Understanding Data Security Posture Management: Five Questions to Get You on Your Way

From IC Insider Thales Trusted Cyber Technologies

By: Gina Scinta, Deputy CTO, Thales Trusted Cyber Technologies

Data Security Posture Management (DSPM) is emerging as a better way to get visibility into where your sensitive data is located, who has access to it, how it has been used and how stored data and applications are secured. It’s a shift from perimeter-based defenses to data-centric approaches, and it’s important to understand because, in today’s hybrid multi-cloud environments, and with quantum computing just around the corner, dynamically managing data security postures is essential.

In the article that follows, we’ll take a deeper dive into what DSPM is, and what you need to know to implement this strategy effectively.

DSPM and today’s security challenges

In general, DSPM refers to tools and practices organizations can use to protect sensitive data across their infrastructure. These tools identify vulnerabilities, generate alerts, and provide remediation guidance to address data security risks. When integrated with other security systems, DSPM helps organizations maintain a strong data security posture and meet regulatory requirements.

Several challenges and risks have emerged in recent years that make DSPM strategies essential for any organization:

Poor visibility into data security across the information lifecycle. Accurately identifying and classifying data is harder than ever as data now spreads across clouds, data lakes, and on-premises systems. Understanding the location and interaction of structured and unstructured data is, of course, essential. But today, data can be easily moved and shared. When users share data without proper security measures in place, that sensitive information may end up in unknown or external locations, which makes it more vulnerable to data exfiltration attacks.

Credential sprawl. Cloud computing has led organizations to store sensitive data online. With the adoption of cloud services, containers, and DevOps, keys and secrets are now scattered across platforms, repositories, and codebases. This in turn increases the attack surface and exposes your data to problems arising from mismanaged credentials. In fact, according to the 2024 Verizon Data Breach Investigations Report, 80% of data breaches involved stolen credentials. Securing sensitive credentials and preventing unauthorized access is one direct benefit of implementing a DSPM strategy.

The AI threat to credential security. In a report from Sapio Research and Deep Instinct, a significant uptick in attacks over the past year was traced back by survey respondents to bad actors using generative AI. With AI, attacks like phishing are more convincing, scalable, and harder to detect, which increases the risk of credentials being compromised. Multi-factor authentication is not enough to counter this threat; it must be supplemented with behavioral monitoring, such as tracking unusual access times, login locations, and unexpected data downloads. An effective DSPM strategy can help safeguard organizational data across all environments.

Post-Quantum Cryptography risk. As many news reports indicate, it’s only a matter of a decade or less before quantum computing breaks asymmetric algorithms like RSA and ECC, exposing sensitive data. The damage this could cause may not be apparent for years. The 2025 Thales Data Threat Report shows “Harvest now, decrypt later” attacks are the leading concern around post-quantum computing. Cybercriminals are collecting encrypted data today to decrypt when a Cryptographically Relevant Quantum Computer (CRQC) exists. Organizations need to prepare now by adopting the National Institute of Standards and Technology (NIST) FIPS post-quantum cryptography standard algorithms (ML-KEM, ML-DSA and SLH-DSA) and embracing crypto agility.

Difficulty detecting insider threats. Insider threats, including leaks and sabotage, are becoming increasingly sophisticated and challenging to detect. Traditional perimeter security is insufficient to prevent breaches. What’s really required is effective risk management through robust monitoring.

The growing importance of data governance. Global data protection regulations impose severe penalties for non-compliance. US Federal Government guidelines for achieving Zero Trust maturity models by 2026 contain requirements for data governance. This makes it more important than ever to recognize behavioral changes and identify threats before they compromise sensitive data. DSPM as a security strategy can help address emerging vulnerabilities and attack vectors.

To implement a comprehensive and successful DSPM strategy, you will need to have answers to these five questions. Let’s look at each one.

DSPM Question One: Where is my sensitive data?

Many organizations don’t fully understand where their sensitive data is. In the 2025 Thales Data Threat Report, 24% of respondents indicated that they had little or no confidence in identifying where their data is stored. This creates security risks and opportunities for attackers – often through hidden vulnerabilities or misconfigured databases you may not even know exist.

To secure sensitive data, you have to know its specific location. That applies to both structured data (from databases and spreadsheets, for example) and unstructured data (like emails, documents, and multimedia files).

Unfortunately, data types are often spread across various storage environments, including on-premises servers and multiple cloud platforms (like AWS, Azure, or Google Cloud). What’s more, data within an organization is often moved, processed, and accessed by various applications and users. This dispersal of sensitive data across locations complicates comprehensive tracking and management without advanced monitoring tools.

Data protection regulations (GDPR, HIPAA, Zero Trust etc.) require detailed knowledge of where specific types of data are stored. Consequently, it is critical to leverage data discovery and classification to automatically discover all data stores in your data estate – from structured to unstructured – across on-premises, cloud, multi-cloud, and hybrid environments.

Automated discovery and classification is the only way to routinely and consistently discover and classify new or modified data stores.
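As an added illustration of the discovery-and-classification step (example code written for this article, not part of CipherTrust DSPM or any other product), the script below walks a constructed data estate containing one structured table and two unstructured files, applies pattern rules for a few sensitive data types, and assigns each store the highest sensitivity it contains. The rules, the severity weights, and the sample stores are all assumptions; a real classifier would carry many more rules and would read the stores over their native APIs.

```python
import re

# Constructed detection rules (example patterns, not a product's rule set).
# PAYMENT_CARD candidates are additionally Luhn-checked so that random
# 13-16 digit numbers (order ids, tracking numbers) are not flagged.
RULES = {
    "US_SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PAYMENT_CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
# Sensitivity weight per label; a store inherits the highest weight found in it.
SEVERITY = {"PAYMENT_CARD": 3, "US_SSN": 3, "EMAIL": 1}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used to validate candidate card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of sensitivity labels whose patterns occur in text."""
    labels = set()
    for label, pattern in RULES.items():
        for match in pattern.finditer(text):
            if label == "PAYMENT_CARD" and not luhn_ok(re.sub(r"[ -]", "", match.group())):
                continue  # 13-16 digits but fails Luhn: not a card number
            labels.add(label)
            break
    return labels


def scan_store(name: str, records) -> dict:
    """Classify one store; records are dict rows (structured) or str blobs (unstructured)."""
    labels = set()
    for rec in records:
        values = rec.values() if isinstance(rec, dict) else [rec]
        for value in values:
            labels |= classify_text(str(value))
    return {
        "store": name,
        "labels": sorted(labels),
        "sensitivity": max((SEVERITY[label] for label in labels), default=0),
    }


def inventory(stores: dict) -> list:
    """Scan every store and return the reports, most sensitive first."""
    reports = [scan_store(name, records) for name, records in stores.items()]
    return sorted(reports, key=lambda r: (-r["sensitivity"], r["store"]))


# Constructed sample data estate: one structured table, two unstructured files.
SAMPLE_STORES = {
    "crm_db.customers": [
        {"id": 1, "name": "Alice", "email": "alice@example.com", "ssn": "123-45-6789"},
        {"id": 2, "name": "Bob", "email": "bob@example.org", "ssn": "234-56-7890"},
    ],
    "s3://exports/notes.txt": [
        "Paid with card 4111 1111 1111 1111 on 2024-03-01. Order ref 1234 5678 9012 3456.",
    ],
    "wiki/runbook.md": ["Restart the service with: systemctl restart app"],
}

if __name__ == "__main__":
    for report in inventory(SAMPLE_STORES):
        print(report)
```

The order reference in the notes file matches the card pattern by shape but fails the Luhn check, so it is not reported; that second-stage validation is what keeps an automated classifier from drowning reviewers in false positives when it runs routinely over new and modified stores.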

DSPM Question Two: Who has access to my sensitive data?

Controlling and monitoring who has access to sensitive data is essential for preventing unauthorized use and potential data breaches. Many organizations, however, lack the comprehensive tools required for full visibility and oversight of data access. Without a way to aggregate and analyze access to data across various systems and platforms, it’s hard to know who has access to sensitive information.

Many modern enterprises employ complex and layered access structures, including role-based access control (RBAC), attribute-based access control (ABAC), and other models. These intricate systems make it difficult to understand exactly who has access to what data and under which conditions.

Additionally, in large organizations, different departments or divisions often manage their own IT resources independently. This can lead to inconsistent access controls and policies. Decentralization makes it harder to track data access throughout the organization.

Scanning your data store locations for granted user rights, and displaying the details of those rights, is critical to understanding your data posture: it maps users and privileges to database objects across all databases.
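To show what that mapping looks like in practice, here is an added example (written for this article, not taken from any vendor's product) that takes grant rows shaped like PostgreSQL's information_schema.role_table_grants, builds a user-to-object privilege map, and flags the two conditions a reviewer usually wants first: broad grants (PUBLIC) on a sensitive object and write privileges on a sensitive object. The grant rows, the sensitivity ratings and the threshold are constructed assumptions; the sensitivity values are the kind of output a classification pass would hand over.

```python
from collections import defaultdict

# Constructed grant rows in the shape of information_schema.role_table_grants:
# (grantee, table_schema, table_name, privilege_type).
GRANTS = [
    ("alice", "crm", "customers", "SELECT"),
    ("alice", "crm", "customers", "UPDATE"),
    ("bob", "crm", "customers", "SELECT"),
    ("PUBLIC", "crm", "customers", "SELECT"),
    ("report_svc", "crm", "orders", "SELECT"),
    ("carol", "crm", "orders", "DELETE"),
    ("carol", "hr", "salaries", "SELECT"),
]

# Sensitivity per object, as a discovery/classification pass would produce (constructed).
SENSITIVITY = {"crm.customers": 3, "hr.salaries": 3, "crm.orders": 1}
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "TRUNCATE"}
BROAD_GRANTEES = {"PUBLIC"}


def access_map(grants):
    """Map each grantee to the objects it can reach and the privileges held on each."""
    result = defaultdict(lambda: defaultdict(set))
    for grantee, schema, table, priv in grants:
        result[grantee][f"{schema}.{table}"].add(priv)
    return {g: {obj: sorted(privs) for obj, privs in objs.items()} for g, objs in result.items()}


def who_can_read(grants, obj):
    """Every grantee holding SELECT on obj, PUBLIC included."""
    return sorted({g for g, s, t, p in grants if f"{s}.{t}" == obj and p == "SELECT"})


def risky_grants(grants, sensitivity, threshold=3):
    """Flag broad grants and write privileges on objects at or above the sensitivity threshold."""
    findings = []
    for grantee, objects in access_map(grants).items():
        for obj, privs in objects.items():
            if sensitivity.get(obj, 0) < threshold:
                continue  # low-sensitivity objects are reviewed later, not here
            if grantee in BROAD_GRANTEES:
                findings.append((obj, grantee, "broad grant on sensitive object"))
            writes = sorted(set(privs) & WRITE_PRIVS)
            if writes:
                findings.append((obj, grantee, "write privileges on sensitive object: " + ",".join(writes)))
    return sorted(findings)


if __name__ == "__main__":
    print("readers of crm.customers:", who_can_read(GRANTS, "crm.customers"))
    for finding in risky_grants(GRANTS, SENSITIVITY):
        print(finding)
```

The PUBLIC grant is the decentralization problem from the previous paragraph in miniature: one team granted it for convenience, and without aggregating grants across databases nobody notices that every role in the instance can now read the most sensitive table.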

DSPM Question Three: How well are credentials protected?

It’s important to have safeguards over metadata and credentials – such as encryption keys and secrets – that can unlock encrypted data to make it readable and usable. This includes using cryptography that supports protecting data today and tomorrow, because cryptographically relevant quantum computers will only accelerate malicious decryption techniques.

The problem in protecting credentials is that many organizations rely on multiple cloud providers to house data, so key creation, management, and rotation processes may vary across CSPs. With an ever-increasing number of encryption solutions, it’s difficult to manage policies and protection levels – to say nothing of escalating costs.

The best way through this maze is to transition to a centralized encryption key management system. Centralizing key and secrets management across the key life-cycle (generation, storage, rotation, backup, recovery, revocation, and termination) effectively delivers separation of duties. This ensures that the same person who creates and manages the keys cannot access protected data.
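The following added example (written for this article; it is not the design of any particular key management product) shows how a centralized key store enforces that separation of duties: a key custodian role can generate, rotate, revoke and destroy keys but is refused key material, while an application role can use keys but cannot run any life-cycle operation. Each version carries its own state, so after rotation the old version is deactivated and may decrypt existing data but not encrypt new data, and every decision is written to an audit trail. The role names, the state names and the in-memory storage are assumptions; a production system would keep material in an HSM and persist the audit log.

```python
import secrets

# Constructed role model: custodians run the key life-cycle but never receive key
# material; applications use keys but cannot create, rotate, revoke or destroy them.
PERMISSIONS = {
    "key_custodian": {"generate", "rotate", "revoke", "destroy"},
    "application": {"use"},
}


class KeyManager:
    """Minimal centralized key store with per-version state and an audit trail."""

    def __init__(self):
        self._keys = {}   # key_id -> list of {"version", "material", "state"}
        self.audit = []   # (role, operation, key_id, decision)

    def _authorize(self, role, op, key_id):
        allowed = op in PERMISSIONS.get(role, set())
        self.audit.append((role, op, key_id, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"role {role!r} may not {op} {key_id}")

    def generate(self, role, key_id):
        self._authorize(role, "generate", key_id)
        self._keys[key_id] = [{"version": 1, "material": secrets.token_bytes(32), "state": "active"}]
        return 1

    def rotate(self, role, key_id):
        """Add a new active version; the previous one becomes deactivated (decrypt-only)."""
        self._authorize(role, "rotate", key_id)
        versions = self._keys[key_id]
        for v in versions:
            if v["state"] == "active":
                v["state"] = "deactivated"
        versions.append({"version": len(versions) + 1, "material": secrets.token_bytes(32), "state": "active"})
        return versions[-1]["version"]

    def revoke(self, role, key_id):
        """Compromise or end of life: no version may be used for any purpose."""
        self._authorize(role, "revoke", key_id)
        for v in self._keys[key_id]:
            v["state"] = "revoked"

    def destroy(self, role, key_id):
        """Drop the key material itself; only metadata remains for audit."""
        self._authorize(role, "destroy", key_id)
        for v in self._keys[key_id]:
            v["material"] = None
            v["state"] = "destroyed"

    def use(self, role, key_id, purpose, version=None):
        """Hand key material to an authorized consumer, subject to the version's state."""
        self._authorize(role, "use", key_id)
        versions = self._keys[key_id]
        v = versions[-1] if version is None else versions[version - 1]
        usable = v["state"] == "active" or (v["state"] == "deactivated" and purpose == "decrypt")
        if not usable:
            raise PermissionError(f"{key_id} v{v['version']} is {v['state']}; cannot {purpose}")
        return v["material"]

    def states(self, key_id):
        return [v["state"] for v in self._keys[key_id]]


def run_demo():
    """Walk the life-cycle and record which operations each role was able to perform."""
    km = KeyManager()
    out = {}
    out["generated"] = km.generate("key_custodian", "crm-dek")
    out["rotated_to"] = km.rotate("key_custodian", "crm-dek")
    out["states_after_rotate"] = km.states("crm-dek")
    out["app_decrypt_v1"] = len(km.use("application", "crm-dek", "decrypt", version=1))
    for label, call in (
        ("app_encrypt_v1", lambda: km.use("application", "crm-dek", "encrypt", version=1)),
        ("custodian_use", lambda: km.use("key_custodian", "crm-dek", "decrypt")),
        ("app_generate", lambda: km.generate("application", "other-dek")),
    ):
        try:
            call()
            out[label] = "allowed"
        except PermissionError:
            out[label] = "denied"
    km.revoke("key_custodian", "crm-dek")
    out["states_after_revoke"] = km.states("crm-dek")
    out["denied_in_audit"] = sum(1 for entry in km.audit if entry[3] == "deny")
    return out


if __name__ == "__main__":
    for item in run_demo().items():
        print(item)
```

Note that the refused encrypt with the deactivated version is recorded as an allowed "use" followed by a state error, while the custodian's attempt to read key material is a policy denial; an auditor looking at the trail can tell the two apart.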

Limiting access to sensitive data to only those who need it for their work can reduce the risk of insider threats and external attacks. And monitoring who has access to data can help in auditing and tracking usage patterns, which can be vital for security and operational efficiency.

DSPM Question Four: How has my sensitive data been used?

Tracking how data is accessed and used over time is vital for security and compliance. This includes understanding the context of data access and modifications, and detecting unusual patterns that could indicate a security threat.

Effective data usage tracking requires advanced monitoring and logging tools that provide detailed and accurate records of all data interactions. Many enterprises lack these tools or do not have them fully integrated across all systems. This can lead to gaps in data usage visibility.

Complicating matters is that enterprises employ on-premises systems, multiple cloud platforms, and a variety of end-user devices. Each of these environments can process and store data differently, which makes it challenging to track exactly how data is accessed and used across the entire organization.

Understanding specifically how data is used makes it easier to detect anomalies, because unusual access patterns or unexpected data modifications can be early indicators of a data breach. By then tightening data access controls to match observed use, organizations can better align actual business needs with security requirements.
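The behavioral monitoring described under the AI threat earlier (unusual access times, login locations and unexpected downloads) and the anomaly detection described in this section are the same mechanism, so one added example covers both. It is written for this article, not drawn from any product: it builds a per-user profile from constructed baseline log lines and then reports each deviation in a second batch of lines. The log format, the ±1 hour tolerance and the volume factor are assumptions and are exactly the knobs the author says you must fine-tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed access-log lines: timestamp user source_ip country action object bytes
BASELINE_LOG = """
2025-03-03T09:12:00Z alice 203.0.113.5 US READ crm.customers 4096
2025-03-03T14:30:00Z alice 203.0.113.5 US READ crm.customers 8192
2025-03-04T10:05:00Z alice 203.0.113.7 US READ crm.orders 2048
2025-03-05T16:45:00Z alice 203.0.113.5 US READ crm.customers 4096
2025-03-06T11:20:00Z alice 203.0.113.5 US READ crm.customers 6144
2025-03-03T08:55:00Z bob 198.51.100.2 DE READ crm.orders 1024
2025-03-04T09:40:00Z bob 198.51.100.2 DE READ crm.orders 1536
2025-03-05T17:10:00Z bob 198.51.100.4 DE READ crm.orders 1024
""".strip().splitlines()

# Constructed new activity: bob is normal, alice has one event that trips every rule.
NEW_LOG = """
2025-03-10T10:15:00Z bob 198.51.100.2 DE READ crm.orders 1280
2025-03-10T02:47:00Z alice 192.0.2.44 RO EXPORT crm.customers 83886080
2025-03-10T15:00:00Z alice 203.0.113.5 US READ crm.customers 4096
""".strip().splitlines()

HOUR_TOLERANCE = 1   # an hour adjacent to one seen in the baseline is still "usual"
VOLUME_FACTOR = 10   # bytes moved above 10x the user's median event are reported


def parse(line):
    ts, user, ip, country, action, obj, size = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"when": when, "user": user, "ip": ip, "country": country,
            "action": action, "object": obj, "bytes": int(size)}


def build_baseline(lines):
    """Per-user profile: hours of day seen, countries seen, median bytes per event."""
    hours, countries, sizes = defaultdict(set), defaultdict(set), defaultdict(list)
    for ev in map(parse, lines):
        hours[ev["user"]].add(ev["when"].hour)
        countries[ev["user"]].add(ev["country"])
        sizes[ev["user"]].append(ev["bytes"])
    return {u: {"hours": hours[u], "countries": countries[u], "median_bytes": median(sizes[u])}
            for u in hours}


def off_hours(hour, seen_hours):
    """True when no baseline hour lies within HOUR_TOLERANCE of this one (no midnight wrap)."""
    return all(abs(hour - h) > HOUR_TOLERANCE for h in seen_hours)


def detect(lines, baseline):
    """Return one alert tuple per deviation from the user's profile."""
    alerts = []
    for ev in map(parse, lines):
        profile = baseline.get(ev["user"])
        if profile is None:
            alerts.append((ev["user"], "unknown_user", ev["object"]))
            continue
        if off_hours(ev["when"].hour, profile["hours"]):
            alerts.append((ev["user"], "off_hours", f"{ev['when'].hour:02d}:00"))
        if ev["country"] not in profile["countries"]:
            alerts.append((ev["user"], "new_location", ev["country"]))
        if ev["bytes"] > VOLUME_FACTOR * profile["median_bytes"]:
            alerts.append((ev["user"], "volume", f"{ev['bytes']} bytes from {ev['object']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

Bob's 10:15 read is not reported even though his baseline never shows hour 10, because the tolerance treats it as adjacent to his usual 09:40 logins; drop the tolerance to zero and it becomes a false positive, which is the trade-off the monitoring team has to make deliberately rather than by accident.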

With the digital economy driving exponential data growth, organizations must have data-centric compliance and security solutions to reduce risks of non-compliance and breaches. That includes comprehensive logs of data usage, which are not only crucial for audits, but can be invaluable during forensic investigations after a security incident.

DSPM Question Five: What is the security posture of our data stores?

Assessing the security posture of data stores involves evaluating the effectiveness of implemented security measures, identifying vulnerabilities, and understanding the impact of potential threats. This knowledge can help strengthen defenses, enabling proactive improvements to data security and aiding in the prevention of breaches.

Therefore, it’s important to manage security resources effectively. By knowing where security is weakest, organizations can allocate resources more effectively to where they are most needed.

Regular assessments of your security posture ensure that defenses keep up with evolving threats and changing business practices.

Effective posture management requires the latest, regularly updated vulnerability definitions, applied through scans that assess resources, search for vulnerabilities and determine risk. By scanning databases with predefined vulnerability tests, organizations can learn which databases are susceptible to the latest threats.

These scans, using CVSS, assign a risk score to the vulnerabilities discovered in your network and data. CVSS is “an open framework for communicating the characteristics and impact of IT vulnerabilities.” It is maintained by NIST as part of the Security Content Automation Protocol (SCAP) framework. Scoring vulnerabilities using CVSS provides an accurate model for measuring the risk inherent in discovered vulnerabilities and prioritizing them for mitigation.

Beyond scanning, it’s also important to employ monitoring across the data management lifecycle. Monitoring delivers real-time information, such as system events, alerts, violations, blocked sources and more. Monitoring events, alerts, and violations is a multi-faceted pursuit. Depending on your specific implementation, there may be several types of users with varying roles and associated security policies. You will need to fine-tune for yourself how events are interpreted to determine whether an alert is a false positive, an attack, or something else.

These are the important things to know about DSPM, and the state of your data, to establish a strategy that will gain you greater visibility into where your sensitive data is located, who has access to it, how it has been used and how stored data and applications are secured.

Quantum computing is becoming more of a reality every day, and multi-cloud environments are only complicating matters further still, so perimeter-based defenses are no longer enough. Dynamically managing your data security postures – ideally from a single platform – is essential to keeping data secure today and into the foreseeable future.

Keeping Your Data Safe with a Single Platform for DSPM

Across all businesses, public sector and private industry, data is an organization’s most valuable resource, driving economies of scale. As more businesses and even federal agencies are adopting AI, more data than ever before will be generated, leading to more data depositories, more data blind spots and more potential to leave data exposed and vulnerable to bad actors.

To protect this data, every security professional knows that they need an effective way to identify sensitive data and to keep it secure for their organization’s own sake and for compliance with local and international cybersecurity guidelines.

This can lead to a complicated and scattershot collection of solutions and tools. There are, however, some vendors that can support your Data Security Posture Management (DSPM) efforts with a single platform to help you understand the state of your data.

To take one example, CipherTrust DSPM automates the discovery and classification of both structured and unstructured data. This platform is applicable across a wide range of data stores, including on-premises, cloud, multicloud, and hybrid-cloud environments.

If you are ready to look for an all-in-one data platform for DSPM, here are the features and benefits you need to look for from a solution vendor:

Scanning and Identifying Data: Make sure your DSPM platform can systematically scan data environments—whether on-premises or in the cloud—to discover data repositories. This must include databases, big data platforms, cloud storage, and file systems.

Classifying Data: After data repositories are discovered, a DSPM platform must be able to classify data based on its type and sensitivity. This automated classification helps organizations to understand the data they hold, and to prioritize their security accordingly.

Understanding User Access: To identify excessive, inappropriate, or unused privileges, an effective DSPM platform must provide user rights management and monitor data access and the activities of privileged users. It must also give security and IT teams full visibility into how data is accessed, used, and moved around the organization.

A comprehensive data protection strategy is crucial for DSPM. That means establishing a solid foundation for data protection through encryption and effective credential management.

Platforms like CipherTrust DSPM identify sensitive data and protect it with industry-leading technologies. The right platform ensures the security of your credentials and metadata, preventing unauthorized access by users and applications, and reinforcing your overall data security and compliance framework.

About Thales TCT

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S.-based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.

For more information, visit www.thalestct.com

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.