The rise of cloud-native software development has led to an interesting shift: the roles of InfoSec (Information Security) and DevOps teams are starting to overlap when it comes to safeguarding application and user data. Previously, the focus of DevSecOps—the blend of development, security, and operations—was mainly on securing the code, the tools used throughout the software development lifecycle, and the underlying infrastructure of applications against vulnerabilities, data leaks, and misconfigurations.
Today, sensitive data no longer lives only in secure, centralized databases. Instead, it is scattered across short-lived, shapeless instances on cloud and hybrid platforms, which makes data protection everyone’s problem.
It becomes everyone’s problem all the more so because, according to Check Point’s Threat Intelligence Report, over the last six months an organization in India was attacked on average 2144 times per week, compared with 1239 attacks per organization globally.
The numbers paint a grim picture of data security today. In 2023, as many as 47% of companies had at least one database or storage bucket exposed to the internet. How do you stretch your organizational data security and compliance policies so that they follow your data wherever it goes? Meet data security posture management (DSPM): an approach that shifts data security left in the cloud and puts data protection, at least in part, in the hands of DevOps engineers.
Why and What DevOps Need to Know About DSPM
Suppose you have designed, implemented, and automated a security posture for your applications from code to cloud: data is encrypted, exposed to applications only through secured APIs, and protected behind a firewall. Then a junior developer replicates some of that data to a lower environment outside your organizational data security envelope, and none of those controls travel with it.
Do you know what data was copied? Can you determine how much of it is considered sensitive? And did this developer even have, or need, the permissions to duplicate it? If the answer to any of these questions is no or maybe, DSPM in your CI/CD pipelines may be just what you need.
DSPM vs CSPM
While both DSPM and CSPM pertain to the security of cloud computing assets, they address different aspects of cloud security. CSPM focuses on protecting and securing cloud infrastructure; DSPM focuses on protecting sensitive data. In practice, CSPM flags the misconfigured resource (an open storage bucket, say), while DSPM tells you what data sits inside it and how sensitive that data is. One is not an alternative to the other: DSPM complements CSPM in your overall cloud security posture, and the two may overlap in tooling.
7 Essentials for DSPM in DevSecOps
In DevSecOps, a robust data security posture is critical for safeguarding sensitive information. The seven items below are its foundational components.
1. Data Discovery and Cataloging
You can’t begin to protect data if you don’t know where it is. The first step is to discover where all your structured and unstructured data resides. For example, are there abandoned databases and shadow data stores lurking in your multi-cloud environment? Is sensitive data used in testing scenarios?
2. Data Asset Classification
Not all data is the same. To prioritize sensitive data protection efforts effectively, you need a clear understanding of the types of data you hold and their sensitivity. Classifying data by sensitivity also means cataloging it as such, with special attention to personally identifiable information (PII), financial data, intellectual property, and who owns each data set.
3. Data Flow Mapping
Data is not static, especially in today’s fast-paced, developer-centric world. To gain actionable insights into potential weaknesses in your data protection envelope, you need to map out the flow of sensitive data between users, applications, data stores, and services. Data flow mapping should, ideally, encompass the entire data lifecycle from creation, through transmission, storage, processing, and ending with disposal.
4. Data Risk Assessment
Anonymized application usage data is less sensitive than financial data, so the two need not be treated equally. With full visibility into where your sensitive data resides, where it flows, and how it is classified, you can measure the potential impact of a data compromise and your level of risk.
5. Security Controls Implementation
Security controls serve as a tool to align your DSPM with organizational security policies and industry best practices. At this stage, and based on your findings from previous steps, you can set up the policies and tools needed to streamline and automate the enforcement of controls like encryption, data loss prevention (DLP), vulnerability scanning, and other data protection measures.
6. Monitoring and Auditing
To meet this challenge, DSPM continuously monitors data flows and data stores for anomalies, threats, and policy violations. Monitoring is also required by data protection regulations, as are audit trails and logs, all of which call for data protection tooling that is equally accessible to InfoSec and DevOps teams.
7. Incident Response and Remediation
While DSPM is a preventative approach, it also includes planning and implementing processes to handle the identified risks and drive remediation. With an efficient DSPM, threats and risks are analyzed and prioritized, and your DevOps teams are empowered with a seamless workflow that enables them to better collaborate with InfoSec teams to fix problems without impacting development flows.
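The seven steps above, and the junior-developer scenario earlier on the page, can be reduced to a small pipeline gate. The Python below is an added example written for this page; it is not Check Point or CloudGuard code, and every store name, record, pattern, weight, and policy value in it is constructed. It discovers the contents of a few in-memory "stores" (step 1), classifies email addresses and Luhn-valid card numbers (step 2), keeps a minimal lineage tag for copied data as a stand-in for flow mapping (step 3), scores risk against each environment's exposure (step 4), and fails the gate when a lower environment holds data its policy forbids (step 5). A real DSPM tool would enumerate actual buckets and databases and use far richer classifiers.

```python
"""Toy DSPM-style gate for a CI/CD pipeline (constructed example).

Discovers data in a set of stores, classifies sensitive fields, scores the
risk of each store against an environment policy, and fails the gate when
sensitive data has leaked into an environment that may not hold it.
All store names, contents and policy values are made up for this example;
nothing is read from a real cloud account.
"""
import re
from dataclasses import dataclass, field

# Detection patterns for the data classes we care about. The card pattern is
# deliberately loose and is confirmed with a Luhn check to cut false positives.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Relative sensitivity of each class (step 4: risk assessment). Assumed values.
WEIGHT = {"email": 1, "card": 10}

# Policy (step 5): which classes each environment may hold at all. Assumed.
ALLOWED = {
    "prod": {"email", "card"},
    "staging": {"email"},   # emails tolerated in staging for this example
    "dev": set(),           # developer sandboxes must hold no sensitive data
}

# Exposure multiplier: lower environments usually have weaker access control,
# so the same record is riskier there. Assumed values.
EXPOSURE = {"prod": 1.0, "staging": 2.0, "dev": 3.0}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Steps 1-2: find and count sensitive values in one blob of data."""
    counts: dict = {}
    for _ in PATTERNS["email"].finditer(text):
        counts["email"] = counts.get("email", 0) + 1
    for m in PATTERNS["card"].finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            counts["card"] = counts.get("card", 0) + 1
    return counts


@dataclass
class Store:
    name: str
    environment: str
    content: str
    source: str = ""  # step 3: where a copy came from, if known


@dataclass
class Finding:
    store: str
    environment: str
    counts: dict
    source: str = ""
    violations: set = field(default_factory=set)
    risk: float = 0.0


def assess(stores) -> list:
    """Steps 2-4: classify each store, check it against the policy for its
    environment, and compute a risk score weighted by exposure."""
    findings = []
    for s in stores:
        counts = classify(s.content)
        violations = {c for c in counts if c not in ALLOWED[s.environment]}
        risk = sum(WEIGHT[c] * n for c, n in counts.items()) * EXPOSURE[s.environment]
        findings.append(Finding(s.name, s.environment, counts, s.source, violations, risk))
    return findings


def ci_gate(findings, max_risk: float = 30.0):
    """Step 5: the pipeline check. Returns (passed, reasons)."""
    reasons = []
    for f in findings:
        origin = f" (copied from {f.source})" if f.source else ""
        if f.violations:
            reasons.append(f"{f.store}{origin}: {sorted(f.violations)} not allowed in {f.environment}")
        if f.risk > max_risk:
            reasons.append(f"{f.store}{origin}: risk {f.risk:.0f} exceeds {max_risk:.0f}")
    return (not reasons, reasons)


# Constructed sample: a production table, a copy a developer dropped into a
# dev bucket, and harmless usage stats. Card numbers are published test values.
SAMPLE_STORES = [
    Store("orders-prod", "prod",
          "id,email,card\n1,ana@example.com,4539 1488 0343 6467\n2,raj@example.com,4111111111111111\n"),
    Store("orders-copy-dev", "dev",
          "id,email,card\n1,ana@example.com,4539 1488 0343 6467\n", source="orders-prod"),
    Store("usage-stats-staging", "staging", "day,requests\n2024-01-01,1030\n"),
]

if __name__ == "__main__":
    passed, reasons = ci_gate(assess(SAMPLE_STORES))
    print("gate passed" if passed else "gate FAILED")
    for r in reasons:
        print(" -", r)
```

Run as a pipeline step, the gate fails on the dev copy for two independent reasons: the policy forbids any PII or card data in dev, and the exposure-weighted risk score exceeds the threshold, while the identical records in production pass. The lineage tag is what lets the failure message point DevOps back to the source store rather than just the symptom.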
Protecting What Matters With DSPM in Your CI/CD
By integrating DSPM capabilities into your CI/CD pipelines, you can ensure that as applications continuously change, the level of visibility development teams have into the data stays the same. Therefore, it’s much easier to bake data security into your products from day zero without trading innovation for data privacy.
Check Point CloudGuard CNAPP collaborates with leading DSPM providers to prioritize risks related to sensitive data. In an environment with many sensitive data stores, CloudGuard helps security teams prioritize the data risks that demand their attention. As part of its overall risk context, it also ranks vulnerable assets and provides remediation recommendations that can be handed to developers and DevOps teams.
(Attributed to Harish Kumar GS, Head of Sales, India and SAARC, Check Point Software Technologies)