S
Home Data Security ยท Updated 2026-07-08

Data Security Posture Management

Data Security Posture Management (DSPM) is a security discipline and category of tooling that provides continuous visibility into where sensitive data lives, who and what can access it, how it is protected, and whether that protection is adequate relative to the data's sensitivity and regulatory obligations. DSPM answers the foundational questions that most organisations struggle to answer: What sensitive data do we have? Where is it? Who has access to it? Is it properly protected?

DSPM emerged as a formal discipline in response to the explosion of data across cloud environments โ€” object storage, managed databases, data lakes, SaaS platforms, and development tools โ€” where data sprawl, misconfigured permissions, and shadow data routinely outpace manual governance processes.


Why DSPM Matters

Traditional data security assumed data lived in known, bounded locations: on-premises databases, file servers, mainframes. Cloud adoption broke this model:

  • Data sprawl: Developers spin up S3 buckets, snapshot databases, export CSVs to data lakes, and share files to SaaS tools โ€” often without security or governance involvement
  • Shadow data: Copies of production data appear in development environments, analytics pipelines, and backups, each with its own (often weaker) access controls
  • Permission drift: Access rights accumulate over time โ€” users, roles, and service accounts retain access long after it is needed
  • Misconfiguration at scale: A single misconfigured S3 bucket policy or publicly accessible database snapshot can expose millions of records
  • Regulatory complexity: GDPR, HIPAA, PCI DSS, and CCPA each impose specific requirements for locating, classifying, and protecting regulated data โ€” requirements that cannot be met without knowing where the data is

DSPM addresses these challenges by continuously discovering and assessing data risk across the entire estate, not just at scheduled audit intervals.


Core DSPM Capabilities

1. Data Discovery

The foundation of DSPM is finding all data stores โ€” managed and unmanaged, known and shadow.

Scope of discovery:

Environment Examples
Cloud object storage AWS S3, Azure Blob, GCS
Managed databases RDS, Aurora, Azure SQL, Cloud SQL, DynamoDB, Cosmos DB
Data warehouses Snowflake, BigQuery, Redshift, Synapse
Data lakes AWS Lake Formation, Azure Data Lake, Databricks
SaaS platforms Salesforce, Workday, ServiceNow, GitHub, Jira
Unstructured file storage SharePoint, OneDrive, Google Drive, Box
Developer environments Git repositories, CI/CD secrets, container registries
Streaming pipelines Kafka topics, Kinesis streams, Pub/Sub

Discovery must be agentless and read-only โ€” it should not require changes to the data environment and must not copy sensitive data to the DSPM platform. Modern DSPM tools use native cloud APIs and metadata scanning to enumerate data stores, then apply sampling or index scanning to classify content without exfiltrating it.

2. Data Classification

Discovery finds where data stores exist. Classification determines what sensitive data they contain.

Classification approaches:

Method How it Works Strengths Limitations
Pattern matching (regex) Match against patterns for PII, card numbers, SSNs, etc. Fast, deterministic, auditable High false positive rate for generic patterns
Named Entity Recognition (NER) ML models identify names, organisations, locations in context Better accuracy for unstructured text Computationally expensive
Exact data matching Hash-compare against a known sensitive dataset (e.g. employee ID list) Zero false positives Requires a reference dataset to match against
Document fingerprinting Detect copies or near-copies of a known sensitive document Catches edited copies Requires original document registration
Schema inference Classify columns by name and data type (e.g. email_address, ssn, dob) No content scanning needed Misses columns with non-descriptive names

Standard classification taxonomy:

Sensitivity Levels:
  โ”œโ”€โ”€ Public           โ€” Intended for unrestricted distribution
  โ”œโ”€โ”€ Internal         โ€” For employees only; no material harm if disclosed
  โ”œโ”€โ”€ Confidential     โ€” Business-sensitive; limited distribution
  โ”œโ”€โ”€ Restricted       โ€” Highly sensitive; strict need-to-know
  โ””โ”€โ”€ Regulated        โ€” Subject to specific legal or compliance requirements
        โ”œโ”€โ”€ PII        โ€” Personally Identifiable Information
        โ”œโ”€โ”€ PHI        โ€” Protected Health Information (HIPAA)
        โ”œโ”€โ”€ PCI        โ€” Payment Card Industry data
        โ”œโ”€โ”€ Financial  โ€” Material non-public information, banking records
        โ””โ”€โ”€ Legal      โ€” Attorney-client privilege, litigation hold

Classification results should be persisted as tags or labels on data stores, feeding downstream policy enforcement and reporting.

3. Data Flow Mapping

Understanding where data moves is as important as knowing where it rests.

What to map:
- Which users and services read sensitive data stores
- Which pipelines copy or transform sensitive data and where results land
- Whether sensitive data crosses cloud accounts, regions, or organisational boundaries
- Whether sensitive data is accessible from development or test environments

Data flow risk scenarios:

Flow Risk
Production PII copied to development environment Dev environments have weaker controls; developer access is broader
Sensitive data replicated to a different cloud region May violate data residency requirements (GDPR)
Customer data shared to a third-party analytics SaaS Third-party risk; data subject rights become complex
Sensitive data stored in application logs Logs often have weaker access controls and longer retention
Secrets or credentials committed to a Git repository Credential exposure; often cloned to multiple machines

4. Access Entitlement Analysis

Having identified sensitive data, DSPM evaluates who and what can access it โ€” and whether that access is appropriate.

Entitlement analysis covers:
- Human identities: Users, groups, and roles with read/write/admin access
- Machine identities: Service accounts, IAM roles, application credentials
- Third-party access: External services, vendor accounts, OAuth grants
- Public access: Data stores accessible without authentication (misconfiguration)

Over-privileged access patterns to detect:

Pattern Risk
Wildcard permissions (s3:*, SELECT *) on sensitive data Excessive privilege; violates least privilege
Stale access (no access in 90+ days) Unnecessary standing access; dormant credential risk
Cross-account access without documented justification Unexpected blast radius in a compromise
Service accounts with human-level permissions Over-privilege; service accounts should have minimal, scoped access
Public s3:GetObject on a bucket containing PII Direct exposure โ€” this is a critical finding
Shared credentials across multiple services Inability to attribute actions; difficult to rotate

Effective permissions analysis must account for layered IAM โ€” policy hierarchies, resource-based policies, permission boundaries, SCPs, and group membership โ€” not just direct assignments. The question is not "what policies are attached" but "what can this identity actually do?"

5. Misconfiguration Detection

DSPM continuously checks data store configurations against security baselines.

High-priority misconfigurations:

Finding Severity Example
Public read/write on object storage Critical S3 bucket with s3:GetObject for Principal: *
Database accessible from 0.0.0.0/0 Critical RDS instance with public IP and open security group
Encryption at rest disabled High Unencrypted EBS volume, S3 bucket with no SSE
Encryption in transit not enforced High Database allowing non-SSL connections
No access logging enabled High S3 bucket with no server access logs
No backup policy Medium Database with no automated snapshots
Snapshot shared publicly Critical RDS snapshot accessible to any AWS account
Versioning disabled on sensitive storage Medium S3 bucket without versioning โ€” ransomware risk
MFA delete not enabled Medium S3 bucket where objects can be deleted without MFA
Default encryption key (AWS managed) Medium Should use customer-managed KMS key for sensitive data

6. Risk Scoring and Prioritisation

Raw findings quickly number in the thousands. DSPM must prioritise by combining data sensitivity with security gap severity.

Risk score formula (conceptual):

Data Risk Score = Sensitivity ร— Exposure ร— Likelihood

Where:
  Sensitivity  = Classification level (Public=1, Regulated=5)
  Exposure     = Access breadth (Private=1, Internet-facing=5)
  Likelihood   = Presence of specific vulnerability (misconfiguration, stale access, etc.)

A publicly accessible S3 bucket containing PII with no encryption scores far higher than an over-privileged internal service account accessing non-sensitive data. This prioritisation focuses remediation effort where it matters most.

7. Compliance Mapping

DSPM maps findings to specific regulatory and framework requirements, generating evidence for audits and gap assessments.

Regulation Key DSPM Controls
GDPR PII discovery, data subject rights, breach notification scope, cross-border transfer detection
HIPAA PHI discovery, access controls, audit logging, encryption at rest and in transit
PCI DSS Cardholder data discovery, scoping for CDE, access restrictions, tokenisation verification
CCPA Personal information inventory, sale/sharing tracking, deletion capability
SOC 2 Availability, confidentiality, access control evidence for Type II reports
ISO 27001 A.8 Asset classification and information handling controls

DSPM Architecture

Deployment Patterns

Agentless API-based scanning (most common):

DSPM Platform (SaaS)
  โ”‚
  โ”œโ”€โ”€ Cloud provider APIs (read-only IAM role)
  โ”‚     โ”œโ”€โ”€ Enumerate data stores
  โ”‚     โ”œโ”€โ”€ Read IAM policies and access logs
  โ”‚     โ””โ”€โ”€ Check configuration metadata
  โ”‚
  โ””โ”€โ”€ Lightweight data classification
        โ”œโ”€โ”€ Sample records from sensitive-looking stores
        โ””โ”€โ”€ Apply NLP/regex classification models

The DSPM platform is granted a read-only cross-account IAM role. It never writes to or modifies the environment.

Key architectural requirements:
- No data egress: Classification must happen in-account or via metadata โ€” sensitive data must not be sent to the DSPM vendor's infrastructure
- Read-only: DSPM discovery must not create, modify, or delete any resource
- Continuous: Not a point-in-time scan โ€” data and configurations change constantly
- Multi-cloud: Most enterprises span AWS, Azure, and GCP; DSPM must cover all

Integration Points

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                     DSPM Platform                           โ”‚
โ”‚   Discovery ยท Classification ยท Entitlement ยท Compliance     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
           โ”‚            โ”‚               โ”‚
    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”  โ”Œโ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”  โ”Œโ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    โ”‚   SIEM   โ”‚  โ”‚  CSPM /   โ”‚  โ”‚   IaC / CI-CD  โ”‚
    โ”‚ (alerts) โ”‚  โ”‚  CIEM     โ”‚  โ”‚   (shift-left) โ”‚
    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
           โ”‚
    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    โ”‚  Ticketing / SOAR        โ”‚
    โ”‚  (remediation workflows) โ”‚
    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

SIEM: DSPM findings feed into SIEM as high-fidelity alerts. A new public S3 bucket containing PII should trigger a P1 incident โ€” not sit in a compliance dashboard.

CSPM (Cloud Security Posture Management): CSPM covers infrastructure configuration (compute, networking, IAM); DSPM focuses on the data layer. Together they provide full cloud security posture coverage.

CIEM (Cloud Infrastructure Entitlement Management): CIEM focuses on identity and access โ€” over-privileged roles, unused permissions, cross-account access. DSPM adds the data context: which sensitive data stores those permissions reach.

IaC scanning: Integrate DSPM policies into Terraform/CloudFormation reviews to catch data security misconfigurations before deployment โ€” shift-left on data risk.


Leading DSPM Vendors

Vendor Approach Notable Strengths
Varonis Agent + agentless; deep on-premises + SaaS coverage File system and SaaS breadth; behaviour analytics
Cyera Agentless, cloud-native Fast time-to-value; cloud-first
Securiti Unified data + privacy platform Strong regulatory compliance mapping
BigID ML-based classification; privacy focus PII accuracy; DSR automation
Laminar (Rubrik) Developer-friendly; shadow data focus Shadow data discovery; developer workflow integration
Sentra Cloud-native, data flow focus Cross-cloud data flow mapping
Microsoft Purview Native Azure; expanding to multi-cloud Deep M365 and Azure integration
AWS Macie AWS-native; S3-focused Native, no-setup S3 classification

AWS Macie is a good starting point for organisations heavily invested in AWS โ€” it provides automated PII detection across S3 with no additional tooling. For multi-cloud or on-premises coverage, a dedicated DSPM platform is required.


Implementation Roadmap

Phase 1 โ€” Discovery and Inventory (Weeks 1โ€“4)

  1. Connect DSPM to all cloud accounts and SaaS platforms in read-only mode
  2. Run initial discovery โ€” enumerate all data stores
  3. Apply classification to identify sensitive data locations
  4. Generate a baseline inventory: X data stores, Y contain PII, Z are publicly accessible

Quick wins to address immediately:
- Any publicly accessible storage containing sensitive data โ†’ close immediately
- Unencrypted databases or object storage containing regulated data โ†’ enable encryption
- Snapshots shared publicly โ†’ restrict

Phase 2 โ€” Access Analysis (Weeks 4โ€“8)

  1. Map effective permissions for all identities accessing sensitive data stores
  2. Identify stale access (no access in 90+ days) and remove
  3. Identify service accounts with wildcard or excessive permissions โ€” scope down
  4. Identify shadow data in development environments โ€” determine if PII, enforce masking or deletion

Phase 3 โ€” Policy and Automation (Months 3โ€“6)

  1. Define data handling policies by classification tier (who can access, in what environments, with what controls)
  2. Automate alerting for policy violations (new public storage, unencrypted sensitive store)
  3. Integrate DSPM findings into SIEM and incident response workflows
  4. Integrate into IaC pipeline โ€” block deployments of data stores that violate baseline policy

Phase 4 โ€” Continuous Governance (Ongoing)

  1. Establish SLAs for remediation of DSPM findings by severity
  2. Monthly data risk review with data owners and the security team
  3. Quarterly access review โ€” revoke stale entitlements
  4. Annual classification taxonomy review โ€” update for new data types and regulations

Data Minimisation

A finding that cannot be closed by fixing a misconfiguration should prompt a more fundamental question: Does this data need to exist here?

Data minimisation principles:

  • Collect only what is needed for the stated purpose โ€” do not accumulate data on the assumption it might be useful
  • Retain only as long as required โ€” enforce retention policies and deletion; data that does not exist cannot be breached
  • Mask or tokenise sensitive data in non-production environments โ€” production PII should never be present in development or analytics without masking
  • Purge shadow copies โ€” log files, exports, database snapshots, and ETL intermediate tables accumulate uncontrolled; regularly audit and delete
  • Tokenise at the edge โ€” capture payment card data through a PCI-compliant vault; store only a token in your own systems
-- Example: Identify tables with PII columns that have not been accessed in 90+ days
-- (Snowflake query history as an example)
SELECT
  t.table_catalog,
  t.table_schema,
  t.table_name,
  MAX(qh.start_time) AS last_accessed
FROM information_schema.tables t
LEFT JOIN snowflake.account_usage.query_history qh
  ON qh.query_text ILIKE '%' || t.table_name || '%'
WHERE t.table_name IN (SELECT table_name FROM dspm_classified_tables WHERE has_pii = true)
GROUP BY 1, 2, 3
HAVING last_accessed < DATEADD(day, -90, CURRENT_TIMESTAMP())
   OR last_accessed IS NULL;

Key Metrics

Track these metrics to demonstrate DSPM programme effectiveness:

Metric Target Frequency
% of data stores classified 100% Monthly
% of sensitive data stores with encryption at rest 100% Continuous
% of sensitive data stores with logging enabled 100% Continuous
Number of publicly accessible sensitive data stores 0 Continuous
Mean time to remediate critical data findings < 24 hours Per incident
Mean time to remediate high data findings < 7 days Monthly
Number of identities with access to sensitive data Trend down Quarterly
% of sensitive data in non-production environments that is masked 100% Monthly
Stale access (90+ day dormant) on sensitive stores 0 Quarterly
Shadow data stores discovered this quarter Track trend Quarterly

Hardening Checklist

Control Priority Notes
All cloud data stores enumerated and classified Critical Foundation for all other controls
Public access blocked on all storage containing sensitive data Critical Immediate remediation required
Encryption at rest enabled on all sensitive data stores Critical Use customer-managed keys for regulated data
Encryption in transit enforced (SSL required) Critical Database connection strings
Access logging enabled on all sensitive data stores High S3 server access logs, CloudTrail, database audit logs
Stale entitlements removed (90+ day no-access) High Quarterly access review
Wildcard permissions removed from sensitive data stores High Replace with scoped, least-privilege policies
Shadow data in dev/test environments masked or deleted High No production PII in non-production
Database snapshots access-restricted (not public/shared) Critical Check all RDS/Aurora snapshots
DSPM alerts integrated into SIEM High High-severity findings trigger incidents
Data retention policy enforced with automated deletion Medium Reduces breach scope
IaC data security checks in CI/CD pipeline Medium Shift-left on misconfiguration
Sensitive data inventory shared with legal/compliance Medium Required for GDPR Article 30 ROPA
Cross-border data transfer controls validated High GDPR adequacy decisions, SCCs
Third-party SaaS data access inventoried Medium Shadow SaaS risk

References

The Security Architecture Site โ€” for internal reference use. Back to contents