Announcing Customer Success, New Platform Capabilities to Enable Safe Use of LLMs and Data Lakes + RSA Highlights. Read Both Announcements.


Gartner® Innovation Insight: Data Security Posture Management
The Normalyze Platform
Supported Environments
Platform Benefits

Reduce Data Access Risks

Enforce Data Governance
Eliminate Abandoned Data

Secure PaaS Data

Enable Use of AI

DSPM for Snowflake




DSPM-chat-Richard Stiennon-Ravi-Ithal-Normalyze
Improve Cloud Security:
Dark Reading Interviews Ravi Ithal


CYBER 60: The fastest-growing startups in cybersecurity

Normalyze… Continuous Insights to Support Data Security Compliance

Normalyze helps organizations handle data security regulatory compliance across every industry. These are just a few of the most critical data security regulations and frameworks:


The Family Educational Rights and Privacy Act applies to educational institutions in the U.S.. Similar regulations are in place globally, ensuring the privacy of student education records. FERPA data security requirements include:
  • Data Access: 34 CFR § 99.30 – Under what conditions is prior consent required to disclose information? It outlines the conditions under which a school must have written consent from the parent or eligible student in order to release education records.
  • Data Retention: Not explicitly covered by FERPA, but schools must follow state regulations and best practices in deciding how long to retain student records.

General Data Protection Regulation applies to most organization in the EU, particularly Telcos. GDPR includes strict provisions for data privacy and security, and specific national laws that protect users’ communication data. GDPR data security requirements include:

  • Data Access: Article 15 – Right of access by the data subject, provides individuals the right to access their personal data and information about how this data is being processed.
  • Data Retention: Article 5(1)(e) – Requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Gramm-Leach-Bliley Act frameworks apply to financial service institutions in the U.S.. GLBA data security requirements include:
  • Data Access: Section 501(b) – Safeguards Rule requires financial institutions to have measures that ensure the security and confidentiality of customer records and information.
  • Data Retention: Financial institutions must retain records in compliance with other financial regulations such as the Sarbanes-Oxley Act (Section 802).
  • Similarly, PSD2 (Payment Services Directive) in the European Union, and other global banking regulations, focus on the protection of consumer financial information. 

Health Insurance Portability and Accountability Act applies to US healthcare organizations who must ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA data security requirements include:
  • Data Access: Section 164.312(a)(1) – Technical safeguards require procedures to allow only authorized access to PHI.
  • Data Retention: Section 164.530(j) – Requires covered entities to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.
  • Data Classification: Requires covered entities to implement policies and procedures that limit access and uses of PHI based on the specific roles of the members of their workforce (Section 164.514).

North American Electric Reliability Corporation Critical Infrastructure Protection applies to energy and utility sectors, particularly those involved in critical infrastructure in North America. This set of regulations focuses on securing the electric grid against potential cyber threats. NERC CIP data security requirements include:
  • Data Access: CIP-004-6 – Personnel and Training, involves managing access to Critical Cyber Assets.
  • Data Classification: While specific data classification is not outlined in NERC CIP, the identification and categorization of Critical Cyber Assets is implied within various requirements.

National Institute of Standards and Technology guidelines apply to agencies and contractors dealing with government data in the U.S.. NIST data security requirements include:

  • Data Access: NIST SP 800-53 Access Control Family – Guidelines on how organizations can implement access controls to limit and manage the access of users to systems and environments.
  • Data Classification: NIST SP 800-60 Vol. I & II – Guide for Mapping Types of Information and Information Systems to Security Categories, provides a structure for classifying federal information and information systems based on the objectives of confidentiality, integrity, and availability.

Payment Card Industry Data Security Standard requirements to protect against data breaches and fraud, and applies to any business that processes, stores and/or transmits credit card data. PCI DSS data security requirements include:
  • Data Access: Requirement 7 – Restrict access to cardholder data by business need-to-know.
  • Data Retention: Requirement 9.6 – Implement a retention policy for cardholder data to ensure it is not stored longer than necessary.
Effective December 18, 2023, mandate companies to annually disclose their cybersecurity risk management, strategy, and governance, and to report material cyber incidents within four days of their assessment. This applies to public companies or those planning to go public, private companies with public debt, foreign public companies and investment firms and broker-dealers.Specific standards from the SEC Rule:
  • Data Access and Classification: Companies are expected to maintain rigorous controls over who can access sensitive data and ensure that data is appropriately classified to safeguard against unauthorized access.
  • Data Retention: While the rule does not specify data retention periods, it implies that companies must have effective data governance to quickly retrieve and report relevant security incident details.
  • Incident disclosure: Material cybersecurity incidents must be disclosed on SEC Form 8-K within four business days, detailing the nature, scope, timing, and impact of the incidents.

Zero Trust Model – Data Pillar
Many teams are putting in a Zero Trust model to require strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are within or outside of the network perimeter. Normalyze supports security and data teams who need to implement:

  • Least Privilege Access: Implementing strict access controls that ensure individuals have access only to the data necessary for their specific role.
  • Anomaly Detection: Continuously monitor data and associated users and resources to identify deviations from normal behavior patterns. 
  • Continuous Data Governance: Running automated queries to ensure that data is not retained beyond its required lifecycle and  deleting data that is no longer necessary.
  • Data Classification: Running scans as often as needed against new, unclassified or misclassified data then accurately classifying them based on its sensitivity and the regulations governing it.