January 31, 2024 By Tom Fisher 4 min read

“A data breach has just occurred”, is a phrase no security professional wants to hear. From the CISO on down to the SOC analysts, a data breach is the definition of a very bad day. It can cause serious brand damage and financial loss for enterprises, lead to abrupt career changes among security professionals, and instill fear of financial or privacy loss for businesses and consumers.

According to an ESG report, 55% of data and workloads currently run or operate in the cloud and 43% of current on-premises apps will likely move to the cloud in the next 5 years. That means that data generation and movement within the cloud is increasing at an even more impressive rate. This has and will continue to increase the attack surface against cloud assets, especially sensitive data. If cloud data isn’t adequately secure, it’s a massive liability for any organization.

Is data security in the cloud actually a problem?

Yes, it is. It’s a BIG problem. According to Gartner, Inc., “Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data. Cloud strategies usually lag behind cloud use. This leaves most organizations with a large amount of unsanctioned, and even unrecognized, public cloud use, creating unnecessary risk exposure. CIOs must develop a comprehensive enterprise strategy before cloud is implemented or risk the aftermath of an uncontrolled public cloud.”

You may then ask, “Well, what about encryption?” It protects the data. Doesn’t it?

Yes, it does, when it’s vigorously and thoroughly applied to all data assets. But according to Statista.com, “In 2021, approximately 55 percent of respondents who experienced data encryption issues reported that unencrypted cloud services are a problem.”

Encryption also comes with a cost, and it’s often always easy to implement, especially within the cloud. Many companies fail to build encryption into internal security processes or employ digital rights management to help control file access. Without this protection, data that is exfiltrated can and is used to steal identities and money, misappropriate secrets, and other negative effects.

What about the public cloud providers – Don’t they provide protection?

Yes and no. The best definition of what public cloud providers provide is the Shared Responsibility Model of Amazon Web Services (AWS). It specifies “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.

That means for cloud data security, YOU bear the responsibility for protecting your data and for application, network, access and other security.

To accommodate some of these security requirements, cloud security posture management (CSPM) has emerged to address security issues created by public cloud infrastructure.

According to Gartner, Inc., cloud security posture management consists of offerings that continuously manage IaaS and PaaS security posture through prevention, detection and response to cloud infrastructure risks. The core of CSPM applies common frameworks, regulatory requirements and enterprise policies to proactively and reactively discover and assess risk/trust of cloud services configuration and security settings. If an issue is identified, remediation options (automated or human-driven) are provided.

You may have noticed that missing from that definition is any consideration for data. That could be because the general assumption is that data is protected by encryption and doesn’t need further protection. But the reality of data protection is more complex.

According to the analyst information above, not all the information traversing public cloud, multi-cloud and hybrid cloud environments is unencrypted. That, unto itself, is a serious security deficit. But, other actions, such as exfiltrating encrypted data and holding it for ransom can be equally problematic. In the cloud, data interception can be more difficult to track because of the ephemeral nature of microservices-based applications.

To address these issues, which are not handled by CSPM platforms. That’s why data security posture management (DSPM) has emerged as a rapidly growing component of enterprise security focus. Why? Because it’s focused on keeping data secure. Although other security posture platforms, such as CSPM have done a solid job in detecting and providing ways to alleviate security vulnerabilities, cyber thieves have still found ways to circumvent those vulnerability measures to instigate data breaches.

What are the differences?

CSPM Attributes

DSPM Attributes

Detect and automatically remediate cloud misconfigurations.

Provide unified data security with a single view of data security and compliance posture.

Maintain an inventory of best practices for different cloud configurations and services.

 

Generate data security and audit reports in seconds and customize reports to meet specific needs.

Map current configuration statuses to a security control framework or regulatory standard.

Understand risk by providing risk-scoring to show where high-risk activities occur and focus the investigation on high-risk areas first.

Work with IaaS, SaaS and PaaS in containerized, hybrid cloud and multi-cloud environments.

Understand threats by rating anomalies with a risk-scoring engine and give each a high-, medium-, or low-risk score. Show data source and risk information and show high-risk anomalies.

Monitor storage buckets, encryption and account permissions for misconfigurations and compliance risks.

Provide analytics for Investigating issues, detecting threats, finding anomalies and the specifics for each issue.

 

Share insights about an anomaly across multi-cloud infrastructure with compliance teams

 

Block suspicious users, prevent access to on-premises or in-cloud data sources and automatically trigger incident remediation.

Scroll to view full table

DSPM has evolved to provide additional security protections for structured and unstructured data, whether it’s encrypted or not. DSPM tracks data wherever it’s located in a public cloud, multi-cloud or hybrid cloud environment. A comparison of CSPM versus DSPM is summarized in the table above.

DSPM and CSPM are two separate yet vital components of cloud security. They provide different types of security for cloud environments which are complimentary capabilities.

Organizations shouldn’t choose one over the other, if possible. It’s crucial to deploy CSPM and DSPM simultaneously for a holistic approach to protecting your cloud and hybrid cloud environments. After all, it is better to have all your bases covered to help ensure your sensitive data is secure. But if you must choose, DSPM is the platform that protects your most crucial resource, your data.

Address data security posture management with IBM Security® Guardium® Insights SaaS DSPM. Provide compliance and security teams with essential visibility and insights to help ensure your company’s sensitive data is secure and compliant.

If you’re interested in learning more about DSPM v. CSPM, please check out this video on the @IBMTechnology YouTube channel. Ready to enhance your data security strategy? Start with IBM Security Guardium Insights SaaS DSPM.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today