Zscaler Blog
Extend Complete Data Security to the Public Cloud with DSPM
Recently, attacks directly targeting the cloud have increased by 288%.¹ With organizations now pushing zettabytes of data to the cloud, this is a recipe for disaster. Moreover, with sensitive data such as PII, PHI, payment card data, and secrets scattered across multiple clouds, accounts, services, and data stores, and with poor visibility into where that data lives and who can reach it, securing your cloud data isn’t just an option anymore. It’s a requirement.
Current Data Security Approaches Fall Short
Organizations can spend millions of dollars every year on multiple security solutions to secure their data. But this approach doesn’t scale, and it requires a lot of manual operations, leading to alert overload and more security gaps, especially in complex multicloud environments. Meanwhile, the global average cost of a data breach increased 15% in the last three years to approximately $4.45 million, with 82% of data breaches involving data stored in cloud environments.²
In addition, with a traditional data security approach, organizations struggle to:
- Discover and classify cloud data: Where is sensitive data stored? What type of data is it?
- Identify access to cloud data: Who has access to this data? Is that access compliant?
- Contextualize cloud data: Is the data exposed? What is its security posture?
Hello World! Meet Zscaler Data Security Posture Management (DSPM)
To address today’s cloud data security challenges, we’re excited to be launching our fully integrated Zscaler DSPM solution to proactively classify, detect, and protect your cloud data.
As part of the Zscaler AI Data Protection platform, Zscaler DSPM extends robust, best-in-class security for your data into the public cloud. It provides granular visibility into cloud data, classifies and identifies data and access, and contextualizes data exposure and security posture, empowering security teams to prevent and remediate cloud data breaches at scale.
As opposed to legacy or standalone data security solutions, it uses a single and unified DLP engine to deliver consistent data protection across all channels such as endpoint, email, SaaS, and now IaaS/PaaS. By following all users across all locations and governing data in-use, in-motion, and at-rest, it ensures both structured and unstructured data is seamlessly protected and compliant.
Key Capabilities and Benefits:
- Discover and classify data: Scan and discover sensitive data across various cloud platforms and services in real time. Leverage precise, AI-based data classification backed by the Zscaler Zero Trust Exchange™, which monitors billions of transactions daily.
- Map and track exposure: Get a unified view of security, inventory, and compliance for sensitive data in your multicloud environment. Receive a granular, risk-based, user-centric view over all access paths to mission-critical data assets and configurations. Analyze hidden risks such as misconfiguration, excessive permissions, and vulnerabilities.
- Remediate risk: Proactively mitigate risks by identifying potential security gaps and implementing necessary controls, and easily fix issues and violations at the source with context-based guided remediation.
- Ensure consistent security posture: Enforce consistent, best-in-class data security everywhere, from endpoint and email to SaaS and public cloud.
- Compliance assurance: Ensure continuous compliance with industry regulations and data protection standards. Continuously map posture against regulatory frameworks such as GDPR, HIPAA, and PCI DSS to identify and remediate compliance violations.
- Integrated workflows: Seamlessly integrate with your existing security ecosystem, third-party services, native risk prioritization tools, and team collaboration applications.
How Zscaler DSPM Can Solve Your Real Security Problems
Discover and Classify Your Most Sensitive Data
To understand your data in the public cloud—including what types of data are stored, the services storing the data, and where sensitive data is located—Zscaler DSPM can scan your entire organization or specific accounts you want to protect. By default, Zscaler DSPM applies all available out-of-the-box AI classifiers, dictionaries, and DLP engines, as well as any customized engines, to discover and classify the data.
DSPM enables security teams to discover and classify data across multiple cloud and network locations. It provides comprehensive visibility into file location, categorization, classification, access permissions, and compliance risks. This helps identify misconfigurations, improper access controls, and vulnerabilities that could lead to data breaches.
Figure 1: DSPM Dashboard - Data Discovery
Security teams can drill down to investigate data further by focusing on a specific data type, to learn related information such as volume, where the data is dispersed geographically, and the services storing this type of data. For example, we can see that medical records are mostly stored in storage buckets, some in VM drives, and just a few were detected in databases.
For some organizations, it is important to inspect data from a geographic perspective: which sensitive data sits in a specific region, and how the data breaks down by geography. With geo-fencing, Zscaler DSPM can help organizations inspect and restrict data usage to specific locations or geographies.
Security teams can get clarity as to the types and volume of data stored in each location and understand the breakdown by data store type. This provides powerful visibility and control over what data runs in their clouds, enabling teams to optimize DSPM settings, keeping it as a wide full analysis, or focused on specific data types they care about.
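To make the discovery step concrete, here is an added example of the kind of pass a DSPM scanner performs: content-based classifiers (regular expressions, a Luhn check for card numbers, a dictionary-style term for medical record numbers) run over a set of objects, with the findings then broken down by data store type and region and checked against a geo-fencing policy. This is illustrative code written for this post, not Zscaler's engine; the object inventory, the classifier set, and the region policy are all constructed for the example.

```python
"""Toy DSPM-style discovery pass (added example, not Zscaler code)."""
import re
from collections import defaultdict

# Constructed sample inventory: (store_type, store_name, region, content).
# Made-up objects for the example, not real scan output.
SAMPLE_OBJECTS = [
    ("bucket", "s3://acme-patient-exports/2023/visits.csv", "us-east-1",
     "patient_id,mrn,ssn\n1001,MRN-0044812,123-45-6789\n"),
    ("bucket", "s3://acme-billing/invoices.csv", "eu-west-1",
     "card,amount\n4111111111111111,120.00\n4111111111111112,99.00\n"),
    ("vm_disk", "i-0abc123:/var/app/export.json", "us-east-1",
     '{"mrn": "MRN-0098113", "note": "follow-up"}'),
    ("database", "rds:acme-prod/users", "eu-west-1",
     "email\nalice@example.com\n"),
    ("bucket", "s3://acme-static/logo.png", "us-east-1", "\x89PNG..."),
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters random digit runs out of PAN regex matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# (label, pattern, optional validator). The label prefix is the category.
CLASSIFIERS = [
    ("PII:SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("PII:EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
    ("PCI:PAN", re.compile(r"\b\d{13,19}\b"), luhn_valid),
    ("PHI:MRN", re.compile(r"\bMRN-\d{7}\b"), None),  # dictionary-style term
]


def classify(content: str) -> dict:
    """Return {label: hit count} for every classifier that fires on content."""
    counts = {}
    for label, pattern, validator in CLASSIFIERS:
        hits = [m for m in pattern.findall(content)
                if validator is None or validator(m)]
        if hits:
            counts[label] = len(hits)
    return counts


def discover(objects):
    """Scan the inventory; keep only objects that hold classified data."""
    findings = []
    for store_type, name, region, content in objects:
        labels = classify(content)
        if labels:
            findings.append({"store_type": store_type, "name": name,
                             "region": region, "labels": labels})
    return findings


def breakdown(findings, category, key="store_type"):
    """Volume of one category (PII/PCI/PHI) per store type or per region."""
    out = defaultdict(int)
    for f in findings:
        n = sum(c for lbl, c in f["labels"].items()
                if lbl.startswith(category + ":"))
        if n:
            out[f[key]] += n
    return dict(out)


def geo_violations(findings, allowed_regions):
    """Geo-fencing check: a category found outside the regions it may live in."""
    violations = []
    for f in findings:
        for lbl in f["labels"]:
            cat = lbl.split(":")[0]
            if cat in allowed_regions and f["region"] not in allowed_regions[cat]:
                violations.append((f["name"], cat, f["region"]))
    return violations


if __name__ == "__main__":
    found = discover(SAMPLE_OBJECTS)
    for cat in ("PII", "PCI", "PHI"):
        print(cat, "by store:", breakdown(found, cat),
              "by region:", breakdown(found, cat, "region"))
    policy = {"PHI": {"us-east-1"}, "PCI": {"us-east-1"}}
    print("geo violations:", geo_violations(found, policy))
```

Two details carry over to real scanners: a pattern alone produces noise (the second card number above is rejected by the Luhn check), and the same finding feeds several views (by store type, by region, against policy) without rescanning the data.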
Figure 2: DSPM Dashboard - 360-degree view of data stores in data inventory
Security teams can go a few levels deeper with investigation. From any of the links, you can drill down all the way to a single data store level, examine the specific information there, and get visibility into the data store. This makes it easy to understand posture, get information about the way data is tagged, or glean many other kinds of information (e.g., the project it’s part of, the owner) to help better understand the data.
Identify, Investigate, and Remediate Risks
Having gone through the different inspection views, security teams now know exactly where their cloud data lives. Their next concerns would be:
- What are the top security concerns and risks to the data?
- Does the current setup of security policies restrict the risk of data loss?
- Does the current setup offer proper controls to avoid malicious access to, or accidental exposure of, the data?
- What can be the next step to protect sensitive data in the cloud and maintain consistent security posture?
DSPM can automatically address these concerns, using AI and ML algorithms paired with advanced threat correlation to identify and prioritize data risks. It analyzes data context and content to identify sensitive information (e.g., intellectual property, PII, medical records), prioritize data risks, and help security teams focus their efforts on protecting the most critical data assets.
Figure 3: DSPM Dashboard - Top Risk Data Stores
Based on the posture findings and the sensitive data, the system ranks the data stores by greatest to least risk they pose to the organization. Basically, if you have just one hour to improve your cloud risk, start from the top of this dashboard and make your way down.
You can also see that alerts were raised, each describing an attack vector against a data store. The DSPM alert view provides an accurate yet simple description of the detected issue. In the example in figure 3, the impact of a successful attack through these vectors would be huge, as that S3 bucket contains a high volume of sensitive records. Combined, exposure and sensitivity yield a critical risk.
Once security teams understand this, the next step would typically be to learn all about the data store and resolve the potential issues, thus reducing data security risk. DSPM offers complete understanding of security issues with step-by-step remediation guidance to help security teams, cross-functional teams, and project stakeholders address them.
Let’s look at an example to understand how DSPM can help identify, prioritize, and remediate risk.
Figure 4: Alert detailed view
In this example, we were exploring an advanced attack vector that allows a malicious user to gain access to the sensitive data in a storage bucket. The bucket itself is properly configured: there is no direct public access to it, it is backed up, and it has the relevant logs enabled. Even so, it is exposed through a less obvious path: it can be accessed by multiple VMs (AWS EC2 instances).
A valid business case may require this access. For example, a VM may run an application that needs the data in the bucket. These VMs, however, run packages with known CVEs and are configured so that they are reachable from the internet.
You can learn all of that from the alert description, summary, and graph. The alert says an attacker can reach each of these VMs (because they are publicly exposed), exploit a vulnerability in their running packages to gain control of the VM, and then use the VM's own entitlements to read the data in the bucket.
At this point, security teams will be looking for more details. By selecting the services node, you can switch the context to these VMs. You can then scroll through them, examine their vulnerabilities, check which packages are affected, whether a fix exists, and more.
For a deeper attack path analysis, you can drill down to a single EC2 instance and follow its public exposure path.
Figure 5: DSPM - Alert Details
Figure 6: DSPM - Alert Details - Public exposure path
Here, we can see that the public exposure path for this EC2 instance involves the security group and the VPC network ACL associated with the VM, a load balancer, and an internet gateway. DSPM also highlights the security group with an exclamation mark, denoting that it plays the key part in this exposure. Clicking on the security group changes the context to it and shows the details of the security group itself.
Figure 7: DSPM - Alert Details - Public exposure root cause
Even if your team members are not cloud experts, they will be able to identify the root cause: the security group inbound rule that allows access from the internet. They can inspect or copy the rule and share it with the cloud architect or developer who will be fixing the issue.
In other cases, instead of (or in addition to) fixing the public exposure, teams may wish to examine the entitlements granted to this VM and explore why it has access to storage bucket.
Figure 8: DSPM - Alert Details - Access path
Similar to the public exposure path, teams can click on the “access path” and observe a simple graphical representation of the access entitlements. Permissions in the public cloud are highly granular, and DSPM does the heavy lifting of explaining the resulting access. In this case, the EC2 instance has an instance profile associated with a role that is tied to three policies, each of which grants a different level of access to the bucket. Keep in mind that the effective access is the combination of all of them: an explicit deny in one policy overrides an allow in another, and the bucket's own policy applies on top of the role's policies.
Again, teams can examine each of the objects on the graph, copy the relevant metadata, or go directly to the AWS console and fix the issues. Through our remediation capabilities, security teams can then get a step-by-step guide on how to resolve issues and ensure that your cloud data remains protected.
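The two graphs described above (the public exposure path through the security group, and the access path from instance profile to role to policies) can be reconstructed from plain inventory data. The following added example does exactly that; it is illustrative code written for this post, not Zscaler's engine. The security groups, instances, role and policy documents are constructed to mirror the shape of EC2 and IAM API output, a `CriticalCveCount` field stands in for the vulnerability findings (no real CVE identifiers are used), and the policy evaluation is deliberately limited to identity policies with wildcard actions and resources, so bucket policies, SCPs and conditions are out of scope.

```python
"""Attack path reconstruction: internet -> vulnerable VM -> role -> bucket.
Added example, not Zscaler code; all identifiers are constructed."""
import fnmatch

BUCKET = "acme-patient-exports"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/2023/visits.csv"
# Actions an attacker on the VM would try, with the resource each is evaluated
# against (bucket ARN for ListBucket, a concrete object ARN otherwise).
CANDIDATE_ACTIONS = [
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    ("s3:GetObject", OBJECT_ARN),
    ("s3:PutObject", OBJECT_ARN),
    ("s3:DeleteObject", OBJECT_ARN),
]

# Constructed security groups, shaped like EC2 DescribeSecurityGroups output.
SECURITY_GROUPS = {
    "sg-0app": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    "sg-0batch": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
}
# Constructed instances. CriticalCveCount stands in for vulnerability findings.
INSTANCES = [
    {"InstanceId": "i-0web", "SecurityGroups": ["sg-0app"],
     "PublicIp": "203.0.113.10", "BehindInternetFacingLb": False,
     "InstanceProfile": "app-profile", "CriticalCveCount": 2},
    {"InstanceId": "i-0batch", "SecurityGroups": ["sg-0batch"],
     "PublicIp": None, "BehindInternetFacingLb": False,
     "InstanceProfile": "app-profile", "CriticalCveCount": 0},
]
# Constructed IAM chain: instance profile -> role -> three policies.
INSTANCE_PROFILES = {"app-profile": "app-role"}
ROLE_POLICIES = {"app-role": ["s3-read", "s3-objects", "s3-no-delete"]}
POLICIES = {
    "s3-read": {"Statement": [{"Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]},
    "s3-objects": {"Statement": [{"Effect": "Allow",
        "Action": "s3:*Object", "Resource": "arn:aws:s3:::acme-*/*"}]},
    "s3-no-delete": {"Statement": [{"Effect": "Deny",
        "Action": "s3:DeleteObject", "Resource": "*"}]},
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def public_inbound_rules(sg_id):
    """Inbound rules open to the whole internet: the root cause on the SG."""
    rules = []
    for perm in SECURITY_GROUPS[sg_id]["IpPermissions"]:
        cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                # IpProtocol "-1" (all traffic) carries no port fields.
                rules.append((perm["IpProtocol"], perm.get("FromPort"),
                              perm.get("ToPort"), cidr))
    return rules


def public_exposure_path(instance):
    """Path from the internet to the VM, or None. A permissive SG alone is
    not exposure: the VM also needs a public IP or an internet-facing load
    balancer. Network ACLs are assumed to be the default allow-all here."""
    if instance["PublicIp"]:
        entry = "internet gateway -> public IP " + instance["PublicIp"]
    elif instance["BehindInternetFacingLb"]:
        entry = "internet gateway -> internet-facing load balancer"
    else:
        return None
    for sg_id in instance["SecurityGroups"]:
        rules = public_inbound_rules(sg_id)
        if rules:
            return {"entry": entry, "security_group": sg_id, "rules": rules}
    return None


def _matches(stmt, action, resource):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r)
                    for r in _as_list(stmt["Resource"])))


def effective_actions(role):
    """Identity-policy evaluation: union of Allows, explicit Deny wins.
    Returns {action: [policies granting it]} for actions that survive."""
    allowed, denied = {}, set()
    for policy_name in ROLE_POLICIES[role]:
        for stmt in POLICIES[policy_name]["Statement"]:
            for action, resource in CANDIDATE_ACTIONS:
                if not _matches(stmt, action, resource):
                    continue
                if stmt["Effect"] == "Deny":
                    denied.add(action)
                else:
                    allowed.setdefault(action, []).append(policy_name)
    return {a: p for a, p in allowed.items() if a not in denied}


def attack_paths(instances):
    """Alerts like figure 4: exposed, vulnerable VM whose role reaches the bucket."""
    alerts = []
    for inst in instances:
        exposure = public_exposure_path(inst)
        role = INSTANCE_PROFILES.get(inst["InstanceProfile"])
        access = effective_actions(role) if role else {}
        if exposure and access and inst["CriticalCveCount"] > 0:
            alerts.append({"instance": inst["InstanceId"], "exposure": exposure,
                           "role": role, "bucket_access": access})
    return alerts


if __name__ == "__main__":
    for alert in attack_paths(INSTANCES):
        print(alert)
```

Note that both instances share the same role and therefore the same bucket entitlements; only the one with a public IP, an internet-open security group rule and critical vulnerabilities produces an alert, which is the prioritization the top-risk dashboard is built on. Fixing either side of the path (the security group rule, or trimming the role so that it no longer grants `s3:GetObject` on the bucket) removes the alert.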
To learn more about Zscaler DSPM, watch the launch webinar.
Footnotes
1. Cloud Security Alliance, The Common Cloud Misconfigurations That Lead to Cloud Data Breaches, October 11, 2023.
2. IBM, Cost of a Data Breach Report 2023, July 24, 2023.