As a technology and information security leader, I selected the top 10 DSPM solutions for discovering, classifying, and protecting sensitive data across IaaS, SaaS, and DBaaS environments. Explore the rationale behind each choice through the links below:
| Vendor | For | |
|---|---|---|
1. | Out-of-the-box data classifiers, cloud & data warehouse coverage | |
2. | Proactive and automated risk mitigation | |
3. | SaaS, and on-premises coverage | |
4. | Threat intelligence (DDR, UEBA) | |
5. | Data privacy management | |
6. | Out-of-the-box data classifiers (500+ classifiers) | |
7. | Discovering and classifying structured data across PDFs, ZIP files | |
8. | Companies with large budgets | |
9. | Broad DBaaS coverage | |
10. | Companies with tight budgets | |
11. | Companies with tight budgets | |
Security features
| Vendor | DDR support | Data classifiers | Petabyte scale support |
|---|---|---|---|
| Sentra | ✅ | 200+ | ✅ |
| Druva | ✅ | No information | ✅ |
| Varonis Data Security | ✅ | 400+ | ✅ |
| Prisma Cloud by Palo Alto Networks | ✅ | 150+ | ✅ |
| Securiti | ✅ | 200+ | ✅ |
| Cyera | ✅ | 500+ | ✅ |
| OneTrust Data Discovery & Classification | ❌ | 200+ | ✅ |
| Symmetry DataGuard | ✅ | No information | ❌ |
| Dig Security Platform by Prisma Cloud | ❌ | 150+ | ❌ |
| Laminar by Rubrik | ✅ | No information | ✅ |
| BigID | ✅ | No information | ✅ |
Vendors with:
- DDR (data detection and response) can monitor cloud environments storing data to:
- Compare security events that contain high-risk sensitive data.
- Prioritize risk according to data security posture and context.
- High number of data classifiers offer broader data categorization (e.g. PII, confidential data, or authorization levels).
- Petabyte scale support store and process petabytes of big data..
Security service integrations
Vendors with:
- IAM integrations can verify and identify the people & devices trying to log in or access resources. For more: RBAC
- DLP (data loss prevention) integrations can enforce rules to prevent data exfiltration.
- UEBA (user and entity behavior analytics) integrations can provide data insights into user and device activity rather than relying on policy-based insights.
Coverage
| Vendor | Databases & data warehouses |
|---|---|
| Sentra | Snowflake, Databricks, BigQuery, Amazon Redshift, MongoDB Atlas, and more |
| Druva | Oracle, SQL Server, and cloud-native databases |
| Varonis Data Security | Amazon Aurora, Amazon DynamoDB, CosmosDB, DocumentDB, IBM DB2, MariaDB, MongoDB, MongoDB Atlas, Oracle, MSSQL, PostgreSQL |
| Prisma Cloud by Palo Alto Networks | Snowflake, PostgreSQL, MongoDB, MySQL, MariaDB, MSSQL |
| Securiti | Amazon DynamoDB, Amazon Redshift, Amazon S3 |
| Cyera | Snowflake, and more |
| OneTrust Data Discovery & Classification | Amazon DynamoDB, Amazon RDS, Apache Cassandra, IBM Netezza, Microsoft SQL Server, MongoDB, Microsoft Azure Cosmos DB, MySQL, Oracle RDBMS, PostgreSQL, PrestoDB, Redis, SAP HANA, Apache Hive, IBM DB2 |
| Symmetry DataGuard | Amazon Redshift, Amazon S3 |
| Dig Security Platform by Prisma Cloud | MySQL, Aurora, Postgresql, Amazon S3 |
| Laminar by Rubrik | Snowflake, MySQL, and more |
| BigID | Amazon S3, Redis, MySQL, Snowflake, MongoDB Atlas |
Pricing
Vendors indicate that pricing is variable and dependent on the number of data sources, apps, and connectors, deployment type, and level of services and support.
| Vendor | AWS Marketplace pricing |
|---|---|
| Sentra | $50,000 – $500,000 (per year) |
| Druva | $1,500 – $215,000 (per year) |
| Varonis Data Security | $310 – $750 per dimension* |
| Prisma Cloud by Palo Alto Networks | $9,000 – $18,000 (per year) |
| Securiti | $2.80/hr |
| Cyera | $50,000 – $500,000 (per year) |
| OneTrust Data Discovery & Classification | $10,000 – $24,000 (per year) |
| Symmetry DataGuard | $100,000 – $250,000 (per year) |
| Dig Security Platform by Prisma Cloud | $50,000 – $500,000 (per year) |
| Laminar by Rubrik | $10,000 – $250,000 (per year) |
| BigID | $15,000 – $175,000 (per year) |
Insights come from AWS Marketplace1 .
*A dimension (e.g. Varonis for AWS) may contain multiple features and quantities (for example, a single dimension may represent 5 users and 10GB of storage).
Top 10+ DSPM vendors reviewed
Data security posture management (DSPM) vendors help companies by providing network visibility into where to find sensitive data, who has access to it, and how it has been used across the cloud.
These vendors focus on discovering your data regardless of whether these data locations are structured or unstructured, or reside at shadow data repositories.
Sentra
Out-of-the-box data classifiers, cloud & data warehouse coverageSentra is a cloud data security posture management (DSPM) solution. It is widely used in the financial services, healthcare, retail, and logistics industries. With Sentra, SecOps can use 20 pre-built or custom integrations for broader data security (e.g. Datadog for enterprise monitoring, Trellix for data loss prevention).
Organizations can leverage Sentra to:
- Protect their sensitive data
- Personal data covered by global privacy regulations (GDPR, HIPAA, PCI, and NIST) needs protection, such as PII, PCI, and PHI. For more: Data compliance.
- Proprietary data such as customer data, HR data, or intellectual property.
- Leverage automated data discovery and classification to gain valuable insights from data at a petabyte scale.
- Establish data access governance (DAG) to manage excessive permissions and unauthorized access. For more: RBAC.
Sentra provides broad coverage for IaaS, PaaS, SaaS, and on-premises settings. This enables security and IT teams to get access to their data repositories, reduce shadow data, and ensure compliance.
Microsoft ecosystem:
- Cloud Services: Azure
- Collaboration Tools: Microsoft 365, Teams
- File storage: OneDrive, SharePoint
Amazon AWS ecosystem
- Cloud services: Amazon AWS, EC2
- Storage solutions: S3
Google ecosystem
- Cloud services: Google Cloud Storage
- Database solutions: BigQuery, Cloud Bigtable, Cloud SQL, Cloud Spanner
- Data processing: Dataflow
Data warehousing and analytics:
- Data warehouses: Snowflake, Databricks, Amazon Redshift
- NoSQL Database: MongoDB Atlas
Druva Data Security Cloud
Best for proactive and automated risk mitigationDruva Data Security Cloud is a cloud-native platform designed for enterprise data protection and management. It offers features such as data backup, recovery, archiving, and governance across various environments, including cloud applications (Microsoft 365, Google Workspace, Salesforce), endpoints (laptops, mobile devices), and virtual machines (VMs).
How Druva handles sensitive data:
Druva lets you define sensitive data using custom rules or predefined compliance templates (e.g., HIPAA, PCI). It then scans backed-up data across endpoints and cloud apps to detect policy violations. When issues are found, it flags them and enables actions like quarantine or disabling restores/downloads.
Features:
- Automated backups with rapid recovery
- Archiving for compliance
- Malware and ransomware detection
- Data loss prevention (DLP)
Pros
Efficient incremental backups: Detects file changes and performs only incremental backups, saving time and bandwidth.
Cloud-based file recovery: Enables full file restoration from the cloud in cases of laptop loss or theft.
Cons
Not a dedicated “data labeling” service; no deep data discovery or classification capabilities.
No multi-cloud visibility
Varonis Data Security (DSPM)
Best for SaaS, and on-premises coverageVaronis Data Security (DSPM) platform identifies insider threats and cyberattacks by analyzing data, account activity, and user behavior. Varonis Data Security (DSPM) informs where sensitive data is concentrated and automatically corrects overexposure, getting users to the least privilege without human action.
Features:
- Data discovery and classification: Continuously search cloud and on-premise data storage using built-in and custom classifiers. The solution displays data exposure details, allowing users to prioritize the cleanup of at-risk sensitive data.
- Access intelligence: Get a real-time visual picture of who has access to sensitive data. Determine a user’s impact radius based on their access permissions.
Integrations: Salesforce, GitHub, Zoom, Active Directory, Azure AD, Nasuni, NetApp, IBM QRadar, Panzura, NETGEAR, Splunk, CorteXSOAR, CyberArk.
Deployment: Cloud, on-premise Windows, on-premise Linux, Red Hat Enterprise Linux, Oracle Solaris.
Pros
DSPM: Some customers appreciate that the platform can quickly provide information on massive data sets, including significant classifications for understanding the environment’s security posture.
Transparent data flow reporting: Some IT specialists conclude that the platform has a transparent reporting system, which enables users to combine data flows into a single reporting system.
Cons
Sluggish data management: According to some users, the software is slow, particularly when pulling up data and loading it into the management panel.
Complex usage: Some reviews highlight that the product is complex to use.
Read more: AI-SPM (AI-Security Posture Management)
Prisma Cloud
Best for threat intelligence with DDR, and UEBAPrisma Cloud (DSPM) enables enterprises to leverage data discovery, categorization, and monitoring capabilities. Prisma Cloud (DSPM) offers privacy and compliance posture by identifying how sensitive data is copied or consumed across your cloud environments. With Prisma Cloud (DSPM) administrators can analyze how regulated data moves via various cloud services.
Features:
- Automatic data classification: Use over 100 pre-built classifiers to detect, customize, and create personally identifiable information (PII), financial information, health records, developer secrets, and compliance-related data.
- Malware prevention: Prisma Cloud DSPM detects malware through automated detection and data in cloud storage scanning.
Integrations: Splunk, Tenable, Webhook, Qualys, ServiceNow, PagerDuty, Okta, Jira.
Deployment: Cloud, SaaS, Web-based.
Pros
DSPM: Users say that Prisma Cloud (DSPM)’s capability to illustrate the posture of cloud accounts across cloud platforms is quite valuable for daily operations.
Creating rules: Some users mention that setting up rules is easy.
Cons
Cloud scanning performance: Some critics point out that the ability to scan large cloud systems can be slow.
Internal documentation: Some IT users claim that understanding the documentation takes significant time and effort.
Securiti
Out-of-the-box data classifiers (500+ classifiers)Securiti (DSPM) allows enterprises to discover shadow and cloud-native data assets across over 200 platforms. Securiti (DSPM) has received numerous industry and analyst awards, including “Cool Vendor in Data Security” by Gartner and “Privacy Management Wave Leader” by Forrester. Securiti (DSPM) Data Command Center helps enterprises to:
- Classify sensitive data on a large scale, including structured and unstructured data.
- Employ over 700 pre-defined criteria and sensitive data to prioritize and reduce misconfiguration.
Features:
- Data streaming: Control over sensitive data as it flows across cloud streaming systems including Confluent, Kafka, Amazon Kinesis, and GCP PubSub.
- Data privacy graph: Track an individual’s data via a People Data Graph.
Integrations: AWS, Microsoft 365, Salesforce, WorkDay, GCP, Intercom, Oracle, MongoDB, IBM, Asana Premium, Presto, Okta, Drift.
Deployment: Cloud, on-premise Windows, on-premise Linux.
Pros
Data scanning: IT users indicate that the product can connect to and scan several data sources. The visualizations are simple to understand.
Deployment: Security managers note that they quickly deployed thousands of structured and unstructured data repositories in public cloud environments in days.
Cons
Scanning unstructured data stores: Technical managers say that scanning unstructured data stores requires improvement. The software could be more effective with scanning undetected file types or large data stores (e.g., S3 buckets).
Data scan results: Users expect to see incremental changes at each scan rather than the entire scan results.
Cyera (DSPM)
Cyera (DSPM) is an AI-powered platform that discovers, analyzes, and categorizes data across your organization’s data landscape, with no agents.
Features:
- Data Detection and Response (DDR): Get alerts when data is moved, used, or located improperly.
- Data Access Governance (DAG): Enforce data access policies with customized controls over which identities have access to specific data.
Integrations: Google Cloud Platform, Slack, AWS, Bitbucket, Splunk APM, ServiceNow, Collibra, IBM Security QRadar SIEM, Oracle Cloud Infrastructure, Wiz.
Deployment: Cloud, SaaS, Web-based.
Pros
Data management: Cybersecurity consultants argue that the most valuable features are data discovery, categorization, and (DSPM).
Data matching: Users express that Cyera (DSPM) can match and identify massive complex data, including Canadian-specific health data, US patient data, and other mixed business data from over 17 different businesses.
Cons
On-premise coverage: Users think that the solution may expand its data security services to on-premises.
Reporting: Some users complain that reporting is still in its early stages and that there isn’t enough helpful dashboarding/KPI information.
OneTrust
Best for discovering and classifying structured data across PDFs, ZIP filesOneTrust Privacy & Data Governance Cloud (DSPM) helps companies to continuously analyze data and security posture, ensuring that data posture is understood based on data type and location.
Features:
- Data scanning and mapping: Apply scanning and data mapping to monitor changes and spot data movement.
- Data discovery: Discover unknown data and determine whether it is sensitive data or creates a data security concern.
- Data minimization: Identify and eliminate redundant, outdated, and trivial data.
Integrations: ALTR, Amazon Athena, Amazon DynamoDB, Apache Hive, Apache Kafka, Auth0, Broadcom, HubSpot, Google Cloud Platform, IBM Security, MongoDB, Okta.
Deployment: Cloud, on-premise Windows, on-premise Linux.
Pros
Customizable DSPM procedures: IT directors credit customizable DSPM procedures that match our organization’s privacy and regulatory standards to manage data assets.
Data flow audits: Customers indicate that the product maintains a comprehensive audit database for data flow, making it simple to set policies for data management.
Cons
Integrations: Some software engineers claim that integrating the platform with current systems can be complex, requiring time and effort to explore and execute efficiently.
Navigating workflows: Some reviewers state that navigating the product is not intuitive, and it takes time to grasp the flow.
Symmetry DataGuard
With Symmetry DataGuard, companies can deliver data detection, categorization, and protection capabilities to gain network visibility into your organization’s data risk posture.
Companies can also install access restrictions, monitoring, and automation features via Symmetry DataGuard (DSPM) to mitigate the risk associated with the frequency of security events.
Integrations:
Features:
- Data detection and response: Monitor unexpected data access patterns.
- Access controls: Manage data maps based on role (RBAC) or mandatory access control (MAC).
Read more: RBAC use cases, RBAC examples.
Integrations: Asana, Azure, IBM Radar, Splunk, Elastic, OneDrive, AWS, Google Cloud Platforms.
Deployment: Cloud, on-premise Windows, on-premise Linux, air-gapped (deploying software by physically isolating a secure computer network).
Pros
Data classification: CISOs note that Symmetry DataGuard (DSPM) provides a large collection of sensitive data types.
Data visibility: Customers express that Symmetry Data Guard (DSPM) provides clear insights on where sensitive data is, who can access it, and how it is used.
Cons
Performance: Some reviews highlight that Symmetry DataGuard (DSPM) has performance latency that may create a load on your database and system.
Integrations: Some users conclude that support for integrations such as “Azure integrations” is limited.
Dig Security
Dig Security Platform by Prisma Cloud, acquired by Palo Alto Networks in 2023, prioritizes data risks, analyzes data flows, and visualizes access governance to provide data security posture management across any cloud.
Features:
- Microsoft 365 data security: Gain transparency into where sensitive data is stored, how it’s classified, and who has access to it across several OneDrive accounts and SharePoint sites.
- Audit your organization’s categorization and encryption method.
- Connect with Azure Information Protection to discover mislabeled files.
- File share scanning: Scan and classify documents in your on-premises file shares, to gain insights into the structure of your shared folders.
- Contextualize and prioritize data risks hidden in millions of unstructured documents.
- Map user permissions and explain who may access what.
Integrations: AWS, Azure, Google Cloud Platform, Oracle Cloud and Snowflake.
Deployment: Cloud-native.
Pros
Data discovery: Users argue that the product eliminates laborious data asset searches, providing cloud-native flexibility.
Threat detection: Audit managers emphasize that threat detection capabilities provide strong protection against cybersecurity threats.
Cons
Data source connectors: Reviewers expect to see more data source connectors for data discovery and classification (e.g. Amazon FSx, Amazon EFS).
On-premise data server support: Some customers say that there is no support for local data stores, such as on-premise servers.
Laminar
Laminar by Rubrik delivers DSPM solutions by enhancing data visibility and control to limit the risk of data exfiltration and mitigate the effects of cyber attacks.
Features:
- Data geolocation mapping: Gain visibility on data store geolocations and data mobility between cloud environments and geographies.
- Data-centric network segmentation: Receive notifications if a user inserts sensitive or restricted data in untrusted or unauthorized environments, and then either delete the data from the segment or authorize the new environment.
Integrations: Microsoft 365, Microsoft SQL Server, NetApp, Microsoft Azure, AWS, SAP HANA, Zscaler.
Deployment: Cloud, on-premise Windows, on-premise Linux.
Pros
Data discovery and classification: IT specialist complimented Laminar’s data discovery and classification features, stating that the product acquires and updates their company’s sensitive data accurately.
Automated reporting: VPs conclude that Laminar’s automated reporting tools offer useful value-added features.
Cons
Pricing: Some engineers convey that the product is expensive and not suitable for small-size companies.
Integrations: Some users claim that Laminar has strong coverage throughout Snowflake, but it could enhance integration with other data warehouse providers such as Databricks and Dremio.
BigID
BigID can be deployed on several environments, including IaaS, PaaS, SaaS, code repositories, big data, and NoSQL pipelines, and on-premises.
Features:
- AI-augmented discovery: Find, inventory, and categorize all of your data using agentless, AI-augmented data discovery and NLP customization to detect shadow data.
- BigID AI Copilot:
- Gather all data relevant to the business.
- Receive recommendations for data mappings.
- Use Generative AI to generate table descriptions.
Integrations: Hadoop, GitLab, AWS, Oracle Database, SAP HANA, Kafka, Microsoft MySQL, Hive, Google Cloud Platforms, MongoDB.
Deployment: Cloud, on-premise Windows, on-premise Linux.
Pros
Data discovery: Users say that BigID offers a valuable approach to securely handling their company’s data and gaining insights about data gaps and duplicates.
Ease-of-use: Reviews reveal that the product is easy to use and provides a smooth user experience with its Microsoft integrations.
Cons
Data visibility: Some developers assert that BigID provides lower when compared to other cloud and shadow IT applications. They stated that some of their SaaS platforms did not connect with BigID.
Pricing: Customers say that BigID is expensive compared to other alternatives.
How to select the right DSPM tool
1. Coverage
When looking at the present DSPM industry, much of the attention is focused on the data associated with infrastructure platforms such as Azure Blob, S3, data lakes, and databases – where people develop various products and solutions.
However, DSPM encompasses much more, since sensitive data can be spread throughout SaaS, PaaS (e.g., Amazon RDS), and IaaS (e.g., virtual machines running databases) systems.
Organizations with multi-purpose apps might have their “sensitive data” in workflows between these apps. These organizations may select a DSPM tool that covers IaaS, PaaS, and SaaS environments.
Figure: Three key domains: File, SaaS, and IaaS, where sensitive data is stored
Source: Varonis2
2. Accuracy
Some DSPM tools will only provide basic policy-based alerts, which may provide insufficient analytical results. Some DSPM vendors may provide more comprehensive capabilities that provide more accurate results.
For example, DSPMs that have a user and entity behavior analytics (UEBA) capability will learn and baseline regular behavior while also generating notifications for unusual activity.
Thus, selecting a DSPM tool that offers integrated UEBA or threat intelligence integrations can help your organization gain more accurate data insights.
3. Scale
Organizations that are assessing large volumes of data (e.g. banks, retailers, insurance companies, Fortune 1000) should select a DSPM tool that can perform classification or permission scans on a petabyte scale.
3 DSPM-like solutions to watch out for
1. Vendors specializing only in data privacy
Discovery-only DSPMs lack the context required to determine whether sensitive data is at risk. These solutions assess data security posture by counting sensitive data findings, but they do not account for exposure levels, issue resolution, or data threat detection. Discovery-only DSPMs are just data catalogs.
2. IaaS-only DSPM
Several DSPM companies focus on the top three IaaS platforms (AWS, Azure, and GCP) while ignoring other essential data domains such as cloud file storage, on-premises file shares, SaaS apps, and email. Coverage of databases in multi-cloud systems is critical; search for a DSPM vendor who covers all of your data domains.
3. DSPM without real-life cybersecurity expertise
Data security vendors should have research teams and real-life case studies dedicated to discovering vulnerabilities, tracking threat actors, and building new threat models..
For guidance on choosing the right tool or service, check out our data-driven sources: network security policy management (NSPM) tools and incident response tools.
Comments
Your email address will not be published. All fields are required.