GigaOm Radar for Data Security Posture Management (DSPM)v1.0

1. Executive Summary

Data security posture management (DSPM) solutions provide visibility into where sensitive data is, who has access to it, and how it is being used. DSPM gives a comprehensive view of an organization’s data security posture, its compliance position, security and privacy risks, and, crucially, how to deal with them.

Data is core to all organizations and has become an essential asset. As the digital landscape continues to evolve, data is increasingly dispersed across a range of locations. No longer limited to on-premises shares and databases, today data is stored in multiple cloud repositories and data platforms. This complexity presents a significant risk to the security and privacy of data, one that cannot go unchecked, as the impact of a data loss incident is becoming increasingly severe.

The risks associated with the proliferation of data are well known, but the move to the cloud presents specific issues. The ease of use and perceived low cost of cloud repositories means they are often created outside of normal controls. Often, they are used for specific tasks and then discarded and forgotten by original project owners. This leads to shadow data repositories that exist outside of established data storage and security controls. Even those with good data security tools often find that they struggle to identify such shadow repositories, leaving them unprotected and unsecured.

Moreover, the proliferation of data in different repositories has led to the adoption of an array of separate, often platform-specific solutions, which increases complexity and adds cost and risk. Couple this with the ongoing security threats and stringent compliance requirements users must adhere to, and it becomes clear organizations need a better way to stay on top of data security and risk.

DSPM solutions have emerged to give organizations the comprehensive view they need by providing visibility across multiple data platform types, both in the cloud and on-premises. Often cloud-based, DSPM solutions can easily integrate with a wide range of data repositories. They are often able to automatically find data repositories and build a data map. They analyze data movement and lineage to understand how data flows through an organization and where it may introduce risk. DSPM solutions can also discover shadow data stores and analyze the data held within them. They can use this data to help give an organization a clear picture of its data estate, its compliance position, and its security posture. Once deployed, DSPM solutions should continuously monitor security posture, provide guidance on access controls, understand user behavior to quickly identify threats, and enable those threats to be rapidly mitigated.

While some DSPM vendors are well-established providers of data management solutions that have evolved to provide DSPM, this is a new and evolving market in which there are many new and innovative providers with solutions built specifically to tackle this problem.

As organizations’ data demands grow, including in areas such as analytics and AI, diligent IT leaders can’t allow potential threats to remain undetected and unchecked. DSPM is becoming one of the best ways to address this challenge, and that’s something modern data security leaders must consider.

This is our first year evaluating the DSPM space in the context of our Key Criteria and Radar reports. This GigaOm Radar report examines 12 of the top DSPM solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading DSPM offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

2. Market Categories and Deployment Types

To help prospective customers find the best fit for their use case and business requirements, we assess how well DSPM solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

  • Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Here, ease of use and deployment are more important than extensive management functionality and feature set.
  • Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category have a strong focus on flexibility, performance, scalability, and the ability to effectively integrate into existing environments.
  • Public sector/federal: While the infrastructure of these environments is likely to be similar to those of SMBs and enterprises, these organizations typically have some constraints, especially around needing suppliers to meet specific requirements laid out in buying and supply frameworks. Solutions must therefore be able to meet such framework demands.
  • Regulated industry: As with public and government organizations, regulated industries will also have some different requirements. These are also addressed by specific frameworks that may be either data specific or industry specific (such as healthcare or financial services), which incorporate the compliance requirements of particular industries that DSPM solutions must be able to meet.

In addition, we recognize the following deployment models:

  • SaaS: These solutions are available only in the cloud, and designed, deployed, and managed by the vendor. The advantages of this type of solution are its simplicity, ease and speed of scaling, and flexible licensing models. While it may be that, architecturally, some components such as scanners or agents must be installed in a physical location, this isn’t a part of our evaluation. We assess that the main management and intelligence elements of the solution are made available via a SaaS deployment.
  • On-premises: These solutions have the main management and intelligence elements installable wholly on-premises. These elements can be installed in the customer’s data center or cloud tenant. They are not shared and are specific to a single customer.
  • Cloud native/cloud image (available in cloud marketplace or deployable as image): With these solutions, the main management and intelligence element is deployed and supported as a public cloud-based service. The main components can be deployed either as a cloud-native service or as a public cloud image, usually although not exclusively available from a cloud provider’s marketplace. In these instances, they are not shared and are specific to a single customer.

Table 1. Vendor Positioning: Target Market and Deployment Model

Vendor Positioning: Target Market and Deployment Model

Target Market

Deployment Model

Vendor

SMB Large Public Sector/Federal Regulated Industry SaaS On-Premises Cloud Native/Cloud Image
BigID
Cyera
Lepide
Normalyze
Open Raven
Palo Alto Networks
Rubrik
SecuPi
Securiti
Sentra
Theom
Varonis

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

3. Decision Criteria Comparison

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Automated data discovery
  • Automated data classification
  • Cloud platform integration (including SaaS)
  • Compliance reporting
  • Agentless install for cloud

Tables 2, 3, and 4 summarize how each vendor included in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

  • Key features differentiate solutions, outlining the primary criteria to be considered when evaluating a DSPM solution.
  • Emerging features show how well each vendor is implementing capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
  • Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating DSPM Solutions.”

Key Features

  • Data mapping: In order to safeguard its data, an organization must first understand what data it has. Leading solutions should be able to provide a comprehensive map of an organization’s data and the status of its repositories, including any potential risks to the data held within them.
  • Data access intelligence: To understand the risks to their data, organizations must be able to build a detailed view that includes what data is being accessed, by whom or what, and when. Leading solutions should be able to provide this information.
  • Data lineage: To appreciate data risk, organizations must understand the data lifecycle. Good DSPM solutions must show how data moves through their data pipelines and how it is impacted, accessed, and changed through that process.
  • Security posture assessment: Organizations looking to improve their security posture must first understand their posture in relation to their desired security state. Leading solutions should be able to clearly show this so that customers can quickly see their current posture and the steps needed to improve it.
  • Support for on-premises repositories: While much data has moved to the cloud, a great deal of it, especially in enterprises, remains on-premises. Leading solutions should be able to provide insight into these repositories.
  • Enterprise stack integration: No technology solution in the modern enterprise, especially in the security space, can be a silo. For a solution to be a successful part of day-to-day operations, it must integrate with existing elements of the stack. This allows it to be part of existing workflows and add value to existing investments.
  • Data detection and response (DDR): The primary goal of a DSPM solution is to provide insight on current posture and guidance on improvement. However, in today’s rapidly evolving threat landscape, solutions should quickly identify active threats and automate their mitigation and help to reduce threat impact.

Table 2. Key Features Comparison

Key Features Comparison

Exceptional
Superior
Capable
Limited
Poor
Not Applicable

Key Features

Vendor

Average Score

Data Mapping Data Access Intelligence Data Lineage Security Posture Assessment Support for On-Premises Repositories Enterprise Stack Integration Data Detection & Response
BigID 4.6
Cyera 3.9
Lepide 3
Normalyze 4.4
Open Raven 3.3
Palo Alto Networks 4.1
Rubrik 4.1
SecuPi 4
Securiti 5
Sentra 4.4
Theom 4.4
Varonis 4.4

Emerging Features

  • Impact analysis: When a solution identifies potential risk to an organization’s data set, it would be hugely valuable for that organization to clearly understand the broad impact the risk might have. Solutions are starting to show the potential impact of such risks by depicting a broader radius that indicates the possible breadth of the impact, sometimes including estimations of the cost of impact, which can be a useful metric for non-IT teams.
  • AI data interaction: Increasingly, organizations are using AI learning models within their organizations, and these models are accessing data from their repositories. This presents multiple risks to the organization, from oversharing of information to poor quality data feeding the learning models. DSPM solutions are starting to develop tooling to help organizations to more effectively adopt AI, including data cleansing and building guardrails to reduce the risk of oversharing. We expect to see this develop into a key feature over the next 12 months.

Table 3. Emerging Features Comparison

Emerging Features Comparison

Exceptional
Superior
Capable
Limited
Poor
Not Applicable

Emerging Features

Vendor

Average Score

Impact Analysis AI Data Interaction
BigID 4.5
Cyera 2
Lepide
Normalyze 3
Open Raven 2.5
Palo Alto Networks 2
Rubrik 2.5
SecuPi 4
Securiti 5
Sentra 3.5
Theom 4.5
Varonis 4

Business Criteria

  • Cost: Businesses need to understand the full cost of a potential technology investment. This includes the price of a license or service as well as its adoption and running costs. Vendors that can show cost efficiency to customers will be appealing.
  • Ease of adoption: Driving effective adoption is key to the success of any IT project. Adoption can be eased in a number of ways, including good integration with existing platforms and the ability to add the new solution to existing workflows. Solutions that make adoption easy for both operations teams and users also add value. Vendors that assist in these ways will help customers complete a successful technology adoption.
  • Ease of management: Data security is already complex, and adding solutions should not add complexity. Businesses will welcome tools that ease management, provide central administration and reporting, and automate repetitive tasks. Moreover, it is more than the technology that’s important here. Vendors that provide services such as support, training, and proactive account management will help ease the overall management burden of a solution.
  • Security posture: When investing in security posture tools, success should be measurable. Thus, solutions should help each customer clearly identify their current position, show any gaps in this position, and provide clear advice on how to improve the position. Solutions that can provide baselines and ways to measure improvement will help customers improve their data security.
  • Flexibility: Customer environments differ and change. Security tools must be flexible as well, offering different deployment models and adoption techniques, as well as commercial flexibility to fit a broad range of potential customer needs.

Table 4. Business Criteria Comparison

Business Criteria Comparison

Exceptional
Superior
Capable
Limited
Poor
Not Applicable

Business Criteria

Vendor

Average Score

Cost Ease of Use Ease of Management Security Posture Flexibility
BigID 4.4
Cyera 4
Lepide 3.2
Normalyze 4.4
Open Raven 3.6
Palo Alto Networks 4.4
Rubrik 4.4
SecuPi 3.6
Securiti 4.6
Sentra 4.2
Theom 4.2
Varonis 4.4

4. GigaOm Radar

The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for DSPM

DSPM is a developing approach in the business security market. It brings together capabilities from a number of disciplines, including cloud security posture management, data classification, data governance, data loss prevention (DLP), and security measures such as access control, encryption, and masking.

This is reflected in the high number of vendors in the innovation half of the Radar (Figure 1). These vendors are developing new products, focusing on adding new capabilities to existing solutions, or taking new approaches. As demands change quickly around what data security means, vendors that are rapidly innovating can help meet these demands more quickly. This may be particularly valuable as we come to terms with the use of AI platforms within organizations and their potential impact on data access and security.

Vendors in the Maturity half of the chart are those that are already established in one of the areas highlighted earlier; they may be from a governance, security, or access control background but are building or enhancing capabilities in existing products to develop them into comprehensive DSPM solutions. These vendors will have potential value to businesses with more traditional approaches to data security, as both vendors and businesses are more likely to have traditional data management backgrounds.

The majority of vendors are on the Platform Play half; these are vendors that provide good coverage across all of the decision criteria we evaluated and focus their solution on the broadest range of use cases. Vendors on the Feature Play side have a more specific focus and may appeal to customers who are looking to address those specific challenges. This might include vendors that focus primarily on security with DSPM additions, or focus on specific markets such as those operating in the data exchange space, or whose focus is cloud repositories only, not looking to protect on-premises workloads.

Our report highlighted a number of leading vendors that scored well on all of our decision criteria and provided comprehensive solutions that met all of the needs that emerged in our review of this market. There were an equal number of Challengers, those whose solutions either lacked some of the comprehensive capabilities of the Leaders or whose solutions had certain functionality missing, mostly in areas such as broad on-premises repository support and data lineage.

All of the vendors we evaluated were quickly evolving their solutions as they sought to meet new challenges, such as the demands related to AI. Vendors that scored very well on our emerging features were highlighted as Outperformers. One vendor was designated a forward mover, due mainly to the challenge it faces evolving an existing platform, which slowed its rate of innovation in comparison to others we evaluated.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; there are aspects of every solution that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

5. Solution Insights

BigID: Data Security Posture Management

Solution Overview
BigID is a company that focuses on data security, privacy, compliance, and governance. Its platform acts as a single source of truth for an organization’s entire data estate, including cloud and on-premises data sources. It services all types of customers, but the majority are midsize and large enterprises.

The solution can be deployed on-premises, as a cloud image, hybrid, or via SaaS, offering good installation flexibility. BigID uses an agentless platform that can handle a wide range of data types, including structured, unstructured, semistructured, and streaming data. Its large library of more than 500 native connectors makes it easy to integrate BigID with a variety of data repositories across cloud, SaaS, and on-premises deployments.

The solution comes with a large array of prebuilt classifiers that users can customize further to meet specific needs. Its data scanning automatically identifies cloud data repositories using its patented four-in-one scanning that classifies, correlates, and catalogs data. These classifiers can be tuned and customized to drive increased accuracy. Scanning the data provides detailed insights, including a correlation graph that shows granular links between attributes, users, and locations of data.

BigID includes dashboards that provide information about data security risk and uses AI/ML to apply prioritization, context, and useful guidance in addressing discovered risks. It also provides DDR, which both alerts on and can enforce controls on potentially risky events.

The solution also supplies AI tools that can help customers put data guardrails in place to ensure only the right data is used in their AI training models. They can layer these automated controls to extend to compliance frameworks, risk management, privacy use cases, and AI data management. The company is investing in its BigAI Copilot to help customers better classify, catalog, and investigate data.

Strengths
Areas where BigID is particularly strong include:

  • Enterprise stack integration: As an enterprise-focused solution, BigID offers a variety of integrations across the broad range of the IT stack, including areas such as service desk, SIEM, and SOAR. There is a good catalog of prebuilt integrations as well as APIs to handle custom integration.
  • Pricing: The vendor offers pricing flexibility and transparent costing. Its tiered pricing is simple, and its fast-track pricing, which is based on specific customer requirements that include the product, services, and training credits, is a valuable feature. Moreover, its comprehensive coverage will allow a customer to adopt an excellent DSPM with a single vendor, whether datasets are in the cloud or on-premises.
  • Data mapping: BigID provides detailed mapping covering a range of repositories that are easily accessed via its broad array of prebuilt integrations. It includes a data catalog that is searchable, sortable, and scalable with an interactive graphical dashboard. The solution draws connections between data so that users can easily understand what data they have and what it represents, and it also evaluates quality and remediates low-quality data.

Challenges
Areas for improvement include:

  • Data protection: The solution lacks native data protection capabilities such as anonymization, obfuscation, and encryption. It can achieve this in certain platforms via integration with their native capabilities, such as encryption functions in Snowflake. This is likely to be seen as a limitation for those looking for data security enforcement.

Purchase Considerations
BigID is a comprehensive solution that offers a wide range of capabilities. It has some shortfalls in not being able to apply native data protection such as encryption, anonymization, and obfuscation as some of its competitors do, so customers must evaluate other approaches to data security enforcement if this is needed. Its strong DDR capability, which alerts on and can enforce controls on potentially risky events, may alleviate this concern.

It does offer fast-track services that will help ease adoption. For customers with broad requirements across cloud and on-premises environments, BigID’s substantial coverage will be attractive. Its DDR capabilities will prove useful to customers needing automated remediation. The company’s experience in the F500/G1000 space should appeal to customers with needs in that area.

Radar Chart Overview
BigID provides a strong solution that scored well on all of our evaluating criteria, placing it in the Leaders circle. Its comprehensive coverage and innovative approach to classification and correlation, as well as its use of AI, marked it as an innovative platform-focused vendor.

Cyera: Cyera Data Security Platform

Solution Overview
Cyera is an emerging provider of data security. It develops solutions to discover and protect data across the enterprise ecosystem. Its target market is global enterprises with large and complex data security and compliance needs.

The Cyera Data Security Platform is available as SaaS or, for those needing local processing, as an “outpost” deployment, enabling customers to keep their data contained within their environments. The platform provides agentless scanning, with automated discovery of repositories and the inventorying of infrastructure as a service (IaaS) and platform as a service (PaaS) storage buckets, native databases, databases running in virtual machines or container environments, and folders and files in SaaS applications. This includes shadow, dormant, and unmanaged repositories. This has been recently extended to cover on-premises repositories, including file shares, network attached storage (NAS) (NetApp), and popular databases. On-premises support is delivered agentless via a reverse proxy.

Once deployed, the solution maps out the entire organization’s sensitive data, detecting data issues and risks and addressing risks directly or with automation via integrations with third-party solutions such as SOAR, e-ticketing, e-discovery, and backup and restore platforms. Its cloud-native data discovery technology provides operational scale to quickly identify and inventory new data repositories as they are created. It uses AI, ML, and NLP to drive data discovery and classification accuracy, claiming high accuracy with 95% or higher confidence.

The solution provides proactive security posture assessment and reactive, real-time assessment using DDR capabilities. Issues are detected, correlated, and assigned customizable risk verdicts. This helps users prioritize risks and, either automatically or via an approvals process, trigger an integrated workflow to popular SIEM, security orchestration, IT ticketing, and workflow remediation tools.

Strengths
Areas where Cyera is particularly strong include:

  • DDR: Its ability to identify data issues and risks as well as trigger workflows across the enterprise technology stack, such as SIEM and ITSM tools, will be a valuable capability for customers. It sees its dynamic data detection and classification and contextualization engine as a core technology differentiator, allowing it to dive deeply into data sets to apply context to its DDR decisions. This allows it to operate with speed, scale, and accuracy, providing the organization with a more holistic visibility and control over the data it holds both in the cloud and on-premises.
  • Enterprise stack integration: Cyera’s mix of prebuilt integrations and strong APIs enable the solution to integrate broadly with existing enterprise ecosystems, including with data catalogs, DLP, SOAR, and SIEM solutions, ensuring that it can be a core part of enterprise workflows.
  • Ease of adoption: The platform provides good flexibility between its cloud and outpost deployment methods. Its ability to deploy to entire cloud environments using a single identity and access management (IAM) role streamlines deployment in large or unknown environments. Cyera also offers a 30-day trial deployment to ease the initial evaluation.

Challenges
Areas for improvement include:

  • Privacy and governance limitations: The solution is not meant to replace tools designed to meet specific privacy requirements, privacy assessments, and privacy law research, or data governance requirements such as a business glossary, metadata management, and data quality. It is not designed to deliver these functions but rather aims to enrich other platforms with its insight. Customers looking for this will need additional tools when working with Cyera.

Purchase Considerations
There are some limits to Cyera’s data lineage insight, as well as around the ability to meet specific governance requirements. Cyera will prove valuable to companies looking to build a good data map that helps identify potential risks, such as misconfigurations, over-permissive access, and data exposure. Its DDR capabilities will be useful to those looking to automate response to data threats. While it offers good data access intelligence, currently it can not enforce data access restrictions. The solution is ideally aimed at midsize and larger enterprises with predominantly cloud-based data sets.

Radar Chart Overview
Cyera scored well on a number of our metrics. It has many good capabilities but some gaps as well, making it a strong Challenger with a mostly platform approach. Its cloud-native scalability model and its ability to continuously discover new data sources, aligned with its use of AI/ML, placed it on the innovation side of our Radar chart.

Lepide: Data Security Platform

Solution Overview
Lepide is a long-established data security company. Its initial focus on Active Directory security has, over time, expanded to include a variety of data security capabilities. Its Data Security Platform now provides auditing and reporting, access governance, threat detection, and data classification. It targets midmarket and large enterprise customers with between 250 and 10,000 IT users.

The solution, unlike many we evaluated, remains a predominantly on-premises deployment, although a cloud-based deployment through both AWS and Azure marketplaces is also available. Its on-premises solution is a Windows application with a SQL back end. Its cloud variant requires the provisioning of virtual machines and separate licenses. The platform covers four key areas: threat detection, access control, data classification, and e-discovery. The solution offers support for several data sources, including Microsoft 365, on-premises file shares and databases, NAS (NetApp currently), and cloud repositories, including AWS S3.

The solution’s four core pillars are accessed through its management console, which, although it looks dated in comparison to some of its competitors, is intuitive and easy to follow and provides a good range of information. It allows users to track potential threat workflows by pivoting between user, group, and file permissions risks. It also has a good range of flexible reports, including ones that highlight issues in common frameworks and assign financial values to data to provide an option that nontechnical users may find useful. Auto-remediation of threats can be set to a level that triggers prebuilt scripts to lock accounts and remove permissions, and the solution also analyzes the impact of any remediation steps a customer may take.

Strengths
Areas where Lepide is particularly strong include:

  • Ease of management: As a platform aimed more at the SMB market than most evaluated in this research, Lepide offers a simple but functional management platform. While it may look a little dated, it is easy to navigate, and workflows are intuitive and allow management tasks to be triggered easily from within the console.
  • Focus on SMB technology stack: Many of the solutions evaluated in this research are focused on larger enterprises. While the Lepide solution can scale, its simplicity and focus on SMB-type infrastructure such as Windows Servers and Microsoft 365 will be attractive to smaller customers looking for a simple yet effective solution to help improve data security.
  • Data access intelligence: The solution provides a fair amount of data access information, including over-privileged accounts and over-shared files. It also analyzes the impact of any proposed access changes, helping to de-risk these changes.

Challenges
Areas for improvement include:

  • Installation approach: Lepide’s solution is an established platform that it has evolved to provide DSPM. However, that does leave it with the challenge of quickly evolving its current three-tier solution approach requiring server and application infrastructure into a more data-centric one. The solution does have benefits for those wanting on-premises and private deployments; however, its current deployment model does add cost and complexity. While cloud marketplace implementations are available, they are based on deploying cloud virtual machines, and the costs they generate will need to be considered.
  • Limited integration: The solution is aimed at the SMB market more strongly than some we have evaluated and thus has some limitations in the breadth of integrations, both in terms of its repository view, with support for on-premises and some limited cloud services, and in terms of its integration with the broader management stack, which is limited to API-only integration and only available to be developed on a case-by-case basis.

Purchase Considerations
This solution is built on a more traditional three-tier platform and may not offer the data-centric functionality that others we evaluated do. Companies will need to evaluate whether this architecture will suit their needs.

Lepide provides a solution built on its well-established technology. This approach means its focus is on evolving its existing technology. For those who want to install on-premises, this may still appeal. The solution is also more targeted to the SMB market; larger customers will need to evaluate whether its scalability is adequate for their needs. Smaller customers looking for a simple and functional solution will find this an attractive option, particularly if they are looking for on-premises deployments. With its stronger focus on SMBs, this is a tool well suited to that market.

Radar Chart Overview
The Lepide solution was more limited in the breadth of its capabilities and deployment approach than some of the vendors evaluated in this research. This placed it on the Feature side of our Radar and marked it as a Challenger. Lepide’s approach to evolving its existing technology stack placed it in the Maturity half of the Radar. Because this involves some development of its existing stack, it also means it is moving a little more slowly in terms of innovation.

Normalyze

Solution Overview
Normalyze is a data-first security company with a cloud-based data security solution that can secure data in cloud-native apps and infrastructure, SaaS and PaaS platforms, and on-premises repositories and file shares. Its primary market is midsize to large enterprises.

The Normalyze solution is SaaS-based by default, although isolated cloud deployments are supported for customers needing privacy and control. Scanners are deployed as containers in cloud or on-premises environments and can discover and classify data from a wide range of repositories in public clouds, SaaS environments, and on-premises NAS and databases.

Normalyze One-Pass Scanner uses a “single pass” mechanism to automatically discover repositories, including shadow, abandoned, duplicate, and unmanaged data repositories. It then identifies and classifies sensitive information and assesses access risk. The platform can show both asynchronous and continuous scan results, which allows customers to see results immediately within reporting dashboards without needing the full scans to complete, enabling them to quickly start to build a picture of their data security posture.

The solution uses an innovative approach to highlighting risk by assigning monetary value to data and the cost of its exposure. While there may be some questions around the use of monetary values as a method for reporting clearly to the wider business, this can be a useful metric when considering the relative cost of data and prioritizing the relative risks and remediation plans.

The solution’s clear dashboards highlight risk and enable rapid investigation. This includes one-click customizable remediation. It also has a no-code query builder to help customers create complex data queries.

Cohesity customers may find its integration with Normalyze interesting, as this allows Normalyze to identify valuable data and Cohesity to automate its protection. For Snowflake customers, it now has a custom Data Access Graph that accurately classifies data within Snowflake environments.

Strengths
Areas where Normalyze is particularly strong include:

  • DDR: The solution provides a broad range of automated detection and response capabilities, including automatic data discovery and classification, event monitoring, data in motion identification, and abandoned data store detection. Normalyze currently supports 63 risk signatures in its DDR feature, each with its own remediation suggestions provided automatically by the system. In recent benchmarking, Normalyze was able to scan approximately 1 TB per hour or two million files every 10 hours.
  • Security posture assessment: Normalyze automatically discovers all data stores, potential security vulnerabilities, and misconfigurations, classifies all data, and monitors for changes that increase risk exposure or new threats. It uses machine learning algorithms to conduct AI-driven risk prioritization, identifying the most critical vulnerabilities that need immediate attention. It provides actionable remediation insights, offering concrete steps for resolution. It also provides a useful one-click framework assessment that lets users quickly review posture against well-known risk frameworks. Assigning a monetary value to a risk is a potentially useful feature.
  • Data lineage: The solution provides clear graphical representations through its data flow map, enabling users to understand how data originates and moves through their environment. The platform also offers a data-in-motion visualization feature that graphically represents the data’s journey through the organization. In addition, Normalyze added new and comprehensive features to its roadmap, such as how data elements are derived, calculated, or transformed.

Challenges
Areas for improvement include:

  • Encryption and rights management automation: Normalyze does not currently automate encryption and rights management, either through native capabilities or integrations. While the platform can signal the need for these actions, they require manual intervention. Plans to automate this functionality are on the medium-to-long-term roadmap.
  • Data anonymization: The platform currently doesn’t offer an automated anonymization solution. It can identify when data anonymization is necessary, but remediation needs to be performed manually. Plans to automate this capability are on the medium-to-long-term roadmap.

Purchase Considerations
The solution provides a comprehensive range of data repository integrations across IaaS, PaaS, SaaS, DBaaS, and on-premises data repositories and shares. Although the solution is capable of integrating with the technology stack, its lack of prebuilt integrations with tools such as CASB, DLP, and SIEM will require additional work through API integration to have Normalyze fully integrated in the enterprise workflows. This may add both cost and complexity.

Normalyze is a comprehensive solution that will suit those with data repositories across a wide range of platforms, including multicloud, cloud-native, and on-premises databases. Its practice of assigning monetary value to risk may interest those who need to provide metrics that will be easily digestible by nontechnical business leadership. This is a strong solution with a broad roadmap that will appeal to mid-to-larger enterprise customers with complex data environments.

Radar Chart Overview
Normalyze performed well on a broad range of our decision criteria, placing it as a Leader in this report. Its extensive capabilities also positioned it on the Platform Play half of the Radar. Its rate of development, as well as some of its capabilities related to analysis and data protection, also positioned it in the Innovation half.

Open Raven

Solution Overview
Open Raven offers a cloud-native data discovery and classification platform that secures sensitive data across clouds. The platform provides visibility and control to help prevent attacks, reduce costs and risks, and streamline compliance. It targets enterprises and born-in-the-cloud companies with proprietary or sensitive data.

The solution is architected as SaaS and uses CloudFormation or Terraform templates to deploy within a dedicated AWS subnet and single-tenant Kubernetes cluster, providing an isolated environment for each of its customers. It is built to use native APIs, serverless functions, and ephemeral compute, rather than dedicated scanners or agents, to locate, inventory, classify, and protect data. Connection to customer data repositories is via API and serverless functions, and data is analyzed where it resides without “touching” it. The solution provides flexibility to modify the sampling rate, time constraints, and exclusion logic of its analysis engine to control how quickly data is assessed as well as the impact on existing environments. Data classifications are automated, but the platform also enables customization to help more accurately identify data and risk.

Once the inventory is complete, the solution generates insights that include assessing security posture with rule-based policies ranging from CIS Benchmarks to regulatory standards such as GDPR. It also provides the ability to establish data guardrails via rule-based policies that can enforce data sharing agreements and proof of compliance for audit mandates.

The solution integrates with cloud IaaS, PaaS, and SaaS services as well as with some on-premises structured and unstructured repositories. Users of Microsoft SaaS environments should note that SaaS capabilities are currently limited to Google Workspace.

Strengths
Areas where Open Raven is particularly strong include:

  • Enterprise stack integration: The solution offers a broad range of integrations across the enterprise stack, including events integration with tools such as email, Jira, and Slack, options for SIEM and data lakes, and AWS backup. APIs are available to build out custom integrations as needed.
  • Data access intelligence: Open Raven provides good data access insights. For IaaS and PaaS, it provides access to event data, including owner name, ID, resource type, and permissions. For SaaS repositories, it provides all activity data, including view, edit, download, change user access, source copy, and rename. It then uses this information to carry out a range of enforcements, such as enforcing data encryption or removing public access to repositories that hold at-risk data.
  • Security posture assessment: The solution provides an initial assessment of vulnerability to well-known risks and of compliance against popular frameworks. This enables customers to answer the initial “what is at risk” question. Customers can then use the platform’s custom data classes to fine-tune their posture to improve overall data security.

Challenges
Areas for improvement include:

  • Lack of Microsoft support: While the solution has a good range of data repository integrations across both cloud and on-premises, it offers little support for the Microsoft ecosystem, which will deter those invested in that space.
  • Data lineage: Currently, the solution does not provide any insights related to data lineage, though this is on the roadmap. This capability can be extremely useful in understanding how data moves and transforms through an organization.

Purchase Considerations
This cloud-native solution uses serverless functions to deliver its functionality, a good design approach. However, the current lack of support for Microsoft SaaS platforms will be off-putting for customers running such solutions. Moreover, there are no data lineage capabilities.

This is a good tool for those with predominantly cloud environments and especially those using Google Workspace rather than Microsoft 365. Its ability to produce policy-based data guardrails will be interesting to those who need to enforce data-sharing agreements or proof of compliance for audit mandates.

Radar Chart Overview
Open Raven scored well on the majority of our criteria, making it a Challenger in our report. The breadth of its features positioned it as a Platform Play vendor. The innovative deployment model, plus the use of analytics and intelligence related to access control, placed it in the Innovation half of the chart.

Palo Alto Networks: Prisma Cloud DSPM

Solution Overview
Palo Alto Networks is a global technology company with a comprehensive portfolio that covers networking, connectivity, endpoint security, and security services. This includes its cloud-based security and connectivity platform, Prisma Cloud. Prisma Cloud was recently enhanced by the acquisition of Dig Security, adding DSPM to the Prisma Cloud platform. Prisma Cloud DSPM is aimed at enterprises in sectors with sensitive and regulated data in the cloud.

Prisma Cloud DSPM is a SaaS solution. It is agentless and does not use proxies to integrate with customer clouds. It supports a wide range of data repositories—including IaaS, PaaS, DBaaS, and SaaS platforms—and covers on-premises file shares for both classification and risk assessment. Once integrated, it can automatically discover data repositories within cloud environments to help organizations build an accurate view of their data landscapes and locate, classify, and prioritize data risk. Its risk engine can be customized to create business-specific risk policies and apply data governance. It also offers a useful feature that allows it to integrate with malware detection tools to identify malware hidden in cloud object storage and reduce the risk of further infecting files.

Once datasets have been scanned, Prisma Cloud presents a risk overview using a risk score and prioritizes these risks to help customers quickly assess threats and plan remediation actions. It also offers a compliance dashboard that provides clear guidance on data security posture against major compliance frameworks and is designed for compliance teams rather than security ones. It also provides an executive report for security leaders.

The solution also offers automated remediation, real-time monitoring, and protection of data from misuse, exfiltration, and ransomware. While DSPM policies are fully customizable, DDR policies are currently prebuilt and cannot be customized.

Prisma Cloud DSPM is already a strong offering, and plans to integrate more tightly with the broader elements of Prisma Cloud will build an even more comprehensive DSPM platform for the enterprise.

Strengths
Areas where Palo Alto Networks is particularly strong include:

  • Security posture assessment: Customers need clear guidance on their security posture, and Prisma Cloud does this very well. Its use of risk scoring and automated prioritization will help security and data teams quickly identify threats. Its specialized compliance dashboard is a notable addition.
  • Data mapping: The solution’s strong data mapping feature provides clear insight into risk. It claims high data classification accuracy and adds useful business context to help understand and accurately prioritize risk. It clearly visualizes data locality and will show misconfigurations, such as overexposed data sets. It can also show information on data access and how data is flowing. Other capabilities include OCR scanning, identity monitoring, and data type visualization.
  • Enterprise stack integrations: Prisma Cloud provides good integrations, although many of these require using APIs rather than prebuilt integrations. However, this does include designed API integrations with SIEM, SOAR, and ticketing solutions such as Jira. The solution’s ability to integrate with both data labeling and backup solutions will be useful to many to ensure data is well secured and protected in line with existing enterprise workflows. There are also connectors for malware scanning with Crowdstrike (and soon with Palo Alto WildFire). It also supports notification integration via Slack, Qradar, email, and webhooks.

Challenges
Areas for improvement include:

  • On-premises support: The solution’s on-premises support is currently limited to file shares only, and this only covers data classification and risk assessment. DDR capabilities have not been extended to file shares.
  • Data lineage: While the platform offers some data lineage capabilities, it currently lacks the ability to produce a visualization of lineage and to show data dependencies. It does, however, provide some unique insights into data flow and can highlight risks, such as data exiting Europe, moving out of production environments, or transferring out of the state of California. However, those needing more complete lineage capabilities, such as understanding data lifecycle and transformations, will have to determine whether this is sufficient.

Purchase Considerations
Palo Alto Networks’ DSPM solution is a continually evolving platform, building on its cloud-focused heritage. However, it still has some gaps in capabilities, especially for those with large on-premises estates that need to be included in a DSPM strategy. In addition, this is a product new to the Palo Alto Networks portfolio, and while evidence suggests that development will continue and even accelerate, customers should still ensure they understand the roadmap for the solution and how the acquisition impacts that.

Those with primarily cloud-based data sources will find this a strong solution that integrates with a broad array of cloud repositories. Its DDR capabilities will work well for those looking to automate response to data threats.

Radar Chart Overview
The solution scored well on the majority of our decision criteria, making it a Leader in this report. Its broad range of capabilities mark Palo Alto as a Platform Play vendor. Its approach to discovery and classification and DDR place it in the Innovation half of the chart.

Rubrik, DSPM

Solution Overview
Rubrik is a well-known vendor in the data protection space, having built its reputation on its data backup platform. This has evolved into the Rubrik Security Cloud, a comprehensive data security solution that covers customers’ data through its security lifecycle, including proactive threat protection and damage mitigation to post-attack recovery. With its acquisition of Laminar in August 2023, it now offers DSPM as part of this solution.

Rubrik DSPM provides an accurate and continually updated inventory of assets and data across hybrid environments. Architecturally, it uses a SaaS management plane with the use of an outpost account close to the data repository. On-premises, it uses Rubrik Security Cloud’s agentless deployment to integrate with existing storage repositories and uses its snapshot infrastructure to assess application data, databases, and data stores. In the cloud, it uses serverless functions that leverage APIs to asynchronously scan environments without impacting performance. For existing Rubrik customers, this service can be enabled with no additional configuration required. The solution doesn’t move data and only ingests metadata for its DSPM scans. DSPM information includes where data resides, risk levels, ownership, and sensitivity via its data classification capabilities. It provides these insights across cloud and on-premises data repositories and will look for overexposed, misplaced, redundant, and unprotected data so that customers can remediate these vulnerabilities and reduce the risk of exposure and exfiltration.

The solution offers enhanced data security controls via integrations with Microsoft Purview, Microsoft Azure, GCP, Snowflake, and S3 storage, allowing it to provide data-centric security at a granular level. The solution has a good focus on simplicity, and its integration with the full Rubrik security stack allows it to extend DSPM into more proactive data protection and data security steps. This integration with the full stack will make it especially attractive to existing Rubrik customers. Its SaaS-based agentless architecture, which can scan production and backup environments without relying on metadata sent over collectors, provides a useful level of resilience, allowing it to continue to operate should collectors be impacted by an attack or downtime.

Strengths
Areas where Rubrik is particularly strong include:

  • Support for on-premises repositories: Its integration with the broader Rubrik solution provides it with comprehensive support for on-premises data repositories, including Windows, Unix/Linux, VMware, Oracle, SAP, NAS, and NoSQL. Its use of agentless architecture will also ease integration and reduce risk.
  • Data detection and response: The platform can identify anomalous data access and suspicious behavior, alerting customers on data exfiltration, unusual third-party access, insider threats, accidental data leaks, and data misuse. Responses can be immediate by streamlining mitigation workflows to reduce the mean time to respond (MTTR). The solution can also streamline alerts to incident response tools, including SOAR, SIEM, or ITSM platforms.
  • Ease of management: While not a requirement for DSPM solutions, the integration of Laminar with Rubrik’s Security Cloud presents an attractive data management option for its customers. It provides a comprehensive platform and view of risk, and its ability to use the data insight to trigger additional data protection capabilities, such as carrying out a data backup job when sensitive data is discovered, will prove very attractive to many companies.

Challenges
Areas for improvement include:

  • Customer focus: This is a solution aimed primarily at large and midsize enterprises and government customers. It is unlikely to be appropriate for smaller customers looking for a solution.

Purchase Considerations
Rubrik provides a very strong solution and will be attractive to existing Rubrik customers, who can simply enable the additional Laminar DSPM functions in their existing investment. However, new customers will need to consider whether there is broader value to be had over one of its DSPM-specific competitors.

Prospective customers will benefit from Laminar’s capabilities as a comprehensive tool and the additional integrations and coverage that come with Rubrik’s ownership; however, Rubrik’s long-term plans for the tool and the impact of tighter integration with other Rubrik offerings should be considered.

Rubrik DSPM is a strong solution for larger organizations looking for comprehensive data discovery, classification, and governance for complex data sets that straddle cloud, SaaS, and on-premises. Its integration with the broader Rubrik solution set will be attractive for companies looking to bring data security and protection together under a single vendor. Rubrik is uniquely placed to do this. For existing Rubrik customers looking to add data governance and security to their data management approach, its seamless integration with its existing solution stack will make it very attractive.

Radar Chart Overview
The solution has high scores across the majority of the decision criteria we evaluated, making it a Leader in this report. Rubrik’s acquisition added significantly to the solution’s existing breadth of capability, and this acquisition, along with Laminar’s already innovative approach, positions it in the Innovation/Platform Play quadrant. With its speed of development, we also highlighted it as an Outperformer in this market.

SecuPi

Solution Overview
SecuPi is a data-centric security company that provides solutions to help customers use data in a secure and compliant way. It does this via classification, real-time data access, and monitoring, access control, and de-identification of data at rest and in use.

The platform is built on a Kubernetes infrastructure that can be deployed in the public cloud or within a customer’s own data center. Alongside this are a central management server and distributed enforcers that offer flexible integration with data repositories to monitor and enforce control. Its platform integration can be agentless, agent-based, a web service, or via a gateway, depending on the source repository. It can integrate with a wide range of infrastructure types across cloud and on-premises. However, it should be noted that SaaS integrations are limited, with some support for DBaaS and some storage as a service, such as Snowflake and Databricks. Customers should be aware there is no support for Microsoft 365 or Google Workspace.

SecuPi is essentially a data security platform offering a wide range of security enforcements, but it is also able to provide customers with real-time visibility, including classification, behavioral analytics, and threat detection, as well as access controls and insights to identify unauthorized data access. The platform uses a crawler for autodiscovery of data and various classifiers (both out of the box and custom) to identify sensitive data in structured, semistructured, and unstructured sources. It provides customers with insight into what data exists, who is accessing it, and how.

The platform is not exclusively a DSPM tool but rather a superset of data security enforcement tools. However, it offers DSPM capabilities and is a suitable option for midsize and large enterprises with complex environments that are looking to improve remediation and observability and externalize data security from the underlying data platforms.

Strengths
Areas where SecuPi is particularly strong include:

  • Data access intelligence: As a solution aimed at providing security, SecuPi uses data access intelligence well. It provides detailed analysis of how data is used and whether it has been exfiltrated from an organization. It uses behavioral analytics to show anomalies and applies this information to real-time security enforcements.
  • Enterprise stack integration: This is an enterprise tool for complex environments and, as such, provides comprehensive integration capabilities with existing enterprise tools. It offers prebuilt integrations with leading SIEM, SOC, and XDR tools, integration with DLP tools such as Microsoft Purview, and PAM integration with Cyberark and Savient. A full list of integrations is available on its website.
  • DDR: The solution’s ability to identify threats and enforce a broad range of security measures is impressive. Its UEBA capabilities help it identify risk, and it can then apply a wide range of data protections such as data masking and obfuscation, all without needing to make any changes to the source data.

Challenges
Areas for improvement include:

  • SaaS support: The tool lacks support for SaaS productivity platforms such as Google Workspace and Microsoft 365, which could be a limiting factor. It is a focused solution that mainly provides data enforcement. Customers will need to consider other solutions to include these SaaS productivity tools in DSPM approaches.
  • DSPM focus: SecuPi is not a DSPM solution; instead, it provides a superset of capabilities that offer strong and consistent data security enforcement. This means that while it provides DSPM insight and capabilities, they are likely to be a little harder to find than in the DSPM-focused solutions.

Purchase Considerations
As noted, SecuPi is designed as a comprehensive data security enforcement solution rather than one exclusively focused on DSPM. While it includes many DSPM capabilities, it is likely to require more work to find them. Those with strong DSPM needs should consider whether SecuPi’s DSPM capabilities alone will suffice.

However, for those with complex data environments looking to enforce consistent security across them without having to alter the way those repositories natively behave, this is an extremely strong solution, and it will also deliver a good level of DSPM insight. These capabilities may make a suitable option for midsize and large enterprises with complex environments.

Radar Chart Overview
The solution scored well on a number of our criteria, although as a solution not primarily designed for DSPM, it scored slightly lower in some DSPM-specific areas, making it a strong Challenger in our report. Its security enforcement focus, as well as its lack of support for some SaaS productivity tools, place it on the Feature Play half of the chart, and its strong and mature offering puts it on the Maturity side.

Securiti: Data Command Center

Solution Overview
Securiti offers a centralized platform designed to enable the safe use of data and AI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments, targeting larger enterprises.

Its Data Command Center offers multiple deployment options, including SaaS and on-premises, although its hybrid model is its most common deployment. This model uses SaaS for rendering reports and insights while ensuring all processing is done inside the customer environment. It provides an agentless deployment model and eases adoption with hundreds of prebuilt integrations across popular cloud, SaaS, and on-premises data repositories.

Insights are presented to users via the Data Command Graph, which acts as the authoritative data source. The platform provides a comprehensive set of models to help customers interrogate this data to assist with privacy, governance, compliance, and DSPM. Within the Data Command Center, a new AI Security and Governance solution helps organizations gain full visibility into AI use and its potential risks, and to control the use of enterprise data with AI.

The platform provides detailed classification insight, including across shadow data repositories. It also has an impressive capability to classify video and audio data, which goes beyond just looking at the file metadata. Instead, it plays the full clip and analyzes the full content of those files to look for potentially sensitive data contained within them. It can also discover and catalog interaction with machine learning models, identify what data is being used by them, and reduce any associated risk.

Securiti also offers comprehensive access intelligence that includes cross-border data movement. It has a built-in orchestration engine to help customers build complex automation responses and provides a wealth of DDR capabilities that can enforce data protection controls to protect data at risk.

Strengths
Areas where Securiti is particularly strong include:

  • Data mapping: The solution offers comprehensive data mapping capabilities, particularly in its ability—unique among the vendors we evaluated—to classify data within audio and video files, playing the full clip to find sensitive information within the content. It looks at all datasets, including shadow, dormant, and data snapshots of volumes that no longer exist in production, to ensure full insight into risk and provide remediation actions to remove any threat posed by it.
  • DDR: Securiti provides a comprehensive set of capabilities to deliver automated threat detection and a broad array of responses that range from simple blocking of users to targeted obfuscation of data, allowing data to be accessed while remaining secure. This is further enhanced by the platform’s native workflow orchestrator, which enables customers to build their own responses.
  • Data access control: The solution integrates well with identity providers (IdPs) to help visualize access to sensitive data and uses activity analysis to show how data is being used. The platform also uses behavioral analytics to identify unusual behavior and flag it for analysis. It provides full and granular active control and remediation capabilities that include managing access rights, row filtering, and data masking. Where shared access is required, the platform can also create synthetic data when masking is not appropriate.
  • Enterprise stack integration: The solution offers excellent integration with existing tools. This includes via API, integration with cloud-native security tools such as AWS Security Hub, connectors to IaaS, SaaS, and PaaS, and connections from its Workflow Orchestrator to many service automation platforms such as Jira and ServiceNow.

Challenges
Areas for improvement include:

  • Customer size: This is a comprehensive solution that may be most effective for the larger, more complex enterprise. Smaller organizations may find other tools more appropriate for their needs.
  • Complexity: Because Securiti offers such an extensive set of features, customers will need to be clear about the kind of information they need to get from the product and how best to address potential threats. This will reduce the possibility of information fatigue for IT teams and enable a more focused adoption approach.

Purchase Considerations
Securiti is a very comprehensive platform that should meet the needs of most organizations and is probably best used by mature and knowledgeable IT and security teams to get the full benefit of the platform. Customers should also carry out the due diligence that ensures they fully understand their requirements so they don’t get overwhelmed by the extensive features of the platform.

Organizations with broad and complex estates that need a comprehensive solution that integrates fully across cloud and on-premises will find this platform powerful. Those looking for a hybrid deployment model that ensures data never leaves its control but still allows for processing and information presentation to be provided via a SaaS platform will also find it useful. Its unique ability to fully interrogate video and audio files for sensitive information will be hugely desirable for businesses with substantial amounts of such content that could present risks to data security.

Radar Chart Overview
Securiti provides a very strong platform that scored extremely well on all of our decision criteria, positioning it as a Leader in our report. The solution’s broad capability and coverage make it a Platform Play vendor. Its approach to tackling DSPM, including its work with AI governance, and its novel approach to audio and video placed it on the Innovation half of the chart.

Sentra

Solution Overview
Sentra is a DSPM specialist company that aims to help its customers reduce the complexity of managing sensitive information across multiple cloud platforms, automatically detecting and prioritizing risks. The company focuses on serving born-in-the-cloud medium-to-large enterprises.

Sentra provides a predominantly SaaS-based solution but does offer some other deployment options to meet certain use cases. The solution can deploy its scanning engine as a serverless function inside of a customer cloud to carry out analysis with only metadata exchanged with the central SaaS platform. On-premises support is also available via the deployment of an agent. The solution provides broad coverage with more than 30 prebuilt integrations across well-known cloud services in AWS, Azure, and GCP; Snowflake; SharePoint Online; and support for all popular database engines. Once integrated, it carries out automated data discovery to identify known and shadow data repositories, using around 150 prebuilt classifiers to build an understanding of the data. The solution presents analysis within its dashboard, offering a security posture calculation that shows risks broken down across cloud accounts, locations, and data class types. It also offers a view of compliance readiness across all data repositories.

Sentra shows data access threats graphically, helping ops teams to see threats and data flows. It can also identify data in breach of any data locality compliance. The solution can identify a wide range of threats in real time and integrate with existing enterprise tools such as ITSM to provide automated responses; it includes more than 20 out-of-the-box integrations with workflow/remediation tools to streamline this process. It is also starting to build AI governance to help identify interactions from AI learning models.

Strengths
Areas where Sentra is particularly strong include:

  • Data mapping: Sentra provides comprehensive mapping that includes a full data catalog, showing data stores (asset types, locations, sensitivity, and so forth) and underlying data assets (objects, with data type, data class, data context). In addition, its DataTreks platform shows data similarity and movement between locations/environments/accounts/account types, and it can alert on shadow, dormant, or abandoned data and provides risk scoring as well as notification of unprotected data with excessive permissions.
  • Data access intelligence: Sentra offers a range of capabilities for both governance and access monitoring. It can determine which critical data can be accessed by “risky” users, identities, and applications, and shows the business impact of unauthorized access. It can also provide anomaly alerting to identify unusual access behavior. The solution can also enforce access restrictions via integration with IAM solutions such as Okta, and enforce data security controls such as de-identification, encryption, and invocation of cloud-native capabilities in Snowflake and other data repositories.
  • On-premises support: The solution offers good support for a wide range of on-premises repositories, including databases (MSSQL, Oracle, PostgreSQL, MongoDB, and MySQL) and file shares (NFS, SMB, FTP, and NTFS), providing full functionality across these repositories.

Challenges
Areas for improvement include:

  • Data lineage: While the solution does offer data lineage, it currently does not provide the ability to do a full auditable investigation. However, it does provide lineage information, and its DataTreks Context Graph shows data relationships and vulnerabilities.
  • DDR: The solution is an alerting tool. It can alert in real time to a wide range of threats, including exfiltration, anomalous transfers, suspicious accesses, and other malicious activities. However, while it can alert on a wide range of risks and threats, for resolution it would typically interface with incident response (IR) teams via API feeds into existing SOAR or SIEM tools. Customers would need to have this in place to automate remediation against data threats.

Purchase Considerations
This is a solution primarily aimed at cloud-first and born-in-the-cloud medium-to-large enterprises (more than $1B annual revenue). Smaller customers will need to determine if the solution, while technically a good fit, is a fit for their business requirements. The solution also lacks native automated remediation capabilities. While it can provide high-quality insight into threats, organizations will need other tools and processes to act upon that information.

Companies looking to identify data and risk across a broad range of cloud and on-premises repositories will find its breadth of coverage useful. Sentra is a good choice for companies in its target market.

Radar Chart Overview
Sentra scored well on all of our decision criteria, making it a Leader in this report. Its broad range of capabilities place it as a Platform Play vendor, while its innovative approaches around data mapping, posture assessment, and access intelligence place it on the Innovation side of the Radar chart.

Theom

Solution Overview
Theom is a specialist data governance and security provider with a particular focus on companies that need to securely exchange data assets. Theom supplies a solution that offers data access governance, data breach detection, data contract governance, and AI governance and security. It is aimed at larger enterprises in this sector.

Theom offers flexible deployment support with SaaS, cloud images, and an on-premises deployment model that is provided under contract only. The solution requires no proxies or agents to integrate with existing platforms, and once given access, it will autodiscover repositories and classify the data within them. Theom can identify a range of risks, including unprotected sensitive data, humans masquerading as service accounts, and data being accessed by machines with vulnerabilities. It can also track data lineage and ensure controls follow the data across technology platforms. Theom’s risk dashboard shows potential threats, mapped against MITRE, which include possible reconnaissance behavior as well as detection of potential data leak. The solution also applies financial values against data sets, which can include specific values identified in customer/supplier contracts.

An impressive part of the Theom platform is focused on the data exchange contracts market. It offers a unique capability among the vendors we evaluated. The platform can import details directly from customers’ data exchange contracts, then normalize this information to turn it into data protection policies. It can use this information to compare how the data is stored with contract compliance requirements and determine where there is risk specific to those contracts. This will provide a significant benefit to customers in this space.

Theom has also invested well in its AI security and governance capabilities, an increasingly important market. It can apply the same identity and access framework used on data to govern retrieval-augmented generation (RAG) to enable better accuracy and relevance of large language model (LLM) responses and protects against prompt injection attacks to protect the integrity of AI models from bad actors.

Theom also provides an interesting purchase option for customers. Its outcome-based models allow customers to buy a single service engagement that’s defined by a specific, predetermined criterion. This was a unique proposition among the vendors we evaluated.

Strengths
Areas where Theom is particularly strong include:

  • Security posture assessment: Theom is the only vendor we evaluated specializing in companies operating data exchange contracts. The vendor provides a range of impressive assessment capabilities that are specific to that market but potentially offer wider applications. It provides good assessment capabilities against global common frameworks and extends this by being able to import data-sharing contracts, which it can normalize, and then provide security posture information against the specific demands of that contract. It also provides a cost against risk metric, which can be a useful measure for non-IT teams.
  • DDR: The solution uses insights and its AI-driven contextual awareness to learn behavior related to identity (human, service account, AI bot), roles, data operations (DDL), data manipulation (DML), and data lineage. When it sees anomalies in behavior, it can successfully block both insider and outsider attacks. The vendor also works with customers to help build complex runbooks to deal with specific threats.
  • Data access intelligence: Theom gives detailed insight into access and risk. It scans through configuration and audit logs for each datastore and presents insights regarding who has access, who has accessed, frequency of access, what privileges are used to access, any atypical access, abnormal queries (including login locations and times), masking policies, and violation of the masking policies.

Challenges
Areas for improvement include:

  • SaaS Support: The solution currently does not provide integration with SaaS services such as Microsoft 365 or Google Workspace. Customers with a focus on DSPM across these types of data sets may need to consider other solutions instead of Theom or to supplement it.

Purchase Considerations
The solution does have some limits around its SaaS support, currently lacking integrations with Microsoft 365 or Google Workspace. Those looking to apply DSPM to those platforms will have to consider alternative solutions and whether the other benefits Theom brings outweigh this gap.

Theom offers a standard consumption-based model with four different licensing packages to provide customer flexibility. However, it also offers an interesting outcome-based pricing model. This allows a customer to pay Theom for the delivery of a specific outcome—for example, meeting or exceeding certain cost savings. In this model, the customer buys the software as well as professional services to deliver the right integrations in their workflows so that the customer gets the specific outcome. Customers may find this an interesting approach to meet a specific need. However, it is likely to cost more than the standard delivery model.

For companies that operate data exchange businesses, Theom offers some unique and powerful features that will make it very attractive. Those features may also appeal to other data service providers concerned about contractual data risks. The solution also provides very strong impact analysis, a useful feature for organizations that need such information. Its investment in AI governance and AI security will also be extremely interesting to those applying learning models against data sets, as it ensures the integrity and security of both the data sets and the AI tools using them to learn.

Radar Chart Overview
The broad range of capabilities places Theom on the Platform Play side of the Radar. Its strong scoring across all of our decision criteria position it as a Leader. Its novel approach to the market also placed it on the Innovation side of the chart.

Varonis

Solution Overview
Varonis is a data security vendor whose Data Security Platform offers protection for complex data ecosystems. Varonis is a long-established vendor in this space with a large global customer base across all industries. Its target market is enterprises with over 1,000 employees.

The Varonis platform is predominantly a SaaS solution that is also available on the Azure and AWS marketplaces. It retains a self-hosted version, primarily for federal customers.

The Data Security Platform provides comprehensive capabilities, including in areas such as DLP and UEBA, and it offers an extremely broad range of supported integrations across SaaS (including Microsoft 365, Google Workspace, and Salesforce), on-premises, IaaS/PaaS, and databases. Integration is via API, avoiding the need for agents and proxies.

The solution provides detailed threat analysis, with its dashboards reporting on data classifications and exposure, deep permissions, and data usage analysis. This allows Varonis to identify access that’s no longer needed or used, stale files that contain sensitive information, and other data risks. It can determine threat posture against a wide range of global frameworks, showing areas such as misconfigurations and their impact on framework compliance. This includes built-in remediation capabilities, which allow configurations to be fixed directly from the UI without ticketing or third-party workflows. Response to threats can be automated with alerts triggering scripts. The solution provides a good investigation engine that allows a user to quickly examine datasets to understand risks or possible incidents.

Another significant value included in every subscription is that Varonis’s internal incident response team can also see potential threats and will inform customers to help reduce risk. This availability as part of the product is unique among the vendors we evaluated and provides customers a strong layer of support.

Strengths
Areas where Varonis is particularly strong include:

  • Data mapping: This is a traditional Varonis strength that continues to develop. It can report on all data interactions, including create, move, modify, delete, upload/download, send, and receive. Its classification engine will report on sensitive data flows, and it couples this with posture and permissions analysis that provides proactive insight into risks in target data locations. It can also identify misconfigurations and missing security controls, and baselines the information against laws and best practices to provide detailed posture insight.
  • Security posture assessment: Varonis’s broad data repository integration provides a comprehensive view of data across organizations, even those with complex data infrastructure. It provides excellent insight into many frameworks to help customers develop a strong data security posture. Its incident response service, included as part of a subscription, provides a proactive alerting service for customers that ensures threats are not missed and can be rapidly mitigated.
  • Impact analysis: Varonis provides a complete audit trail of activity and a map of all potential access by accounts and services on the data stores and infrastructure it monitors. It shows which frameworks would be impacted if that data was breached, which, in the event of an incident, provides significant value in understanding the impact and limiting its spread.

Challenges
Areas for improvement include:

  • Cost: Varonis provides a comprehensive offering but at a premium price. The pricing is on a per-user basis, which can make it expensive for companies with a disproportionate number of users in relation to the amount of data.
  • On-premises deployment: With the release of its flagship Data Security Platform as a SaaS service, Varonis has prioritized feature development in that area rather than its self-hosted version. Those needing on-premises deployment will need to consider this.

Purchase Considerations
Varonis provides a comprehensive solution priced on a per-user basis, which can be an issue for those with relatively low data requirements in comparison with user numbers. Customers should also be aware that Varonis positions itself as a platform solution, so its strong capabilities do come at a price. Its proactive incident response for all of its customers, provided with all subscriptions, is a feature that could potentially bring strong value. For organizations with more than 1,000 users that need a comprehensive solution covering both cloud and on-premises repositories, Varonis will be a good choice.

Radar Chart Overview
Varonis offers a comprehensive solution that scored well on all of our decision criteria, placing it in the Leaders circle. The vendor continues to build on its well-established offering, which puts it in the Maturity/Platform Play quadrant.

6. Analyst’s Outlook

DSPM is a new technology space but one that has evolved from a number of existing disciplines. That evolution has been driven by changes in the way organizations are structured, their working practices, the adoption of the cloud, and the increased demands companies place on their data.

This was highlighted during our research by the large number of vendors we assessed as innovators in this space. It’s a field where relatively few of the vendors were building on mature technology stacks. However, some of those evolving their stacks are already delivering comprehensive DSPM solutions.

When evaluating DSPM solutions, there are some questions that organizations must ask themselves to help identify potential vendors. While most of the vendors we evaluated are capable of carrying out discovery and classification, there are areas of differentiation that an organization should consider.

  • DSPM goals: As with all data security-centric projects, customers must have a clear goal in mind before embarking on the venture. Is it to meet compliance needs, a desire to build a detailed view of data controls, or to reduce security risks? Determining the answer to this is essential in finding the right solution.
  • On-premises requirements: The majority of vendors we evaluated focus primarily on cloud repositories for the datasets they would effectively evaluate. However, many enterprises still have substantial datasets on-premises that must be part of any DSPM approach. Organizations should consider the type of data they work with—unstructured, structured, or a mix—and whether they need a solution that can integrate with databases, file shares, and NAS platforms. If so, this will limit potential solution partners.
  • Deployment models: Most of the vendors offered cloud deployments, either using SaaS or a cloud image. However, many organizations have concerns about maintaining the locality of the information they hold. Some vendors do offer on-premises deployments, but many don’t, instead providing the option to install specific elements of the solution inside an individual cloud tenant. If your data must remain within a certain geographical region, be sure to choose a vendor that enables this.

Understanding these three key areas will help companies to quickly focus on the correct partners capable of meeting their needs.

This is a sector that is going to continue to develop, perhaps most significantly in response to the increasing adoption of AI and ML by organizations. There is, and will continue to be, an increasing need for tools that can help customers deploy AI securely and ensure that only clean data is used in teaching the models. DSPM providers recognize this and see themselves as valuable partners to help in these endeavors.

To learn about related topics in this space, check out the following GigaOm Radar reports:

7. Methodology

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Paul Stringfellow

Paul Stringfellow has more than 25 years of experience in the IT industry helping organizations of all kinds and sizes use technology to deliver strong business outcomes. Today, that work focuses mainly on helping enterprises understand how to manage their data to ensure it is protected, secure, compliant, and available. He is still very much a “hands-on” practitioner and continues to be involved in a diverse range of data projects. Paul has been recognized across the industry and has spoken at many industry, vendor, and community events. He writes for a number of industry publications to share his enthusiasm for technology and to help others realize its value.

Paul hosts his own enterprise technology webcast and writes regularly on his blog.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2024 "GigaOm Radar for Data Security Posture Management (DSPM)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.

Continue reading complimentary Radar Reports

What do you get with a GigaOm Research Subscription?

Stay Informed

A GigaOm Research Subscription ensures you stay at the forefront of technology trends, industry insights, and the vendor landscape, providing you with the knowledge to make informed decisions.

Expert Guidance

GigaOm’s team of practitioner analysts provides expert analysis and actionable intelligence that empowers you to navigate the complex tech landscape with confidence.

Career Investments

GigaOm’s subscription helps you continually invest in your career, ensuring you know the right solutions and strategies to drive innovation and growth at your organization.