
DSPM Beyond the boundaries of CNAPP.

CNAPP-integrated DSPM is no longer enough to protect modern enterprise data. This article explores why dedicated DSPM platforms, with advanced discovery, classification, and runtime threat detection, are essential for safeguarding sensitive data across cloud, SaaS, and endpoints.
Dhiraj Khare, CBO, Matters.AI
&
Prajal Kulkarni, CISO, Groww
AUGUST 2025


As a longtime advocate for cloud security and someone who helped build CNAPP brands like PingSafe, I used to believe that Data Security Posture Management (DSPM) was merely a subset of CNAPP, an auxiliary feature rather than a category of its own.

That belief changed after a pivotal conversation with my good friend Prajal Kulkarni, CISO at Groww. Not only did he introduce me to the founders of Matters.AI (formerly OptIQ.ai), but he also challenged the assumptions I held about DSPM’s relevance and independence.

This article reflects the insights from that conversation, shaped by nearly two decades of hands-on experience across cloud security, data protection, and go-to-market strategy. Together, we’ll explore why standalone DSPM platforms are no longer optional but critical to modern cybersecurity.

The Mario Analogy

Not sure about Gen Z, but all millennials will relate to the iconic Mario video game, the one we spent summer holidays playing, trying to protect the queen at the end (but only if you were good enough).

Now, think of cybersecurity engineers as the warriors, armed with multiple powers, tools like firewalls, vulnerability scanners, CNAPP platforms, identity security tools, EDR, XDR, SIEM, and more, all working toward one goal: protecting the queen, i.e., sensitive data.

My fundamental question is this: if our ultimate goal is to protect data, why is data security so often treated as an afterthought in cybersecurity conversations? Shouldn’t we start by prioritising foundational elements like data discovery, classification, lineage, and exfiltration monitoring?

With that perspective, I want to explore why DSPM deserves to be the starting point and why we need to look at it beyond the traditional CNAPP lens.

The Background

Traditionally, DLPs have been synonymous with data security, but is that true? DLPs were indeed designed at a time when most data resided on laptops and desktops, and the exfiltration of sensitive data from these endpoint machines was a major concern. As a result, DLPs focused heavily on prevention rules for all data.

As sensitive data started spanning cloud, SaaS, and endpoints, a significant number of vendors entered the data security space with point solutions such as email DLP, browser DLP, and CASB (Cloud Access Security Broker) to handle in-flight sensitive data across cloud and SaaS applications. But as messaging apps like WhatsApp (and Telegram’s secret chats) adopted end-to-end encryption, and file-sharing services like Dropbox and Google Drive moved to encrypted transport with native and mobile clients that often pin certificates, inline CASBs lost visibility into the content itself and could no longer deliver on their promise of stopping sensitive data from being sent over the network to these third-party applications.

Why was DSPM needed?

A true DSPM is a solution that can automatically discover data across multiple channels like Cloud, SaaS, and Endpoints; classify both structured and unstructured data with a high degree of accuracy; and enforce runtime and DDR (Data Detection and Response) policies to catch compliance risks and security threats as they happen.

While this may sound straightforward, the industry faced several challenges leading to a definitive need to rethink the approach to DSPM.

Problem Statement

  • Most companies use multiple tools to discover data across the cloud, SaaS, and endpoints.
  • Each of these tools classifies sensitive data with RegEx (regular expression) rules, a rudimentary approach that reaches only 20-30% accuracy even after thousands of rules have been written.
  • Each tool has its own classifiers built on its own RegEx rules, so the same value is labelled differently by different tools (e.g., a 10-digit number on an endpoint is classified as a mobile number by tool 1 using classifier 1, while the same 10-digit number in an email is classified as a customer ID by tool 2 using classifier 2).
  • With no consistent classification across tools, security admins cannot write one unified policy; instead they end up writing and maintaining thousands of security policies across multiple tools.
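The 10-digit-number problem from the list above, reproduced as an added example (this is illustrative code, not Matters.AI’s classifier). Two hypothetical regex-only tools label the same value differently depending on which tool happens to scan which channel; a classifier that reads the surrounding context, and leaves the label as “unknown” when there is no cue, gives one consistent answer. The tool names, context keywords and sample documents are all constructed:

```python
"""RegEx-only classification vs. context-aware classification of the same value.

Added example, not Matters.AI code. The two "tools", their labels, the context
keywords and the two sample documents are all constructed for illustration.
"""
import re

# Constructed sample content: the same 10-digit value appears in two places.
ENDPOINT_DOC = "Support ticket 4411. Customer phone: 9876543210, callback requested."
EMAIL_DOC = "Hi team, please close the account. Customer ID: 9876543210. Thanks."

# The pattern both hypothetical tools use: any run of exactly ten digits.
TEN_DIGITS = re.compile(r"(?<!\d)\d{10}(?!\d)")


def tool_a_classify(text):
    """Tool A's classifier: every ten-digit run is a mobile number."""
    return [(m.group(), "mobile_number") for m in TEN_DIGITS.finditer(text)]


def tool_b_classify(text):
    """Tool B's classifier: every ten-digit run is a customer ID."""
    return [(m.group(), "customer_id") for m in TEN_DIGITS.finditer(text)]


# Context-aware classifier: same regex, but the label is taken from the words
# immediately preceding the match, and an unrecognised context stays "unknown"
# instead of being forced into a category.
CONTEXT_LABELS = [
    (re.compile(r"\b(phone|mobile|cell)\b[^\d]{0,10}$", re.I), "mobile_number"),
    (re.compile(r"\b(customer|cust)\.?\s*id\b[^\d]{0,10}$", re.I), "customer_id"),
]


def classify_with_context(text, window=25):
    """Label each ten-digit run using up to `window` characters of preceding context."""
    results = []
    for m in TEN_DIGITS.finditer(text):
        prefix = text[max(0, m.start() - window):m.start()]
        label = "unknown"
        for pattern, name in CONTEXT_LABELS:
            if pattern.search(prefix):
                label = name
                break
        results.append((m.group(), label))
    return results


if __name__ == "__main__":
    # Two regex-only tools disagree about the same value in the same document.
    print("tool A on email:   ", tool_a_classify(EMAIL_DOC))
    print("tool B on endpoint:", tool_b_classify(ENDPOINT_DOC))
    # One context-aware classifier gives consistent, document-appropriate labels.
    print("context on endpoint:", classify_with_context(ENDPOINT_DOC))
    print("context on email:   ", classify_with_context(EMAIL_DOC))
    print("context, no cue:    ", classify_with_context("Reference 9876543210 attached."))
```

The point is not that a keyword window is a complete classifier (it is not), but that a label should come from one shared decision that sees the value’s context, rather than from whichever tool’s pattern fired first; a unified policy can only be written on top of unified labels.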


The Solution

To handle modern-day sophistication in classifying structured and unstructured data, tools needed Machine Learning and Large Language Models to gain both speed and accuracy. Some new-age companies have started using LLMs, but the approach they take is still point-specific: CNAPP players, for example, are introducing DSPM that only solves data discovery and classification for critical data stores within the cloud environment.

Let’s discuss further the common challenges in this approach. 

The Promise and Limitations of CNAPP-Integrated DSPM

CNAPPs have become a cornerstone of cloud security, offering a unified set of capabilities to protect cloud-native applications and infrastructure. These platforms typically integrate Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWP), and Cloud Infrastructure Entitlement Management (CIEM), with some claiming to include DSPM as a feature.

The appeal of a single platform that addresses multiple security needs is undeniable, especially for organizations looking to streamline their security stack. However, the DSPM capabilities within CNAPPs often serve more as a checkbox item than a comprehensive solution, failing to deliver the depth and breadth required to secure sensitive data across diverse environments.

Limited Scope of Data Discovery

One of the primary shortcomings of CNAPP-integrated DSPM is its limited scope in data discovery. CNAPPs are fundamentally designed to secure cloud infrastructure and applications, focusing on misconfigurations, vulnerabilities, and workload protection. While they may include basic data discovery features, these are often limited to specific cloud service providers (CSPs) like AWS, Azure, or Google Cloud Platform (GCP).

SaaS applications such as Google Drive, Microsoft OneDrive, or Salesforce are critical repositories of sensitive data in modern enterprises, yet they frequently fall outside the purview of CNAPP-integrated DSPM. This creates a significant visibility gap, leaving sensitive data in these platforms unmonitored and unprotected.

Consider a customer who relies heavily on SaaS tools to collaborate and manage customer data. A CNAPP with embedded DSPM may identify sensitive data in AWS S3 buckets but fail to detect personally identifiable information (PII) or financial records stored in Google Drive folders shared across teams. This lack of visibility into SaaS environments exposes organisations to data breaches, insider threats, and compliance violations.

Industry insights consistently show that DSPM solutions must offer comprehensive visibility across hybrid, multi-cloud, and SaaS environments to address the full spectrum of data risks. CNAPPs, with their infrastructure-centric focus, are simply not built to meet this need.

Inadequate Data Flow Analysis

Another critical limitation is the inability of CNAPP-integrated DSPM to perform robust data flow analysis. Understanding how sensitive data moves across systems, whether between cloud services, SaaS applications, or on-premises environments, is essential for identifying risks such as unauthorised access or data leakage.

Dedicated DSPM platforms leverage advanced data flow analysis to map data lineage, track usage patterns, and detect anomalies. In contrast, CNAPP-integrated DSPM often lacks the granularity to analyse data flows across diverse ecosystems, particularly in SaaS tools where data sharing is dynamic and user-driven.

For instance, a financial services organisation must ensure that customer financial data is not inadvertently shared via unsecured Google Drive links or accessed by unauthorised third parties. CNAPP-integrated DSPM may flag infrastructure misconfigurations, but cannot provide the contextual insights needed to understand how data is moved or processed in SaaS environments. This gap undermines the ability to enforce data governance policies and detect potential threats in real time.

Alert Fatigue and False Positives

CNAPPs generate a high volume of alerts related to infrastructure vulnerabilities, misconfigurations, and workload threats. When DSPM is integrated into a CNAPP, data-related alerts are often buried within this noise, leading to alert fatigue for security teams. Moreover, CNAPP-integrated DSPM solutions may rely on simplistic or regex-based classification techniques, resulting in excessive false positives that overwhelm security analysts. This lack of precision hampers the ability to prioritise and remediate critical data risks effectively.

Dedicated DSPM platforms, on the other hand, employ AI-driven classification and context-aware risk assessment to reduce false positives and focus on high-priority threats. By integrating with Security Information and Event Management (SIEM) systems and leveraging machine learning, these platforms provide actionable insights that align with an organisation’s unique data security needs.

Compliance and Regulatory Gaps

Compliance with regulations such as GDPR, HIPAA, and PCI-DSS is a top priority for organisations handling sensitive data. DSPM within CNAPPs often lacks the depth to ensure comprehensive compliance across all data repositories, particularly in SaaS environments. For example, a CNAPP may verify that cloud infrastructure complies with specific standards but fail to monitor whether sensitive data in Google Drive adheres to data residency or access control requirements.


Challenges of Onboarding: CNAPP vs. DSPM

One often-overlooked aspect of the CNAPP vs. DSPM debate is the onboarding process. CNAPPs are typically designed for relatively straightforward deployment, requiring access to cloud infrastructure APIs and minimal configuration to monitor workloads and configurations. This ease of setup makes CNAPPs an attractive choice for organizations seeking to quickly establish a baseline for cloud security.

However, onboarding a DSPM platform is inherently more complex due to the need for granular permissions to access and monitor sensitive data across diverse environments, including SaaS platforms.

Granting a DSPM platform access to tools like Google Drive or Salesforce requires careful permission configuration to ensure the system can scan and classify data without compromising security or privacy. The ability to manage this granularity is critical to a DSPM vendor’s value.

For instance, Matters.AI’s onboarding process allows organizations to define both role-based access controls (RBAC) and attribute-based access controls (ABAC) for data scanning. This ensures that only authorized data is accessed during discovery and monitoring. Such flexibility not only strengthens security but also builds trust with stakeholders who may be cautious about granting broad access to a third-party solution.

The Case for a Dedicated DSPM Platform

To address these limitations, organisations must invest in a dedicated DSPM platform that prioritises data security over infrastructure protection. Such platforms offer several key advantages that CNAPPs cannot match:

Comprehensive Data Visibility Across Environments

A dedicated DSPM platform provides end-to-end visibility into sensitive data across hybrid, multi-cloud, and SaaS environments. By continuously scanning and classifying data in platforms like Google Drive, OneDrive, and Atlassian, these solutions ensure that no data repository, ‘known’ or ‘shadow’, remains unmonitored.

This comprehensive visibility is critical for organisations, where sensitive customer data may reside in cloud databases, SaaS applications, or even on-premises systems. A dedicated DSPM platform maps data flows, identifies shadow data, and ensures that all sensitive information is accounted for and protected, regardless of its location.

Advanced Data Detection and Response (DDR) Policies

Dedicated DSPM platforms go beyond visibility to offer robust Data Detection and Response (DDR) capabilities. DDR policies enable organisations to monitor sensitive data usage patterns and detect anomalies that may indicate a security threat.

For example, a DDR policy might flag an unusual spike in data access from a specific user account in Google Drive or detect sensitive data being uploaded to an unauthorised external service.

A sample DDR policy might look like this:

  • Policy Objective: Detect unauthorised access to sensitive data in Google Drive.
  • Criteria: Monitor user access patterns for PII (e.g., customer names, financial records) and flag instances where access exceeds a baseline threshold (e.g., more than 100 distinct files accessed in 10 minutes).
  • Action: Send real-time alerts to the security team via SIEM integration and temporarily restrict the user’s access pending investigation.

Such policies provide granular control over data usage, enabling organisations to mitigate risks before they escalate into breaches. Two practical notes: the threshold should be a per-user or per-role baseline rather than one global number, since a data engineer’s normal day looks like an analyst’s anomaly; and any automated restriction needs an allow-list for sanctioned bulk consumers such as backup or migration service accounts, otherwise the policy itself becomes a lever for denial of service.
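The sample policy above, implemented as an added example (not Matters.AI code) over a stream of access events. It keeps a sliding 10-minute window per user, counts distinct sensitive files rather than raw reads, alerts once per window instead of once per event, and hands the offending user to a response step. The event layout, the `SENSITIVE` label set, the `restrict_user` stand-in for an identity or Drive API call, and the sample events are all constructed:

```python
"""Sliding-window DDR detection for bulk access to sensitive files.

Added example, not Matters.AI code. Access events are assumed to arrive as
(timestamp, user, file_id, classification) tuples, e.g. parsed from a Drive
activity feed; the field layout, the SENSITIVE label set and the sample
events below are constructed for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

SENSITIVE = {"PII", "FINANCIAL"}   # assumed classifier labels that the policy covers
WINDOW = timedelta(minutes=10)
THRESHOLD = 100                    # policy: more than 100 distinct sensitive files per window


def detect_bulk_access(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user per window in which the policy fires.

    Only distinct file ids are counted, so re-reading one file does not
    inflate the total, and a user is alerted once per window rather than
    once per event after the threshold is crossed.
    """
    recent = {}      # user -> deque of (timestamp, file_id) still inside the window
    suppressed = {}  # user -> time until which repeat alerts are suppressed
    alerts = []
    for ts, user, file_id, label in sorted(events, key=lambda e: e[0]):
        if label not in SENSITIVE:
            continue
        q = recent.setdefault(user, deque())
        q.append((ts, file_id))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({f for _, f in q})
        if distinct > threshold and ts >= suppressed.get(user, datetime.min):
            alerts.append({
                "rule": "ddr.bulk_sensitive_access",
                "user": user,
                "window_start": q[0][0].isoformat(),
                "triggered_at": ts.isoformat(),
                "distinct_files": distinct,
                "action": "restrict_access_pending_review",
            })
            suppressed[user] = ts + window
    return alerts


def restrict_user(user, registry):
    """Response step: mark the user restricted. Stands in for the IdP or Drive API call."""
    registry[user] = "restricted"
    return registry


def sample_events():
    """Constructed events: one normal user, one bulk reader, one reader of public
    files only, and one user hammering a single sensitive file."""
    t0 = datetime(2025, 8, 1, 9, 0, 0)
    events = []
    for i in range(5):       # alice: five sensitive files over an hour -> no alert
        events.append((t0 + timedelta(minutes=12 * i), "alice", f"doc-{i}", "PII"))
    for i in range(150):     # bob: 150 distinct FINANCIAL files in under 8 minutes -> alert
        events.append((t0 + timedelta(seconds=3 * i), "bob", f"ledger-{i}", "FINANCIAL"))
    for i in range(150):     # carol: 150 PUBLIC files -> outside the policy's scope
        events.append((t0 + timedelta(seconds=3 * i), "carol", f"pub-{i}", "PUBLIC"))
    for i in range(150):     # dave: 150 reads of the same PII file -> one distinct file, no alert
        events.append((t0 + timedelta(seconds=3 * i), "dave", "doc-x", "PII"))
    return events


if __name__ == "__main__":
    restricted = {}
    for alert in detect_bulk_access(sample_events()):
        print(alert)
        restrict_user(alert["user"], restricted)
    print(restricted)
```

The alert dictionary is what would be forwarded to the SIEM; in a real deployment the threshold would be looked up per user or role rather than taken from a module constant, and `restrict_user` would consult an allow-list before acting.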

Monitoring Sensitive Data Egress: GPS for Your Data

In addition to Data Detection and Response (DDR) policies that monitor data access and usage, egress monitoring is a critical capability offered by advanced DSPM platforms. It focuses on tracking how sensitive data leaves your environment, whether via email, file uploads, or unsanctioned third-party applications like WhatsApp, Telegram, or personal Google Drive accounts. By analysing outbound data flows across cloud, SaaS, and endpoint channels, modern DSPM solutions should identify and prevent unauthorised data transfers in real time. This not only mitigates insider threats and accidental leaks but also strengthens compliance with regulations around data exfiltration.

eBPF (extended Berkeley Packet Filter) plays a vital role in enabling this functionality at the endpoint level, with one caveat a practitioner should keep in mind: eBPF sees only what it can hook before encryption. On the wire, traffic to an end-to-end encrypted app or a TLS-protected upload is opaque, so the agent has to observe the data earlier, for example at file-system reads, clipboard events, or via uprobes on the TLS library’s write calls, and then attribute the resulting outbound connection to that data. Classification can then happen locally on the user’s device: DSPM agents equipped with machine-learning techniques such as nearest-neighbour search over document fingerprints (commonly referred to simply as “fingerprinting”) can recognise sensitive content, including partial excerpts, without shipping the content anywhere. Imagine sensitive content that originated in Google Drive being identified by the endpoint agent, and its outbound movement flagged and traced via eBPF. It’s like placing a GPS tracker on your most critical data, following it wherever it goes, regardless of channel or format.
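The fingerprinting half of that story, as an added example that is not Matters.AI’s agent code. A sensitive document is fingerprinted once with k-gram hashing and winnowing; an outbound buffer (an email body, a chat message, an upload captured before encryption) is matched against the fingerprint index, so a pasted excerpt is caught as well as a whole-file copy. The documents, the k-gram size `K`, the window size `W` and the match threshold are constructed for illustration, and the eBPF capture that would supply the buffer is outside the example:

```python
"""Document fingerprinting for endpoint egress matching (k-gram hashing with winnowing).

Added example, not Matters.AI's agent code. A sensitive document is
fingerprinted once; an outbound buffer captured before encryption is checked
against the index. The documents, K, W and the threshold are constructed.
"""
import hashlib
import re

K = 5   # k-gram length in tokens
W = 4   # winnowing window: any shared run of W + K - 1 tokens shares a fingerprint


def tokenize(text):
    """Normalise so that case, punctuation and spacing do not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def kgram_hashes(tokens, k=K):
    """Hash every k-token window; returns (hash, position) pairs in order."""
    out = []
    for i in range(len(tokens) - k + 1):
        gram = " ".join(tokens[i:i + k]).encode()
        out.append((int.from_bytes(hashlib.sha256(gram).digest()[:8], "big"), i))
    return out


def winnow(hashes, w=W):
    """Keep the minimum hash of each window of w consecutive k-gram hashes."""
    if len(hashes) <= w:
        return {h for h, _ in hashes}
    selected = set()
    for i in range(len(hashes) - w + 1):
        # ties go to the rightmost position so the same run always selects the same hash
        h, _ = min(hashes[i:i + w], key=lambda x: (x[0], -x[1]))
        selected.add(h)
    return selected


def fingerprint(text):
    return winnow(kgram_hashes(tokenize(text)))


class FingerprintIndex:
    """Inverted index from fingerprint hash to the sensitive documents containing it."""

    def __init__(self):
        self.docs = {}

    def add(self, doc_id, text):
        for h in fingerprint(text):
            self.docs.setdefault(h, set()).add(doc_id)

    def match(self, payload, threshold=0.25):
        """Containment score per document: the share of the payload's fingerprints
        that belong to that document (1.0 = the payload is entirely excerpt)."""
        fp = fingerprint(payload)
        if not fp:
            return {}
        hits = {}
        for h in fp:
            for doc_id in self.docs.get(h, ()):
                hits[doc_id] = hits.get(doc_id, 0) + 1
        return {d: n / len(fp) for d, n in hits.items() if n / len(fp) >= threshold}


# Constructed sample content.
LEDGER_DOC = (
    "Quarterly ledger for customer accounts. Account 44-1021 holds a balance of "
    "18,250 and is flagged for manual review. Account 44-1022 was closed in July "
    "after a disputed transfer. Contact details for both account holders are on "
    "file with compliance. Do not share this ledger outside the finance team."
)
OUTBOUND_EXCERPT = (
    "fyi pasting from the shared doc: Account 44-1022 was closed in July after a "
    "disputed transfer. Contact details for both account holders are on file with "
    "compliance. let me know"
)
OUTBOUND_BENIGN = "lunch tomorrow at noon works for me, see you at the usual place near the station"


def build_index():
    index = FingerprintIndex()
    index.add("ledger-q3", LEDGER_DOC)
    return index


if __name__ == "__main__":
    index = build_index()
    print("excerpt:", index.match(OUTBOUND_EXCERPT))
    print("benign: ", index.match(OUTBOUND_BENIGN))
```

Only the hash set leaves the device, never the document, which is what makes this usable as an on-device classifier: the index can be distributed to endpoints without distributing the sensitive content it was built from.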

Leveraging OPA Rego for Runtime Threat Detection

To further enhance security, dedicated DSPM platforms can integrate with Open Policy Agent (OPA) and its policy language, Rego, to enforce runtime threat detection and policy compliance. OPA evaluates Rego policies against a JSON input document and returns a decision; it does not collect data itself. The DSPM platform therefore supplies the input (file metadata, classification, the sharing ACL, the acting user and their context) from its scans and activity feeds, and OPA decides whether that state or event violates policy. Because Rego is declarative and decoupled from the platform’s own code, fine-grained policies for cloud and SaaS environments can be versioned and reviewed like any other code.

For example, a Rego policy could raise an immediate alert the moment a sensitive Google Drive file is shared with an unauthorised user or marked as public. How immediate “the moment” really is depends on the feed: a policy evaluated against a nightly scan catches the exposure the next day, while one evaluated against the Drive activity log as events arrive catches it within the feed’s latency.

By integrating OPA Rego with a DSPM platform, organisations can enforce context-aware policies that adapt to runtime conditions, such as user location, data sensitivity, and application context. This level of granularity is critical for detecting and mitigating runtime threats, such as data exfiltration or lateral movement, which CNAPP-integrated DSPM solutions often overlook.
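The sharing rule described above, as an added example (not Matters.AI code and not a Rego listing): the same decision a Rego `deny` rule set would express, written in Python so it runs stand-alone without an OPA binary. The permission records follow the field names of the Drive v3 `permissions` resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`); the file records, the corporate domain `example.com`, the approved external parties and the classification labels are constructed:

```python
"""Sharing-policy evaluation over Google Drive permission metadata.

Added example: the decision a Rego policy would express, written in Python so
it runs without OPA. Permission fields mirror the Drive v3 `permissions`
resource; files, domain, allow-list and labels are constructed.
"""
CORP_DOMAIN = "example.com"                          # assumed
APPROVED_EXTERNAL = {"auditor@partner-example.org"}  # assumed allow-list
SENSITIVE_LABELS = {"PII", "FINANCIAL"}              # assumed classifier output


def evaluate_sharing(file):
    """Return the list of policy violations for one file (empty means compliant).

    One entry per offending permission, with a severity and a readable reason,
    which is the shape a `deny[msg]` rule set in Rego would produce.
    """
    if file["classification"] not in SENSITIVE_LABELS:
        return []
    violations = []
    for p in file["permissions"]:
        if p["type"] == "anyone":
            # "anyone with the link" is still public; discoverable is worse
            reason = "public link" if p.get("allowFileDiscovery") is False else "public and discoverable"
            violations.append({"severity": "critical", "reason": reason, "role": p["role"]})
        elif p["type"] == "domain" and p["domain"].lower() != CORP_DOMAIN:
            violations.append({"severity": "high",
                               "reason": f"shared with external domain {p['domain']}",
                               "role": p["role"]})
        elif p["type"] in ("user", "group"):
            email = p["emailAddress"].lower()
            if not email.endswith("@" + CORP_DOMAIN) and email not in APPROVED_EXTERNAL:
                violations.append({"severity": "high",
                                   "reason": f"shared with unapproved external party {email}",
                                   "role": p["role"]})
    return violations


def evaluate_all(files):
    """Map file id -> violations for every non-compliant file; each entry becomes an alert."""
    return {f["id"]: v for f in files if (v := evaluate_sharing(f))}


# Constructed sample of what the DSPM hands to the policy engine after a scan
# or a Drive activity event: classification plus the file's current ACL.
SAMPLE_FILES = [
    {"id": "f1", "name": "payroll-q3.xlsx", "classification": "FINANCIAL",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "cfo@example.com"}]},
    {"id": "f2", "name": "customer-export.csv", "classification": "PII",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "ops@example.com"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "audit-pack.pdf", "classification": "FINANCIAL",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "finance@example.com"},
                     {"type": "user", "role": "reader", "emailAddress": "auditor@partner-example.org"}]},
    {"id": "f4", "name": "kyc-batch.zip", "classification": "PII",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "kyc@example.com"},
                     {"type": "user", "role": "writer", "emailAddress": "someone@gmail.example"},
                     {"type": "domain", "role": "reader", "domain": "contractor-example.net"}]},
    {"id": "f5", "name": "press-release.docx", "classification": "PUBLIC",
     "permissions": [{"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]

if __name__ == "__main__":
    for file_id, violations in evaluate_all(SAMPLE_FILES).items():
        for v in violations:
            print(file_id, v["severity"], v["reason"], f"(role={v['role']})")
```

In an OPA deployment each file record is the `input` document and the branches of `evaluate_sharing` become separate `deny` rules; keeping the allow-list and corporate domain in OPA `data` rather than in the policy text lets them change without a policy release.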

Scalability and Integration

Dedicated DSPM platforms are designed to scale with an organisation’s growing data footprint. Unlike CNAPPs, which may struggle with the volume and variety of data spread across diverse environments, DSPM solutions use agentless, API-based connectors and serverless scanning for cloud and SaaS stores, reserving a lightweight agent for the endpoint egress monitoring described above, so they can scan and protect data without performance lags. They also integrate with a wide range of security tools, including SIEM, SOAR, and IAM systems, to provide a cohesive security posture.

The Path Forward: Investing in Dedicated DSPM

As organisations navigate the complexities of multi-cloud and SaaS environments, the limitations of CNAPP-integrated DSPM become increasingly apparent. To achieve true data security, organisations must invest in dedicated DSPM platforms that offer:

  • Comprehensive Visibility: End-to-end discovery and classification of sensitive data across hybrid, multi-cloud, and SaaS environments.
  • Advanced DDR Policies: Real-time monitoring and anomaly detection to proactively address data risks.
  • OPA Rego Integration: Flexible, context-aware policies for runtime threat detection and compliance enforcement.
  • Scalability and Integration: Seamless support for growing data volumes and integration with existing security tools.
  • Flexible Onboarding: Granular permission models and automated workflows to simplify integration into complex environments.

Our experience underscores the importance of prioritising data security over infrastructure-centric approaches. By partnering with innovative DSPM providers like Matters.AI, we have strengthened our ability to protect sensitive data, mitigate risks, and maintain compliance in a dynamic threat landscape.

For CISOs and security leaders, the message is clear: CNAPP-integrated DSPM is not enough. A dedicated DSPM platform is not just a luxury; it’s a necessity for safeguarding your organisation’s most valuable asset: its data.