Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
How the Security Platform Consolidation Trend Will Improve Cloud Data Protection
By Ravi Ithal, CTO and co-founder of Normalyze
The hallmark trait of technology is that it constantly gets better. We've seen this for decades in the cybersecurity domain, and it's quickly happening again right before our eyes: a wide range of different security tools are merging into a few cohesive platforms, integrating vital functionality that until now was siloed, too complex, required too many engineers to manage, and ultimately fell short of its promises.
Our topic is the emergence of a new consolidated platform for cloud data security and what this means for enterprises of any size. But before plunging in, let's first assess the big picture of security consolidation to see what's propelling these changes for better cybersecurity in your environment.
Portfolio or Platform: Which Will Win?
Portfolio is a legacy marketing term for several "best of breed" products addressing different aspects of a security use case. A portfolio may address securing a vast collection of enterprise endpoints. Another might address various aspects of network and access security. Sometimes a portfolio contains different vendors' products, and some vendors sell multiple products as a portfolio. You can assess the value of a portfolio's real-world integration by the degree to which its products all use the same data and control planes and are all managed from a single console. (Hint: a portfolio is unlikely to do this!)
Given the giant data streams of telemetry and alerts generated by modern cloud environments, legacy portfolios are falling short. Silos are an especially big impediment to multicloud SecOps. Lack of 100% integration means the portfolio approach is more onerous to use, more expensive to operate, and provides less effective security. It's why most organizations are switching to platforms.
Drivers for Consolidation with Platforms
According to a Gartner study, 51% of security and risk management leaders surveyed said in 2020 they were currently planning to pursue a vendor consolidation strategy. Consolidation is achieved by replacing a portfolio of multiple products with a single integrated platform. In simple terms, they want to use fewer products to achieve the same or better security outcomes. In Gartner's 2022 survey, 75% of respondents were currently planning to achieve consolidation - a 47% increase in just two years!
Another incentive for the platform approach is a vast shortage of qualified security professionals. The shortage is severe. According to an overview of studies in Fortune, companies are "desperate" to fill more than 700,000 cybersecurity positions as of June 2022. A platform approach allows an organization to run security operations with fewer hands.
Budget pressure is yet another driver for consolidation. With a looming global recession, CIOs are looking for ways to slow the growth of, or reduce, IT budgets such as cloud spend. Another tactic is eliminating redundant security tools. For example, a 2021 report by IBM says 30% of survey respondents deploy more than 50 tools and technologies for security. And 45% said they use more than 20 tools when specifically investigating and responding to a cybersecurity incident. Lots of opportunity for tool reduction into a few platforms!
As a security professional, you are likely aware of two such platforms, if not already using one or both. The most mature security platform is a Security Service Edge (SSE), which unifies web, cloud services, and private application access for mid-size-to-larger organizations; 80% of enterprises will use an SSE by 2025, according to Gartner. A newer security platform is eXtended Detection and Response (XDR), which consolidates many threat detection and response processes for endpoint, cloud, and identity; Gartner predicts about 50% of the midmarket will use XDR by 2027.
A third security platform mentioned in the Gartner study, but with no related taxonomy, is a Data Security Platform (DSP). The DSP is all about securing sensitive data in the enterprise - especially modern cloud-native environments. Gartner says the DSP will be used by 30% of enterprises as of 2525. Since my article is about predictions, let's now dive into how the DSP is likely to play out for securing cloud data.
DSPM: the New Platform for Cloud Data Security
Data Security Posture Management (DSPM) is quickly emerging as the go-to platform for automating cloud-native data security. DSPM defines a new, data-first approach to securing cloud data. It's based on the premise that data is your organization's most important asset. Platform-based instrumentation of DSPM charts a modern path for understanding everything that affects the security posture of your data. DSPM tells you where sensitive data is anywhere in your cloud environment, who can access these data, and their security posture. With its laser-beam focus on your data, DSPM will help your security, IT operations, and DevOps teams to:
- Discover sensitive data (both structured and unstructured) in your cloud environments, including forgotten databases and shadow data stores.
- Classify sensitive data and map it to regulatory frameworks to identify areas of exposure and how much data is exposed, and track data lineage to understand where it came from and who had access to the data.
- Discover attack paths to sensitive data that weigh data sensitivity against identity, access, vulnerabilities, and configurations - thus prioritizing risks based on which are most important.
- Connect with DevSecOps workflows to remediate risks, particularly as they appear early in the application development lifecycle.
Putting the security spotlight on cloud data makes sense because its proliferation in modern cloud organizations is rapidly increasing risks of sensitive data loss or compromise. The volume and velocity of cloud data are accelerating rapidly - so much so that without a tool like DSPM, organizations find it impossible to know where all sensitive data resides within cloud environments. It's equally impossible to protect sensitive data that's off the radar of legacy security tools.
[Figure: Data Explosion in the Cloud-Native Era]
Five Key Capabilities Will Power DSPM
Posture management for data security addresses two general questions: What are the issues, and how can we fix them? While the security industry is in its early days of creating DSPM solutions, we can point to five domains or capabilities that will be mandatory for a platform to automatically assess the security posture of cloud data, detect and remediate risks, and ensure compliance. These capabilities should be integrated into a DSPM platform that provides instrumentation via common data and control planes.
Modern environments will need the DSPM platform to be agentless and to deploy natively in any of the major clouds (AWS, Azure, GCP). Easy integration of your existing tools' data will require the platform to provide 100% API access. Naturally, the platform should also use role-based access control to keep the management of data security posture just as secure as the sensitive data should be. All of these will minimize roadblocks and make DSPM quickly productive for your teams.
I predict the five fundamental capabilities of DSPM will include:
1. Data Discovery
Discovery capability answers the question, "Where are my sensitive data?" DSPM discovers cloud-native structured and unstructured data stores. It discovers cloud-native block storage, such as EBS volumes. It discovers PaaS data stores such as Snowflake and Databricks. DSPM should continuously monitor and discover new data stores. And it should notify security teams on discovery of new data stores or objects that could be at risk.
2. Data Classification
Classification tells you if your data is sensitive and what kind of data it is. It answers questions like "Who can access my data?" and "Are there shadow data stores?" Examples of classification include:
- Find sensitive data not just "in a data store," but in specific objects, tables, and column names.
- Identify regulated data (GDPR, PCI DSS, HIPAA, etc.).
- Find proprietary or unique sensitive data.
- Automatically notify stakeholders when new sensitive data is detected.
- Provide a workflow to fix false positives when data is miscategorized.
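To make the classification bullets concrete, here is an added example (not the article's or Normalyze's code) that labels columns of a constructed sample table, maps each label to the regulations the article names, and records an analyst override for a false positive. The Luhn check on card-like values and the illustrative label-to-framework mapping are my assumptions, not anything the article specifies.

```python
import re
from typing import Optional

# Constructed sample: column names with a few values, standing in for what a scanner
# would pull from a discovered data store. "order_id" looks like a card number but is not.
CUSTOMERS_TABLE = {
    "email": ["ana@example.com", "bo@example.org"],
    "card_number": ["4111111111111111", "5500000000000004"],
    "order_id": ["4111111111111112", "5500000000000005"],
    "notes": ["called back", "no answer"],
}

# Illustrative mapping from a classification label to the regulations it falls under (assumption).
FRAMEWORKS = {"EMAIL": ["GDPR", "CCPA"], "PAN": ["PCI DSS"], "SSN": ["GLBA", "HIPAA"]}

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
PAN_RE = re.compile(r"^\d{13,19}$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit strings that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def classify_value(value: str) -> Optional[str]:
    """Label one value, or None when it matches no known sensitive pattern."""
    if EMAIL_RE.match(value):
        return "EMAIL"
    if SSN_RE.match(value):
        return "SSN"
    if PAN_RE.match(value) and luhn_ok(value):
        return "PAN"
    return None

def classify_table(table: dict, overrides: Optional[dict] = None) -> dict:
    """Column-level labels: every sampled value must agree, so one stray match does not flag a column.
    `overrides` maps column -> label (or None) and records analyst corrections of false positives."""
    overrides = overrides or {}
    result = {}
    for col, values in table.items():
        if col in overrides:
            label = overrides[col]
        else:
            labels = {classify_value(v) for v in values}
            label = labels.pop() if len(labels) == 1 else None
        if label:
            result[col] = {"label": label, "frameworks": FRAMEWORKS.get(label, [])}
    return result
```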
3. Access Governance
Access governance ensures that only authorized users are allowed to access specific data stores or types of data. DSPM's access governance processes will also discover related issues, such as: "Are there abandoned databases?" or "Are there excessive privileges?" A platform's automated capabilities need to include identification of all users with access to cloud data stores. It should identify all roles with access to those data stores. DSPM should also identify all resources with access to those data stores. In relation to all of these, the platform also should track the level of privileges associated with each user/role/resource. Finally, DSPM must detect external users/roles with access to the data stores. All this information will inform analytics and help determine the level of risk associated with all your organization's cloud data stores.
4. Detect Risks & Remediate Vulnerabilities and Cloud Misconfigurations
This domain is about the functions of vulnerability management. Risk detection is a process of finding potential attack paths that could lead to a breach of sensitive data. DSPM detects vulnerabilities affecting sensitive data and insecure users with access to sensitive data. The main idea is to visually map out relationships across data stores, users, and cloud resources to guide investigation and remediation. The platform should enable building custom risk detection rules that combine sensitive data, access, risk, and configurations. It should support custom queries to detect and find potential data security risks that are unique to your organization and environment. Security teams should be able to trigger notifications to specific assignees upon detection of risks. Related workflows should automatically trigger third-party products such as ticketing systems. To ease usability, modern graph-powered capabilities will visualize and enable queries to spot attack paths to sensitive data.
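The access-governance and risk-detection sections above describe the same underlying computation: a graph of principals, roles and resources reaching data stores, scored by sensitivity, privilege level, misconfiguration findings and external origin. This added example (my own illustration, not the article's or any vendor's implementation) builds that graph from a constructed inventory and ranks attack paths with one custom rule; the weights and the sample identities are assumptions.

```python
from collections import deque

# Constructed inventory for one cloud account (no real identifiers), as an access scan might record it.
PRINCIPALS = {
    "alice": {"external": False},
    "partner-svc": {"external": True},   # identity owned by another account
    "ci-runner": {"external": False},
}
# Directed edges: (source, target, relationship). "assume"/"runs" grant no data privilege by themselves.
EDGES = [
    ("alice", "analyst-role", "assume"),
    ("partner-svc", "export-role", "assume"),
    ("ci-runner", "build-vm", "runs"),
    ("analyst-role", "orders-db", "read"),
    ("export-role", "orders-db", "admin"),
    ("build-vm", "logs-bucket", "read"),
    ("build-vm", "backups-bucket", "admin"),
]
# Classification output (sensitivity 1-3) plus configuration findings per store.
DATA_STORES = {
    "orders-db": {"sensitivity": 3, "findings": ["unpatched-engine"]},
    "backups-bucket": {"sensitivity": 3, "findings": ["unencrypted", "no-versioning"]},
    "logs-bucket": {"sensitivity": 1, "findings": []},
}
PRIV_WEIGHT = {"assume": 0, "runs": 0, "read": 1, "admin": 3}  # assumed weights

def attack_paths(start):
    """Breadth-first search from a principal; returns (path, highest privilege weight) per reachable store."""
    found, queue = [], deque([([start], 0)])
    while queue:
        path, priv = queue.popleft()
        node = path[-1]
        if node in DATA_STORES:
            found.append((path, priv))
            continue
        for src, dst, kind in EDGES:
            if src == node and dst not in path:  # avoid cycles
                queue.append((path + [dst], max(priv, PRIV_WEIGHT[kind])))
    return found

def score(path, priv):
    """Risk = sensitivity x privilege, raised by each misconfiguration finding and doubled for external origin."""
    store = DATA_STORES[path[-1]]
    s = store["sensitivity"] * priv * (1 + len(store["findings"]))
    return s * 2 if PRINCIPALS[path[0]]["external"] else s

def prioritized_risks(min_sensitivity=2):
    """Custom rule: every path into a store at or above min_sensitivity, highest score first."""
    rows = [(score(p, pr), p, pr) for who in PRINCIPALS for p, pr in attack_paths(who)
            if DATA_STORES[p[-1]]["sensitivity"] >= min_sensitivity]
    return sorted(rows, key=lambda r: r[0], reverse=True)
```

The top row is the external service account with admin rights on the unpatched orders database, which is the kind of finding the article says should be routed to an assignee or a ticketing system.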
5. Compliance
DSPM must be able to automatically detect and classify all data within all your organization's cloud data stores related to any relevant laws and regulations. Examples include the European Union's General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), and the new California Consumer Privacy Act (CCPA) - all of which have mandates for securing specific types of sensitive data.
The platform should automate mappings of your data to compliance benchmarks. Stakeholders in your organization should get a coverage heatmap of data compliance gaps, such as misplaced personally identifiable information (PII), shadow data, or abandoned data stores with sensitive data. Data officers should receive a dashboard and report to track and manage data compliance by region, function, and so forth. In addition to ensuring security of regulated sensitive data, the platform should also simplify and accelerate producing documentation verifying compliance for auditors.
Tools that DSPM Will Integrate or Replace
DSPM is a relatively new concept, designed to meet rapidly evolving requirements for securing cloud data. DSPM has entered the "On the Rise" (first) position in Gartner's Hype Cycle for Data Security, 2022. Gartner assigns DSPM a "transformational" benefit rating due to the critical nature of cloud data.
Subsets of DSPM's general functionality are seen in some current tools for cloud security. Unfortunately, their functionality is mostly siloed, and these standalone tools will be unable to fulfill all five major functions of DSPM required for systematic, comprehensive, and effective security of all cloud data.
The matrix below shows how current cloud security tools are partially addressing the five functions of DSPM in various types of cloud data stores. Essentially, DSPM fulfills all the squares stating "None" and may replace tools in the other squares - especially if an organization's use cases for particular tools are minimal. Alternately, if an organization has significant investment in particular cloud security tools (such as populating a CMDB with hundreds of thousands of assets, owners, business criticality, etc.), the DSPM platform can also ingest operational data, alerts, and other metrics from your existing infrastructure of corresponding tools for security, IT operations, and DevOps. Use case flexibility will go a long way with DSPM!
The Future of DSPM Is Happening Now
The transition by enterprises from a legacy portfolio approach for cloud data security to a modern, consolidated platform approach has already left the gate for most organizations. If your environment is all or mostly cloud native, it's likely this transition will occur quickly. As you inventory your organization's existing tools for cloud data security and weigh their outcomes against what DSPM can provide, it will be useful to start getting some hands-on experience with emerging DSPM platforms. As we've all discovered with technology, it continues to get better every year. DSPM will be the enabling solution for helping enterprises of any size to quickly get control of cloud data security posture and ensure safety and compliance for your organization's most valuable asset: its data.
ABOUT THE AUTHOR
Ravi Ithal is CTO and co-founder of Normalyze, a leader in cloud-native data security. He also was co-founder and chief architect at Netskope, where he built the first cloud-access security broker and next-generation secure web gateway, and founding engineer at Palo Alto Networks, where he built the first next-generation firewall. Follow Ravi on LinkedIn.