaS data access inventoried | Medium | Shadow SaaS risk |
References
- Gartner Innovation Insight: DSPM (2022)
- OWASP Data Security Top 10
- NIST SP 800-188 โ De-Identification of Government Datasets
- GDPR Article 30 โ Records of Processing Activities
- AWS Macie โ Sensitive Data Discovery
- Microsoft Purview โ Data Governance
- BigID Data Intelligence Platform
- NIST Privacy Framework