Use Data Security Posture Management

This document describes how you can enable and use Data Security Posture Management (DSPM).

Enable DSPM

Complete the following to enable DSPM at the organization level:

  1. To get the permissions that you need to enable DSPM, ask your administrator to grant you the following IAM roles on your organization:

    For more information about granting roles, see Manage access to projects, folders, and organizations.

    You might also be able to get the required permissions through custom roles or other predefined roles.

  2. Enable DSPM using one of the following methods:
  3. Enable discovery of the resources that you want to protect with DSPM.

When you enable DSPM, the following services are also enabled:

  • Compliance Manager to create, apply, and manage data security frameworks and cloud controls.
  • Sensitive Data Protection to use data sensitivity signals for default data risk assessment.
  • Event Threat Detection (part of Security Command Center) at the organization level to use the data access governance cloud control and the data flow governance cloud control.
  • AI Protection to help secure the lifecycle of your AI workloads.

The DSPM service agent (service-org-ORGANIZATION_ID@gcp-sa-dspm-hpsa.iam.gserviceaccount.com) is created when you enable DSPM.

For information about the DSPM Identity and Access Management roles, see Identity and Access Management for organization-level activations.

Use the DSPM dashboard

Complete the following actions to use the dashboard to analyze your data security posture.

  1. To get the permissions that you need to use the DSPM dashboard, ask your administrator to grant you the following IAM roles on your organization:

    For more information about granting roles, see Manage access to projects, folders, and organizations.

    You might also be able to get the required permissions through custom roles or other predefined roles.

  2. Use the DSPM dashboard for data discovery and risk analysis. When you enable DSPM, you can immediately assess how your environment aligns with the Data security and privacy essentials framework.

    In the console, click the Data Protection tab under Data Security & Compliance.

    Go to Data Security Dashboard

    The following information is available:

    • Data map explorer
    • Data security findings
    • Insights about applied data security controls and frameworks

    Use this information to review and remediate findings so that your environment better aligns with your security and compliance requirements.

    When you view the dashboard from an organization level and you deploy applications in an app-enabled folder, you can select an application to filter the dashboard to show only the findings and insights that apply to the application. Consider the following scan latencies when reviewing the data:

    • The top findings panel might show outdated resource configuration data. For example, a finding's primary resource might be associated with an outdated application.
    • The application selector might not show the applications and resource registrations that were created within the last 24 hours.

    The data map explorer might take 24 hours after you activate Security Command Center to populate all the data from Security Command Center and Cloud Asset Inventory.

Create custom data security frameworks

If required, copy the Data security and privacy essentials framework and customize it to meet your data security and compliance requirements. For instructions, see Apply a framework.

Deploy advanced data security cloud controls

If required, add the advanced data security cloud controls to custom frameworks. These controls require additional configuration before you can deploy them. For instructions on deploying cloud controls and frameworks, see Apply a framework.

You can deploy frameworks that include advanced data security cloud controls to your organization, folders, projects, and applications in app-enabled folders in App Hub. To deploy the advanced data security cloud controls against applications, the framework can only include these controls. You must select the app-enabled folder and the application that you want the cloud controls to monitor. Applications in host projects aren't supported.

Consider the following:

  • Review the information for each advanced data security cloud control for limitations.

  • Complete the tasks for each rule, as described in the following table.

    Rule: Data access governance cloud control
    Additional configuration:
    • Enable Data Access audit logs for Cloud Storage and Vertex AI (where applicable in your environment).

      Set the data access permission type to DATA_READ. Enable the data access logs at the organization level or project level, depending on where you apply the Data access governance cloud control.

      Verify that only authorized principals are exempted from audit logging. Principals exempted from audit logging are also exempted from DSPM.

    • Add one or more allowed principals (up to a maximum of 200 principals), using one of the following formats:
      • For a user, principal://goog/subject/USER_EMAIL_ADDRESS

        Example: principal://goog/subject/alex@example.com

      • For a group, principalSet://goog/group/GROUP_EMAIL_ADDRESS

        Example: principalSet://goog/group/my-group@example.com

    Rule: Data flow governance cloud control
    Additional configuration:
    • Enable Data Access audit logs for Cloud Storage and Vertex AI (where applicable in your environment).

      Set the data access permission type to DATA_READ. Enable the data access logs at the organization level or project level, depending on where you apply the Data access governance cloud control.

      Verify that only authorized principals are exempted from audit logging. Principals exempted from audit logging are also exempted from DSPM.

    • Specify allowed countries using the country codes that are defined in the Unicode Common Locale Data Repository (CLDR).

    Rule: Data protection and key governance cloud control
    Additional configuration: Enable CMEK in BigQuery and Vertex AI.

    Rule: Data deletion cloud controls
    Additional configuration: Set the retention periods. For example, to set a 90-day retention period in seconds, set the retention period to 777600.
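The two prerequisites above for the data access and data flow governance controls (DATA_READ audit logs with a reviewed exemption list, and a correctly formatted allowed-principals list) can be checked before deployment. The following is an added example, not code from the DSPM documentation; it runs against a constructed `auditConfigs` fragment of an organization IAM policy and assumes `storage.googleapis.com` and `aiplatform.googleapis.com` as the audit-config service names for Cloud Storage and Vertex AI.

```python
"""Added example (not from the DSPM docs): pre-deployment checks for the
data access governance cloud control, run against a constructed IAM policy."""
import json
import re

# Services whose DATA_READ audit logs the control relies on (assumed names).
REQUIRED_SERVICES = {"storage.googleapis.com", "aiplatform.googleapis.com"}
# Allowed-principal formats from the table: principal://goog/subject/<email>
# for users and principalSet://goog/group/<email> for groups.
PRINCIPAL_RE = re.compile(
    r"^(principal://goog/subject/|principalSet://goog/group/)"
    r"[^@\s/]+@[^@\s/]+\.[^@\s/]+$"
)
MAX_PRINCIPALS = 200

# Constructed sample of the auditConfigs section of an organization IAM policy:
# Cloud Storage has DATA_READ with one exemption, Vertex AI has none.
SAMPLE_POLICY = json.loads("""{
  "auditConfigs": [
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [
       {"logType": "DATA_READ", "exemptedMembers": ["user:backup-bot@example.com"]},
       {"logType": "DATA_WRITE"}]},
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]}
  ]}""")


def data_read_coverage(policy):
    """Return {service: exempted_members} for required services that have
    DATA_READ enabled; a required service absent from the result is not logged.
    An "allServices" entry counts for every required service."""
    covered = {}
    for cfg in policy.get("auditConfigs", []):
        service = cfg["service"]
        for log in cfg.get("auditLogConfigs", []):
            if log.get("logType") != "DATA_READ":
                continue
            targets = REQUIRED_SERVICES if service == "allServices" else {service}
            for target in targets & REQUIRED_SERVICES:
                covered.setdefault(target, []).extend(log.get("exemptedMembers", []))
    return covered


def validate_allowed_principals(principals):
    """Return a list of problems with an allowed-principals list (empty if OK)."""
    problems = []
    if len(principals) > MAX_PRINCIPALS:
        problems.append(f"{len(principals)} principals exceeds the limit of {MAX_PRINCIPALS}")
    problems += [f"bad format: {p}" for p in principals if not PRINCIPAL_RE.match(p)]
    return problems
```

Any required service missing from `data_read_coverage` output, and every member it lists as exempted, should be reviewed before the control is applied, since exempted principals are also exempt from DSPM.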

What's next