Data Security Posture Management overview

Data Security Posture Management (DSPM) helps you understand what data you have, where your data is stored, and whether it is used in a way that aligns with your security and compliance requirements. DSPM lets you complete the following tasks:

  • Discover data resources within your Google Cloud environment using filters such as resource type, location, and project ID.

  • Evaluate your current data security posture against Google's recommended best practices so that you can identify and remediate potential security and compliance issues.

  • Map your data security and compliance requirements to data security cloud controls.

  • Apply data security cloud controls using frameworks.

  • Monitor how well your workloads align with applied data security frameworks, remediate any violations, and generate evidence for audit.

DSPM works with Sensitive Data Protection. Sensitive Data Protection finds the sensitive data in your organization, and DSPM lets you deploy data security cloud controls on the sensitive data to meet your security and compliance requirements.

DSPM components

The following sections describe the components of DSPM.

Data security dashboard

The data security dashboard in the Google Cloud console lets you see how your organization's data aligns with your data security and compliance requirements.

The data map explorer on the data security dashboard shows the geographic locations where your data is stored and lets you filter information about your data by geographic location, how sensitive the data is, the associated project, and which Google Cloud services store the data. The circles on the data map represent the relative count of data resources and data resources with alerts in the region.

You can view data security findings, which occur when a data resource violates a data security cloud control. Data security findings use the DATA_SECURITY finding category. When a new finding is generated, it can take up to two hours for the finding to appear on the data map explorer.

You can also review information about the data security frameworks that are deployed, the number of open findings associated with each framework, and the percentage of resources in your environment covered by at least one framework.

Data security frameworks

You use frameworks to define your data security and compliance requirements and apply those requirements to your Google Cloud environment. DSPM includes the Data security and privacy essentials framework, which defines recommended baseline controls for data security and compliance. When you enable DSPM, this framework is automatically applied to the Google Cloud organization in detective mode. You can use the generated findings to harden your data posture.

If required, you can make copies of the framework to create custom data security frameworks. You can add the advanced data security cloud controls to your custom frameworks and apply the custom frameworks to the organization, folders, or projects. For example, you can create custom frameworks that apply jurisdictional controls to specific folders to ensure that data within those folders stays within a particular geographical region.

Data security and privacy essentials framework

The following cloud controls are part of the Data security and privacy essentials framework.

  • SENSITIVE_DATA_BIGQUERY_TABLE_CMEK_DISABLED: Detect when a customer-managed encryption key (CMEK) isn't used for BigQuery tables that include sensitive data.
  • SENSITIVE_DATA_DATASET_CMEK_DISABLED: Detect when CMEK isn't used for BigQuery datasets that include sensitive data.
  • SENSITIVE_DATA_PUBLIC_DATASET: Detect sensitive data within publicly accessible BigQuery datasets.
  • SENSITIVE_DATA_PUBLIC_SQL_INSTANCE: Detect sensitive data within publicly accessible SQL databases.
  • SENSITIVE_DATA_SQL_CMEK_DISABLED: Detect when CMEK isn't used for SQL databases that include sensitive data.

Advanced data security cloud controls

DSPM includes advanced data security cloud controls to help you meet additional data security requirements. These advanced data security cloud controls include the following:

  • Data access governance: Detects whether principals other than the ones that you specify are accessing sensitive data.
  • Data flow governance: Detects whether clients outside of the specified geographic (country) locations are accessing sensitive data.
  • Data protection and key governance: Detects whether sensitive data is being created without customer-managed encryption key (CMEK) encryption.
  • Data deletion: Detects violations of maximum retention period policies for sensitive data.

These controls support detective mode only. For more information about deploying these controls, see Use DSPM.

Data security cloud controls

The following sections describe the advanced data security cloud controls.

Data access governance cloud control

This control restricts access to sensitive data to the principal sets that you specify. When a principal that isn't in the allowed set attempts to access a data resource (a non-conformant access attempt), a finding is created. Supported principal types are user accounts or groups. For information about what format to use, see the supported principal format table.

User accounts include the following:

  • Consumer Google Accounts that users sign up for on google.com, such as Gmail.com accounts
  • Managed Google Accounts for businesses
  • Google Workspace for Education accounts

User accounts don't include robot accounts, service accounts, delegation-only brand accounts, resource accounts, and device accounts.

Supported asset types include the following:

  • BigQuery datasets and tables
  • Cloud Storage buckets
  • Vertex AI models, datasets, feature stores, and metadata stores

DSPM evaluates for conformance with this control whenever a user account reads a supported resource type.

This cloud control requires that you enable Data Access audit logs for Cloud Storage and Vertex AI.

Limitations include the following:

  • Only read operations are supported.
  • Access by service accounts, including service account impersonation, is exempt from this control. As a mitigation, ensure that only trusted service accounts have access to sensitive Cloud Storage, BigQuery, and Vertex AI resources. Additionally, don't grant the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role to users who shouldn't have access.
  • This control doesn't prevent access by users to copies that are made through service account operations such as those made by Storage Transfer Service and BigQuery Data Transfer Service. Users could access copies of data which don't have this control enabled.
  • Linked datasets aren't supported. Linked datasets create a read-only BigQuery dataset that acts as a symbolic link to a source dataset. Linked datasets don't produce data access audit logs and might let an unauthorized user read data without it being flagged. For example, a user could bypass the access control by linking a dataset to a dataset outside of your compliance boundary and they could then query the new dataset without generating logs against the source dataset. As a mitigation, don't grant the BigQuery Admin (roles/bigquery.admin), BigQuery Data Owner (roles/bigquery.dataOwner) or BigQuery Studio Admin (roles/bigquery.studioAdmin) roles to users who shouldn't have access to sensitive BigQuery resources.
  • Wildcard table queries are supported at the dataset level, but not the table level. This feature lets you query multiple BigQuery tables at the same time using wildcard expressions. DSPM processes wildcard queries as though you're accessing the parent BigQuery dataset, not individual tables within the dataset.
  • Public access to Cloud Storage objects isn't supported. Public access grants access to all users without any policy checks.
  • Access to or downloads of Cloud Storage objects using authenticated browser sessions aren't supported.

Data flow governance cloud control

This control lets you specify the countries from which data can be accessed. The cloud control works as follows:

  • If a read request comes from the internet, the country is determined based on the IP address of the read request. If a proxy is used to send the read request, alerts are sent based on the location of the proxy.

  • If the read request comes from a Compute Engine VM, the country is determined by the cloud zone where the request originates.

Supported asset types include the following:

  • BigQuery datasets and tables
  • Cloud Storage buckets
  • Vertex AI models, datasets, feature stores and metadata stores

Limitations include the following:

  • Only read operations are supported.
  • For Vertex AI, only requests from the internet are supported.
  • Public access to Cloud Storage objects isn't supported.
  • Access to or downloads of Cloud Storage objects using authenticated browser sessions aren't supported.
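A simplified evaluation model of the data access governance and data flow governance controls described in the two sections above, as an added example that is not Google's code: it applies the documented scope rules (read operations only, supported asset types, the service-account exemption, IP-based versus zone-based country resolution, and internet-only evaluation for Vertex AI) to constructed audit events. The principal format, asset type names, lookup tables and finding fields are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

IP_TO_COUNTRY = {"203.0.113.10": "US", "198.51.100.7": "DE"}        # constructed
ZONE_TO_COUNTRY = {"us-central1-a": "US", "europe-west3-b": "DE"}    # constructed
# Asset types both controls evaluate (type names are assumed, not an API).
SUPPORTED_ASSETS = {"bigquery.dataset", "bigquery.table", "storage.bucket",
                    "vertexai.model", "vertexai.dataset", "vertexai.featurestore"}

@dataclass
class AccessEvent:
    principal: str                     # "user:..." or "serviceAccount:..." (assumed)
    operation: str                     # "read" or "write"
    asset_type: str
    source_ip: Optional[str] = None    # set when the request came from the internet
    vm_zone: Optional[str] = None      # set when it came from a Compute Engine VM

def in_scope(event):
    # Both controls evaluate read operations on supported asset types only.
    return event.operation == "read" and event.asset_type in SUPPORTED_ASSETS

def access_governance_finding(event, allowed_principals):
    if not in_scope(event):
        return None
    # Service accounts (including impersonation) are exempt: a documented
    # limitation, so no finding here does not mean the access was conformant.
    if event.principal.startswith("serviceAccount:"):
        return None
    if event.principal in allowed_principals:
        return None
    return {"category": "DATA_SECURITY", "control": "data_access_governance",
            "principal": event.principal, "asset_type": event.asset_type}

def request_country(event):
    # VM requests resolve by cloud zone; internet requests by source IP, which
    # is the proxy's address when a proxy is in the path.
    if event.vm_zone:
        return ZONE_TO_COUNTRY.get(event.vm_zone)
    return IP_TO_COUNTRY.get(event.source_ip)

def flow_governance_finding(event, allowed_countries):
    # Vertex AI is evaluated only for internet-originated requests.
    if not in_scope(event) or (event.asset_type.startswith("vertexai.") and event.vm_zone):
        return None
    country = request_country(event)
    if country in allowed_countries:
        return None
    # An unresolvable country is treated as non-conformant here (assumption).
    return {"category": "DATA_SECURITY", "control": "data_flow_governance",
            "country": country, "asset_type": event.asset_type}
```

Note that the service-account exemption applies only to the access governance check; the flow governance check still resolves and evaluates the country for service-account reads.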

Data protection and key governance cloud control

This control requires that you encrypt specific resources using CMEKs.

Supported asset types include the following:

  • BigQuery datasets and tables
  • Vertex AI models, datasets, feature stores and metadata stores

Data deletion cloud control

This control governs the retention period for sensitive data. You can select resources (for example, BigQuery tables) and apply a data deletion cloud control that detects if any of the resources violate maximum age retention limits.

Supported asset types include the following:

  • BigQuery datasets and tables
  • Vertex AI models, datasets, feature stores, and metadata stores
