Katrina Thompson
Data Security Posture Management (DSPM) has been in the public security eye since about 2022, when the term was coined by Gartner. At the time, however, it had only about 1% market saturation. As of last year, it had reached no less than a full fifth (20%, per ….).
Why the meteoric rise? Because DSPM plugs some crucial security gaps that have been hard to plug in any other way. A lot of these gaps remain because the digital terrain has become increasingly broad (think multi-cloud, remote work, and lengthening supply chains) as well as deep (shadow data, hidden APIs, petabytes of big data that need to be accounted for).
Current solutions like CSPM (Cloud Security Posture Management) and XDR (Extended Detection and Response) are great for securing the places in which data resides, but there are still areas between those places where data falls through.
Here are just five of the most common data security gaps and how DSPM can fill them.
- Data transferred and stored via unconventional means
The term ‘unconventional’ in this case is increasingly becoming conventional, but the fact remains that these are methods that most traditional security solutions fail to secure properly.
Think about when information gets copied and pasted from Box and into a company-wide PowerPoint presentation. Let’s say that the Box repository was access-protected and that the employee who accessed it had the permission to do so. Traditional security tools would call that good – all the rules are being followed. But what would track the fact that that data now resides on a PPT that was emailed to “All Users”? And how does a company track where it goes from there?
Via data lineage, DSPM tools can show organizations where their data originated, where it was moved, how it was used, and where it was seen last. This helps SOCs know when something has gone amiss and when compliance policies are breached.
Additionally, proxies, firewalls, and CASBs (Cloud Access Security Brokers) are losing visibility into data bound for unsanctioned cloud apps (those that use end-to-end encryption or certificate pinning, which defeat inline inspection). DSPM can leverage data lineage and mapping to keep that information within an organization’s line of sight.
- Dark data
Another place where data falls through the cracks is in the realm of dark data. Dark data is defined by Gartner as “the information assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes (for example, analytics, business relationships and direct monetizing).”
This undiscovered data could be one of an organization’s biggest untapped assets. As IBM notes, “Dark data often comes about because of silos within the organization. One team creates data that could be useful to another, but that other team doesn’t know about it.” Once it is discovered and used, it can then “[go] from sitting around to providing immense value.”
DSPM tools have the capacity to uncover instances of dark data, classify them, and prepare them to be leveraged by their organizations. They can also help define the risk associated with these unbound, undisclosed assets and help data governance tools reach them.
Keep in mind that DSPM is still very much an evolving field; some DSPM tools provide this, some don’t. In a rundown of the top ten DSPM products of 2024, data security firm Cyberhaven pointed to BigID as one vendor in particular that can offer this capability.
- Shadow data
Shadow data, or shadow assets, are similar to dark data in that they’re undiscovered. They differ in that they might not be particularly useful to an organization. In fact, they are most likely a huge liability.
When developers spin up APIs, for instance, some get deployed for testing and forgotten by the wayside as the rapid pace of development pushes things along. All too often, those old beta APIs are left fully functional and unprotected. Then, a nosy threat actor comes along and shows the organization what a shadow API can (still) do.
We want to avoid these instances. However, it’s much too hard for developers to retrace their steps and find them all, much less take the time to work hand-in-hand with security to do so (DevOps is very much a thing; it’s just not ubiquitously adopted across all organizations yet). How hot are shadow APIs to the cybercrime economy? One report suggests that over 31% of all malicious requests (roughly 5 billion out of 16.7 billion total) targeted these unknown and unaccounted-for application programming interfaces. And there are still shadow IoT, shadow IT, shadow SaaS, and more.
DSPM solutions are positioned to find instances of shadow data and bring them into the light. They can scan for unstructured or structured data, searching across “a variety of cloud environments and read from various databases, data pipelines, object storage, disk storage, managed file storage, data warehouses, lakes, and analytics pipelines — both managed and self-hosted,” as noted by cybersecurity company Rubrik.
- Cloud-native data environments
This is another huge gap in which traditional security measures fall short. We all know about the shared responsibility model, in which CSPs (cloud service providers) provide some pieces of the security pie and customers are responsible for the others. That’s fine, but we also know that on-premises security practices still do not transfer directly to cloud environments, and new, cloud-savvy experts are hard to come by. It seems that threat actors know this, as 82% of breaches involved cloud-stored data in 2024, per IBM’s Cost of a Data Breach Report 2024. There must be room for improvement somewhere.
DSPM is especially suited to finding data in the cloud, even across multiple cloud environments – and let’s face it, most companies are using multi-cloud these days. Per Statista, “around 57 percent of respondents stated that their organization’s primary use of multi-cloud was apps siloed on different cloud[s],” according to a 2024 survey.
DSPM locates, identifies, and protects data assets in the cloud – any and all of them – by using a mixture of AI, machine learning, and integrations with available tools. These tools include:
- API integrations | Cloud provider APIs give DSPM solutions access to data within cloud services (Azure Blob Storage, Google Cloud Storage, Amazon S3).
- Data classification | DSPM tools take it a step further by using algorithms to classify cloud-discovered data by priority (PII, HIPAA-compliant, IP, etc.).
- Data flow analysis | DSPM technology can analyze the flow of data throughout its lifecycle in the cloud(s) and establish baselines against which it can then spot anomalies that betray unsafe practices.
And more.
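The classification and lineage steps described above (and the Box-to-PowerPoint-to-“All Users” scenario from the first gap) can be sketched in code. This is an added example, not code from the article or from any DSPM vendor; the object listing, access audiences, and movement log are all constructed stand-ins for what a real tool would pull through cloud provider APIs, and the regex patterns are deliberately minimal.

```python
import re

# Constructed sample listing standing in for objects pulled via cloud-storage APIs.
SAMPLE_OBJECTS = {
    "box://hr/payroll-2024.csv": "name,email,ssn\nAda,ada@example.com,123-45-6789\n",
    "s3://marketing/q3-deck.pptx": "Q3 numbers; questions to ada@example.com",
    "gcs://logs/app.log": "2024-05-01 GET /health 200\n",
}
AUDIENCE = {  # who can read each location (constructed); "All Users" is the broad audience
    "box://hr/payroll-2024.csv": "HR",
    "s3://marketing/q3-deck.pptx": "Marketing",
    "mail://all-users/q3-deck.pptx": "All Users",
}
# Constructed movement log: (source, destination, action), i.e. the lineage edges.
MOVEMENTS = [
    ("box://hr/payroll-2024.csv", "s3://marketing/q3-deck.pptx", "copy-paste"),
    ("s3://marketing/q3-deck.pptx", "mail://all-users/q3-deck.pptx", "email"),
]
PATTERNS = {  # minimal classifiers; a real tool uses far richer detectors
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def classify(content: str) -> set[str]:
    """Labels for the sensitive data types present in one object's content."""
    return {label for label, rx in PATTERNS.items() if rx.search(content)}

def scan(objects: dict[str, str]) -> dict[str, set[str]]:
    """Classification step: object path -> labels found."""
    return {path: classify(body) for path, body in objects.items()}

def descendants(origin: str, movements) -> set[str]:
    """Every location the data from origin has reached, following moves transitively."""
    seen, frontier = set(), [origin]
    while frontier:
        node = frontier.pop()
        for src, dst, _ in movements:
            if src == node and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen

def exposure_findings(inventory, movements, audience):
    """Sensitive origins whose data has reached a broadly readable location."""
    out = []
    for origin, labels in inventory.items():
        if not labels:
            continue  # nothing sensitive was classified at this origin
        for dst in sorted(descendants(origin, movements)):
            if audience.get(dst) == "All Users":
                out.append((origin, dst, sorted(labels)))
    return out
```

Running `exposure_findings(scan(SAMPLE_OBJECTS), MOVEMENTS, AUDIENCE)` reports that payroll data (email and SSN) reached the “All Users” mailing via the deck, which is exactly the hop that access controls on the Box repository alone would never surface.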
- Data transferred through the supply chain
It’s hard enough for modern enterprises to keep up with all this complexity (above) in their own environment. Now, imagine having to be responsible for making sure it’s done for everyone in your supply chain. It’s been an unspoken rule in any industry for a long time: if you take on the contractor, you assume the risk. The public certainly feels that way when a supply-chain breach brings down their favorite company (let’s talk about the attack on SolarWinds’ Orion software. No one calls it the ‘Orion attack’).
That being said, as higher-ups like CISOs are increasingly being held as primarily responsible for securing the enterprise against even risks brought by third parties, companies need a way to keep that external data risk level under control.
DSPM not only locates where sensitive data is stored (wherever it happens to be), but it also notes which users can access it – including external third parties. Plus, with the ability to enforce security policies, DSPM tools can automatically apply data usage rules and access controls across all third-party integrations. This means that even if they weren’t handling data per your standards before, a DSPM platform can help ensure that they are now.
A Tool for Its Time
DSPM came about because today’s complex digital landscape proved too difficult for traditional security tools to traverse. Organizations needed faster, more streamlined ways of keeping track of the Big Data they tried so hard to accumulate (and succeeded at accumulating). Between multiple cloud services, myriads of SaaS apps, and the nearly innumerable ways in which everyday employees could manipulate data (even sensitive data), there needed to be a way to track it all at scale, despite its environment.
DSPM provides organizations with that way, filling several of the most critical data security gaps that today’s other solutions leave behind.
About the author:
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.