Safeguard
Industry Analysis

Top cloud data security solutions

Prisma Cloud's DSPM bolts data classification onto a 30-module CNAPP after resources already exist in the cloud. Here's why that misses the supply chain risks that matter most.

Karan Patel
Cloud Security Engineer
Updated 8 min read

Cloud data security spending crossed $16 billion in 2024, according to Gartner's cloud security forecast, yet the average breach involving cloud-stored data still cost organizations $4.9 million to contain, per IBM's 2024 Cost of a Data Breach report. That gap between spend and outcome is the story of the category right now. Palo Alto Networks has spent five years and roughly $2 billion in acquisitions — RedLock in 2019, Twistlock in 2019, Bridgecrew in 2021, Cider Security in 2022 — stitching together Prisma Cloud into the market's broadest CNAPP. Broad, however, is not the same as deep where it matters most: the software supply chain that produces the artifacts landing in those cloud environments. This post breaks down what "cloud data security solutions" actually means for public cloud data security programs in 2026, where Prisma Cloud's platform-of-platforms approach holds up and where it doesn't, and what teams should actually check for before renewing a six-figure CNAPP contract.

What Are Cloud Data Security Solutions, and Why Did the Market Triple in Five Years?

Cloud data security solutions are the tools that discover, classify, and protect sensitive data across cloud storage, databases, and SaaS apps — and the market tripled from roughly $5 billion in 2020 to over $16 billion in 2024 because the attack surface changed faster than security teams could staff for it. Every S3 bucket, Snowflake warehouse, and managed Postgres instance a developer spins up is a potential exposure point, and the 2023 MOVEit breach — which exposed data from over 2,700 organizations through a single vulnerable file-transfer product — showed how one unpatched cloud-adjacent component can cascade into a supply chain incident. Data security posture management (DSPM), a term Gartner formalized in its 2022 Hype Cycle, emerged specifically because traditional CSPM tools were checking cloud configurations without ever looking at what data actually lived inside the resources being scanned. The category now spans four overlapping functions: data discovery and classification, encryption and key management, access governance, and runtime data loss prevention — and most vendors, Prisma Cloud included, only fully own two or three of the four.

How Does Prisma Cloud Approach Cloud Data Security?

Prisma Cloud approaches cloud data security through its DSPM module, launched in 2023 as an add-on to the broader CNAPP, which scans cloud storage and databases to classify sensitive data and map it against identity and network exposure. The module pulls from Palo Alto's Cortex data lake and correlates data risk with the 27+ other modules in the Prisma Cloud suite — CSPM, CWPP, CIEM, and the code-to-cloud scanning inherited from Bridgecrew. In practice, this means a customer can see that a database tagged as containing PII is also internet-facing, which is genuinely useful correlation. But the DSPM module was built by acquisition and bolted onto an already sprawling console; Palo Alto's own 2024 platformization pitch to investors acknowledged that customers were struggling to adopt modules beyond the two or three they bought first. Vendors increasingly market this layer as "ai data security solutions" — automatic classification, anomaly detection, natural-language querying of risk — but here, data security is treated as one more posture signal inside a 30-plus-module platform, not as a first-class problem with dedicated depth, and it stops at the cloud boundary. It has no visibility into how the code, dependencies, or CI/CD pipeline that provisioned that database got there in the first place.

Where Do CNAPP Platforms Like Prisma Cloud Fall Short on the Software Supply Chain?

CNAPP platforms fall short because they secure data and workloads after they exist in the cloud, while the majority of exposure is decided earlier — in the build pipeline, the package registry, and the commit history that produced the artifact. The 2020 SolarWinds compromise and the 2024 XZ Utils backdoor attempt (caught days before it would have shipped in major Linux distributions) were not cloud misconfiguration problems; they were build-time and dependency-integrity problems that no amount of runtime DSPM would have caught. Sonatype's 2024 State of the Software Supply Chain report logged over 512,000 malicious open-source packages discovered that year alone — a 156% jump from 2023 — and none of that activity shows up in a tool that starts scanning at the point data lands in an S3 bucket. Prisma Cloud's supply chain module, built on the 2022 Cider Security acquisition, covers CI/CD posture and pipeline hardening, but it treats source-to-cloud provenance as a bolt-on checklist rather than a cryptographically verifiable chain. If you can't prove which commit, which build, and which signer produced the artifact sitting in your registry, classifying the sensitive data around it is solving the wrong half of the problem.

What Did Recent Breaches Reveal About Gaps in Cloud Data Security Tooling?

Recent breaches revealed that identity and pipeline compromise, not storage misconfiguration, is now the dominant path to cloud data theft — Verizon's 2024 DBIR found stolen credentials involved in 31% of breaches over the past decade, the single largest category. The 2023 Okta support-system breach let attackers pivot into customer environments using session tokens, bypassing every cloud storage control those customers had in place. The 2024 npm and PyPI typosquatting waves, which Socket's research tracked delivering info-stealers through hundreds of lookalike packages, moved data out through developer laptops and CI runners before it ever reached a monitored cloud data store. In each case, a DSPM or CSPM tool watching production cloud resources would have had nothing to alert on, because the compromise happened upstream in identity and build infrastructure. This is the structural blind spot in treating "cloud data security" as a cloud-perimeter problem: by the time data-classification tooling sees a resource, an attacker with a compromised build pipeline or stolen token has often already had access to what matters.

How Should Teams Evaluate Cloud Data Security Solutions in 2026?

Teams should evaluate cloud data security solutions and public cloud security solutions generally on provenance coverage first, not module count, because a platform with 30 dashboards and no cryptographic chain from source to artifact leaves the highest-value attack path uncovered. Concretely, that means asking three questions in any vendor evaluation: can the tool attest, with signed evidence, which commit and build produced the artifact now holding your data; does it detect anomalous dependency or package behavior before merge, not just after deployment; and does data classification connect back to the pipeline that provisioned the resource, so a compromised build shows up as a data-risk signal, not a separate alert in a different console. Gartner's own guidance in its 2024 CNAPP Market Guide flagged consolidation fatigue as a real cost — teams paying for broad suites while under-configuring the modules that would have caught their actual incident. A narrower platform with real depth in supply chain provenance, paired with a data security tool that understands where the artifact came from, consistently closes more of the actual attack surface than a wide CNAPP with a bolted-on DSPM tab.

How Safeguard Helps

Safeguard was built on the premise that cloud data security starts at the commit, not the S3 bucket. Instead of scanning cloud resources after they exist and hoping to correlate backward, Safeguard establishes a verifiable chain of custody from source code through build to deployed artifact, so every piece of cloud infrastructure holding sensitive data can be traced back to the exact commit, dependency set, and build process that created it. That means when Safeguard flags a data exposure risk, it comes with provenance: which pipeline built it, which packages it pulled in, and whether that build matches an attested, signed source — closing the exact gap that let SolarWinds, XZ Utils, and hundreds of thousands of malicious npm and PyPI packages slip past tools that only watch the cloud perimeter.

Concretely, Safeguard continuously monitors dependency and package behavior pre-merge, catching typosquatting and supply chain tampering before code ever reaches a build system, and generates cryptographically signed build attestations so security teams can prove — not just claim — that the artifact in production matches the source that was reviewed. For teams already running Prisma Cloud or another CNAPP for cloud posture and workload protection, Safeguard doesn't ask you to rip that out; it fills the upstream gap those platforms structurally can't reach, feeding provenance and build-integrity signal into the same risk picture so a compromised pipeline shows up as a data-risk event, not a blind spot. In a market where the average CNAPP customer adopts a fraction of the modules they bought, that focus is the point: fewer dashboards, deeper coverage of the part of the chain where the highest-impact incidents of the last five years actually originated.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.