Startups and well-established vendors alike have a new acronym in their arsenals: DSPM, or data security posture management, which can extend data security practices from on-premises environments to today’s cloud-based architectures.
In our increasingly cloud-powered era where IT infrastructure has become to a large degree interchangeable, what really matters from a security perspective is the data.
“Data security is the future of cybersecurity,” said Mike Tornincasa, chief business officer at Rubrik, which has transitioned from its roots as a backup and recovery vendor into a major data security player.
Notably, a central component of the data security strategy at Rubrik—as well as at a growing number of cybersecurity titans including Palo Alto Networks and CrowdStrike—is a relatively recent addition to the lengthy list of security acronyms: DSPM, or data security posture management.
[RELATED: SMBs Seeking SASE, And MSPs Are Ready To Deliver]
In the same way that cloud security posture management (CSPM) can rapidly provide a view into cloud infrastructure misconfigurations, DSPM provides visibility into the locations and security of data stored in an organization’s cloud environments.
It can provide a basis for locking down the data in the cloud at a time when cybercriminals and nation-state hackers alike are increasingly focusing on data theft.
For many organizations, DSPM represents a way to extend strong data security practices from on-premises environments into modern cloud-based architectures, said Mir Kashifuddin, data risk and privacy leader at PwC US.
“I just think it’s the new reality, and they’re looking for control at the end of the day—insight and control,” Kashifuddin said. “If you could set [DSPM] up properly, it’s kind of this running, continuous monitoring capability.”
In the wake of a massive shift by attackers in the direction of data theft and extortion attacks from “traditional” ransomware involving file encryption, many organizations are clamoring for such capabilities.
Rubrik, Palo Alto, Calif., has moved into DSPM with its acquisition, unveiled in August 2023, of a leading startup in the space, Laminar. The new capabilities are allowing Rubrik—the newest publicly traded security vendor, following its IPO in April—to help customers get ahead of the threats to data, Tornincasa said.
“We can outline for you where all of your data is so that you can take the steps proactively to secure it,” he said. “I think that having visibility into your data—understanding what you have, where it is, how it’s secured—is critical to every organization,” Tornincasa said. “I think everyone’s going to have to accelerate their journey.”
At Palo Alto Networks, meanwhile, the move into DSPM followed its $400 million acquisition of Dig Security last fall. The addition of DSPM to the Santa Clara, Calif.-based company’s Prisma Cloud offering provides partners and customers with greater controls over sensitive data through improved monitoring and assessment, according to Dan Benjamin, head of data, identity and AI security at Prisma Cloud.
The DSPM technology from Dig analyzes every data interaction and then the company can “flag when something goes wrong,” said Benjamin, who had been co-founder and CEO of Dig Security prior to the acquisition.
In other words, when anomalous data interactions take place, “we’re able to detect and respond to those in real time,” he said. “That is something that is very, very unique in the world of cloud data security.”
A number of other security vendors, both startups and well-established players, are also operating in the red-hot DSPM space. Among them is CSPM pioneer Wiz, which began offering DSPM back in November 2022, and CrowdStrike, which unveiled a deal to acquire DSPM startup Flow Security in March.
Without a doubt, there is some intermingling of terms between DSPM, CSPM and SaaS security at this point, noted PwC’s Kashifuddin.
But whatever one might call it, the larger point is that customers want greater control over—and insight into—their data that is moving to the cloud, he said.
“It may not come out as DSPM overtly. But [customers] are looking for, ‘What data do I have? Can I classify it? Can I look at who has access to that data? Can I protect it or see what’s unencrypted on the most sensitive data sets?’” Kashifuddin said. “And then, ‘Can I route that or workfl ow it to the right people to remediate?’ Because at the end of the day, you haven’t reduced your risk unless you’re actually actioning it and remediating it. So there is very real interest in that.”
