[Yandex Cloud documentation](../../index.md) > [Yandex Security Deck](../index.md) > [Concepts](index.md) > Data Security Posture Management (DSPM)

# Data Security Posture Management (DSPM)

{% note info %}

This feature is at the [Preview](../../overview/concepts/launch-stages.md) stage.

{% endnote %}

[Data Security Posture Management](https://center.yandex.cloud/security/dspm/), or DSPM, is a tool that helps you quickly detect sensitive information stored in Yandex Object Storage [buckets](../../storage/concepts/bucket.md) and Yandex 360 disks for timely action to protect it through [access policies](../../storage/concepts/policy.md), anonymization, etc.

## Data analysis {#discovery-mode}

{% note info %}

The data analysis feature is currently in [Preview](../../overview/concepts/launch-stages.md) and provided free of charge.

Upon General Availability, data analysis will be billed independently of data source [scans](dspm.md#scanning).

{% endnote %}

A key feature of DSPM is automatic analysis of all data stored in buckets within a given environment. The [analysis](../operations/dspm/discovery-mode.md) starts as soon as an environment is created and scans all bucket data.

These insights help you more accurately identify which resources may contain sensitive data and provide you with a data source for your next detailed scanning. Identifying sensitive data this way takes less time than scanning a manually created data source.

## Scanning for sensitive information {#scanning}

DSPM scans _data sources_ for sensitive information in buckets. You can run a scan once or on a schedule.

To run scans for sensitive information, use a [service account](../../iam/concepts/users/service-accounts.md).

To [create a scan](../operations/dspm/create-scan.md), the user must have the `dspm.editor` [role](../security/dspm-roles.md#dspm-editor) for the folder [specified](../quickstart-overview.md#configure-sd) in the Security Deck settings as the default storage as well as the `iam.serviceAccounts.user` [role](../../iam/security/index.md#iam-serviceAccounts-user) for the service account that will run the scan.

{% note warning %}

To run the scan, make sure the service account is [assigned](../../iam/operations/sa/assign-role-for-sa.md) the `dspm.worker` [role](../security/dspm-roles.md#dspm-worker) for all buckets you want to scan. If the buckets are [encrypted](../../storage/concepts/encryption.md), your service account also needs the `kms.keys.decrypter` [role](../../kms/security/index.md#kms-keys-decrypter) for the relevant Yandex Key Management Service [encryption keys](../../kms/concepts/key.md).

{% endnote %}

Before you start scanning, select a data source and specify the _data categories_ to search for.

### Data source {#data-source}

A data source contains settings and information about the _resources_ to scan:

* Object Storage buckets
* Yandex Cloud [folders](../../resource-manager/concepts/resources-hierarchy.md#folder)
* Yandex Cloud [clouds](../../resource-manager/concepts/resources-hierarchy.md#cloud)
* Shared Yandex 360 [disks](https://yandex.com/support/yandex-360/business/disk/web/en/share/shared-disks)
* Shared Yandex 360 [folders](https://yandex.com/support/yandex-360/business/disk/web/en/share/shared-folders)

When you add folders and clouds to a data source, all buckets of the selected types in your selected clouds and/or folders will be scanned. This includes both the existing buckets and any other buckets added to these clouds and folders by the time of the scan.

You can set the following scan scopes for a data source:

* `All files`: To scan all files saved in the buckets.
* `DOC / TXT`: To scan `.doc`, `.docx`, and `.txt` text files.
* `XLS / CSV`: To scan `.xls`, `.xlsx`, and `.csv` spreadsheet files.
* `PPT`: To scan `.ppt` and `.pptx` presentation files.
* `PDF`: To scan `.pdf` document files.
* `HTML / XML`: To scan `.html` and `.xml` files.
* `Images`: To scan `.jpg`, `.jpeg`, `.png`, `.gif`, `.webp`, and `.svg` image files.
* `Custom filter`: To scan all files whose names do or do not match the specified patterns:

    * **The file name contains**: To scan files whose names match the specified pattern.
    * **The file name does not contain**: To ignore files whose names match the specified pattern.

    Specify the patterns using the [RE2](https://github.com/google/re2/wiki/Syntax) [regular expression](https://en.wikipedia.org/wiki/Regular_expression) syntax. You can specify patterns in both fields, in which case the scan will use the `AND` logic to select files.

You can select multiple filters at the same time; the system will use the `OR` logic to apply them.

You can add multiple buckets, folders, and/or clouds as well as create multiple resource groups with different scan scope settings in a single data source at once. You can also add a bucket to multiple data sources with different scan scope settings at the same time.

### Data categories {#data-categories}

When creating a new scan, you can select data categories separately for text and images.

You can select all the available categories at once or any combination of them.

Data categories available for scanning:

* **In text**:
  * `Personal data`: Full names, email addresses, phone numbers, and social security numbers (SNILS).
  * `Financial data`: Bank card details.
  * `Secrets`: Cloud access keys, passwords, tokens, SSH keys, etc.
* **On images**:
  * `Personal data`: Full names, email addresses, phone numbers, and social security numbers (SNILS).
  * `Financial data`: Bank card details.
  * `Medical data`: Data from medical documents and images.
  * `Other`: Data from personal documents, including military IDs, pensioner IDs, academic certificates, etc.

To create data sources, set up and run scans, and view scan results, the user must have the appropriate [roles](../security/index.md).

#### Useful links {#see-also}

* [Creating a DSPM data source](../operations/dspm/create-data-source.md)
* [Creating a DSPM scan](../operations/dspm/create-scan.md)