Wiz adds a lightweight agent called Runtime Sensor for detection and response. In addition to the usual cloud data sources, it also scans a variety of on-prem DBs, such as MySQL, PostgreSQL, MongoDB as well as their cloud versions and integrates with over 60 different security products. The full DSPM feature set is only available with an advanced license plan.

*Vendors we contacted for this article but didn’t respond were Flow Security, Laminar Security/Rubrik, and Theom.

DSPM products are focused on finding your data, no matter where it might reside and whether these locations are well documented or unstructured, or are the shadow data repositories which have been initially created by departmental teams outside IT’s purview, left to fester or be forgotten.

How each vendor describes where it goes looking for data is instructive. Every vendor supports some visibility into some of the cloud data repositories of Amazon Web Services, Google Cloud Platform, and Microsoft Azure. But that doesn’t mean that they cover every service offered by each of the cloud providers that deals with data. For example, AWS has its S3 storage, Relational Database Service, Redshift’s cloud data warehouse, Athena serverless SQL queries, and ElasticSearch managed data services, among several other places that operate on data. Securiti takes pains to delineate which services are covered in each cloud platform, but this is not as transparent as it could be for other DSPMs. One approach is how Varonis uses a “universal data connector” that can seek out a wider range of structured data destinations, both cloud and on-premises-based.

Some of the vendors acknowledge cloud services that they don’t support. Sentra doesn’t cover data stored by Azure Synapse Analytics, Symmetry doesn’t handle any mainframe databases nor cover data stored by ServiceNow and Salesforce, and Wiz doesn’t support data stored in Databricks, AWS’ Redshift or on Azure SQL servers with Transparent Data Encryption enabled with a customer managed key. Again, this is a very dynamic situation as vendors are adding coverage areas continually as their customers demand them.

But tracking down data is just the beginning of the DSPM process. Once found, it has to be cataloged, evaluated, and summarized in various dashboards. That could be tricky if done without tight security controls, which is why most DSPM vendors claim that “customer data always stays within the customer’s environment.” This typically means collecting metadata, rather than the actual data itself, using read-only access to the apps, services, and database structures. Vendors refer to this as agentless or using API access. This has the advantage of being able to scan huge volumes of data quickly to understand the nature of its usage and potential risk factors.

Once discovered and the metadata collected, the next step is to perform regular scans to see what changes have been made: Has data been copied to some dark corner of your cloud estate? Has someone just changed access rights to allow for greater or insecure access? These tools provide a single point of view across all the various cloud and on-premises data locations. The key word here is “regular.” Scans have default periods (such as daily or weekly) and can be activated when new data repositories are found.

Another aspect of searching for data is how data is consumed in your production environment, including data pipelines, lakes, and warehouses. This can involve creating data maps to classify this landscape as well as facilitating audits to enumerate who has access to which data resource and under what specific circumstances it was shared across your enterprise. Maps are not just pretty pictures but important visualizations that often show where shadow data was abandoned, for example. 

On top of all these activities there is the entire field of data governance. This means these products assign risks and apply consistent security policies to manage your entire data collection, and work with other security tools to enforce these policies and remediate problems. 

Each DSPM tool has several components, including agents and agentless collectors (useful for tracking on-premises data), a centralized management dashboard, scanners that detect and prioritize data collections, maps of data lineage and usage, and compliance assessments.

Most vendors offer their DSPM product in one or both wider contexts: to integrate with third-party security services (such as offered by Wiz and Securiti) or as part of their own security product portfolio with other add-on modules that include identity management, cloud management, detection and response and log analysis tools (Cyera, Varonis, Wiz and Palo Alto Networks).

The specifics on these integrations are worthy of examination, as some vendors such as Varonis and Palo Alto Networks have wider support while others such as IBM and Normalyze are more limited or just getting around to implementing them. Understanding the scope, integration level, and what other protective features are included, and which are available at an extra cost will take some effort to figure it out.

Products can be deployed as a complete SaaS cloud-based solution, run from on-premises servers or private virtual machines, or some combination.

Finally, there is the issue of pricing. Few vendors were willing to share this information, indicating that prices are flexible and depend on numerous factors. However, numerous vendors offer annual subscriptions on either or both the Amazon and Azure marketplaces, which typically start at $30,000 but can quickly move into six figures.

Wiz offers two licensing plans and the full collection of DSPM features is only available on its more expensive Advanced plan. A summary table shows the various products and services offered, and links to the marketplace subscriptions.

How to evaluate DSPM products

DSPM tools will require a significant amount of staffing resources to evaluate because they touch on so many different aspects of an enterprise’s IT infrastructure. And that is a good thing, because you want them to seek out and find data no matter under what digital rock it could be hiding. So having a plan that prioritizes which data is most important will help focus your evaluation. Also, a good thing is to document how each DSPM creates its data map and how to interpret it and subsequent dashboards. Finally, you should understand the specific cloud services that are covered and which ones are on the vendor’s near-term product roadmap.