What is DSPM and Why Should DevOps Architects Care?

Data Security Posture Management (DSPM) is a process for securing cloud data, and it largely revolves around three key steps.


As enterprises have increasingly embraced digital transformation, DevOps has been busier than ever, delivering the innovative software and services that end users depend on. What’s interesting, however, is the way that this shift towards building applications in the cloud has started to blur the line between DevOps and security because of the proliferation of data outside of the traditional on-prem environment.

As the CI/CD cycle pushes more and more data into cloud environments, securing that data becomes an enormous challenge. DevOps teams need to understand where the data is within these cloud environments, how it is connected, who has access to it, what kind of access privileges those people have, and more.

This task is no small feat, given that “the cloud” is not a single location. The cloud could involve two or more cloud service providers such as Amazon, Microsoft, or Google; software-as-a-service providers; platform and infrastructure-as-a-service providers; data lake providers; and a variety of hybrid clouds, servers, and endpoints within the actual organization.

To make things all the more challenging, once data moves from on-prem to the cloud, all the trust factors, visibility, and control over that data disappear. So, how can DevOps and DevSecOps teams fully get their arms around this challenge and continuously keep cloud data safe and secure?

This is where Data Security Posture Management (DSPM) has a key role to play.

Regaining visibility and control

DSPM is a process for securing cloud data, and it largely revolves around three key steps.

The first step is a process of discovery and analysis. Where is all my data? Are there shadow data stores? Are there abandoned databases? You can’t begin to secure your data until you know where it is.

Locating your data – both structured and unstructured – is just the first part of this initial step. Classification analysis is needed to help understand the nature of the data and to determine if the data is subject to any compliance mandates such as PCI, HIPAA, GDPR, and others.

After this discovery and classification, the next step of DSPM is detecting which data is at risk. This involves mapping user access against specific datasets, tracking data lineage to understand where it came from and who had access to the data, tracking resource configurations, vulnerabilities and more. There are many questions that need to be answered here – for instance: Are there access misconfigurations, inflated access privileges, dormant users, vulnerable applications, or exposed resources with access to sensitive data?

The answers to these questions naturally lead to the third and final step of DSPM: remediation and prevention. Let’s say that the security team discovers that certain people have access to data that they shouldn’t or that some of the data is configured in a way that creates a vulnerability that needs to be fixed.

This intelligence is great, but it actually needs to be acted upon to drive remediation. A good DSPM tool not only identifies these risks but easily connects the security teams with the DevOps team, creating a seamless workflow that allows them to better collaborate and fix any problems.
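The three steps described above, as a minimal added sketch (this is not code from the article or from any DSPM product). The inventory, store and user names, the 90-day dormancy threshold, and the mapping of card numbers to PCI and email addresses to GDPR are all assumptions made for illustration.

```python
import re
from datetime import date, timedelta

CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold

# Constructed inventory for illustration; not real stores, users or data.
STORES = [
    {"name": "orders-db", "public": False,
     "samples": ["order 1182", "4111 1111 1111 1111"],
     "grants": [("svc-checkout", "read", date(2024, 5, 30)),
                ("j.doe", "admin", date(2023, 9, 2))]},
    {"name": "marketing-export", "public": True,
     "samples": ["alice@example.com"], "grants": []},
    {"name": "build-cache", "public": True,
     "samples": ["artifact-7f3.tar"], "grants": []},
]

def luhn_ok(text):
    """Luhn checksum, used to cut false positives from random digit runs."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(text) if c.isdigit()):
        total += d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
    return total % 10 == 0

def classify(samples):
    """Step 1: label a store by the regulated data its sampled values contain."""
    labels = set()
    for s in samples:
        if any(luhn_ok(m) for m in CARD.findall(s)):
            labels.add("PCI")
        if EMAIL.search(s):
            labels.add("GDPR")
    return labels

def assess(stores, today):
    """Steps 2 and 3: flag risky access to sensitive stores, attach a fix."""
    findings = []
    for st in stores:
        labels = sorted(classify(st["samples"]))
        if not labels:
            continue  # no sensitive data sampled: out of scope here
        if st["public"]:
            findings.append((st["name"], labels, "publicly exposed", "remove public access"))
        for user, role, last_used in st["grants"]:
            if today - last_used > DORMANT_AFTER:
                findings.append((st["name"], labels, f"dormant {role} grant: {user}", "revoke grant"))
    return findings
```

Calling assess(STORES, date(2024, 6, 1)) returns one finding per risky store; the public build-cache is skipped because nothing sensitive was sampled in it, which is why classification has to come before risk scoring.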

DevOps done right

Integrating these DSPM capabilities into the CI/CD cycle means that as software teams are building and running applications in the cloud – and continuously making changes – they have visibility into their data right away. They know where the data components are, what’s connected to them, and how they’re configured. This gives them the ability to build security into the applications right from the jump as they push them from development, to pre-production, to production in cloud environments.

While it may be tempting for organizations to think that they can implement a DSPM program with existing cloud security tools that focus on various elements of DSPM, the functionality of these standalone tools is siloed; they cannot on their own provide systematic, comprehensive, and effective security for all cloud data. Only a purpose-built DSPM solution can do that, covering discovery, classification, access and governance, risk and vulnerabilities, and compliance for all types of cloud data – structured and unstructured.

With that in mind, there are several best practices for selecting a DSPM solution and implementing a DSPM program. First and foremost, customers should look for a DSPM solution with multi-cloud support. In today’s world, it’s not enough for a tool to provide integration with Azure but not AWS, or with GCP but not Azure. There needs to be support for all the major cloud vendors: even if a company isn’t on one of the services today, the business will likely lead them to it over time.

Additionally, customers should favor a solution with a light footprint. An agentless solution is ideal here, ensuring that there’s nothing to deploy or manage in order to get started with data discovery and scanning.

Finally, customers should ensure that whatever DSPM solution they purchase provides out-of-the-box integrations with third-party ticketing, notification, and automation platforms. This helps security operators collaborate with DevOps and cloud engineering teams to fix problems in a timely manner and remediate risks. In this way, DevOps and security are all part of one team, working together towards a common goal.

The confidence that data is secure

In an age where data is the most valuable asset in a company’s possession, DevOps and security teams have a vested interest in seamlessly working together to make sure that the software and services they’re building are keeping data secure and protected.

As these teams evolve their applications and move them along the CI/CD cycle, DSPM provides confidence that they are building, deploying, and putting applications into production with an emphasis on data security. In this way, DSPM enables DevOps and DevSecOps architects to chart a modern path forward when it comes to understanding everything that affects the security posture of their data.


Amer Deeba is the cofounder and CEO of Normalyze. He is a senior go-to-market executive with extensive experience in driving product, marketing and sales go-to-market strategies for enterprise and cloud technologies. In his 17-year tenure at Qualys (NASDAQ: QLYS), Amer led all aspects of marketing, business development, strategic alliances and global enterprise accounts. He also played an instrumental role in taking the company public in 2012.