Data Classification & DSPM
Business objective
Data Security Posture Management (DSPM) discovers, classifies, and assesses the posture of data at rest across cloud stores, SaaS, databases, and file shares. It is the labeler that knows where sensitive data lives — Client confidential, Employee confidential, Legal privileged, IP, MNPI, PII — and how exposed it is (who can reach it, whether it is encrypted, whether it sits in the wrong place).
You cannot protect, or decide what an AI model is allowed to retrieve, data you have not found and classified. DSPM is the map that every downstream data control (dlp, data-access-governance, entitlement-aware-rag) reads from.
When you need it
Day-1. For a hedge fund the sensitive-data inventory is foundational: you have MNPI, PII, and privileged/IP material scattered across SharePoint, OneDrive, email, data warehouses, and SaaS. Before you point any AI assistant or RAG pipeline at internal content, you need to know what is sensitive and where it is. DSPM is also the precondition for credible model-risk and regulatory conversations (you can show where regulated data lives and who can touch it).
Security role
A detective, out-of-band control against sensitive-data exposure — it does not block anything at runtime, it finds and labels the sensitive data so other controls can act. It mostly inventories data sitting in the green zone (internal stores) and flags where that data is over-exposed to yellow/red paths. It is the discovery layer underneath the enforcement controls; on its own it prevents nothing, but nothing else in the data layer works well without it.
Vendors
Broad-platform / data-governance-led:
- microsoft-purview — native classification + labeling across the Microsoft estate; default for M365/Azure-heavy shops (also does dlp).
- bigid — discovery and classification breadth across structured/unstructured; privacy and data-governance heritage.
- securiti — data command-center spanning DSPM, privacy, and AI governance.
- collibra — data-catalog/governance lineage; more cataloging than security posture.
- immuta — data-access policy and governance for analytic data platforms.
Cloud-native DSPM:
- cyera — AI-driven data classification; spans DSPM, dlp, and data-access-governance.
- sentra — cloud DSPM with data-access context.
- normalyze — cloud-data security posture (seed flags acquisition — see below).
- wiz — DSPM as part of a broader cloud-security platform (also ai-spm).
- bedrock-security — data-store discovery and posture.
- symmetry-systems — data-store-centric posture and access analysis.
- concentric-ai — AI-based classification of unstructured data (also data-access-governance).
- rubrik — DSPM bolted onto data-resilience/backup footprint.
Cross-listed:
- onetrust — data discovery/classification within a broader GRC/privacy suite.
- netskope — DSPM as part of its SSE/data-protection platform.
Consolidation / M&A dynamics
- normalyze — acquired by Proofpoint (per seed; unverified — to confirm in research).
- wiz — acquired by Google (per seed; unverified — to confirm in research).
Beyond the specific flags, DSPM is consolidating in two directions: cloud-security platforms (Wiz, Netskope) absorbing it as a feature, and data-governance/privacy suites (OneTrust, Securiti, Collibra) folding it in alongside cataloging.
Adjacent categories
- dlp — DSPM finds and labels data at rest; DLP enforces at the egress moment. The CSV merges them; we keep them split (see Survey notes).
- data-access-governance — consumes DSPM classification to right-size who can reach the sensitive data; several vendors do both.
- entitlement-aware-rag — relies on classification/labels so an AI assistant never retrieves data the user could not see.
- ai-spm — posture management for AI assets, conceptually parallel to DSPM for data.
Survey
Question. Which data classification / DSPM tools is your firm using or evaluating to discover and classify sensitive data at rest?
Answer options. Microsoft Purview, BigID, Securiti, Cyera, Sentra, Normalyze, Wiz, Bedrock Security, Symmetry Systems, Concentric AI, Rubrik, Immuta, Collibra, OneTrust, Netskope, Other (Please Specify).
Response scale. multi-select; Interested; Considering/evaluating; Pilot/implementing; In production; Would recommend; Would not recommend.
Notes for survey design.
- The seed CSV asks one merged question (
DSPM / Data Governance / DLP). Per taxonomy gap D2 we split it into DSPM (this page) and dlp. Several vendors — Cyera, Sentra, Concentric AI, Microsoft Purview, Netskope — legitimately answer both questions; expect respondents to tick the same vendor on both pages, and note that on the DLP page too. - Table-stakes for most respondents: Microsoft Purview (often already owned via M365).
- Watch overlap confusion between “DSPM” and “data catalog/governance” — Collibra and Immuta lean governance/cataloging, not security posture; some respondents will not think of them as DSPM.
- M&A may date options: confirm Normalyze (Proofpoint) and Wiz (Google) status before fielding.
Open taxonomy questions
- Where does data cataloging/governance (Collibra, Immuta) end and security posture begin? They sit on this page for now but lean toward a governance cut.
- Overlap with data-access-governance is heavy (Cyera, Sentra, Concentric, Immuta appear on both) — candidate for a future merge or explicit primary/secondary split.
- The CSV merge (DSPM+DLP+governance) vs the doc’s split is the core open tension; resolved here in favor of the doc spine but flagged for survey design.