Safeguard.sh Documentation Center

Data Security Posture Management (DSPM)

Discover and classify sensitive data — PII, PHI, Luhn-validated payment data, and high-entropy secrets — with an enforced redaction mandate so raw sensitive data is never stored.

Data Security Posture Management (DSPM)

DSPM finds where sensitive data lives so you can govern it. It classifies data across your assets and — critically — never stores the raw sensitive values it finds. Only redacted snippets are retained.

Sensitive-data classification

DSPM identifies and classifies:

CategoryHow it's detected
PIIPersonally identifiable information — names, emails, national identifiers, and similar patterns.
PHIProtected health information patterns.
Payment data (PCI)Candidate card numbers are Luhn-validated to cut false positives before they're classified as payment data.
SecretsCredentials and keys are entropy-gated — a high-entropy check reduces noise from ordinary strings that merely look secret-shaped.

The redaction mandate

DSPM enforces a hard rule: raw sensitive data is never stored. When a match is found, the value is redacted at the point of detection, and only a redacted snippet (enough to locate and understand the finding) is persisted. This keeps the platform itself from becoming a secondary store of the very data it's protecting, and keeps findings safe to view within your tenant.

Connectors and discovery

DSPM classifies a filesystem store out of the box and connects to live cloud data stores, S3 and RDS first:

ConnectorEnumerateSamplePosture recorded
Amazon S3List buckets, then objects (capped)Ranged GetObject read (bounded bytes)Encrypted (SSE / default encryption), Public (ACL + public-access-block + policy)
Amazon RDSinformation_schema table introspectionBounded SELECT ... LIMIT n over text/blob columnsEncrypted (storage encryption), Public (PubliclyAccessible + open security groups)

Connectors are agentless where possible and use credentials from your existing cloud-account integrations (the approved secret store) — never persisted, never logged. Sampling is hard-capped (default 1000 objects/rows per store, 1 MiB per object, 10 s per call); DSPM never reads an entire object or table. Discovery also flags shadow stores — a store present in a cloud account but absent from your managed inventory.

Access fusion — who can reach the crown jewels

DSPM joins each data store with CIEM effective permissions to build access edges: every identity with a read/write/delete/admin path to a sensitive store, flagged external if the principal sits outside your tenant boundary. Access breadth feeds the risk score, so a sensitive store readable by many identities — or by any external principal — ranks far above one only its owning service can reach. An over-privileged or external principal with read access on a sensitive store also raises a dspm.access-<class> finding.

Exposure and runtime detection

  • Exposure detection surfaces public, unencrypted, over_shared (read granted too widely, or to an external principal), and cross_boundary (readable across tenant/region/account) exposures. A public, unencrypted PII bucket scores near the top; a private, encrypted, low-sensitivity store scores low.
  • Data detection & response (DDR) tails access and query logs to catch anomalies against a per-store, per-identity baseline — mass reads, first-time sensitive access, anomalous queries, and exfiltration patterns. DDR records only the shape of the anomaly (counts, never the data read); alerting is always on, while quarantine/deny response is opt-in per policy.

Compliance mapping

Classified data, exposure, and residency map to regulatory obligations — GDPR (art32 and residency), HIPAA (164.312 encryption/access), PCI (req3 stored cardholder data), and CCPA — producing dspm.compliance-<framework> findings and a data-inventory report that lists sensitive stores, locations, classes, and residency per framework.

Findings produced

Findings record the data category, the asset and location, and the redacted snippet, flowing into the unified findings model discriminated as dspm, tenant/org-scoped end to end. Rule IDs name the pillar that fired:

  • dspm.<exposure>-<class> — a classified store with an exposure (e.g. dspm.public-pii).
  • dspm.access-<class> — an over-privileged or external access path to sensitive data.
  • dspm.flow-<kind> — sensitive data moving across a boundary.
  • dspm.ddr-<kind> — a runtime data anomaly.
  • dspm.compliance-<framework> — a regulatory violation.

Because DSPM findings reveal where crown jewels sit and who can reach them, they are held under elevated access control — tighter than normal findings — and every read is audited.

Configuration

DSPM is admin-toggleable via the ff.dspm feature flag, enforced server-side. Once enabled, assets are classified as they're scanned through the standard integration and pipeline flow. Scan a cloud store from the CLI:

safeguard dspm scan --connector s3 --account <ref>
safeguard dspm risks
safeguard dspm compliance --framework pci

Sampling caps, access fusion, exposure thresholds, DDR response mode (alert/quarantine/deny), and compliance frameworks are configured per tenant.

  • Secrets Scanning — dedicated detection of committed and configured secrets.
  • ITDR & DLP — data-loss prevention reuses this classifier for data in motion (roadmap).
  • Unified Findings & Feature Flags — where DSPM findings land and how the engine is toggled.
  • Compliance — using data classification as evidence for privacy and regulatory frameworks.

On this page