Data Security Posture Management (DSPM)
Discover and classify sensitive data — PII, PHI, Luhn-validated payment data, and high-entropy secrets — with an enforced redaction mandate so raw sensitive data is never stored.
Data Security Posture Management (DSPM)
DSPM finds where sensitive data lives so you can govern it. It classifies data across your assets and — critically — never stores the raw sensitive values it finds. Only redacted snippets are retained.
Sensitive-data classification
DSPM identifies and classifies:
| Category | How it's detected |
|---|---|
| PII | Personally identifiable information — names, emails, national identifiers, and similar patterns. |
| PHI | Protected health information patterns. |
| Payment data (PCI) | Candidate card numbers are Luhn-validated to cut false positives before they're classified as payment data. |
| Secrets | Credentials and keys are entropy-gated — a high-entropy check reduces noise from ordinary strings that merely look secret-shaped. |
The redaction mandate
DSPM enforces a hard rule: raw sensitive data is never stored. When a match is found, the value is redacted at the point of detection, and only a redacted snippet (enough to locate and understand the finding) is persisted. This keeps the platform itself from becoming a secondary store of the very data it's protecting, and keeps findings safe to view within your tenant.
Connectors and discovery
DSPM classifies a filesystem store out of the box and connects to live cloud data stores, S3 and RDS first:
| Connector | Enumerate | Sample | Posture recorded |
|---|---|---|---|
| Amazon S3 | List buckets, then objects (capped) | Ranged GetObject read (bounded bytes) | Encrypted (SSE / default encryption), Public (ACL + public-access-block + policy) |
| Amazon RDS | information_schema table introspection | Bounded SELECT ... LIMIT n over text/blob columns | Encrypted (storage encryption), Public (PubliclyAccessible + open security groups) |
Connectors are agentless where possible and use credentials from your existing cloud-account integrations (the approved secret store) — never persisted, never logged. Sampling is hard-capped (default 1000 objects/rows per store, 1 MiB per object, 10 s per call); DSPM never reads an entire object or table. Discovery also flags shadow stores — a store present in a cloud account but absent from your managed inventory.
Access fusion — who can reach the crown jewels
DSPM joins each data store with CIEM effective permissions to build access edges: every identity with a read/write/delete/admin path to a sensitive store, flagged external if the principal sits outside your tenant boundary. Access breadth feeds the risk score, so a sensitive store readable by many identities — or by any external principal — ranks far above one only its owning service can reach. An over-privileged or external principal with read access on a sensitive store also raises a dspm.access-<class> finding.
Exposure and runtime detection
- Exposure detection surfaces
public,unencrypted,over_shared(read granted too widely, or to an external principal), andcross_boundary(readable across tenant/region/account) exposures. A public, unencrypted PII bucket scores near the top; a private, encrypted, low-sensitivity store scores low. - Data detection & response (DDR) tails access and query logs to catch anomalies against a per-store, per-identity baseline — mass reads, first-time sensitive access, anomalous queries, and exfiltration patterns. DDR records only the shape of the anomaly (counts, never the data read); alerting is always on, while quarantine/deny response is opt-in per policy.
Compliance mapping
Classified data, exposure, and residency map to regulatory obligations — GDPR (art32 and residency), HIPAA (164.312 encryption/access), PCI (req3 stored cardholder data), and CCPA — producing dspm.compliance-<framework> findings and a data-inventory report that lists sensitive stores, locations, classes, and residency per framework.
Findings produced
Findings record the data category, the asset and location, and the redacted snippet, flowing into the unified findings model discriminated as dspm, tenant/org-scoped end to end. Rule IDs name the pillar that fired:
dspm.<exposure>-<class>— a classified store with an exposure (e.g.dspm.public-pii).dspm.access-<class>— an over-privileged or external access path to sensitive data.dspm.flow-<kind>— sensitive data moving across a boundary.dspm.ddr-<kind>— a runtime data anomaly.dspm.compliance-<framework>— a regulatory violation.
Because DSPM findings reveal where crown jewels sit and who can reach them, they are held under elevated access control — tighter than normal findings — and every read is audited.
Configuration
DSPM is admin-toggleable via the ff.dspm feature flag, enforced server-side. Once enabled, assets are classified as they're scanned through the standard integration and pipeline flow. Scan a cloud store from the CLI:
safeguard dspm scan --connector s3 --account <ref>
safeguard dspm risks
safeguard dspm compliance --framework pciSampling caps, access fusion, exposure thresholds, DDR response mode (alert/quarantine/deny), and compliance frameworks are configured per tenant.
Related
- Secrets Scanning — dedicated detection of committed and configured secrets.
- ITDR & DLP — data-loss prevention reuses this classifier for data in motion (roadmap).
- Unified Findings & Feature Flags — where DSPM findings land and how the engine is toggled.
- Compliance — using data classification as evidence for privacy and regulatory frameworks.
AI Gateway (LLM Firewall)
A runtime guardrail layer for LLM apps and agents — prompt-injection, jailbreak, and PII/secret-egress checks in monitor or enforce mode, with fail-open safety so the protected app never breaks.
Runtime Protection (CWPP & CNAPP)
ATT&CK-mapped runtime threat detection and cloud-native risk correlation — surfacing findings that are running, reachable, exposed, and over-privileged all at once.