DSPM: Control Your Data to Prevent Issues Later
The world has changed significantly in the last 10 years. Technology has enabled us to shift from storing information on paper to digitizing most everything and storing that information on devices around the world. This allows most anyone to access data anywhere and anytime, oftentimes on a mobile device.
At the same time, the technology that we leverage to run and manage these environments continues to quickly evolve. More and more environments are now running on complex and quickly changing cloud native architectures that leverage multiple cloud providers in addition to on-prem and edge deployments.
While the proliferation and availability of data is a massive leap forward, we are now paying the price for that level of accessibility. Specifically, attackers seemingly want us to pay a steep price for access to data. In the last three years, there has been a significant increase in the number of cybersecurity attacks as well as ransomware attacks. Not to mention, compliance requirements have gotten more onerous and the US Federal Government is now getting more involved in preventing security risks.
Simply put, it’s becoming increasingly hard to prevent data security breaches and hacks — the attack surfaces have become too complex.
Today, there are petabytes of data being stored, but only a small percentage is actually used and touched on a regular basis. Once the data is stored, it flows seemingly to everyone, and before long, no one knows what data is stored where and who has access to it. Data has become prevalent, especially with the increase in the number of cloud and SaaS applications. All employees, not only engineers, generate and transmit data, sometimes sensitive PII data that is subject to regulations like GDPR and HIPAA.
Of course, companies attempt to maintain good data hygiene with risk assessments, labeling, and written policies and procedures (that no employee actually reads). All of this is largely done manually and adds more work for IT teams that are already drowning in security and risk assessments as well as security alerts.
Add to that the fact that manual assessments are unsustainable and are out of date the second they are completed because they are point-in-time and don’t capture any changes. Additionally, as data is transmitted and shared, controls are lost and most don’t recall that they existed in the first place.
The Price of Progress and Maintaining Control of Data
So, how does one solve the problems brought about by digitization and how do companies maintain control over their sensitive data? Ideally, you leverage a highly automated technology product, such as Teleskope, that helps you identify data at risk, as well as prevent the wrong data from becoming available to the wrong people. At a high level that process would look like this:
- To protect your data you need to understand what data you have, so you should start by inventorying and cataloging all of your data.
- Next, analyze access and audit logs to determine if the data is still being used and if not, deprecate it. The less data you have, the smaller your attack surface, and the added benefit is reduced costs to store and maintain that data.
- Identify where your customers' sensitive and personal information is being stored using classification tools. Realistically, it is not practical to enforce strict security policies on ALL data, as this will slow down development. You should prioritize and protect the most important data to your organization.
- Assess data that is shared with any partners. Understand how that data flows (data lineage, API calls). Then continuously track and monitor security configurations, since these can always change.
- Remediate data at the source instead of modifying things in ways that are not persistent. Remediate through IAC (infrastructure as code) solutions, to ensure that you retain a changelog of any changes made to the environment.
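The first steps above can be combined into one triage pass over the inventory and the access logs. The following is an added example, not code from Teleskope or the original post; the inventory format, log line format, label names and the 90-day staleness threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample inventory: one entry per data store found during cataloging.
INVENTORY = [
    {"name": "s3://crm-exports", "labels": {"pii"}, "shared_with": ["partner-a"]},
    {"name": "s3://build-cache", "labels": set(), "shared_with": []},
    {"name": "pg://billing.invoices", "labels": {"pii", "financial"}, "shared_with": []},
    {"name": "s3://legacy-dump-2019", "labels": {"pii"}, "shared_with": []},
]
# Constructed audit log lines: "<ISO timestamp> <principal> <action> <data store>".
AUDIT_LOG = """\
2024-05-28T10:02:11 svc-etl READ s3://crm-exports
2024-05-30T08:15:00 alice READ pg://billing.invoices
2024-05-30T09:00:42 ci-runner WRITE s3://build-cache
2023-11-02T17:44:03 bob READ s3://legacy-dump-2019
malformed line that should be skipped
"""
SENSITIVE = {"pii", "financial", "phi"}  # assumed classification labels

def last_access(log_text):
    """Return {store: most recent access time}, ignoring unparseable lines."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, store = datetime.fromisoformat(parts[0]), parts[3]
        except (IndexError, ValueError):
            continue
        seen[store] = max(ts, seen.get(store, ts))
    return seen

def triage(inventory, log_text, now, stale_after_days=90):
    """Map each store to 'deprecate', 'review-sharing', 'protect' or 'baseline'."""
    accessed = last_access(log_text)
    cutoff = now - timedelta(days=stale_after_days)
    result = {}
    for item in inventory:
        ts = accessed.get(item["name"])
        sensitive = bool(item["labels"] & SENSITIVE)
        if ts is None or ts < cutoff:
            result[item["name"]] = "deprecate"       # unused: shrink the attack surface
        elif sensitive and item["shared_with"]:
            result[item["name"]] = "review-sharing"  # sensitive data shared with a partner
        elif sensitive:
            result[item["name"]] = "protect"         # in use and sensitive: strict policy
        else:
            result[item["name"]] = "baseline"        # in use, not sensitive
    return result
```

Because the result is derived from the logs at the time it runs, scheduling it regularly avoids the point-in-time problem of manual assessments described earlier.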
Once you have tackled the data, you now have the continual task of ensuring your data remains secure. Some steps…
- Redact any sensitive data (for example, PII) programmatically in your code, ensuring that only permitted data is stored or transmitted.
- Continue to enforce data policies (assuming that these are up to date) via CI/CD (Continuous Integration/Continuous Delivery) and IAC (infrastructure as code) to prevent data from slipping through.
- Find issues at their origin by monitoring the development process to flag issues before they hit production.
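One way to implement the programmatic redaction step, as an added example that is not code from Teleskope or the original post: an allowlist decides which fields may be stored or transmitted, and pattern-based redaction catches PII embedded in free text. The field names and the two patterns are assumptions and are illustrative, not exhaustive.

```python
import re

# Hypothetical policy: fields permitted to leave the service; everything else is dropped.
ALLOWED_FIELDS = {"order_id", "status", "note", "items", "sku", "qty"}

# Patterns for values that must not survive in free text (illustrative, not exhaustive).
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def redact_text(text):
    """Replace every pattern match with a labelled placeholder."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED:{label}]", text)
    return text


def sanitize(value):
    """Recursively keep allowlisted keys and redact PII patterns in strings."""
    if isinstance(value, dict):
        return {k: sanitize(v) for k, v in value.items() if k in ALLOWED_FIELDS}
    if isinstance(value, list):
        return [sanitize(v) for v in value]
    if isinstance(value, str):
        return redact_text(value)
    return value


# Constructed sample record, as it might look just before being logged or forwarded.
RECORD = {
    "order_id": 1042,
    "status": "shipped",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "note": "Customer jane@example.com called, SSN 123-45-6789 on file",
    "items": [{"sku": "A-1", "qty": 2, "card_number": "4111111111111111"}],
}
```

Calling `sanitize(RECORD)` at the single point where records are written or sent keeps the policy in one place, which also makes it straightforward to test in CI.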
Identified here are basic and high-level steps you can take to gain control over your data and access to that data. The good news is that data protection software is quickly innovating to help with this problem — and frankly make your life easier. Getting a handle on your data and access has never been more critical, and I haven’t even touched on the ramifications of the use of generative AI and insecure data.
The only way to stay on top of your data access and ensure compliance, with the added benefit of saving your developers and security teams hours and hours of operational overhead, is through highly automated software based on clear policies. The goal of any of this is to better understand what data you have and who has access to it, as well as ensure that your company continues to stay ahead of threats that can have devastating financial consequences.
By the way, Teleskope launched a data protection platform last week that automates data security, privacy and compliance at scale, helping organizations comply with regulations like GDPR and CCPA and reduce the manual and operational burden on security, data and engineering teams.
Unlike typical Data Security Posture Management (DSPM) approaches that often result in alert fatigue due to valuable time wasted on false positives, Teleskope uses AI — specifically LLM — to provide actionable insights with greater accuracy. The company’s data protection software integrates with existing workflows and developer pipelines, giving engineers the ability to automate security at the source.
The company raised $2.2 million in pre-seed funding led by Lerer Hippeau. And I’m excited to be advising them.