Data handling for DSPM platforms
Understand vendor options and best practices for data handling
DSPM deployment options
When evaluating a DSPM vendor, it is important to consider how they handle customer data. How a DSPM solution is deployed can vary significantly depending on an organization's operational needs and security policies and on the vendor selected. There are three distinct approaches; some vendors offer customers the choice, while others offer only one method.
As organizations research Data Security Posture Management, it’s important to understand the pros and cons of the three methods below:
Summary
1. Extract and scan: Risky
2. In-place scanning: Preferred
3. Sidecar: Alternative
1. Extract and scan (Risky)
The most controversial of the three, this approach requires the customer to allow the vendor to extract data, which is then transferred to the vendor's external environment for scanning, analysis and classification. While this approach, also called the "snapshot" approach, expedites implementation because fewer permissions are typically needed, it also introduces two concerns that customers should ask vendors to address:
What happens to the extracted data?
Who pays the processing costs?
2. In-place scanning (Preferred)
This approach, preferred by Normalyze customers, allows DSPM scanning functions to run directly in the customer's data environments, operating continuously as data is created, moved or updated.
This method provides real-time data monitoring and analysis, which matters most in environments where data is sensitive and timeliness is critical. By analyzing data within its native system, in-place scanning minimizes data exposure to external threats and eliminates the latency and potential security risks associated with data transfer. Unlike the other two approaches, this model does not attempt to bypass vendor due diligence or internal risk assessments and audits.
Advantages of in-place scanning
In-place scanning represents a significant advancement in managing data security by integrating DSPM capabilities directly within the data environment.
Because data is continuously monitored and analyzed in its native environment as it is created, moved or modified, context about critical data is not lost, so there are no gaps in coverage between scans.
This method ensures that security measures are always in step with the latest data, providing a living view of an organization’s data landscape and security posture.
Lower operational cost
Simplified data governance and sovereignty
Continuous compliance
Better trust among teams
Smaller risk footprint
Better data integrity
3. Sidecar model (Alternative)
In this configuration, a software component is deployed in a separate account within the customer environment. This component operates in parallel to the primary system, pulling data into the sidecar account and scanning and analyzing it there in near real time. It allows for an isolated, yet integrated, environment where data can be processed and analyzed by DSPM tools without being moved outside the customer environment.
This is ideal for customers with many on-premises data stores, since it balances operational isolation with the convenience of close data proximity, offering a compromise between in-place scanning and external processing. In certain scenarios, Normalyze recommends a sidecar housed within the customer environment. With an established process for sidecar maintenance (managed either by the customer or under strict control by Normalyze), risk and compliance teams keep the data under their control while security and data teams still receive rapid insights on their posture.
Resources
GigaOm Radar for DSPM 2024
Data is the most valuable asset for a modern enterprise, and its proliferation everywhere makes DSPM an essential tool for visibility into where sensitive data is, who has access to it, and how it's being used.
The Normalyze cloud-native platform
Learn how we deliver the fastest scanning at scale with the most accurate classification across every data environment.
A Buyer’s Guide to Data Security Posture Management
The 2024 DSPM Buyer’s Guide is designed to help in your research process, clearly define your internal requirements, and make well-informed decisions for your organization.