How to Implement a DSPM Framework
The never-ending increase in the volume, variety, velocity, and veracity of data is more evident today than ever. The proliferation of cloud-native and hybrid data sources has multiplied security concerns and exposed key unprotected data. According to a recent survey, only 4% of 1500 IT and security leaders believe that all of their cloud data is secured.
This low level of protection has driven the emergence of Data Security Posture Management (DSPM), which has recently leapt onto the scene to identify security gaps and remediate over-exposed data. Unfortunately, many new vendor entrants' offerings are incomplete, with minimal discovery and classification capabilities, limited de-risking and remediation, poor ability to map user access privileges, and lean data flow tracking.
So what exactly does robust DSPM provide that security teams are lacking? It starts with five key elements of DSPM:
Tools have existed for some time in each of these areas. What is new are offerings that focus specifically on cloud and hybrid data environments. Traditional data discovery tools tend to be limited in scope when it comes to cloud data types. So where do we start with DSPM?
Discover Your Data
What data is within the cloud and hybrid ecosystem? What is the sensitivity level of the data?
The fundamental, non-negotiable first step in securing sensitive cloud data is to know where the data resides and what it contains. Ironically, only 7% of IT and security leaders are confident that they can manage sensitive data across SaaS. BigID offers the only DSPM solution that is able to discover over 70 cloud data sources, whether SaaS applications such as Salesforce, Box, or Office 365; IaaS such as AWS, Azure, or GCP; or streaming data such as Kafka and Kinesis. This is a stark difference from some of the new-entrant DSPM vendors that support as few as four data sources. In addition to numerous data types, BigID supports discovery with the following product offerings and apps:
- Data Discovery Foundation
- Auto Discovery Apps
- Data Inventory
- Sensitivity Classification
- Metadata Exchange
- Cyberark & Hashicorp Apps
BigID leverages multiple classification techniques to confidently identify sensitive or critical data across the environment. These include traditional classification techniques such as regular expressions (regex) and pattern matching, layered with patented NLP and ML techniques to classify and categorize more types of data, more accurately, at scale. Data found to contain PI, PII, PHI, PCI, or other privacy or security concerns can then be labeled with the appropriate level of sensitivity. Sensitivity classification is critical to DSPM in order to establish the security posture.
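The pattern-matching layer described above, as an added illustration that is not BigID's code: regex detectors find candidate card numbers, SSNs, and e-mail addresses, a validator (Luhn checksum, SSA range rules) confirms each hit so that a 16-digit ticket id is not labeled as PCI, and each source is labeled with the highest sensitivity tier implied by what was found. The tier names, detector set, and sample records are constructed for the example; a real classifier adds many more patterns and the NLP/ML layer the text mentions.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample content (not real data): a source path mapped to text values found there.
SAMPLE_RECORDS = {
    "customers.csv:email": ["alice@example.com", "bob@example.org"],
    "customers.csv:notes": ["Called about invoice", "Prefers email contact"],
    "payments.csv:card":   ["4111 1111 1111 1111", "5500 0000 0000 0004"],
    "hr/ssn_backup.txt":   ["123-45-6789"],
    "support/tickets.txt": ["ref 1234 5678 9012 3456 is a ticket id, not a card"],
    "logs/app.log":        ["user 123 logged in", "order 9 placed"],
}

# Hypothetical sensitivity tiers; the highest tier wins when a source holds several kinds of data.
TIERS = {0: "Internal", 1: "Confidential", 2: "Restricted"}

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits; rejects digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return 13 <= len(digits) <= 19 and total % 10 == 0

def ssn_ok(candidate: str) -> bool:
    """Rejects area/group/serial values the SSA never issues (000, 666, 9xx, 00, 0000)."""
    area, group, serial = candidate.split("-")
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

@dataclass(frozen=True)
class Detector:
    label: str                       # data category reported on a confirmed hit
    tier: int                        # sensitivity tier implied by the category
    pattern: re.Pattern
    validate: Callable[[str], bool]  # checksum / range check applied to each regex hit

DETECTORS = [
    Detector("PCI",       2, re.compile(r"\b(?:\d[ -]?){13,19}\b"), luhn_ok),
    Detector("PII:SSN",   2, re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    Detector("PII:email", 1, re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), lambda _: True),
]

def classify(records: dict) -> dict:
    """Label each source with the categories found and the highest sensitivity tier implied."""
    report = {}
    for source, values in records.items():
        labels, tier = set(), 0
        for value in values:
            for det in DETECTORS:
                # a regex hit only counts once the validator accepts it
                if any(det.validate(m.group(0)) for m in det.pattern.finditer(value)):
                    labels.add(det.label)
                    tier = max(tier, det.tier)
        report[source] = {"labels": sorted(labels), "sensitivity": TIERS[tier]}
    return report

if __name__ == "__main__":
    for source, info in classify(SAMPLE_RECORDS).items():
        print(f"{source:24} {info['sensitivity']:12} {', '.join(info['labels']) or '-'}")
```

The validator step is what keeps false positives down: without it, the ticket id in support/tickets.txt would be labeled Restricted and would generate remediation noise.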
Map User Access to Data
Who can see the data? What are the inappropriate permissions? Do external or public users have access?
BigID access governance discovers open access, over-privileged users, and over-exposed data. These threats are then swiftly addressed and privileges revoked utilizing:
Soon, organizations will be able to remove all concerning external or public access to files at scale. In addition, BigID has just introduced new capabilities to reduce risk by making it easy to lock down access to sensitive data in cloud file repositories such as M365, Google Workspace, and AWS S3. Building on its existing data access intelligence and remediation capabilities in multi-cloud and hybrid-cloud environments, BigID now adds fully automated end-to-end remediation to ensure that cloud data risk from open and over-privileged file access is quickly closed, preventing insider threats, data leaks, and dangerous breaches.
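The access-mapping and remediation flow above, as an added example rather than BigID's own implementation: each file-share object carries the sensitivity label from classification plus its grants, a policy says which principal types may see each tier and who may hold privileged roles, and the evaluator emits findings (public access, external access, over-privileged grants) that a dry-run remediation plan turns into revoke actions for approval. The object inventory, policy tables, and principal names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed inventory of cloud file-share objects and their grants (not real data).
# "type" is the principal kind as the share reports it: user, group, external, public.
SAMPLE_OBJECTS = [
    {"path": "s3://hr-bucket/payroll_2023.xlsx", "sensitivity": "Restricted",
     "grants": [{"principal": "hr-admins", "type": "group", "role": "owner"},
                {"principal": "contractor@partner.example", "type": "external", "role": "reader"},
                {"principal": "everyone", "type": "public", "role": "reader"}]},
    {"path": "gdrive://marketing/brochure.pdf", "sensitivity": "Internal",
     "grants": [{"principal": "everyone", "type": "public", "role": "reader"}]},
    {"path": "m365://finance/forecast.xlsx", "sensitivity": "Confidential",
     "grants": [{"principal": "finance", "type": "group", "role": "owner"},
                {"principal": "intern@corp.example", "type": "user", "role": "writer"}]},
    {"path": "m365://eng/design-notes.docx", "sensitivity": "Internal",
     "grants": [{"principal": "eng", "type": "group", "role": "writer"}]},
]

# Hypothetical policy: which principal types may see each tier ("public" is never allowed),
# which roles count as privileged, and who may hold them on non-Internal data.
ALLOWED_TYPES = {
    "Restricted":   {"user", "group"},
    "Confidential": {"user", "group", "external"},
    "Internal":     {"user", "group", "external"},
}
PRIVILEGED_ROLES = {"owner", "writer"}
PRIVILEGED_ALLOWLIST = {"hr-admins", "finance"}

@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    issue: str      # "public-access", "external-access" or "over-privileged"
    severity: str   # "high" or "medium"

def evaluate(objects: list) -> list:
    """Compare every grant against the policy for the object's sensitivity tier."""
    findings = []
    for obj in objects:
        tier = obj["sensitivity"]
        for g in obj["grants"]:
            if g["type"] == "public":
                # anything public is a finding; exposure of labeled data is high severity
                sev = "medium" if tier == "Internal" else "high"
                findings.append(Finding(obj["path"], g["principal"], "public-access", sev))
            elif g["type"] not in ALLOWED_TYPES[tier]:
                findings.append(Finding(obj["path"], g["principal"], "external-access", "high"))
            elif (g["role"] in PRIVILEGED_ROLES and tier != "Internal"
                  and g["principal"] not in PRIVILEGED_ALLOWLIST):
                findings.append(Finding(obj["path"], g["principal"], "over-privileged", "medium"))
    return findings

def plan_remediation(findings: list) -> list:
    """Dry-run plan: one revoke action per finding, reviewed before anything is changed."""
    return [{"action": "revoke", "path": f.path, "principal": f.principal, "reason": f.issue}
            for f in findings]

if __name__ == "__main__":
    found = evaluate(SAMPLE_OBJECTS)
    for f in found:
        print(f"[{f.severity:6}] {f.issue:16} {f.principal:28} {f.path}")
    print(f"{len(plan_remediation(found))} revoke action(s) queued for approval")
```

Keeping the plan separate from execution is deliberate: the same findings can feed a ticket, a dashboard, or an automated revoke, and an allowlisted owner on Restricted data (hr-admins above) produces no action at all.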
Track Data Flows
What is the source of the data? How does the data flow down to data use cases?
BigID’s lineage integrations enable customers to know their data flows and protect their most sensitive data. BigID not only performs deep metadata discovery but also searches the data itself and provides ML-augmented inferences about data sensitivity, data type, and data residency. This detailed data context is married with comprehensive lineage metadata to produce the richest graphical display of data and metadata available for cloud data sources. This is all accomplished with our core platform, supported by the following features and apps:
- Data Lineage
- Correlations
- Breach Investigation App
Leveraging BigID’s advanced graph technology, personal, sensitive, and dark data can be mapped back to a person or entity, providing greater context, awareness, and control if a security incident happens. 62% of organizations report that they are likely to experience an attempted cloud data breach next year, and with breach investigation, organizations can quickly and accurately identify impacted individuals. BigID continues to expand its real-time capabilities, such as the ability to automatically discover discrete accounts across AWS, detect dark data, and monitor changes on the fly.
Protect Against Data Exposure
How do I mitigate these security concerns for cloud and hybrid data sources? Can I confidently get rid of data I’m not using but is a security concern?
BigID targets the control of user access and data usage as an important part of enforcing DSPM. However, privileges, access, usage, and the data itself all change, which requires the ability to detect a threat before or as it happens. In addition, utilizing remediation and access intelligence, over-exposed and over-privileged data is easily mitigated. BigID apps targeted at the control of data exposure are:
- Data Remediation App
- Data Labeling App
- Data Deletion App
- Access Intelligence App
- Snowflake Access & Masking App
A best practice for protecting data is developing governance and retention policies. When it comes to actual data usage, differential backup systems tell us that as little as 5-10% of data is ever used. In addition, 27% of tech professionals believe that more than 50% of their data is “dark data”. On top of that, 48% of organizations have a high level of concern that dark data will continue to proliferate. BigID’s discovery across cloud-native and hybrid-cloud platforms reveals the extent of ROT (redundant, outdated, trivial) data that can be cleaned up. Using BigID’s industry-first data deletion app, duplicate and stale data can easily be deleted, greatly reducing the attack surface and thus assisting in better access management.
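The ROT clean-up described above, as an added example and not BigID's deletion app: files are fingerprinted by content hash so that redundant copies are found regardless of name or location, files not accessed within a retention window are flagged as stale, and anything under a retention or legal hold is never proposed for deletion (it is instead preferred as the canonical copy). The inventory, hold flags, and the 365-day window are constructed for the example; a real scan hashes object streams rather than holding content in memory.

```python
import hashlib
from datetime import date, timedelta

# Constructed file inventory (not real data). "content" stands in for bytes read from the store.
TODAY = date(2024, 1, 1)
STALE_AFTER = timedelta(days=365)   # assumed retention window
SAMPLE_FILES = [
    {"path": "s3://archive/report.pdf",     "content": b"Q3 report v1",  "last_access": date(2022, 5, 1),   "hold": False},
    {"path": "s3://shared/report-copy.pdf", "content": b"Q3 report v1",  "last_access": date(2023, 11, 20), "hold": False},
    {"path": "s3://legal/report-copy2.pdf", "content": b"Q3 report v1",  "last_access": date(2021, 1, 1),   "hold": True},
    {"path": "s3://shared/notes.txt",       "content": b"meeting notes", "last_access": date(2023, 12, 30), "hold": False},
    {"path": "s3://old/export.csv",         "content": b"id,name",       "last_access": date(2022, 1, 1),   "hold": False},
]

def fingerprint(content: bytes) -> str:
    """Content hash: two files with the same bytes are duplicates whatever their names."""
    return hashlib.sha256(content).hexdigest()

def find_rot(files: list, today: date = TODAY):
    """Return (duplicates, stale).

    duplicates: copies beyond the first canonical file per fingerprint, each with the path kept
    stale:      files not accessed within STALE_AFTER
    Files under hold are never proposed, and are visited first so a held copy becomes canonical.
    """
    canonical = {}
    duplicates, stale = [], []
    for f in sorted(files, key=lambda f: (not f["hold"], f["path"])):
        h = fingerprint(f["content"])
        if h in canonical:
            if not f["hold"]:
                duplicates.append({"path": f["path"], "duplicate_of": canonical[h]})
        else:
            canonical[h] = f["path"]
        if today - f["last_access"] > STALE_AFTER and not f["hold"]:
            stale.append(f["path"])
    return duplicates, stale

def deletion_candidates(files: list, today: date = TODAY) -> list:
    """Union of duplicate and stale paths, sorted, for review before the deletion job runs."""
    duplicates, stale = find_rot(files, today)
    return sorted({d["path"] for d in duplicates} | set(stale))

if __name__ == "__main__":
    dups, old = find_rot(SAMPLE_FILES)
    for d in dups:
        print(f"duplicate {d['path']}  (canonical copy: {d['duplicate_of']})")
    for p in old:
        print(f"stale     {p}")
    print("candidates:", deletion_candidates(SAMPLE_FILES))
```

Note that a file can appear in both lists (archive/report.pdf is a duplicate and stale); the candidate list deduplicates so the deletion job sees each path once.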
Assess and Report
How do we not only ensure DSPM but also create ongoing visibility for management?
DSPM forms the basis of a data risk assessment to evaluate the implementation of data security governance policies. BigID provides a user-friendly dashboard that always offers a view into the security posture of cloud data. In addition, a business-friendly PDF data risk assessment is generated automatically; it documents the business process taken to ensure DSPM and also includes data sources, classification highlights, sensitivity classes, sensitivity classification results, data risk scoring, and overall posture management. BigID provides effective DSPM assessment and reporting through:
- Case Management
- Hotspot Reporting
- Policies
Setting policies for access and retention greatly reduces DSPM exposure. BigID has a track record of effectively discovering and classifying data from gigabytes up to many petabytes. As such, Hotspot Reporting was introduced this year to quickly point to where sensitive data likely resides so that data security controls can be applied there first.
DSPM in Action
Cloud data security has been a focus of BigID for years. BigID, as a SaaS-based solution, addresses the fundamental needs in securing cloud, hybrid, and on-premises environments. Beyond DSPM, customers can also tackle broader data security, privacy, data governance, and compliance concerns with the BigID Data Intelligence Platform.