6 Data Security Posture Management (DSPM) Use Cases
Network security statistics show that the human factor accounts for ~80% of breaches. Protecting your organization’s data entails more than merely preventing the cyber attack vectors. It is also important to minimize the exposure of sensitive information within the company’s own network.
Data Security Posture Management (DSPM) is essential for strengthening an organization’s cybersecurity posture in the face of data breaches. DSPM vendors and network security software may identify and categorize structured and unstructured data across several cloud service platforms, providing network insight into sensitive data and user access levels.
This article gathers the top 6 real-world DSPM use cases, highlighting how security teams can use them to discover security and privacy issues across business processes.
1. Data discovery
Organizations can use DSPM solutions to enable network visibility into their cloud data inventory, including numerous services that contain sensitive data across IaaS, PaaS, and DBaaS environments. This could include cloud warehouses such as Google BigQuery or Snowflake, databases on virtual machines, and object storage such as Google Cloud Storage.
For example, DSPM companies can detect shadow data assets, such as unsupervised databases residing across their environments.
Figure 1: Shadow IT discovery
Source: Cloudflare1
Real-life case study
Uniper is an energy transition company headquartered in Germany and operating in more than 40 countries. Uniper provides energy supply for more than 1,000 wholesale and industrial customers.
Challenges
- Insufficient data discovery: Uniper required an easy approach to make data discoverable and available to anyone, whether at their workstation or on mobile devices.
- Slow data access: Uniper employees had to make critical judgments quickly in a complicated, high-stakes, and rapidly changing operating environment. However, the time spent searching for and accessing data slowed decision-making.
- Lack of continuous data flow: Uniper engineers needed to retrieve data flows from power plant setups to maintain quality controls; however, they were limited to data from a single plant database. Engineers lacked a centralized dataset that was continuously updated.
Solutions and outcome
Uniper signed a contract with Cognizant, a network security software company, to improve the speed and quality of decision-making by making business data more easily discoverable. Cognizant used the DSPM solution to create a data search engine.
- Improved data discovery: Uniper and Cognizant collaborated to identify data owners and create an inventory of shareable data throughout the enterprise. This helped to classify and share datasets, improving data discovery.
- Fast data access: Before the DSPM implementation, Uniper spent 70% of its decision-making time seeking information. The new platform delivers faster results from a larger set of shared datasets and sources, reducing search time by 10%.
- Automated data labeling: Uniper added automated features to increase platform value and usage. The features included AI/ML-driven recommendations for relevant data sources and a rating system to help users choose the best datasets from search results.2
Read more: AI-SPM (AI-Security Posture Management)
2. Data classification
Organizations can manage all of their structured and unstructured data by using DSPM products. DSPM can identify and classify data by scanning the entire network to locate data across the cloud, physical endpoints, employees’ devices, and other locations.
For example, organizations may categorize data by type, such as accounting information, marketing information, and intellectual property. Other businesses may categorize data in accordance with applicable standards, such as the Health Insurance Portability and Accountability Act (HIPAA).
Additionally, organizations can leverage AI data classification by combining data classification software with DSPM vendors that offer automation capabilities using machine learning, AI, and pattern recognition to evaluate structured and unstructured data and determine its type and sensitivity.
Figure 2: Data classification template
Source: Simmons University3
- Yes – use permitted.
- Caution – this service with the regulated data type is permitted with caution and, where necessary, approval.
- No – use prohibited.
Real-life case study
First National Bank is a financial service organization based in St. Peter, Minnesota, with branches in Gaylord, Belle Plaine, and Mankato. The bank secured its sensitive data and rebuilt its Active Directory in three weeks using an IT audit solution.
Challenges
- Data classification: First National Bank classified its data to verify sensitive financial information, including income, Social Security numbers, and employment history.
- Complex Active Directory data flow: Rebuild Active Directory to minimize complexity and increase security.
Solutions and outcome
The Bank implemented a network security solution to secure its sensitive data.
- Data security posture management (DSPM): First National Bank discovered, classified, and protected sensitive data. For example, the solution ensured that data was stored only in secure areas and that only authorized users could access it. The Bank gained insight into where data is stored and what information is encrypted, relocated, or cleaned.
- Faster detection of suspicious activity: First National Bank detected suspicious behavior in all business-essential IT systems daily by receiving activity reports and notifications based on data types. For example, the new solution sent access notifications to the IT risk management and executives when a user applied modifications to highly sensitive financial files.4
3. Data loss prevention (DLP)
Organizations can use DSPM for data loss prevention (DLP) to prevent unauthorized access, data leakage, theft, and malicious processing of sensitive data. Administrators can set DLP policies that specify how users should handle corporate data.
For example, your organization’s internal auditors can maintain a list of credit card numbers by data type (e.g., credit card numbers) assigned by their DSPM solution.
Furthermore, if a user attempts to send credit card numbers via email to external parties, the DLP software can block the email transaction.
Note: Organizations that plan to enforce more detailed DLP policies can use identity and access management (IAM), including role-based access control (RBAC), to limit data access to authorized individuals.
Read more: Open source RBAC tools, RBAC examples, RBAC use cases.
Real-life case study
Alloy is a major cybersecurity risk management and compliance solution for banks and fintech. The company required a data loss prevention (DLP) solution to prevent the theft of sensitive data, including Social Security numbers, tax IDs, and other client information.
Challenges
- Ineffective insider threat management: Alloy’s legacy systems were inefficient in preventing insider attacks and accidental loss via endpoints and USB drives.
- Lack of network visibility: Alloy lacked visibility into data transfer activities such as email, printing, and portable media, and expected to improve endpoint data security.
- Low user-activity transparency: Alloy required a system that provided visibility into user actions. This includes gaining insight or notifications when users:
- Access a database they have never used before and download sensitive data.
- Download large amounts of data.
- Log in to critical systems or applications.
Solutions and outcome
Alloy employed an approach that included setting policies to improve visibility into user actions, monitor data transfers, and detect specific keywords and sensitive information. The company also implemented security measures, such as blocking USB ports, to prevent data exfiltration.
- Scanned data in motion: Alloy gained detailed control via content and context inspection. For example, administrators could monitor files exchanged with coworkers, data uploaded to cloud apps, and data delivered to business partners on a single interface.
- USB and peripheral port control: Alloy scanned data in motion with the new implementation, enabling the company to identify infected devices. Thus, Alloy could lock down this equipment using vendor ID, product ID, serial number, and other attributes. For example, the software powers off the USB device when it detects malicious data, then sends a signal to the device indicating that the infected hardware is disconnected.5
Read more: DLP software.
4. Data maps and pipelines
Organizations can leverage DSPM systems to generate data maps by identifying data sources during data pipeline assessments. They can detect and identify shadow data repositories and unprotected data pipelines. They can also detect misconfigurations that may expose data to the public or unsuitable destinations, or allow third-party access.
Real-life case study
A healthcare-focused cloud services company constantly collects data from its customers, and this data flow is an important component of the onboarding process for new customers.
Challenges
- Data is distributed in multiple formats: Their consumer data was inconsistent across formats. Sometimes, consumer data was missing or poorly formatted. Some clients manually entered their information using varying standards. Duplicate records existed.
- Overhiring and excessive software implementation: The company addressed the “distributed data” issue by hiring more staff to process customer information using tools such as Microsoft Excel. However, this did not resolve their issue. Despite rising prices, data quality issues persisted. Even with more people, the data flow slowed the new customer onboarding.
Solutions and outcome
The company officials implemented an automated solution to assess their data workflow, data quality issues, and sample data input procedure.
- Streamlined data pipelines: The company designed the new implementation in 4 weeks and cut customer data preparation time by 75% in 6 months.
- Data scans and categorization: The application scanned a set of Excel and delimited-text files provided by the company and determined their structures. For example, if most of the data in a column appears to be email addresses, the software applies an “email” filter.
- Data identification and mapping: An Excel spreadsheet created to define business rules. The program read the source data and corrected common data-quality issues it identified. For example, if a numeric column in the file contains a string value, the software marks the cells red to indicate unrecognized data quality issues.6
5. Data security policy enforcement
DSPM solutions will alert you and flag security violations for remediation based on data location, movement, or type. DSPM allows organizations to:
- Data monitoring: Monitor security posture drift against prebuilt policies aligned with best practices, governance structures, and privacy laws.
- Network security policy management: Customize existing policies or develop your own to meet specific corporate needs.
- Incident response automation: Integrate with your existing ticketing and workflow applications to receive violation notifications and remediation guidance.
With automated data security policy implementation, organizations can target violations such as:
- Overexposed data: public reader access, excessive user access, third-party access, and underused internal access. Read more: Third-party risk management.
- Unprotected data: missing encryption at rest, masking, encryption in transit, unencrypted credentials, and activity logging.
- Misplaced data: European Union citizen data outside of GDPR countries, and personal, healthcare, and banking information in less secure settings (e.g., development, test, and staging).
- Redundant data: failed backups and sensitive data in dismissed assets.
Real-life case study
A telecommunications company offers cloud-based call-tracking and analytics solutions.
Challenges
- Lack of multi-cloud security: The customer’s multi-cloud design includes Microsoft Azure and Amazon Web Services (AWS) to improve overall security. Their cloud workloads and sensitive data are prone to misconfiguration and being shared by other organizations.
- Lack of automated data security policies: Initially, the company used a single AWS account and followed naming and tagging guidelines to distinguish production and development workloads; however, as their network grew, they failed to divide their environments.
- SOC 2 network audit: The company needed to prepare for the SOC 2 audit. Thus, the company must provide regular operational data reports to the IT advisory committee.
Solutions and outcomes
The company implemented a new architecture that enabled vulnerability management and policy automation across multi-cloud and multi-account environments. The company claimed that its internal security score has increased from ~15% to ~50%. The following outcomes have been achieved.
- Automated data security policy implementation: The company used AWS Control Tower to create several organizational units (OUs) and AWS accounts, each with a distinct purpose. This helped pre-configure data security policies to ensure secure account setup and maintenance on organizational units.
- Vulnerability monitoring: The company used AWS Inspector, an automated vulnerability scanner, to continuously scan its cloud workloads. This approach helped to detect and address any vulnerabilities.7
Read more: Network security policy management tools.
6. Data-centric environment segmentation
Organizations segment their network environment to control traffic flows between the subnets; however, network segmentation cannot be manually implemented and enforced in dynamic cloud systems. DSPM helps organizations segment cloud environments and implement location restrictions to meet security and regulatory requirements.
Real-life case study
Careem is a transportation and delivery services application with operations in more than 70 cities, covering 10 countries. Careem replaced its existing security architecture, which includes more than 50 firewalls and dozens of virtual private network (VPN) equipment, with a zero-trust approach.
Challenges
- Low granularity across internal apps: Careem needed a solution with granular segmentation features in its new system to securely allow acquired employees quick access to internal apps while also providing existing Careem colleagues secure access to acquired corporate assets.
- Lack of customized access controls: The company needed conditional access controls for applications based on dynamic security posture evaluations of endpoint devices.
Solutions and outcome
Careem eliminated VPN-related issues and costs by implementing a zero-trust approach. The company reported that its Net Promoter Score (NPS) among our colleagues and service representatives increased by 70%.
- Improved cloud workload security posture: Careen expanded its new network implementation by integrating A DSPM vendor into workload communications. This helped the company to correct misconfigurations, secure sensitive data, and enforce least-privileged access across Careem’s AWS environments.
- Automated access controls: Careem allocated user access controls based on data classification. This helped the company determine who should have access to sensitive data and at what level. For example, unauthorized visitor devices are directed to the secure gateway. Similarly, unidentified devices are put into the “denylist” zone. Thus, Careem achieved significant resource savings by dividing its network, approximately 20,000 development hours annually.8
Read more: Network segmentation tools, examples of network segmentation.
Top 6 security risks that DSPM can mitigate
1. Shadow backups
Consider a database containing sensitive data that has been duplicated to an unencrypted Amazon Cloud Storage bucket not maintained by the core technical team.
DSPM can automatically analyze all Amazon cloud objects containing sensitive data, classify them (PII, PCI, HIPAA, etc.), assess the risk, and notify the security team.
2. High-risk data flows
Consider a sensitive data record acquired via a web app, saved in Azure Cosmos DB, backed up to Azure Blob Storage, and then enriched and connected to SQL Server for analytics.
In such a case, the organization will lack insight into each service’s security posture. For example, it could be difficult to observe who has access to sensitive data at each stage.
DSPM helps map data flows between services and storage locations, highlighting who has access to data, when it is accessed, and related details.
3. Data leak caused by an unsupervised database
Assume that an operational database is replicated into a Windows virtual machine during a database migration. The security team may be unaware that this VM is running a database.
DSPM can detect when a VM is running across a database and notify the security team in real time, enabling them to take action to prevent exfiltration.
4. Snapshot leakage
Consider a company with an isolated, unused database currently shared with an unknown user.
DSPM solutions can detect when an unused database is shared and notify security personnel.
5. Broad user access permissions
An administrator who grants permissions to a large number of users for a specific project may fail to revoke those permissions.
DSPM tools can identify data stores containing client records and enable security teams to determine who has access to them. Thus, security teams can observe that a database containing confidential data has been shared with an entire team or company in a workspace and determine whether these rights are required.
6. Sensitive information copied by an outsider
Consider a data engineering team utilizing AWS Glue (a data integration tool) to migrate sensitive data to a BigQuery database. The company also uses the same connection to move several customer records from BigQuery, which is shared with outside vendors. In this situation, it may be difficult to track the data movement.
DSPM solutions can detect product and vendor data and who accesses each data store, enabling security teams to track sensitive data movements.
4 key takeaways about DSPM solutions
1. Organizations will adopt DSPM solutions to address shadow data
By 2026, more than 20% of companies will have adopted DSPM technology to address the urgent need to discover previously unknown data repositories, also referred to as “shadow data”.
DSPM vendors will become key players in detecting and mitigating shadow data risks. Gartner estimated that DSPM had less than 1% market penetration and expects it to reach 20% over the next several years.9
2. Existing data security technology cannot meet cloud needs
Traditional data security solutions (e.g., cloud service providers or CSP-native tools) designed for steadier, slower on-premises systems can be insufficient to track these cloud deployments since these tools:
- can’t execute frequent reconfiguration
- only identify data in known repositories, leaving shadow data vulnerable.
3. DSPM vendors are critical for strong multi-cloud data security
By 2027, 75% of employees will acquire, change, or develop technology outside of IT’s visibility, up from ~40%. Shadow data is becoming more recognized as a risk by security specialists.10 The production of shadow data is unavoidable; companies need to build centralized visibility that allows security experts to view multi-cloud and create automated rules for data governance.
DSPM solutions provide a unified management console for assessing data risk across several cloud repositories. This central console is one of the most significant advantages of a DSPM solution. It gives a unified picture of your multi-cloud ecosystem.
These centralized data capabilities will enable security teams to detect and classify data, and then continually customize policies. This will ensure organizations have precise data maps that indicate who may access and use the data asset.
4. Data assets are a critical component of DSPM vendors
Compare DSPM solutions to determine their capacity based on your business’s needs. Ensure the DSPM solution includes several data discovery and classification features to provide comprehensive protection.
When researching DSPM solutions, seek vendors that offer multiple data assets, such as databases, files, and analytics pipelines. Also, verify that the DSPM tool supports multiple subsets of each integration, such as numerous self-hosted databases with distinct setups, and various file formats such as JSON or Office.
Key software to integrate with DSPM vendors
- NCCM software: Control and manage changes in network infrastructure.
- Network security policy management solutions (NSPM): Create, develop, and manage policies and procedures for protecting an organization’s network and data from restricted user access.
- Network security audit tools: Detect risk factors, vulnerabilities, and risky activities to help organizations reduce the effect of most cyber attack vectors.
- SDP software: Distribute access controls to internal applications based on a user’s identification.
- Open source RBAC tools: Assign user access roles and duties based on permission levels to avoid loose network access.
- Open source microsegmentation tools: Isolate a network into segments and implement security rules according to each section’s requirements.
- Network performance monitoring tools: Monitor and evaluate network performance to identify and resolve issues such as excessive latency, dropped connections, and poor throughput.
Further reading
- Role-based Access Control (RBAC)
- Network Segmentation: 6 Benefits & 8 Best Practices
- 80+ Network Security Statistics
AIMultiple can assist your organization in finding the right vendor.
Reference Links
Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE and NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and resources that referenced AIMultiple.
Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised enterprises on their technology decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization.
He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider.
Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.
Be the first to comment
Your email address will not be published. All fields are required.