The Critical Gap in Data Security: Governing Data in Motion Organizations have made significant progress in mapping their data landscapes, leveraging Data Security Posture Management (DSPM) tools to identify sensitive information, regulated records, and high-risk data concentrations. While visibility into data at rest has improved, a persistent blind spot remains: data in motion. Once information leaves secure repositories—via email, file-sharing platforms, APIs, or web forms—governance often becomes fragmented. This disconnect stems from legacy architectures where storage and transmission systems evolved independently, each with distinct security models and workflows. ### The Core Challenge: Decentralized Movement and Fragmented Policies Three key factors exacerbate this gap: 1. Decentralized Movement – Data flows through disparate channels (email, collaboration tools, automated workflows) without a unified control layer. 2. System-Centric Policies – Organizations enforce separate rules for email, file transfers, and partner access, but sensitive data doesn’t adhere to these boundaries. 3. Fractured Auditability – Tracking data movement requires piecing together logs from multiple systems, each with varying retention and detail levels. ### A Shift Toward Data-Centric Governance A promising solution lies in treating data labels as actionable policy signals. Traditionally, classification (via MIP labels, custom taxonomies, or DSPM insights) has been confined to storage systems. However, for labels to mitigate risk, they must travel with the data and influence decisions across transmission platforms. Recent integrations, such as the collaboration between BigID and Kiteworks, exemplify this shift. By connecting DSPM-driven classification with enforcement frameworks spanning email, file transfers, APIs, and web forms, organizations can enforce consistent policies regardless of how data moves. ### Impact on Managed Security Service Providers (MSSPs) For MSSPs, this evolution presents opportunities to: - Transform assessments into continuous programs by leveraging classification-driven enforcement for ongoing policy orchestration. - Reduce policy sprawl by defining data-centric rules (e.g., "encryption required for external sharing of sensitive data") that apply uniformly across channels. - Enhance third-party oversight with controls that persist beyond enterprise boundaries, improving supply-chain security. - Accelerate incident response by providing immutable logs tied to data classifications, reducing investigation time and regulatory uncertainty. ### Real-World Applications Connecting classification with enforcement addresses critical scenarios: - Outbound sharing of regulated data – Applying consistent controls (encryption, watermarking, or blocking) when sensitive data leaves via email or file-sharing. - Secure collaboration with partners – Retaining predictable controls for intellectual property, legal documents, or engineering files crossing organizational boundaries. - High-risk data intake – Routing web form submissions through governed channels to enforce access, encryption, and audit requirements. - Post-incident reconstruction – Using immutable logs to clarify data movement, reducing notification costs and regulatory friction. ### The Path Forward Data governance is transitioning from a system-centric model ("protect the repository") to a data-centric approach ("protect the information wherever it goes"). While DSPM has advanced visibility, the next phase involves integrating classification with enforcement across communication, transfer, and collaboration channels. The BigID-Kiteworks partnership reflects this broader industry trend, demonstrating how discovery and enforcement can work together to create a more coherent, auditable, and scalable approach to data movement governance.