Data

Data at rest, in transit, and in use. The row whose protection and recovery outcomes matter most during incidents and regulatory inquiries.

Data is the original Cyber Defense Matrix row for information itself: data at rest in databases and storage, data in transit across networks, and data in use inside applications and endpoints. It is the row whose protection (PROTECT × Data) and recovery (RECOVER × Data) outcomes matter most during breach disclosure and regulatory inquiry, and the row where detection coverage is hardest to build.

Scope of the Data row

Data covers databases, data lakes and warehouses, file storage (file servers, S3 buckets, SharePoint), email content, and the data flowing through applications and APIs. It also covers derived data — analytics results, reports, backups — and the classification metadata that tells you what is sensitive.

The row does not cover the systems that host the data (Devices, Cloud, Applications), the network the data flows over (Networks), or the identities that access the data (Users). Most data-security work spans multiple rows — the canonical example is a DLP rule that requires Users telemetry (who is moving it), Networks telemetry (where it is going), and Data classification (what it is) to be meaningful.

Tooling per function column

GOVERN × Data is data classification policy, retention policy, privacy programs, and records-management governance. Tools: OneTrust, BigID, Securiti for privacy; data-classification modules of DLP and DSPM platforms.

IDENTIFY × Data is data discovery and classification — finding sensitive data, classifying it, and mapping its location. Cloud DSPM (Dig/Palo Alto, Laminar/Rubrik, Normalyze, Cyera, Varonis for file-server contexts) is the emerging category; BigID and OneTrust serve privacy-focused discovery.

PROTECT × Data is DLP (both endpoint and network), CASB data controls, encryption (at rest, in transit, in use), database activity monitoring (DAM — Imperva, IBM Guardium), tokenization, and rights management (Microsoft Purview IPM, Seclore). DETECT × Data is DLP alert streams plus database activity alerts plus cloud-data-access anomaly detection.

RESPOND × Data is a mix of tooling and procedure — rolling encryption keys, revoking access, notification workflows. RECOVER × Data is backup and restoration tooling plus integrity validation.

Why DLP rarely works the way it is sold

The biggest honest-signal gap on the Data row is DLP. Every organization that buys DLP intends to tune the rules, curate the classifications, and act on the alerts. Most organizations end up with alert volumes that exceed analyst capacity, rules that were never refined past the vendor defaults, and classifications that do not match the actual data the business produces. The matrix cell reads Covered; the program's effective exfiltration-detection capability is well below what the cell suggests.

The working alternative for many mid-market organizations is to narrow the scope radically. Pick one data type (source code, PHI, a specific customer-data category), classify it precisely, route exfiltration alerts to a dedicated queue, and accept that broader DLP is aspirational. Narrow and operational beats broad and paper.
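A narrow-scope rule of the kind this paragraph describes, as an added example in Python (not the page's code and not any DLP vendor's rule language). The single data type chosen is payment card numbers, a "financial records" category; the outbound events, the queue names, the context keywords and the Luhn validation are all assumptions built for illustration. The block also runs a broad vendor-default style rule over the same events so the two queues can be compared.

```python
"""Narrow-scope DLP: one data type, classified precisely, routed to its own queue.

Added example, not part of the Cyber Defense Matrix page. Events are constructed.
"""
import re
from dataclasses import dataclass

# Vendor-default style rule: any 13-16 digit run. This is the rule that fills the
# general queue with order numbers, phone numbers and tracking codes.
BROAD_PATTERN = re.compile(r"\b\d{13,16}\b")

# Narrow rule: card-formatted digit groups that pass Luhn AND sit near a context
# keyword. Both checks together are what "classify it precisely" means here.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
CONTEXT_WORDS = ("card", "visa", "mastercard", "cvv", "expiry", "pan")  # assumed

DEDICATED_QUEUE = "card-exfil"   # assumed queue name, staffed and acted on
GENERAL_QUEUE = "broad-default"  # assumed queue name, the aspirational one


@dataclass(frozen=True)
class OutboundEvent:
    event_id: str
    user: str
    channel: str       # e.g. email, web-upload
    destination: str
    content: str       # inspected content (attachment text, form body, ...)


# Constructed sample telemetry, not real data.
EVENTS = [
    OutboundEvent("e1", "alice", "email", "partner.example",
                  "Order 1234567890123456 shipped, tracking below"),
    OutboundEvent("e2", "bob", "web-upload", "share.example",
                  "Customer card 4111 1111 1111 1111 expiry 09/27"),
    OutboundEvent("e3", "carol", "email", "internal.example",
                  "Call me on 15551234567890 ext 12"),
    OutboundEvent("e4", "dave", "web-upload", "share.example",
                  "test PAN 4111111111111112 from QA fixture"),   # fails Luhn
    OutboundEvent("e5", "erin", "email", "partner.example",
                  "visa 4012888888881881 for the refund"),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def broad_rule(event: OutboundEvent) -> bool:
    return BROAD_PATTERN.search(event.content) is not None


def narrow_rule(event: OutboundEvent) -> bool:
    text = event.content.lower()
    if not any(word in text for word in CONTEXT_WORDS):
        return False
    for match in CARD_PATTERN.finditer(event.content):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            return True
    return False


def broad_alerts(events) -> list:
    return [e.event_id for e in events if broad_rule(e)]


def narrow_alerts(events) -> list:
    return [e.event_id for e in events if narrow_rule(e)]


def route(events) -> dict:
    """Queue name -> event ids. Only the dedicated queue is meant to be worked."""
    return {DEDICATED_QUEUE: narrow_alerts(events), GENERAL_QUEUE: broad_alerts(events)}


if __name__ == "__main__":
    for queue, ids in route(EVENTS).items():
        print(f"{queue}: {ids}")
```

On the constructed events the broad rule fires four times and misses the space-separated card number entirely, while the narrow rule fires on exactly the two events that carry a valid card number in a card context. That is the trade the paragraph recommends: a small queue an analyst can clear every day rather than a large one nobody reads.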

Cloud DSPM as the modern Data entry point

Data Security Posture Management (DSPM) platforms — Dig (Palo Alto), Laminar (Rubrik), Normalyze, Cyera, Symmetry Systems, Varonis for on-prem/SharePoint — automate data discovery and classification across cloud storage, databases, and SaaS. They surface the data that exists, where it lives, and who has access, which in practice is the most useful first step on the Data row. A program that knows precisely what sensitive data it has, where, and who can reach it has a realistic foundation for PROTECT × Data investments.
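The discover-classify-then-join-with-access pass that DSPM performs, as an added example in Python; it is not the page's code and not any DSPM product's logic. The storage inventory, its sampled contents, the grants, the label rules and the set of "broad" principals are constructed assumptions. Real products use far richer classifiers, but the output, what sensitive data exists, where, and who can reach it, has the same shape.

```python
"""DSPM-style posture pass: classify stored objects, then join with access grants.

Added example, not part of the Cyber Defense Matrix page. Inventory is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredObject:
    location: str      # bucket/path, site/file or db.table
    sample: str        # content the scanner sampled from the object
    grants: tuple      # principals with read access (assumed flattened ACL)


# Label rules: (label, predicate over sampled content). Deliberately simple.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
LABEL_RULES = [
    ("PHI", lambda s: "diagnosis" in s.lower() or "patient" in s.lower()),
    ("PII", lambda s: EMAIL.search(s) is not None),
    ("SOURCE_CODE", lambda s: "BEGIN PRIVATE KEY" in s
                              or s.lstrip().startswith(("import ", "def "))),
]

# Principals that mean "effectively public" in this assumed environment.
BROAD_PRINCIPALS = {"AllUsers", "AuthenticatedUsers", "Everyone"}

# Constructed inventory: locations, contents and grants are all made up.
INVENTORY = [
    StoredObject("s3://exports/patients-2024.csv",
                 "patient_id,diagnosis\n1001,asthma",
                 ("analytics-team", "AllUsers")),
    StoredObject("s3://marketing/leads.csv",
                 "name,email\nSam,sam@example.com",
                 ("marketing", "analytics-team")),
    StoredObject("sharepoint://eng/deploy.py",
                 "import os\ndef deploy(): ...",
                 ("engineering",)),
    StoredObject("s3://public-site/logo.png",
                 "<binary>",
                 ("AllUsers",)),
    StoredObject("db://crm.contacts",
                 "email\nlee@example.org",
                 ("crm-app", "Everyone")),
]


def classify(obj: StoredObject) -> set:
    """Set of labels whose rule matches the sampled content."""
    return {label for label, pred in LABEL_RULES if pred(obj.sample)}


def posture(inventory):
    """Return (findings, reach).

    findings: sensitive objects readable by a broad principal, as
              (location, sorted labels, sorted broad principals).
    reach:    principal -> set of labels that principal can read anywhere.
    """
    findings = []
    reach = defaultdict(set)
    for obj in inventory:
        labels = classify(obj)
        for principal in obj.grants:
            reach[principal] |= labels
        broad = set(obj.grants) & BROAD_PRINCIPALS
        if labels and broad:
            findings.append((obj.location, sorted(labels), sorted(broad)))
    return findings, dict(reach)


if __name__ == "__main__":
    findings, reach = posture(INVENTORY)
    print("Exposed sensitive objects:")
    for location, labels, broad in findings:
        print(f"  {location}: {labels} readable by {broad}")
    print("Reach per principal:")
    for principal, labels in sorted(reach.items()):
        print(f"  {principal}: {sorted(labels)}")
```

Note that the public logo produces no finding: broad access is only a problem when the object carries a sensitive label, which is why classification has to run before the access join, not after.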

The 'You Already Own the Fix' pattern on Data is usually about M365/Google Workspace features. Microsoft Purview Information Protection, sensitivity labels, and auto-classification are included in most E3+ tenants and widely under-configured. Google Workspace Enterprise has comparable features. The cost is configuration effort, not new licensing.

Frequently asked

Where does encryption fit?

PROTECT × Data, and the operational controls around it (key management, key rotation, HSM integration) sit in that same cell. Encryption is a control; the hard part is key management, which most programs under-invest in. The matrix cell is only as strong as the weakest key-management practice.
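The key-management side of that answer, as an added example in Python: envelope encryption with a rotatable key-encryption key (KEK). It is not the page's code and not any KMS or HSM vendor's API. The cipher is a stand-in (an HMAC-SHA256 keystream with encrypt-then-MAC) so the example runs on the standard library alone; a real deployment uses AES-GCM from a library, or the HSM, for both layers. The key hierarchy, the rotation step and the retire-too-early failure mode are the point.

```python
"""Envelope encryption with KEK rotation.

Added example, not part of the Cyber Defense Matrix page. The 'seal'/'open_'
primitive is a stand-in for a real AEAD; the KeyService models a KMS/HSM.
"""
import hashlib
import hmac
import secrets


def _derive(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD: nonce || ciphertext || tag, encrypt-then-MAC."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyService:
    """Models the KMS/HSM: holds KEK versions, wraps and unwraps DEKs, rotates."""

    def __init__(self):
        self.keks = {}
        self.current = None
        self.rotate()

    def rotate(self) -> int:
        version = (self.current or 0) + 1
        self.keks[version] = secrets.token_bytes(32)
        self.current = version
        return version

    def wrap(self, dek: bytes) -> tuple:
        return self.current, seal(self.keks[self.current], dek)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        if version not in self.keks:
            raise KeyError(f"KEK v{version} retired before its wrapped DEKs were migrated")
        return open_(self.keks[version], wrapped)

    def retire(self, version: int) -> None:
        del self.keks[version]


class DataStore:
    """Each object: ciphertext under its own DEK, plus that DEK wrapped by a KEK version."""

    def __init__(self, kms: KeyService):
        self.kms = kms
        self.objects = {}   # name -> (kek_version, wrapped_dek, ciphertext)

    def put(self, name: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)
        version, wrapped = self.kms.wrap(dek)
        self.objects[name] = (version, wrapped, seal(dek, plaintext))

    def get(self, name: str) -> bytes:
        version, wrapped, ct = self.objects[name]
        return open_(self.kms.unwrap(version, wrapped), ct)

    def rewrap_all(self) -> None:
        """Rotation step: re-wrap every DEK under the current KEK. Ciphertext is untouched."""
        for name, (version, wrapped, ct) in list(self.objects.items()):
            if version != self.kms.current:
                dek = self.kms.unwrap(version, wrapped)
                self.objects[name] = (*self.kms.wrap(dek), ct)

    def kek_versions(self) -> set:
        return {version for version, _, _ in self.objects.values()}


if __name__ == "__main__":
    kms, store = KeyService(), DataStore(kms)
    store.put("record-1", b"patient record")
    old = kms.current
    kms.rotate()          # new KEK; old one stays until migration is done
    store.rewrap_all()    # only the small wrapped DEKs are rewritten
    kms.retire(old)
    print(store.get("record-1"))
```

Rotation here touches only the wrapped DEKs, not the bulk ciphertext, which is what makes routine KEK rotation affordable. The order also matters: retiring the old KEK before every wrapped DEK has been migrated makes the data unreadable, and that sequencing is the kind of key-management practice the matrix cell depends on.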

Is data classification a policy activity or a tooling activity?

Both. Policy defines what matters (PHI, PII, source code, financial records) and at what sensitivity level. Tooling operationalizes the policy — labeling, scanning, enforcing handling rules. Classification with no tooling is paper; tooling with no policy produces meaningless labels.

How does DSPM differ from CASB and DLP?

CASB is flow-focused: what's moving from where to where via which SaaS app. DLP is content-focused but primarily alert-driven: what policy violations are happening. DSPM is posture-focused: what sensitive data exists, who can reach it, and how the configurations permit or deny access. The three are complementary, not redundant.

Does backup belong on Data or on another row?

Backup tooling shows up across multiple rows — Devices (endpoint backups), Applications (app-aware backups), Data (database and file backups). In CDM 2.0 we place backup strongly on Data in the RECOVER × Data cell, because the incident outcome we care about is data recovery specifically, not the substrate the data lived on.