DSPM vs. CSPM: Clarifying the Scope and Purpose

By Katrina Thompson
If you were to get Data Security Posture Management (DSPM) experts and Cloud Security Posture Management (CSPM) experts in the same room and ask what their ultimate goal was, they would both say something very much like “protecting data in the cloud.” However, when you dug deeper, you would find that they both had very different ways of going about the same thing.

Once you heard them out, you could decide which made more sense for your organization. Or, what’s more likely is that you would discover that you don’t have to pick. The truth is the two solutions are complementary and don’t “step on each other's toes” in the push for data security. They each do something the other can’t, and both are needed in a zero-trust data security posture for the modern era.

So, what are the differences? (And why are both tools running around?)

Explaining the Differences

As data security firm Cyberhaven asserts, “While DSPM directly addresses cloud data security, CSPM ensures that the underlying cloud infrastructure is secure.” Here’s how that looks.

DSPM deals primarily with the protection of the data itself. Think of a GPS tracker put on the ear of an endangered animal that allows concerned environmentalists to know where the animal is (and is going) at all times. It doesn’t matter if that area is an enclosed, protected pen or loose in the wild – that tracker can follow the animal anywhere. That’s DSPM’s relationship with an organization’s data.

Cloud security posture management, on the other hand, deals with protecting the ‘box’ in which the data is stored in the cloud. Following our analogy, this would be the engineering team at the wildlife enclosure that is responsible for making sure the wild animal doesn’t escape. It makes sure the exhibits are padlocked, the cages and feeding areas are secure, and all the doors and exits have been checked and monitored. This is also integral to the animal’s safety – it might run out the front door and onto the freeway without these safeguards. However, the one shortcoming is that once the animal has left the enclosure (if it does manage to escape), its whereabouts are lost. There’s no GPS tracker.

This sums up the relationship between DSPM, CSPM, and your cloud-hosted data. Let’s dive deeper and see how they work.

How DSPM Works

Gartner states that data security posture management “provides visibility as to where sensitive data is, who has access to that data, how it has been used, and what the security posture of the data stored or application is.” It does this by using artificial intelligence, machine learning, and automation to:
  • Determine a baseline of security across the organization’s data assets.
  • Classify data based on sensitivity.
  • Assign appropriate security controls based on the level of classification.
  • Continuously monitor the data security posture for changes and dangerous alterations.
  • Autonomously perform remediations and fixes for basic data security problems.

Another key tool in the DSPM tool belt is its ability to provide organizations with data lineage, or the data’s lifecycle – from inception to ultimate destination. As IBM notes, “Data lineage gives visibility into changes that may occur as a result of data migrations, system updates, errors and more, ensuring data integrity throughout its lifecycle.” Data lineage shows teams a map of where their data came from and helps them more easily spot areas of vulnerability or compromise.

Say an authorized user took an internal-only file from a secured repository in the company’s Box account. One second, it’s safe, and the next, it’s downloaded on the user’s mobile device and attached in a group message to a sketchy WhatsApp Bitcoin group. It could happen, and it’s called an insider attack. Up until now, these forms of “legal” foul play were hard to catch for that very reason – after all, the user had the authorization to access the file, and there apparently weren’t any controls against downloading it. With data lineage, the security team has access to the data’s whereabouts, its journey, and who did what with it.

DSPM also specializes in finding instances of shadow data and even shadow IT.
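To make the DSPM steps above concrete, here is a small added example (not code from any DSPM vendor, Gartner, or IBM) that walks a handful of constructed files through the pipeline: classify each by sensitivity, assign the controls that classification requires, take a baseline snapshot, detect posture drift on the next snapshot, auto-remediate the basic gaps, and finally replay the insider scenario against a lineage trail. The regex detectors, the control names, and the hypothetical policy in CONTROLS are stand-ins for the AI/ML classification and the organization's real policy.

```python
import re
from dataclasses import dataclass, field

# Sensitivity classes, least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Content detectors standing in for the ML classification step a real DSPM
# product performs. Deliberately simple patterns (assumption, not a product's).
DETECTORS = {
    "restricted": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")],      # US SSN shape
    "confidential": [re.compile(r"\b(?:\d[ -]?){13,16}\b")],   # card-number shape
    "internal": [re.compile(r"INTERNAL ONLY", re.I)],
}

# Hypothetical policy: controls each classification level must carry.
CONTROLS = {
    "public": set(),
    "internal": {"sso_required", "no_external_share"},
    "confidential": {"sso_required", "no_external_share", "encrypt_at_rest"},
    "restricted": {"sso_required", "no_external_share", "encrypt_at_rest", "no_download"},
}


@dataclass
class Asset:
    path: str
    content: str
    controls: set = field(default_factory=set)
    # Lineage events: dicts with actor, action, location, external (bool).
    lineage: list = field(default_factory=list)


def classify(content: str) -> str:
    """Return the most sensitive level whose detector matches the content."""
    for level in reversed(LEVELS):
        if any(p.search(content) for p in DETECTORS.get(level, [])):
            return level
    return "public"


def required_controls(level: str) -> set:
    return set(CONTROLS[level])


def snapshot(assets):
    """Baseline step: classification and missing controls for every asset."""
    snap = {}
    for a in assets:
        level = classify(a.content)
        snap[a.path] = {"level": level, "missing": required_controls(level) - a.controls}
    return snap


def drift(old, new):
    """Monitoring step: assets whose posture changed (or appeared) since the baseline."""
    return {p: cur for p, cur in new.items() if old.get(p) != cur}


def auto_remediate(asset):
    """Autonomous fix for a basic gap: attach the controls the level requires.
    Returns the set of controls that were added."""
    missing = required_controls(classify(asset.content)) - asset.controls
    asset.controls |= missing
    return missing


def lineage_violations(asset):
    """Walk the data's lineage and flag moves its classification forbids."""
    req = required_controls(classify(asset.content))
    hits = []
    for ev in asset.lineage:
        if ev["action"] == "download" and "no_download" in req:
            hits.append(ev)
        elif ev["action"] == "share" and ev.get("external") and "no_external_share" in req:
            hits.append(ev)
    return hits


def demo():
    # Constructed sample repository contents (not real data).
    assets = [
        Asset("box/docs/handbook.md", "Welcome to the company wiki."),
        Asset("box/hr/employees.csv", "name,ssn\nAlice,123-45-6789",
              controls={"sso_required", "encrypt_at_rest"}),
        Asset("box/finance/q3.txt", "INTERNAL ONLY: Q3 forecast",
              controls={"sso_required"}),
    ]
    before = snapshot(assets)
    for a in assets:
        auto_remediate(a)
    after = snapshot(assets)
    # Replay the article's insider scenario against the internal-only file:
    # an authorized download, then a share to an external messaging group.
    q3 = assets[2]
    q3.lineage = [
        {"actor": "alice", "action": "download", "location": "mobile:alice", "external": False},
        {"actor": "alice", "action": "share", "location": "whatsapp:group", "external": True},
    ]
    return {"before": before, "drift": drift(before, after),
            "violations": lineage_violations(q3)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The download itself is not flagged for an internal-only file, matching the article's point that nothing prohibited it; the lineage record still makes the external share visible and attributable to the user who performed it, which is the gap a perimeter-only view leaves open.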

How CSPM Works

CSPM is officially touted by Gartner as a tool that protects the security posture of Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) offerings “through prevention, detection and response to cloud infrastructure risks.” In other words, it leverages security industry frameworks, enterprise policies, and regulatory requirements to make sure all cloud configurations and security settings are above board and, therefore, ensure security.

If something goes amiss, CSPM solutions can also jump into action and automatically remediate a host of issues – or alert your SOC so they can do so. The main difference is the assumption (under CSPM) that if the security settings are correct, the data will be secure. And that’s not a bad assumption, considering that human error is estimated to account for 99% of all cloud misconfigurations – and misconfigurations take the blame for up to 80% of breaches.
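As an added illustration of the CSPM model described above (this is example code, not any vendor's engine or Gartner's definition), the following evaluates a few constructed cloud resource records against policy rules, then applies a small allow-list of safe automatic fixes and routes the rest to the SOC. The resource shape, rule names, severities, and the choice of which fixes are safe to automate are all assumptions for the example, not a real provider schema or a published benchmark.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    rule: str
    severity: str
    remediation: str


# --- Policy rules (hypothetical, loosely modelled on common benchmark controls) ---

def check_bucket(r):
    out = []
    if r.get("public_access"):
        out.append(Finding(r["id"], "storage-no-public-access", "high",
                           "disable public access"))
    if not r.get("encryption_at_rest"):
        out.append(Finding(r["id"], "storage-encrypt-at-rest", "medium",
                           "enable encryption at rest"))
    return out


def check_security_group(r):
    out = []
    for rule in r.get("ingress", []):
        # Administrative ports reachable from anywhere are a classic misconfiguration.
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389):
            out.append(Finding(r["id"], "sg-no-admin-ports-from-internet", "high",
                               f"restrict port {rule['port']} to trusted CIDRs"))
    return out


def check_database(r):
    out = []
    if r.get("publicly_accessible"):
        out.append(Finding(r["id"], "db-not-public", "high",
                           "set publicly_accessible=false"))
    if r.get("backup_retention_days", 0) < 7:
        out.append(Finding(r["id"], "db-backup-retention", "low",
                           "raise backup retention to at least 7 days"))
    return out


CHECKS = {"bucket": check_bucket, "security_group": check_security_group,
          "database": check_database}

# Fixes considered safe to apply without a human in the loop. Network rules are
# deliberately absent: tightening them blindly can cut off legitimate access,
# so those findings are escalated to the SOC instead.
AUTO_FIXES = {
    "storage-no-public-access": lambda r: r.update(public_access=False),
    "storage-encrypt-at-rest": lambda r: r.update(encryption_at_rest=True),
    "db-not-public": lambda r: r.update(publicly_accessible=False),
}


def evaluate(resources):
    """Run every applicable rule over every resource; return the findings."""
    findings = []
    for r in resources:
        findings.extend(CHECKS.get(r["type"], lambda _r: [])(r))
    return findings


def remediate(resources, findings):
    """Apply allow-listed fixes in place; return (fixed, escalated) finding lists."""
    by_id = {r["id"]: r for r in resources}
    fixed, escalated = [], []
    for f in findings:
        fix = AUTO_FIXES.get(f.rule)
        if fix:
            fix(by_id[f.resource])
            fixed.append(f)
        else:
            escalated.append(f)
    return fixed, escalated


def demo():
    # Constructed inventory, shaped only loosely like cloud API output.
    resources = [
        {"id": "bkt-customer-exports", "type": "bucket",
         "public_access": True, "encryption_at_rest": False},
        {"id": "sg-bastion", "type": "security_group",
         "ingress": [{"cidr": "0.0.0.0/0", "port": 22}, {"cidr": "10.0.0.0/8", "port": 443}]},
        {"id": "db-orders", "type": "database",
         "publicly_accessible": True, "backup_retention_days": 14},
    ]
    findings = evaluate(resources)
    fixed, escalated = remediate(resources, findings)
    remaining = evaluate(resources)   # re-check: only the escalated item should be left
    return {"findings": findings, "fixed": fixed, "escalated": escalated,
            "remaining": remaining}


if __name__ == "__main__":
    for name, items in demo().items():
        print(name, [(f.resource, f.rule, f.severity) for f in items])
```

Re-running evaluate() after remediation is the posture-management loop in miniature: the engine confirms its own fixes took effect and leaves a clean record of what was changed automatically versus what still needs a human decision.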

A One-Two Punch

So, which will it be: a locked gate or a GPS tracker on the endangered animal? Why not both?

Since DSPM and CSPM are two complementary data security platforms, there is no reason not to stack the deck in your favor with a strategy that leverages both solutions. DSPM has the added benefit of finding and securing data remotely, in hybrid environments, and on-premises, so with the two, your reach can be extended beyond the cloud alone.

There’s no end to the uses to which threat actors will put modern tools like GenAI, polymorphic malware, and RaaS, and sometimes a combination of tactics is what it takes to infiltrate an enterprise. We can’t fight guns with sticks; by meeting today’s combo attacks with multi-vector defense-in-depth tools of our own, we, as defenders, can do more to parry attacks and keep cloud-hosted data safe.

About Author - An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.