Infosec glossary
DSPM
Data Security Posture Management
Organizations store data across cloud services, databases, data warehouses, object stores, and software services. Security teams may not know where sensitive data resides, who can access it, or whether its storage and permissions follow policy. DSPM addresses that visibility and assessment problem.
DSPM maps sensitive data and its security context
Data discovery identifies stores and datasets, while classification determines whether they contain information such as personal data, credentials, financial records, intellectual property, or regulated content. Context then shows the cloud account, owner, location, service, and environment associated with that data.
Security assessment adds information about encryption, public exposure, identity permissions, cross-account access, copies, and other conditions. This combination helps distinguish an expected dataset from one stored or shared in a risky way.
Core DSPM functions
DSPM systems connect to supported data services and inspect metadata, configurations, permissions, or data samples. Discovery methods differ, so organizations should consider service coverage, scanning depth, data handling, and whether analysis moves content outside its original environment.
Findings may identify a public store, an overprivileged identity, an unencrypted dataset, a stale copy, or sensitive data in an unapproved location. Remediation may change a configuration, remove access, assign an owner, delete an unnecessary copy, or document an accepted condition.
- Sensitive data discovery and classification
- Access and entitlement analysis
- Storage configuration and exposure assessment
- Ownership, prioritization, and remediation tracking
DSPM differs from DLP and data governance
Data loss prevention monitors or controls how data moves through endpoints, networks, applications, or cloud services. Data governance defines ownership, quality, retention, use, and accountability. DSPM concentrates on the security state and exposure of sensitive data across connected environments.
The disciplines can share classification labels and policy information. They remain distinct because they answer different questions about data use, movement, ownership, and security risk.
Related reading
The term is clearer when the nearby language is clear too.
Use the pages below when you need adjacent terms, category context, or a longer explanation instead of leaving the definition to stand on its own.
Adjacent terms
Further reading
Sources used to check the definition and terminology
Guides
Where the definition expands into a longer explanation
A practical pre-publish review process for cybersecurity content covering terminology, claims, audience fit, proof, structure, and trust.
How Security Vendors Should Brief External WritersA practical briefing framework for cybersecurity teams working with freelance writers, agencies, or specialist editors on website copy, articles, whitepapers, and proof assets.