Data Security Posture Management (DSPM)
Note
Disk scanning in Yandex 360 is in the Preview stage. To get access, contact tech support.
Scanning for sensitive information
DSPM scans data sources for sensitive information in buckets. You can run a scan once or on a schedule.
To run scans for sensitive information, use a service account.
To create a scan, the user must have the dspm.editor role for the folder specified in the Security Deck settings as the default storage, as well as the iam.serviceAccounts.user role for the service account that will run the scan.
Warning
To run the scan, make sure the service account is assigned the dspm.worker role for all buckets you want to scan. If the buckets are encrypted, your service account also needs the kms.keys.decrypter role for the relevant Yandex Key Management Service encryption keys.
Before you start scanning, select a data source and specify the data categories to search for.
Data source
A data source contains settings and information about the resources to scan:
- Object Storage buckets
- Yandex Cloud folders
- Yandex Cloud clouds
- Shared Yandex 360 disks
- Shared Yandex 360 folders
When you add folders and clouds to a data source, all buckets of the selected types in your selected clouds and/or folders will be scanned. This includes both the existing buckets and any other buckets added to these clouds and folders by the time of the scan.
You can set the following scan scopes for a data source:
- All files: To scan all files saved in the buckets.
- DOC/TXT: To scan .doc, .docx, and .txt text files.
- XLS/CSV: To scan .xls, .xlsx, and .csv spreadsheet files.
- PPT: To scan .ppt and .pptx presentation files.
- PDF: To scan .pdf document files.
- HTML/XML: To scan .html and .xml files.
- Images: To scan .jpg, .jpeg, .png, .gif, .webp, and .svg image files.
- Custom filter: To scan all files whose names do or do not match the specified patterns:
  - File name contains: To scan files whose names match the specified pattern.
  - File name does not contain: To ignore files whose names match the specified pattern.
  Specify the patterns using the RE2 regular expression syntax. You can specify patterns in both fields, in which case the scan will use the AND logic to select files.
You can select multiple filters at the same time; the system will use the OR logic to apply them.
You can add multiple buckets, folders, and/or clouds as well as create multiple resource groups with different scan scope settings in a single data source at once. You can also add a bucket to multiple data sources with different scan scope settings at the same time.
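The following Go sketch is an added illustration of the selection rules described above; it is not Yandex Cloud code and not how Security Deck evaluates filters internally. It models the built-in type filters and the custom filter as predicates and combines them the way the page describes: the two custom-filter fields with AND, the selected filters with OR. Go's regexp package uses RE2 syntax, the same syntax the patterns are written in; the ScopeFilter type, function names and sample object keys are assumptions of the example.

```go
package main

import (
	"path"
	"regexp"
	"strings"
)

// ScopeFilter is one scan scope entry as a predicate on a file name (assumed model).
type ScopeFilter func(name string) bool

// TypeFilter models a built-in filter such as DOC/TXT (.doc, .docx, .txt).
func TypeFilter(exts ...string) ScopeFilter {
	set := map[string]bool{}
	for _, e := range exts {
		set[e] = true
	}
	return func(name string) bool { return set[strings.ToLower(path.Ext(name))] }
}

// CustomFilter joins "File name contains" and "File name does not contain"
// with AND; an empty field imposes no condition. Go's regexp package uses RE2
// syntax, so a pattern RE2 rejects (e.g. a backreference) is rejected here too.
func CustomFilter(contains, notContains string) (f ScopeFilter, err error) {
	var inc, exc *regexp.Regexp
	if contains != "" {
		if inc, err = regexp.Compile(contains); err != nil {
			return nil, err
		}
	}
	if notContains != "" {
		if exc, err = regexp.Compile(notContains); err != nil {
			return nil, err
		}
	}
	return func(name string) bool {
		return (inc == nil || inc.MatchString(name)) &&
			(exc == nil || !exc.MatchString(name))
	}, nil
}

// InScope combines the selected filters with OR logic over an object key.
func InScope(filters []ScopeFilter, key string) bool {
	for _, f := range filters {
		if f(path.Base(key)) {
			return true
		}
	}
	return false
}
```

A custom filter with both fields empty behaves like "All files", which is why the two conditions default to "no condition" rather than to an empty pattern.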
Data categories
When creating a new scan, you can select data categories separately for text and images.
You can select all the available categories at once or any combination of them.
Data categories available for scanning:
- In text:
  - Personal data: Full names, email addresses, phone numbers, and social security numbers (SNILS).
  - Financial data: Credit or debit card details.
  - Secrets: Cloud access keys, passwords, tokens, SSH keys, etc.
- In images:
  - Personal data: Full names, email addresses, phone numbers, and social security numbers (SNILS).
  - Financial data: Credit or debit card details.
  - Medical data: Data from medical documents and images.
  - Other: Personal document data: military ID cards, pension certificates, educational documents, etc.
To create data sources, set up and run scans, and view scan results, the user must have the appropriate roles.