Types of Vulnerabilities
IBM Guardium DSPM not only provides an overview of vulnerabilities in different data stores of cloud accounts but also categorizes the vulnerabilities under different types.
The two types of vulnerabilities are:
- Security data vulnerabilities
- Compliance data vulnerabilities
The different types of Security data vulnerabilities are listed in the following table:
Name | Found against | Description | Recommendation for resolution |
---|---|---|---|
Exposed Sensitive Data | Cloud providers | Alerts on sensitive data from different data stores that are exposed to the public due to misconfiguration in network or service access. | Block public access to the data store. |
No Backup Set Up On Data Store | Cloud providers | Alerts if no backups are defined for a data store, even if that data store has no sensitivity or resources. If no backups are defined for a data store, it can result in data loss in the event of a malware attack. | Define a backup process for the data store by changing backup configurations. |
Unencrypted Data Store | Cloud providers | Alerts on an unencrypted data store that does not follow security best practices. The data can be exposed to unauthorized users or services, or be subject to tampering or loss in the event of a malware attack. | Encrypt the data store by changing encryption configurations. |
Sensitive Data Duplication Flow | Cloud providers | Alerts on sensitive data that is copied across accounts by a service from one data store to another data store. | Check whether the service is required to copy data between the data stores, and then change configurations or stop the service, if required. |
Copied Sensitivities Between Accounts | Cloud providers and SaaS applications | Alerts on duplication of data between any accounts, including cloud providers and SaaS applications. | Delete the unnecessary data copies. |
Default Write Entitlements On Data Store | Cloud providers | Alerts on a cloud asset that has write permissions on another data store. This access can be too permissive and can allow an attacker to make the asset unavailable or insert malicious data into your internal services. | Modify policies to grant write access to users and services only if required. |
Transitive Data Flow | Cloud providers | Alerts on data transfer or data manipulation when a cloud service accesses a data store using one or more roles. | Check whether the service is required to copy the data to the data store, and then change configurations or stop the service, if required. |
Cross-Account Potential Data Flow | Cloud providers | Alerts on potential flow of sensitive data between accounts, which can result in potential data leakage between cloud accounts. | Review whether this data movement is needed. If not, consider stopping the data flow or deleting any unnecessary data copies. |
Cross-Account Actual Data Flow | Cloud providers | Alerts on actual flow of sensitive data between accounts, which can result in actual data leakage between cloud accounts. | Review whether this data movement is needed. If not, consider stopping the data flow or deleting any unnecessary data copies. |
Third-party Potential Data Flow | Cloud providers | Alerts on potential flow of sensitive data to third-party vendors that do not have relevant certification for the data access and handling. | Review the permissions to access the data store and contact the third-party vendor to verify their certifications to access the data store. |
Third-party Actual Data Flow | Cloud providers | Alerts on actual flow of sensitive data to third-party vendors that do not have relevant certification for the data access and handling. | Review the permissions to access the data store and contact the third-party vendor to verify their certifications to access the data store. |
The different types of Compliance data vulnerabilities are listed in the following table:
Name of Compliance data vulnerability | Found against | Description | Recommendation for resolution |
---|---|---|---|
Exposed Sensitive Data | Cloud providers | Alerts on violation of compliance due to exposure of sensitive data from different data stores to the public. This exposure can be due to misconfiguration in network or service access. | Block public access to the data store. |
Potential Cross-Country Data Flow | Cloud providers | Alerts on potential flow of sensitive data between regions in different countries, which can result in potential violation of regional compliance. Potential compliance threats can include violations of data compliance regulations such as the Health Insurance Portability and Accountability Act (HIPAA), California Privacy Rights Act (CPRA), and General Data Protection Regulation (GDPR). | Review whether the potential data flow contains sensitive information that can violate a country's data compliance regulations. You can consider stopping the potential data flow, if required, to prevent non-compliance with regional data policies. |
Actual Cross-Country Data Flow | Cloud providers | Alerts on actual flow of sensitive data between regions in different countries, which can result in actual violation of regional compliance. Compliance threats can include violations of data compliance regulations such as HIPAA, CPRA, and GDPR. | Review whether the actual data flow contains sensitive information that can violate a country's data compliance regulations. You can consider stopping the actual data flow, if required, to avoid violating regional data policies. |
No Backup Set Up On Data Store | Cloud providers | Alerts on sensitive data from different data stores that are exposed to the internet due to misconfiguration in network or service access. This exposure of data can result in violation of compliance with respect to data backup. | Define a backup process for the data store by changing backup configurations. |
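The following added example (not IBM's code or the product's API) shows how the conditions behind both tables can be evaluated over a constructed data-store inventory: per-store checks produce the security findings, and per-flow checks distinguish cross-account, third-party and cross-country flows, and actual versus potential ones. The `DataStore` and `Flow` records, the region-to-country map and the notion of "org accounts" are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed region-to-country map (assumption; a real inventory supplies its own).
REGION_COUNTRY = {"us-east-1": "US", "us-west-2": "US", "eu-west-1": "IE"}

@dataclass(frozen=True)
class DataStore:
    name: str
    account: str          # owning cloud account ID
    region: str
    sensitive: bool       # holds data classified as sensitive
    public: bool          # reachable without authentication (network/service misconfiguration)
    encrypted: bool
    backup: bool
    writers: tuple = ()   # account IDs of principals holding write entitlements

@dataclass(frozen=True)
class Flow:
    src: DataStore
    dst: DataStore
    actual: bool               # True = transfer observed; False = merely permitted by roles
    certified: bool = True     # third-party destination holds the relevant certification

def store_findings(s: DataStore) -> list:
    """Security findings for one data store, named as in the tables above."""
    f = []
    if s.sensitive and s.public:
        f.append("Exposed Sensitive Data")
    if not s.backup:                      # raised regardless of sensitivity
        f.append("No Backup Set Up On Data Store")
    if not s.encrypted:
        f.append("Unencrypted Data Store")
    if any(w != s.account for w in s.writers):   # write access from another account
        f.append("Default Write Entitlements On Data Store")
    return f

def flow_findings(fl: Flow, org_accounts: set) -> list:
    """Security and compliance findings for one flow between two data stores."""
    if not fl.src.sensitive:
        return []                         # only sensitive data raises flow alerts
    kind = "Actual" if fl.actual else "Potential"
    f = []
    if fl.dst.account not in org_accounts:          # destination is a third-party vendor
        if not fl.certified:
            f.append(f"Third-party {kind} Data Flow")
    elif fl.dst.account != fl.src.account:          # another account we own
        f.append(f"Cross-Account {kind} Data Flow")
    if REGION_COUNTRY[fl.src.region] != REGION_COUNTRY[fl.dst.region]:
        f.append(f"{kind} Cross-Country Data Flow")
    return f
```

Each returned name maps to the matching row above, so the recommendation column can be applied directly to the finding.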