Architecture & defense

DSPM (Data Security Posture Management)

Tools that continuously discover sensitive data across cloud and SaaS, classify it, map access paths, and flag exposure — a posture layer above DLP that focuses on where data sits rather than what crosses the perimeter.

Data Security Posture Management (DSPM) is a category named by Gartner in 2022. DSPM tools continuously discover where sensitive data sits across cloud object stores, data warehouses, and SaaS apps; classify it (PII, PHI, source code, financials); map who and what can reach it; and flag misconfigurations or unexpected exposure paths.

The category emerged because the traditional perimeter assumption no longer holds: customer data is in Snowflake, BigQuery, S3, Google Drive, Dropbox, Notion, Salesforce — not behind a firewall. DSPM answers one question: “do we still know where our sensitive data is, and who can reach it?”

DSPM is often compared with DLP. The difference is angle of attack:

  • DLP sits on egress paths and inspects content in motion (email, endpoint, web upload). It asks “is this transfer allowed?”
  • DSPM sits on the data at rest and the access graph. It asks “should this data even be reachable from there?”

Most enterprises now run both. Representative vendors: Wiz DSPM, Cyera, Varonis, Microsoft Purview, Sentra, Normalyze.

DSPM frequently produces findings like “this S3 bucket holding production PII is publicly readable”, “this Notion page with employee salary data is shared with the entire workspace”, or “this Snowflake share to a partner has been dormant for 11 months”. Each of those findings has a human story behind it — somebody clicked “Anyone with the link”, somebody approved an OAuth scope, somebody forgot to revoke. That’s the layer Engarde watches, distinct from other vendors sharing the Engarde name.
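As an added illustration (not Engarde's or any vendor's code), here is the posture logic behind two of the findings above reduced to its essentials: a classified inventory of data stores is joined with the resource policy and sharing state of each, and a finding is raised when sensitive data is readable by an anonymous principal or when an external share has gone dormant. The asset records, bucket names and account id are constructed for the example.

```python
from datetime import date

# Constructed result of a DSPM discovery/classification pass (not real data): each
# store's sensitivity label, the resource policy governing it, and its external shares.
ASSETS = [
    {"name": "s3://prod-customer-exports", "classification": "PII", "shared_with": [],
     "last_accessed": "2024-05-10",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject"}]}},
    {"name": "s3://finance-partner-feed", "classification": "financials",
     "shared_with": ["arn:aws:iam::111122223333:root"], "last_accessed": "2023-06-01",
     "policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                               "Action": ["s3:GetObject", "s3:ListBucket"]}]}},
    {"name": "s3://www-static-assets", "classification": "public", "shared_with": [],
     "last_accessed": "2024-05-14",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                               "Action": "s3:GetObject"}]}},
]

def grants_public_read(policy):
    """True if an unconditioned Allow lets an anonymous principal read objects; statements
    with a Condition (e.g. a VPC-endpoint restriction) are skipped, not evaluated."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if anonymous and {"s3:GetObject", "s3:*", "*"}.intersection(actions):
            return True
    return False

def evaluate(assets, today, dormant_after_days=180):
    """Map the inventory to findings: sensitive data readable anonymously, and
    external shares nobody has touched for longer than the threshold."""
    findings = []
    for asset in assets:
        if asset["classification"] != "public" and grants_public_read(asset["policy"]):
            findings.append((asset["name"], "PUBLIC_READ_SENSITIVE"))
        idle_days = (today - date.fromisoformat(asset["last_accessed"])).days
        if asset["shared_with"] and idle_days > dormant_after_days:
            findings.append((asset["name"], f"DORMANT_SHARE:{idle_days}d"))
    return findings

if __name__ == "__main__":
    for name, finding in evaluate(ASSETS, date(2024, 5, 15)):
        print(f"{finding:26} {name}")
```

The public static-assets bucket produces no finding because its classification says it is meant to be public; the same policy on the PII bucket does, which is the classification-plus-access-graph join that distinguishes DSPM from a plain misconfiguration scan.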
