This document describes how you can enable and use Data Security Posture Management (DSPM).
Enable DSPM
Complete the following to enable DSPM at the organization level:
- To get the permissions that you need to enable DSPM, ask your administrator to grant you the following IAM roles on your organization:
  - Organization Administrator (roles/resourcemanager.organizationAdmin)
  - Security Center Admin (roles/securitycenter.admin)
  For more information about granting roles, see Manage access to projects, folders, and organizations. You might also be able to get the required permissions through custom roles or other predefined roles.
- Enable DSPM using one of the following methods:
  - If you haven't activated Security Command Center in your organization, then Activate Security Command Center Enterprise.
  - If you've already activated the Enterprise service tier of Security Command Center, add DSPM using the Activate DSPM page.
- Enable discovery of the resources that you want to protect with DSPM.
When you enable DSPM, the following services are also enabled:
- Compliance Manager to create, apply, and manage data security frameworks and cloud controls.
- Sensitive Data Protection to use data sensitivity signals for default data risk assessment.
- Event Threat Detection (part of Security Command Center) at the organization level to use the data access governance cloud control and the data flow governance cloud control.
- AI Protection to help secure the lifecycle of your AI workloads.
The DSPM service agent (service-org-ORGANIZATION_ID@gcp-sa-dspm-hpsa.iam.gserviceaccount.com) is created when you enable DSPM.
For information about the DSPM Identity and Access Management roles, see Identity and Access Management for organization-level activations.
Use the DSPM dashboard
Complete the following actions to use the dashboard to analyze your data security posture.
- To get the permissions that you need to use the DSPM dashboard, ask your administrator to grant you the following IAM roles on your organization:
  - Data Security Posture Management Admin (roles/dspm.admin)
  - Security Center Admin (roles/securitycenter.admin)
  - For read-only access:
    - Data Security Posture Management Viewer (roles/dspm.viewer)
    - Security Center Admin Viewer (roles/securitycenter.adminViewer)
  For more information about granting roles, see Manage access to projects, folders, and organizations. You might also be able to get the required permissions through custom roles or other predefined roles.
- Use the DSPM dashboard for data discovery and risk analysis. When you enable DSPM, you can immediately assess how your environment aligns with the Data security and privacy essentials framework.
In the console, click the Data Security & Compliance tab under Data Protection.
The following information is available:
- Data map explorer
- Data security findings
- Insights about applied data security controls and frameworks
Use this information to review and remediate findings so that your environment better aligns with your security and compliance requirements.
The data map explorer might take 24 hours after you activate Security Command Center to populate all the data from Security Command Center and Cloud Asset Inventory.
Create custom data security frameworks
If required, copy the Data security and privacy essentials framework and customize it to meet your data security and compliance requirements. For instructions, see Apply a framework.
Deploy advanced data security cloud controls
If required, add the advanced data security cloud controls in custom frameworks. These controls require additional configuration. For instructions on deploying cloud controls and frameworks, see Apply a framework.
Consider the following:
- Review the information for each advanced data security cloud control for limitations.
- Complete the tasks for each rule, as described in the following table.
Rule: Data access governance cloud control
Additional configuration:
- Enable Data Access audit logs for Cloud Storage and Vertex AI (where applicable in your environment). Set the data access permission type to DATA_READ. Enable the data access logs at the organization level or project level, depending on where you apply the Data access governance cloud control. Verify that only authorized principals are exempted from audit logging. Principals exempted from audit logging are also exempted from DSPM.
- Add one or more allowed principals (up to a maximum of 200 principals), using one of the following formats:
  - For a user, principal://goog/subject/USER_EMAIL_ADDRESS. Example: principal://goog/subject/alex@example.com
  - For a group, principalSet://goog/group/GROUP_EMAIL_ADDRESS. Example: principalSet://goog/group/my-group@example.com

Rule: Data flow governance cloud control
Additional configuration:
- Enable Data Access audit logs for Cloud Storage and Vertex AI (where applicable in your environment). Set the data access permission type to DATA_READ. Enable the data access logs at the organization level or project level, depending on where you apply the Data access governance cloud control. Verify that only authorized principals are exempted from audit logging. Principals exempted from audit logging are also exempted from DSPM.
- Specify allowed countries using the country codes that are defined in the Unicode Common Locale Data Repository (CLDR).

Rule: Data protection and key governance cloud control
Additional configuration:
- Enable CMEK in BigQuery and Vertex AI.

Rule: Data deletion cloud controls
Additional configuration:
- Set the retention periods. For example, to set a 90 day retention period in seconds, set the retention period to 777600.