Posture Control (DSPM)

Release Upgrade Summary (2025)

This article provides a summary of all new features and enhancements for Posture Control (DSPM). To see scheduled maintenance updates for your cloud, visit the Trust Portal.


The following service updates were deployed to app.zsdpc.net on the dates shown.

February 20, 2025
  • Feature Available
    • Azure AI Foundry and Storage Account Association

      AI services such as Azure AI Foundry Hub use storage accounts to host AI training data. DSPM shows, on the Data Inventory page, which sensitive data is exposed to Azure AI services and machine learning workspaces. With this information you can create policies or investigation queries that search for sensitive data exposed to the AI services.

      To learn more, see About Data Inventory and Creating a New Investigation.

    • Data Posture Policies

      The following new data posture policies for Azure are available:

      • Azure PostgreSQL Flexible server with databases containing sensitive data is publicly exposed.
      • Azure PostgreSQL Flexible server with databases containing sensitive data is publicly exposed and has password authentication enabled.
      • Azure PostgreSQL Flexible server with databases containing sensitive data can be accessed by publicly exposed App Service with risky permissions.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that can be accessed by Entra ID applications that accept external or personal Azure accounts with high privileges.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that do not have audit logging enabled.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that do not have private access VNet configured.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that do not have geo-redundant backups enabled.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that can be accessed by publicly exposed Linux Web App that has SSH enabled.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that can be accessed by users who have not logged in for more than 90 days.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that can be accessed by users who have not logged in for more than 90 days but have logged in via cached sessions or OAuth-based SaaS apps in the last 7 days.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that are susceptible to ransomware.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that can be accessed by users without MFA and with highly risky permissions.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that do not have resource locks enabled.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that do not have logging enabled for diagnostic settings.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that do not have secure transport enabled.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that are not encrypted using customer-managed keys.
      • Azure PostgreSQL Flexible server has databases containing sensitive data that have Entra authentication enabled and can be accessed by publicly exposed Azure virtual machines with admin privileges and critical vulnerabilities.
      • Azure SQL server has databases containing sensitive data and can be accessed by publicly exposed Azure Linux Web App that is running deprecated versions of PHP, Python, and Node.js runtime application stacks.
      • Azure SQL server with databases containing sensitive data can be accessed by Azure Web App leveraging insecure basic SCM or FTP authentication publishing credentials.
      • Azure SQL server with databases containing sensitive data can be accessed by publicly exposed Azure Web App that allows insecure FTP access.
      • Azure SQL server has databases containing sensitive data that can be accessed by Azure Web App that is not integrated with a VNET.
      • Azure SQL server has databases containing sensitive data that can be accessed by Azure Web App that allows insecure FTP access.
      • Azure storage account containing sensitive blob data can be accessed by Azure Web App that is not integrated with a VNet.
      • Azure storage account containing sensitive blob data can be accessed by publicly exposed Azure Web App that allows insecure FTP access.
      • Azure storage account containing sensitive blob data can be accessed by Azure Web App that allows insecure FTP access.
      • Azure storage account containing sensitive blob data can be accessed by Azure Web App leveraging insecure basic SCM or FTP authentication publishing credentials.
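      Several of the PostgreSQL Flexible Server policies above are plain configuration checks that can be reproduced outside the product. The following is an added example, not DSPM's policy engine or any Zscaler code: it evaluates a handful of those policies against a server description shaped like the JSON that `az postgres flexible-server show -o json` returns, plus the `require_secure_transport` parameter (as `az postgres flexible-server parameter show` reports it) and the resource locks on the server (as `az lock list` reports them). The field names (`authConfig`, `backup`, `dataEncryption`, `network`, `level`, `value`) are assumptions about that CLI output, and both sample servers are constructed.

```python
"""Added example: evaluate a subset of the Azure PostgreSQL Flexible Server
posture policies listed above. Not DSPM code; field names are assumptions
about `az postgres flexible-server show` / `parameter show` / `az lock list` JSON."""

# Short policy keys mapped to the policy titles from the release notes.
TITLES = {
    "public": "Azure PostgreSQL Flexible server with databases containing sensitive data is publicly exposed.",
    "public_password": "Azure PostgreSQL Flexible server with databases containing sensitive data is publicly exposed and has password authentication enabled.",
    "no_vnet": "Azure PostgreSQL Flexible server has databases containing sensitive data that do not have private access VNet configured.",
    "no_geo_backup": "Azure PostgreSQL Flexible server has databases containing sensitive data that do not have geo-redundant backups enabled.",
    "no_locks": "Azure PostgreSQL Flexible server has databases containing sensitive data that do not have resource locks enabled.",
    "no_secure_transport": "Azure PostgreSQL Flexible server has databases containing sensitive data that do not have secure transport enabled.",
    "no_cmk": "Azure PostgreSQL Flexible server has databases containing sensitive data that are not encrypted using customer-managed keys.",
}

# Constructed sample: a weakly configured server (assumed `az ... show` shape).
WEAK_SERVER = {
    "name": "pg-sensitive-01",
    "authConfig": {"activeDirectoryAuth": "Disabled", "passwordAuth": "Enabled"},
    "backup": {"backupRetentionDays": 7, "geoRedundantBackup": "Disabled"},
    "dataEncryption": {"type": "SystemManaged"},
    "network": {"publicNetworkAccess": "Enabled", "delegatedSubnetResourceId": None},
}
WEAK_PARAMS = {"require_secure_transport": {"value": "off"}}  # constructed
WEAK_LOCKS = []                                               # constructed: no locks

# Constructed sample: the same server with every check above satisfied.
HARDENED_SERVER = {
    "name": "pg-sensitive-02",
    "authConfig": {"activeDirectoryAuth": "Enabled", "passwordAuth": "Disabled"},
    "backup": {"backupRetentionDays": 35, "geoRedundantBackup": "Enabled"},
    "dataEncryption": {"type": "AzureKeyVault"},
    "network": {
        "publicNetworkAccess": "Disabled",
        "delegatedSubnetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/rg-data/providers/Microsoft.Network/virtualNetworks/vnet-data/subnets/pg",
    },
}
HARDENED_PARAMS = {"require_secure_transport": {"value": "on"}}
HARDENED_LOCKS = [{"name": "no-delete", "level": "CanNotDelete"}]


def evaluate_postgres_posture(server, params, locks, holds_sensitive_data=True):
    """Return the keys of the policies the server violates.

    Every policy above is conditioned on the server holding sensitive data, which
    DSPM determines by scanning; here it is an input flag (assumption)."""
    if not holds_sensitive_data:
        return []
    findings = []
    net = server.get("network", {})
    auth = server.get("authConfig", {})

    if net.get("publicNetworkAccess") == "Enabled":
        findings.append("public")
        # Public exposure plus password auth is called out as its own, worse, policy.
        if auth.get("passwordAuth") == "Enabled":
            findings.append("public_password")
    # Private access means the server is injected into a delegated subnet.
    if not net.get("delegatedSubnetResourceId"):
        findings.append("no_vnet")
    if server.get("backup", {}).get("geoRedundantBackup") != "Enabled":
        findings.append("no_geo_backup")
    # A CanNotDelete or ReadOnly lock protects the server from accidental deletion.
    if not any(lock.get("level") in ("CanNotDelete", "ReadOnly") for lock in locks):
        findings.append("no_locks")
    # require_secure_transport=on rejects non-TLS client connections.
    transport = params.get("require_secure_transport", {}).get("value", "")
    if str(transport).lower() != "on":
        findings.append("no_secure_transport")
    # Customer-managed keys show up as Key Vault backed data encryption.
    if server.get("dataEncryption", {}).get("type") != "AzureKeyVault":
        findings.append("no_cmk")
    return findings


def report(server, params, locks):
    """Human-readable policy titles for the violations found."""
    return [TITLES[key] for key in evaluate_postgres_posture(server, params, locks)]


if __name__ == "__main__":
    for title in report(WEAK_SERVER, WEAK_PARAMS, WEAK_LOCKS):
        print("FAIL", title)
    print("hardened server findings:", report(HARDENED_SERVER, HARDENED_PARAMS, HARDENED_LOCKS))
```

      The remaining PostgreSQL policies (risky App Service permissions, stale or MFA-less users, ransomware susceptibility) need entitlement and identity data joined to the resource, which is the part a tool like DSPM adds on top of checks like these.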
    • Enhancements for Onboarding Azure Accounts

      The Azure onboarding process is updated with the following enhancements:

      Onboard Management Groups

      DSPM now supports the onboarding of Azure management groups and scans the subscriptions within them. This option can be used when there are restrictions for onboarding at the tenant level.

      To learn more, see Onboarding a Microsoft Azure Tenant.

      Onboard Azure Services

      You can now select and onboard a subset of the supported Azure services (storage accounts, databases, etc.). This option lets DSPM operate with only the permissions needed to monitor and scan data in the selected services, rather than the full set.

      To learn more, see Onboarding a Microsoft Azure Tenant and Managing Services.

    • Support for Scanning Unmanaged MSSQL Databases

      DSPM provides support for onboarding and scanning unmanaged Microsoft SQL Server (MSSQL) databases hosted on Azure virtual machines. Based on the scan setting configuration, DSPM scans and classifies data in these databases and identifies misconfigurations and posture issues.

      The scan results are displayed on the Data Inventory page. You can create custom policies and investigation queries to further optimize the protection.

      To learn more, see About Unmanaged Databases and Configuring Scan Settings for Azure Unmanaged Databases.

January 16, 2025
  • Feature Available
    • Compliance Dashboard

      The Compliance dashboard provides an overview of the compliance breaches detected by DSPM for industry-standard data protection regulations and benchmarks such as CIS, NIST, PCI DSS, HIPAA, GDPR, DPDP, CCPA, RBI, ISO 27001, and SOC2. The Compliance dashboard provides insights into the overall compliance status and the total number of policies that failed to comply with each benchmark. You can also view the policy summary and compliance configuration details. The dashboard also provides actionable steps to remediate compliance violations.

      To learn more, see About Compliance and Viewing Compliance Details.

    • Dashboard Enhancements

      The dashboard includes the following enhancements:

      • A legend is added to provide context to the risk score values displayed on the dashboard.
      • The scan statistics are moved to the Data Discovery tab.

      To learn more, see About the Dashboard.

    • Data Posture Policies

      The following new data posture policies are available for cloud service providers:

      AWS

      • RDS DB instance containing sensitive data encrypted with customer-managed key has KMS key rotation disabled.
      • RDS DB instance containing sensitive data can be accessed by external users.
      • RDS DB cluster containing sensitive data encrypted with customer-managed key has KMS key rotation disabled.
      • RDS DB cluster containing sensitive data can be accessed by external users.
      • S3 bucket containing sensitive data encrypted with customer-managed key has KMS key rotation disabled.
      • S3 bucket with sensitive data can be accessed by IAM entities with high privilege roles that have not been used for more than 90 days.
      • EC2 instance containing sensitive data has VPC flow logs disabled.
      • Virtual machine containing sensitive data can be accessed by identities with permissions to modify network security groups.
      • RDS Aurora, MySQL, and PostgreSQL DB clusters containing sensitive data have IAM authentication enabled with a weak IAM password policy.
      • RDS Aurora, MySQL, and PostgreSQL DB instances containing sensitive data have IAM authentication enabled with a weak IAM password policy.
      • AWS DynamoDB table containing sensitive data can be accessed by external entities with risky access.
      • AWS DynamoDB table containing sensitive data has data logging disabled.
      • AWS DynamoDB table containing sensitive data is readable externally.
      • AWS DynamoDB table containing sensitive data is accessible by all IAM principals.
      • AWS DynamoDB table with sensitive data is publicly exposed.
      • AWS DynamoDB table containing sensitive data does not have deletion protection enabled.
      • AWS DynamoDB table containing sensitive data does not have global tables replica configured.
      • AWS DynamoDB table does not have point-in-time restore enabled.
      • AWS DynamoDB table containing sensitive data is not encrypted using a customer-managed key.
      Azure

      • Azure SQL server database containing sensitive data can be accessed by publicly exposed App Service with risky permissions.
      • Azure SQL Server with databases containing sensitive data can be accessed by Azure Web App that allows insecure TLS versions.
      • Azure SQL database server has databases containing sensitive data that do not have logging enabled for diagnostic settings.
      • Azure storage account containing sensitive blob data can be accessed by publicly exposed App Service with risky permissions.
      • Azure storage account containing sensitive blob data can be accessed by a publicly exposed Azure Linux Web App that is running deprecated versions of PHP, Python, and Node.js runtime application stacks.
      • Azure storage account containing sensitive blob data can be accessed by Azure Web App that allows insecure TLS versions.
      • Azure storage account containing sensitive blob data should be accessed only through Azure private endpoints.
      • Azure virtual machine containing sensitive data has public IP with basic SKU and no network security group attached to the interface and subnet.
      • Virtual machine containing sensitive data can be accessed by identities with permissions to modify network security groups.
    • Enhancements to Cloud Accounts Onboarding Workflow

      The Cloud Accounts onboarding process is updated with the following enhancements:

      Deploy Orchestrator and Scanner Instances in Custom Network

      DSPM provides support for deploying the orchestrator and scanner instances in your organization's existing network settings.

      To learn more, see Onboarding an AWS Organization and Onboarding a Microsoft Azure Tenant.

      Azure Diagnostic Logs Storage

      You can specify an existing Azure storage account or configure a new Azure storage account to store the diagnostic logs.

      To learn more, see Onboarding a Microsoft Azure Tenant.

    • Investigation and Policy Query Enhancements

      The investigation and policy queries are enhanced with the following predicates and operators for improved metadata analysis and enrichment:

      Custom Policy and Investigation Queries for AWS DynamoDB

      DSPM supports entitlements for AWS DynamoDB and allows you to create custom policies and investigation queries. The predefined policies for DynamoDB are also extended to support entitlements.

      To learn more, see Creating an Investigation and Creating Custom Policies.

      Security Posture Logging for AWS EC2 Instances

      The Logging state is added as a security posture for AWS EC2 instances. You can use the Logging predicate in policy and investigation queries to monitor the logging state of your EC2 instances.

      To learn more, see Creating an Investigation, Creating Custom Policies, and Understanding the Security Posture State.

    • MFA for Local Users

      To improve the security of user authentication, DSPM now enforces multi-factor authentication for local users at login. After the login ID is entered, a verification code is sent to the registered email address; the code is valid for 10 minutes.

      To learn more, see Accessing and Navigating the DSPM Admin Portal.

    • Scan Settings Enhancements

      The scan settings include the following enhancements:

      Support for Azure-Managed PostgreSQL Flexible Server

      DSPM provides support for scanning Azure-managed PostgreSQL Flexible Servers. Based on the scan setting configuration, DSPM scans and classifies data on the relevant servers, checks for misconfigurations and posture issues, and runs dedicated predefined policies for Azure PostgreSQL. All findings are displayed on the Data Inventory page. You can create custom policies and investigation queries to further optimize the protection.

      To learn more, see Configuring Scan Settings for Azure Database.

      Database Scanning Options

      You can select the following options while configuring the scan settings for databases:

      • Data Sampling Scan: Scans a sample of recent data in the database, providing a faster approach with lower cost.
      • Full Scan: Scans all the databases across all onboarded accounts, providing a detailed data scan report.

      To learn more, see Configuring Scan Settings for Azure Database and Configuring Scan Settings for AWS Database.

Related Articles
  • Release Upgrade Summary (2025)
  • Release Upgrade Summary (2024)