Fortra DSPM (Data Security Posture Management)

Fortra is a US-based developer of cybersecurity software, founded in 2022 as part of IT software company HelpSystems. In the years since, it has grown in size to over 2000 employees serving more than 9000 clients across upwards of 15 countries. It is also partnered with a variety of organisations, including global law enforcement and intelligence agencies.

Fortra DSPM (Data Security Posture Management) is a data security and privacy product designed to help you discover, classify, and protect your sensitive data, with a particular eye toward shielding it (and you) against data breaches and cybersecurity attacks. To this end, it offers visibility into which of your data is sensitive, why that data is sensitive, where it’s stored, how it’s accessed, and whether – and to what extent – it represents a security risk. Moreover, it can parlay that information into meaningful, automated protective action, such as encryption or masking, without needing to leave the product.

DSPM comes in two packages: Essentials and Advanced. The former covers up to 5 SaaS applications with a standard set of data detection and Cloud DLP (Data Loss Prevention) techniques, along with out of the box integration with various third-party identity and security products. The latter expands on this selection with further methods for data detection and DLP, email controls, and support for any number of SaaS applications. It also offers full API access for third-party integrations beyond what’s offered in the Essentials package, as well as expanded customer support. Various product and service add-ons are also available, such as a historical data discovery service. A more detailed comparison is available in
Figure 1.

Fortra DSPM will continually search for sensitive data across your environment, with the aim of building and maintaining a complete, real-time inventory of it regardless of where it lives or how it moves. To this end, the product is compatible with many different types of data sources, including such things as code repositories (GitHub/Lab), cloud storage (Azure, AWS), CRM tools (Salesforce, BusinessNow), and collaboration platforms (SharePoint, Google Drive, and many more), among others.

This inventory of sensitive data is then used as a foundational step to facilitate other data privacy and security measures, starting with more extensive data classification. Using this inventory as a basis, the product will automatically sort your sensitive data into different sensitivity classifications, such as personally identifiable information, medical information, financial information, and so on, by examining its metadata using predefined rules and/or machine learning. These classifications are used to associate your sensitive data with any applicable regulations (such as GDPR or HIPAA) or other compliance frameworks (such as relevant internal policies) using built-in mappings, with identifiers to this effect stored as metadata and passed on to downstream systems in order to inform the actions they might take.

Moreover, Fortra DSPM offers multiple ways to classify your sensitive data. In addition to the above, you can define custom enterprise classifications for your data, which are often used to bucket data by importance or risk (using classifications such as confidential, highly confidential, internal use only, public, regulated, enterprise-critical, and so on) in whichever way is most useful for your organisation. You can also classify your data automatically using external tools, such as Azure Information Protection.

All of these results are presented as part of a visual dashboard (a small snapshot of which is shown in Figure 2) that you are free to explore, enabling you to investigate and remediate your sensitive data. For example, you can drill down into individual classifications to see further details, including audit trails, file owners, the specific sensitive data that was discovered, and so on. This dashboard also captures the exposure of your sensitive data across different systems, as well as its geographic distribution. You can additionally view application information, in terms of which users are using which apps and how sensitive data is distributed across them.

Using your sensitive data classifications, you can protect your sensitive data precisely and automatically by enforcing security controls that are specific and appropriate to each classification. This is achieved by defining a series of classification policies that determine which protective action should be taken on which kind of sensitive data. For example, your policies might specify that you should mask PII found in emails, or encrypt source code that contains user passwords. These policies can then be used to scan for and protect any matching data in the manner specified, on either an ad hoc or scheduled basis. Notably, your policies do not need to have actions associated with them. In this case, your scans can serve to assess risk and highlight matching records. In addition, Fortra offers a dedicated DLP product – appropriately named Fortra DLP – that can be deployed alongside DSPM, enabling you to further protect your data without leaving the Fortra platform.

Fortra DSPM provides substantial visibility into your sensitive data through its discovery and classification functionality – an essential first step in protecting it – then follows that up with built-in data protection that is not only integrated with its classification, but actively driven by it. This allows you to precisely define your data protection and privacy strategy according to the kind of the data that needs to be protected, and thereby the risk it poses to your organisation. Moreover, this combined risk assessment and mitigation is both continual and automatic, improving efficiency and reducing the time and cost of responding to incidents due to its ever-ready nature.

It is also worth pointing out that the product’s scope, in terms of the types of sensitive data it can examine and the remedial actions it enables, is impressively wide. The former is broad enough to include intellectual property, HR details and private source code (among other things) in addition to the usual suspects of PII, PHI, and similar, while the latter enables you to, say, programmatically prevent users from printing sensitive information, emailing it outside your organisation, saving it to a thumb drive, or feeding it into (unauthorised) AI tools. The latter is particularly relevant, as generative AI technologies continue to occupy a large space in the public – and many organisation’s – consciousness.

Fortra DSPM is a comprehensive and effective data privacy and security solution, offering not just sensitive data discovery and classification but tightly integrated data protection as well. Indeed, we would say that the offering’s breadth is its
greatest asset.

Figure 1 – Fortra DSPM product offerings

Figure 2 – Data classification in Fortra DSPM’s dashboard