January 31, 2024 By Tom Fisher 4 min read

“A data breach has just occurred”, is a phrase no security professional wants to hear. From the CISO on down to the SOC analysts, a data breach is the definition of a very bad day. It can cause serious brand damage and financial loss for enterprises, lead to abrupt career changes among security professionals, and instill fear of financial or privacy loss for businesses and consumers.

According to an ESG report, 55% of data and workloads currently run or operate in the cloud and 43% of current on-premises apps will likely move to the cloud in the next 5 years. That means that data generation and movement within the cloud is increasing at an even more impressive rate. This has and will continue to increase the attack surface against cloud assets, especially sensitive data. If cloud data isn’t adequately secure, it’s a massive liability for any organization.

Is data security in the cloud actually a problem?

Yes, it is. It’s a BIG problem. According to Gartner, Inc., “Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data. Cloud strategies usually lag behind cloud use. This leaves most organizations with a large amount of unsanctioned, and even unrecognized, public cloud use, creating unnecessary risk exposure. CIOs must develop a comprehensive enterprise strategy before cloud is implemented or risk the aftermath of an uncontrolled public cloud.”

You may then ask, “Well, what about encryption?” It protects the data. Doesn’t it?

Yes, it does, when it’s vigorously and thoroughly applied to all data assets. But according to Statista.com, “In 2021, approximately 55 percent of respondents who experienced data encryption issues reported that unencrypted cloud services are a problem.”

Encryption also comes with a cost, and it’s often always easy to implement, especially within the cloud. Many companies fail to build encryption into internal security processes or employ digital rights management to help control file access. Without this protection, data that is exfiltrated can and is used to steal identities and money, misappropriate secrets, and other negative effects.

What about the public cloud providers – Don’t they provide protection?

Yes and no. The best definition of what public cloud providers provide is the Shared Responsibility Model of Amazon Web Services (AWS). It specifies “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.

That means for cloud data security, YOU bear the responsibility for protecting your data and for application, network, access and other security.

To accommodate some of these security requirements, cloud security posture management (CSPM) has emerged to address security issues created by public cloud infrastructure.

According to Gartner, Inc., cloud security posture management consists of offerings that continuously manage IaaS and PaaS security posture through prevention, detection and response to cloud infrastructure risks. The core of CSPM applies common frameworks, regulatory requirements and enterprise policies to proactively and reactively discover and assess risk/trust of cloud services configuration and security settings. If an issue is identified, remediation options (automated or human-driven) are provided.

You may have noticed that missing from that definition is any consideration for data. That could be because the general assumption is that data is protected by encryption and doesn’t need further protection. But the reality of data protection is more complex.

According to the analyst information above, not all the information traversing public cloud, multi-cloud and hybrid cloud environments is unencrypted. That, unto itself, is a serious security deficit. But, other actions, such as exfiltrating encrypted data and holding it for ransom can be equally problematic. In the cloud, data interception can be more difficult to track because of the ephemeral nature of microservices-based applications.

To address these issues, which are not handled by CSPM platforms. That’s why data security posture management (DSPM) has emerged as a rapidly growing component of enterprise security focus. Why? Because it’s focused on keeping data secure. Although other security posture platforms, such as CSPM have done a solid job in detecting and providing ways to alleviate security vulnerabilities, cyber thieves have still found ways to circumvent those vulnerability measures to instigate data breaches.

What are the differences?

CSPM Attributes

DSPM Attributes

Detect and automatically remediate cloud misconfigurations.

Provide unified data security with a single view of data security and compliance posture.

Maintain an inventory of best practices for different cloud configurations and services.


Generate data security and audit reports in seconds and customize reports to meet specific needs.

Map current configuration statuses to a security control framework or regulatory standard.

Understand risk by providing risk-scoring to show where high-risk activities occur and focus the investigation on high-risk areas first.

Work with IaaS, SaaS and PaaS in containerized, hybrid cloud and multi-cloud environments.

Understand threats by rating anomalies with a risk-scoring engine and give each a high-, medium-, or low-risk score. Show data source and risk information and show high-risk anomalies.

Monitor storage buckets, encryption and account permissions for misconfigurations and compliance risks.

Provide analytics for Investigating issues, detecting threats, finding anomalies and the specifics for each issue.


Share insights about an anomaly across multi-cloud infrastructure with compliance teams


Block suspicious users, prevent access to on-premises or in-cloud data sources and automatically trigger incident remediation.

Scroll to view full table

DSPM has evolved to provide additional security protections for structured and unstructured data, whether it’s encrypted or not. DSPM tracks data wherever it’s located in a public cloud, multi-cloud or hybrid cloud environment. A comparison of CSPM versus DSPM is summarized in the table above.

DSPM and CSPM are two separate yet vital components of cloud security. They provide different types of security for cloud environments which are complimentary capabilities.

Organizations shouldn’t choose one over the other, if possible. It’s crucial to deploy CSPM and DSPM simultaneously for a holistic approach to protecting your cloud and hybrid cloud environments. After all, it is better to have all your bases covered to help ensure your sensitive data is secure. But if you must choose, DSPM is the platform that protects your most crucial resource, your data.

Address data security posture management with IBM Security® Guardium® Insights SaaS DSPM. Provide compliance and security teams with essential visibility and insights to help ensure your company’s sensitive data is secure and compliant.

If you’re interested in learning more about DSPM v. CSPM, please check out this video on the @IBMTechnology YouTube channel. Ready to enhance your data security strategy? Start with IBM Security Guardium Insights SaaS DSPM.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today