Data Security Platforms: 9 Key Capabilities and Evaluation Criteria

Mar 12, 2024


What Makes a Cloud Data Security Platform?

Recent years have seen a flurry of new technologies and vendors, first in CSPM and then in DSPM. Dozens of products have emerged, in addition to existing data loss prevention (DLP) vendors releasing cloud features and offerings. But do any of these tools provide comprehensive data security in the cloud?

To help you answer this question, we've created this guide covering the current market landscape, key capabilities and differentiators to look out for when evaluating data security tools. It's based on the same learnings and conversations with the industry that have shaped our product roadmap.

First, let's quickly review the problem space.

Data Security in the Cloud: A New Set of Challenges

Cloud architecture and usage patterns present a unique set of security challenges.

The elasticity of cloud services lets users spin up new data services effortlessly, which leads to sprawling environments where data continuously flows between object storage, managed services and unmanaged databases. Since the cloud service provider (CSP) operates the infrastructure underneath managed services, installing monitoring agents on it is usually not an option.

At the same time, data is seen as a competitive advantage. Organizations collect and retain more data than ever and democratize access to data by giving more teams and principals access to analytics tools. While this serves important business goals, it also heightens the risk of unauthorized access to sensitive information.

These factors dictate the requirements from a data security platform: it needs to be agentless, provide robust monitoring and access governance over sensitive data, and be capable of processing vast volumes of data. Most cloud security tools will claim to tick these boxes, but things get a bit trickier when you drill down.

The State of the Cloud Data Security Market

A complete analysis of the data security market is beyond the scope of this article. However, we can delineate the following categories that are currently at play:

  • Legacy DLP: Focused on protecting endpoints, networks and traditional on-premises infrastructures. These tools are often poorly adapted to the challenges presented by cloud environments.
  • CSP-native security tools: Often limited in features and coverage, and unable to enforce the same policies and controls across other clouds, DBaaS and SaaS.
  • CSPM: A powerful security solution designed to identify misconfigurations and analyze risk in the cloud environment. CSPM tools provide visibility into the cloud infrastructure services. At the same time, they are not aware of the content of the data, which makes prioritization of risks difficult.
  • DSPM: Cloud-native tools that discover and classify sensitive data within cloud datastores. They scan an organization's cloud at regular intervals (e.g., every 24 hours) and help identify specific threats to sensitive data. Because they work in batches, they cannot serve as real-time threat detection: an attack that begins right after a scan is not seen until the next one.
  • DDR: Building on the inventory of sensitive data provided by DSPM, DDR solutions augment them with real-time monitoring capabilities based on streaming analysis of cloud data events. This allows the tools to surface critical incidents related to sensitive data within minutes of their occurrence.
  • Data privacy solutions: These tools are focused on identifying sensitive data for regulatory compliance purposes and offer little by way of increasing security. In most cases they require agents to be installed on the asset being monitored.

The 9 Core Capabilities for Cloud Data Security

[Figure: data security platform evaluation process]

In our conversations with enterprise buyers, we've identified 9 security gaps that are top of mind when it comes to cloud data. Each corresponds to a capability a data security platform must provide.

1. Sensitive Data Inventory

A prerequisite for any data security product is the ability to discover and classify sensitive data. An up-to-date inventory of sensitive data is the foundation for all other data security capabilities, as it contextualizes security efforts and enables enterprises to focus their time and resources on the data that poses the largest risk in case of a breach.

Key Considerations for Your Approach to Acquiring a Data Inventory

  • Speed: the time it takes to perform an agentless scan of your cloud environments and detect sensitive data
  • Scale: the ability to scan petabyte-scale datasets efficiently without impacting the performance of the data services being scanned
  • Accuracy: identifying all relevant records (including enriched or transformed copies) with minimal false positives, since every false positive costs analyst time and erodes trust in the inventory
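To make the accuracy point concrete, here is a small classifier added as an example (not code from the original post or from any product it mentions). It scans text records for payment card numbers and e-mail addresses, and validates card candidates with the Luhn checksum so that arbitrary 16-digit identifiers (order numbers, tracking ids) are not reported as card data. The records, the regexes and the `scan` entry point are all assumptions for the example; the sample records are constructed.

```python
"""Added example, not code from the original post: a small scanner that
classifies text records for payment card numbers (PAN) and e-mail addresses.
Card candidates are validated with the Luhn checksum so that arbitrary
16-digit identifiers are not reported as card data. All records are
constructed sample data."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, normalized to bare digits."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def classify(record: str) -> dict:
    return {"pan": find_pans(record), "email": EMAIL.findall(record)}


def scan(records) -> dict:
    """Map record index -> findings, keeping only records with at least one hit."""
    results = {}
    for i, rec in enumerate(records):
        hits = classify(rec)
        if any(hits.values()):
            results[i] = hits
    return results


SAMPLE_RECORDS = [  # constructed sample data; 4111 1111 1111 1111 is a well-known test PAN
    "order 1001 paid with 4111 1111 1111 1111 by alice@example.com",
    "tracking id 1234567890123456 for bob@example.org",  # 16 digits but fails Luhn
    "no sensitive fields here",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS).items():
        print(idx, hits)
```

The second record shows the trade-off: a digits-only regex would report the tracking id as a card number, while the checksum rejects it. In a real scanner the same idea extends to other identifiers with check digits (IBANs, national ids), and the pattern set is what has to keep up with the "enriched or transformed" copies mentioned above.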

2. Posture Management

Managing data posture means analyzing data risk and continuously assessing the configuration of cloud resources that store or move sensitive data, and the security controls that apply to them. The data security platform detects and flags misconfigurations, vulnerabilities and deviations from best practices that put sensitive data at risk. It should also provide automated or semi-automated remediation paths.
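As an added example (not code from the original post or from any product it mentions), the following check evaluates constructed S3-style bucket metadata for three common misconfigurations and escalates each finding when the inventory says the bucket holds sensitive data, which is the prioritization step a data-unaware CSPM cannot make. The bucket names, ARNs, VPC endpoint id and the `classification` field are assumptions for the example.

```python
"""Added example, not code from the original post: a posture check over
constructed S3-style bucket metadata. It flags bucket policies that grant
access to everyone, a disabled public access block and missing default
encryption, and escalates the severity when the data inventory says the
bucket holds sensitive data. Bucket names, ARNs and the VPC endpoint id
are made up for the example."""

SEVERITY_LEVELS = ["low", "medium", "high", "critical"]
SENSITIVE_CLASSES = {"PII", "PCI", "PHI"}
# Condition keys that pin a wildcard-principal statement to a VPC endpoint, org, account or IP range.
RESTRICTING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid",
                    "aws:principalaccount", "aws:sourceip", "aws:sourcearn"}


def is_wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def condition_restricts(condition) -> bool:
    """True if any condition operator references a key that narrows who can call."""
    for keys in (condition or {}).values():
        if any(k.lower() in RESTRICTING_KEYS for k in keys):
            return True
    return False


def public_statements(policy: dict) -> list:
    """Sids of Allow statements open to any principal and not narrowed by a condition."""
    return [st.get("Sid", "<no-sid>") for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow"
            and is_wildcard_principal(st.get("Principal"))
            and not condition_restricts(st.get("Condition"))]


def escalate(severity: str) -> str:
    return SEVERITY_LEVELS[min(SEVERITY_LEVELS.index(severity) + 1, len(SEVERITY_LEVELS) - 1)]


def assess_bucket(bucket: dict) -> list:
    sensitive = bucket.get("classification") in SENSITIVE_CLASSES
    findings = []

    def add(issue, base):
        # The same misconfiguration matters more on a bucket known to hold sensitive data.
        sev = escalate(base) if sensitive else base
        findings.append({"bucket": bucket["name"], "issue": issue, "severity": sev})

    for sid in public_statements(bucket.get("policy", {})):
        add(f"policy statement '{sid}' grants access to any principal", "high")
    pab = bucket.get("public_access_block", {})
    if not all(pab.get(k) for k in ("BlockPublicPolicy", "RestrictPublicBuckets")):
        add("public access block not fully enabled", "medium")
    if not bucket.get("default_encryption"):
        add("no default server-side encryption", "medium")
    return findings


def assess_all(buckets) -> list:
    return [f for b in buckets for f in assess_bucket(b)]


SAMPLE_BUCKETS = [  # constructed; classification comes from the sensitive data inventory
    {"name": "customer-exports", "classification": "PII",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]},
     "public_access_block": {"BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "default_encryption": False},
    {"name": "static-site", "classification": "public",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-site/*"}]},
     "public_access_block": {"BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "default_encryption": True},
    {"name": "analytics-raw", "classification": "PHI",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::analytics-raw/*",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]},
     "public_access_block": {"BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "default_encryption": True},
]

if __name__ == "__main__":
    for f in assess_all(SAMPLE_BUCKETS):
        print(f"{f['severity']:<8} {f['bucket']}: {f['issue']}")
```

The two `PublicRead` statements are byte-for-byte the same misconfiguration; only the classification from the inventory separates a critical finding on `customer-exports` from an expected setting on a static website bucket. The `analytics-raw` policy shows the caveat a naive "Principal is *" check misses: a wildcard principal narrowed by a VPC endpoint condition is not public.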

3. Cloud Data Compliance

Compliance with regulations and standards (e.g., GDPR, HIPAA, PCI DSS, SOC 2) is a priority for organizations of all sizes, as can be seen from the rapid growth of the GRC market. Security tools address cloud data compliance by mapping sensitive data assets to the relevant requirements and highlighting the necessary controls, such as encryption, access control or data retention policies. They also monitor data movement to identify flows that violate residency or isolation requirements.

4. Access Governance

Effective access governance ensures that sensitive information is accessible only by authorized accounts (individuals or software tools) and follows the principle of least privilege. Data security platforms reduce the risk of unauthorized access by providing visibility into user permissions, helping admins monitor and control access to sensitive data, as well as quickly identify gaps between who has access to a particular dataset versus who actually accesses it.

5. Real-Time Monitoring and Alerting (DDR)

Organizations can't accept a mean time to detect (MTTD) of days or weeks for a breach incident. Real-time monitoring and alerting capabilities help identify and contain attacks almost immediately. Since agent-based solutions often aren't viable, data security platforms need to use alternative methods, such as monitoring cloud logs, to identify anomalous access patterns or suspicious behavior related to sensitive data. Swift detection enables security teams to mitigate threats more effectively.
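The two capabilities above, access governance (granted versus exercised access) and log-based real-time detection, can both be worked from the same cloud audit events. The following is an added example (not code from the original post or from any product it mentions) over constructed CloudTrail-style S3 data events: it lists principals whose read grant on a sensitive bucket was never used, lists reads by principals the grant inventory does not know, and raises one alert when a principal pulls 50 objects from a sensitive bucket inside a 60-second window. The ARNs, bucket names, IP addresses, the `GRANTED_READERS` mapping and the thresholds are assumptions for the example; the bucket's sensitivity is assumed to come from the data inventory.

```python
"""Added example, not code from the original post: analysis of constructed
CloudTrail-style S3 data events. It compares who is granted read access to
a sensitive bucket with who actually reads it (access governance), and flags
a burst of GetObject calls on a sensitive bucket inside a short window (the
kind of log-derived signal DDR tooling raises without agents). ARNs, bucket
names and IP addresses are made up; the bucket's sensitivity is assumed to
come from the data inventory."""
from collections import defaultdict, deque
from datetime import datetime

ETL = "arn:aws:iam::111122223333:role/etl"
ANALYST = "arn:aws:iam::111122223333:role/bi-analyst"
JANE = "arn:aws:iam::111122223333:user/dev-jane"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"

SENSITIVE_BUCKETS = {"customer-exports"}                    # from the inventory (assumed)
GRANTED_READERS = {ETL: {"customer-exports"},               # principal -> buckets it may read (assumed)
                   ANALYST: {"customer-exports"},
                   JANE: {"customer-exports"}}


def _event(t, arn, bucket, key, ip="10.0.0.5"):
    """Minimal CloudTrail-shaped S3 data event (constructed)."""
    return {"eventTime": t, "eventName": "GetObject", "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, "key": key}, "sourceIPAddress": ip}


SAMPLE_EVENTS = (
    [_event("2024-03-12T10:00:00Z", ETL, "customer-exports", "export-0001.csv")]
    # dev-jane pulls 60 objects in 60 seconds from an address outside the VPC
    + [_event(f"2024-03-12T10:05:{s:02d}Z", JANE, "customer-exports", f"export-{s:04d}.csv", ip="203.0.113.7")
       for s in range(60)]
    + [_event("2024-03-12T10:10:00Z", CONTRACTOR, "customer-exports", "export-0001.csv", ip="203.0.113.9")]
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def unused_grants(granted, events) -> dict:
    """Granted buckets a principal never read in the observed window: least-privilege candidates."""
    used = defaultdict(set)
    for e in events:
        used[e["userIdentity"]["arn"]].add(e["requestParameters"]["bucketName"])
    return {p: sorted(b - used[p]) for p, b in granted.items() if b - used[p]}


def ungranted_reads(granted, events, sensitive) -> list:
    """Reads of sensitive buckets by principals the grant inventory does not list."""
    hits = set()
    for e in events:
        arn, b = e["userIdentity"]["arn"], e["requestParameters"]["bucketName"]
        if b in sensitive and b not in granted.get(arn, set()):
            hits.add((arn, b))
    return sorted(hits)


def bulk_read_alerts(events, sensitive, threshold=50, window_seconds=60) -> list:
    """Sliding window per principal; one alert when `threshold` GetObject calls on
    sensitive buckets fall within `window_seconds`."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for e in sorted(events, key=lambda e: _ts(e["eventTime"])):
        b = e["requestParameters"]["bucketName"]
        if e["eventName"] != "GetObject" or b not in sensitive:
            continue
        arn, t = e["userIdentity"]["arn"], _ts(e["eventTime"])
        q = recent[arn]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and arn not in alerted:
            alerted.add(arn)
            alerts.append({"principal": arn, "bucket": b, "count": len(q),
                           "at": e["eventTime"], "source_ip": e["sourceIPAddress"]})
    return alerts


if __name__ == "__main__":
    print("unused grants:", unused_grants(GRANTED_READERS, SAMPLE_EVENTS))
    print("ungranted reads:", ungranted_reads(GRANTED_READERS, SAMPLE_EVENTS, SENSITIVE_BUCKETS))
    print("bulk read alerts:", bulk_read_alerts(SAMPLE_EVENTS, SENSITIVE_BUCKETS))
```

Note that `dev-jane` is a legitimately granted reader, so access governance alone would not flag her; only the rate of reads, and the unfamiliar source address carried on the alert, make the burst stand out. Conversely the contractor's single read would never trip a volume threshold, but it shows up as a read the grant inventory cannot explain. In practice the events would arrive as a stream from the CSP's audit log rather than a list, and the thresholds would be tuned per dataset.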

6. Shadow Data Detection

Shadow data refers to unknown, hidden, or overlooked copies of sensitive information that may not be properly secured and monitored. A data security platform detects and classifies shadow data across structured and unstructured storage — enabling security teams to address potential vulnerabilities and reduce the risks associated with unmonitored environments.

7. Malware Analysis

Both internal and external users might need permissions to store data in an organization's cloud object storage (Amazon S3, Azure Blob Storage, Google Cloud Storage). For example, an automated machine learning tool might accept user input in the form of XLSX files. This can lead to malware-infected files being uploaded to cloud storage, from where they are served to other users and systems. The data security platform should scan existing and incoming files for known malware signatures and identify malicious files in object storage, so that they can be quarantined and investigated.


8. Data Hygiene

Enforcing best practices is key to any security strategy. In the context of sensitive data, this includes measures such as managing retention policies, redundancy measures and backups. Data security tools help streamline this process by alerting security teams or data owners when best practices are not being followed.

9. Support for Multicloud Environments

Organizations are increasingly storing data across multiple public cloud platforms and managed data services (e.g., Azure and Snowflake). To streamline operations and reduce complexity, data security platforms should allow organizations to apply the same security policies and threat model across multicloud environments. This functionality is typically missing from the native tools provided by cloud service providers, which cover only their own cloud.

Additional Evaluation Criteria and Differentiators

Once you've determined that a set of data security solutions have the key capabilities that support your use case, you'll want to evaluate them based on the following differentiators:

Threat Model

The most robust engine will not deliver on security requirements without an accurate and up-to-date threat model. Research the solution to ensure it's backed by a strong research team with a proven track record of identifying new threats to cloud environments. You'll also want to ensure that the underlying model is continuously updated based on new attack vectors and weaknesses revealed in previous attacks.

Breadth of Coverage

Determine whether the platform you're evaluating provides comprehensive coverage across the diverse array of datastores that your organization currently uses or plans to use in the future. This can include IaaS, PaaS and DBaaS. You should also consider the velocity at which new sources are added, and whether the team behind the platform is staying current on the latest risks and vulnerabilities associated with each datastore.

Implementation

Consider the resources you'll need to spend on implementation and the effects a security tool may have on your existing systems. A platform that automates the API connections and other deployment prerequisites will reduce the burden on your team. Agentless deployment is faster and minimizes the permissions required, and it's often the only feasible option when you don't have access to the underlying hosts (as is the case with most PaaS and DBaaS).

The platform should be designed to operate out-of-band and without requiring a live database connection, so that it continuously monitors your infrastructure without directly impacting your data services' performance. The ability to do so without requiring database credentials can expedite implementation and evaluation.

Security

It goes without saying that your data security platform should be, well, secure. Check whether any sensitive data leaves your account for scanning or classification (it shouldn't; only metadata and classification results should leave your environment). Verify that the vendor holds the relevant certifications (ISO 27001, SOC 2 Type II, etc.).

Integrations Ecosystem

You'll want your data security platform to integrate with other parts of your security stack. The most relevant are typically your SIEM and SOAR platforms and the SOC's ticketing workflow, as these enable you to act on the insights surfaced by the data security tool. Integrating with your identity provider (IdP) helps provide a rich view of active identities for each data asset, adding a valuable context layer for making informed access decisions for sensitive data.

Learn More: Comprehensive Data Security

As we mentioned at the start of this post, this list of requirements is based on what we believe a security platform should do to address the current challenges in cloud data security. It should come as no surprise then that Prisma Cloud provides this full set of capabilities — spanning DSPM, DDR and cloud DLP across multicloud environments.

Unlock the potential of cloud data security with our whitepaper Why DSPM? Learn about the different data security approaches and discover the benefits of a cloud-native solution designed for today's evolving threats. Gain insights to protect your organization's critical data in the cloud and stay ahead of the ever-changing cybersecurity landscape.
