January 31, 2024 By Tom Fisher 4 min read

“A data breach has just occurred”, is a phrase no security professional wants to hear. From the CISO on down to the SOC analysts, a data breach is the definition of a very bad day. It can cause serious brand damage and financial loss for enterprises, lead to abrupt career changes among security professionals, and instill fear of financial or privacy loss for businesses and consumers.

According to an ESG report, 55% of data and workloads currently run or operate in the cloud and 43% of current on-premises apps will likely move to the cloud in the next 5 years. That means that data generation and movement within the cloud is increasing at an even more impressive rate. This has and will continue to increase the attack surface against cloud assets, especially sensitive data. If cloud data isn’t adequately secure, it’s a massive liability for any organization.

Is data security in the cloud actually a problem?

Yes, it is. It’s a BIG problem. According to Gartner, Inc., “Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data. Cloud strategies usually lag behind cloud use. This leaves most organizations with a large amount of unsanctioned, and even unrecognized, public cloud use, creating unnecessary risk exposure. CIOs must develop a comprehensive enterprise strategy before cloud is implemented or risk the aftermath of an uncontrolled public cloud.”

You may then ask, “Well, what about encryption?” It protects the data. Doesn’t it?

Yes, it does, when it’s vigorously and thoroughly applied to all data assets. But according to Statista.com, “In 2021, approximately 55 percent of respondents who experienced data encryption issues reported that unencrypted cloud services are a problem.”

Encryption also comes with a cost, and it’s often always easy to implement, especially within the cloud. Many companies fail to build encryption into internal security processes or employ digital rights management to help control file access. Without this protection, data that is exfiltrated can and is used to steal identities and money, misappropriate secrets, and other negative effects.

What about the public cloud providers – Don’t they provide protection?

Yes and no. The best definition of what public cloud providers provide is the Shared Responsibility Model of Amazon Web Services (AWS). It specifies “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.

That means for cloud data security, YOU bear the responsibility for protecting your data and for application, network, access and other security.

To accommodate some of these security requirements, cloud security posture management (CSPM) has emerged to address security issues created by public cloud infrastructure.

According to Gartner, Inc., cloud security posture management consists of offerings that continuously manage IaaS and PaaS security posture through prevention, detection and response to cloud infrastructure risks. The core of CSPM applies common frameworks, regulatory requirements and enterprise policies to proactively and reactively discover and assess risk/trust of cloud services configuration and security settings. If an issue is identified, remediation options (automated or human-driven) are provided.

You may have noticed that missing from that definition is any consideration for data. That could be because the general assumption is that data is protected by encryption and doesn’t need further protection. But the reality of data protection is more complex.

According to the analyst information above, not all the information traversing public cloud, multi-cloud and hybrid cloud environments is unencrypted. That, unto itself, is a serious security deficit. But, other actions, such as exfiltrating encrypted data and holding it for ransom can be equally problematic. In the cloud, data interception can be more difficult to track because of the ephemeral nature of microservices-based applications.

To address these issues, which are not handled by CSPM platforms. That’s why data security posture management (DSPM) has emerged as a rapidly growing component of enterprise security focus. Why? Because it’s focused on keeping data secure. Although other security posture platforms, such as CSPM have done a solid job in detecting and providing ways to alleviate security vulnerabilities, cyber thieves have still found ways to circumvent those vulnerability measures to instigate data breaches.

What are the differences?

CSPM Attributes

DSPM Attributes

Detect and automatically remediate cloud misconfigurations.

Provide unified data security with a single view of data security and compliance posture.

Maintain an inventory of best practices for different cloud configurations and services.


Generate data security and audit reports in seconds and customize reports to meet specific needs.

Map current configuration statuses to a security control framework or regulatory standard.

Understand risk by providing risk-scoring to show where high-risk activities occur and focus the investigation on high-risk areas first.

Work with IaaS, SaaS and PaaS in containerized, hybrid cloud and multi-cloud environments.

Understand threats by rating anomalies with a risk-scoring engine and give each a high-, medium-, or low-risk score. Show data source and risk information and show high-risk anomalies.

Monitor storage buckets, encryption and account permissions for misconfigurations and compliance risks.

Provide analytics for Investigating issues, detecting threats, finding anomalies and the specifics for each issue.


Share insights about an anomaly across multi-cloud infrastructure with compliance teams


Block suspicious users, prevent access to on-premises or in-cloud data sources and automatically trigger incident remediation.

Scroll to view full table

DSPM has evolved to provide additional security protections for structured and unstructured data, whether it’s encrypted or not. DSPM tracks data wherever it’s located in a public cloud, multi-cloud or hybrid cloud environment. A comparison of CSPM versus DSPM is summarized in the table above.

DSPM and CSPM are two separate yet vital components of cloud security. They provide different types of security for cloud environments which are complimentary capabilities.

Organizations shouldn’t choose one over the other, if possible. It’s crucial to deploy CSPM and DSPM simultaneously for a holistic approach to protecting your cloud and hybrid cloud environments. After all, it is better to have all your bases covered to help ensure your sensitive data is secure. But if you must choose, DSPM is the platform that protects your most crucial resource, your data.

Address data security posture management with IBM Security® Guardium® Insights SaaS DSPM. Provide compliance and security teams with essential visibility and insights to help ensure your company’s sensitive data is secure and compliant.

If you’re interested in learning more about DSPM v. CSPM, please check out this video on the @IBMTechnology YouTube channel. Ready to enhance your data security strategy? Start with IBM Security Guardium Insights SaaS DSPM.

More from Data Protection

Data residency: What is it and why it is important?

3 min read - Data residency is a hot topic, especially for cloud data. The reason is multi-faceted, but the focus has been driven by the General Data Protection Regulation (GDPR), which governs information privacy in the European Union and the European Economic Area.The GDPR defines the requirement that users’ personal data and privacy be adequately protected by organizations that gather, process and store that data. After the GDPR rolled out, other countries such as Australia, Brazil, Canada, Japan, South Africa and the UAE…

Third-party breaches hit 90% of top global energy companies

3 min read - A new report from SecurityScorecard reveals a startling trend among the world’s top energy companies, with 90% suffering from data breaches through third parties over the last year. This statistic is particularly concerning given the crucial function these companies serve in everyday life.Their increased dependence on digital systems facilitates the increase in attacks on infrastructure networks. This sheds light on the need for these energy companies to adopt a proactive approach to securing their networks and customer information.2023 industry recap:…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today