Ctadel

DSPM: Data Security Posture Management

What DSPM looks for

DSPM samples data inside cloud resources, not just their configuration. The detection categories cover:

  • PII: email addresses, phone numbers, national IDs, dates of birth.
  • Financial: credit-card numbers (Luhn-validated), IBANs, SWIFT codes.
  • Health: medical record numbers, ICD codes (HIPAA scope).
  • Authentication material: API tokens, cloud keys, private keys, JWT secrets. These also surface in Secrets detection, but DSPM catches them inside stored data rather than in source code.
  • Internal: customer IDs, employee IDs, structured exports.

Each rule is a pattern with optional validators (e.g. Luhn for credit cards, checksum for IBAN, modulo-97 for SSN-style identifiers).

Where DSPM scans

Source | How
Object storage (Scaleway Object Storage, AWS S3, GCS, Azure Blob, OVHcloud Object) | Stream objects and sample content
Relational databases (Scaleway Database, AWS RDS, Cloud SQL, Azure SQL) | Sample rows from text columns
Volume snapshots | Read-only filesystem mount, sample text files

We never copy your data out of your environment. Sampling happens inside the infrastructure that holds the cloud credential, in our European region.

How findings are scored

Each finding reports a match count (rows or lines containing the pattern) and, when the resource was sampled rather than read in full, an estimated total. The sample size and the total row count are both reported, so you can judge how much confidence to place in the estimate.

A bucket with 50,000 rows of which 1,000 were sampled and 250 matched gives an estimate of around 12,500 PII records, with confidence proportional to sample size. Ctadel makes this explicit instead of pretending to be exact.
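As an added illustration (not Ctadel's own code), the extrapolation above can be carried out with a sampling interval, so the reported range visibly tightens as the sample grows. The interval method (normal approximation with a finite-population correction) is an assumption; the page only states that confidence is proportional to sample size.

```python
import math


def estimate_matches(total_rows, sampled_rows, matched_rows, z=1.96):
    """Extrapolate a sampled match count to the whole resource.

    Returns (point_estimate, low, high): the estimated number of matching
    rows plus a normal-approximation interval on the match proportion,
    scaled to the population. A finite-population correction shrinks the
    interval as the sample approaches the full resource, collapsing it to
    the point estimate when every row was read.
    """
    if sampled_rows <= 0 or sampled_rows > total_rows:
        raise ValueError("sampled_rows must be between 1 and total_rows")
    if not 0 <= matched_rows <= sampled_rows:
        raise ValueError("matched_rows must be between 0 and sampled_rows")

    p = matched_rows / sampled_rows
    # Finite-population correction: (N - n) / (N - 1), zero for a full scan.
    fpc = (total_rows - sampled_rows) / (total_rows - 1) if total_rows > 1 else 0.0
    se = math.sqrt(p * (1 - p) / sampled_rows * fpc)

    low = max(0.0, p - z * se)
    high = min(1.0, p + z * se)
    point = round(p * total_rows)
    return point, math.floor(low * total_rows), math.ceil(high * total_rows)


def describe(total_rows, sampled_rows, matched_rows):
    """Human-readable finding line in the spirit of the example above."""
    point, low, high = estimate_matches(total_rows, sampled_rows, matched_rows)
    return (f"{matched_rows}/{sampled_rows} sampled rows matched; "
            f"estimated {point} of {total_rows} rows (95% range {low}-{high})")


if __name__ == "__main__":
    # Constructed figures matching the worked example: 50,000 rows,
    # 1,000 sampled, 250 matched.
    print(describe(50_000, 1_000, 250))
    # Same match rate from a ten-times larger sample: same point, tighter range.
    print(describe(50_000, 10_000, 2_500))
```
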

How DSPM feeds toxic combinations

When DSPM detects sensitive data on a resource, that resource is flagged as high-value in the security graph. Toxic-combination rules use that flag to surface chains that end on data, not just on resources, so a "public bucket" finding becomes a "public bucket holding 12,000 PII records" finding.

DSPM vs Secrets

There is overlap: both look for patterns. The split is:

  • Secrets focuses on credentials (cloud keys, vendor tokens, private keys) and runs across IaC, env files, source code, plus volumes and buckets.
  • DSPM focuses on sensitive data subjects (PII, PCI, PHI) and runs primarily against data storage.

A finding can match both detectors. You'll see it in both module pages with its appropriate classification.

What's next