National Cyber Warfare Foundation (NCWF)



Beyond File Servers: Securing Unstructured Data in the Era of AI


2026-03-13 09:41:48
milo
Blue Team (CND)


File servers still exist for legacy storage and governance, but most modern workflows now happen in collaboration tools, code platforms, chats, and AI systems.





File servers remain, but they are no longer central to operations.





They still appear important on paper: legacy project shares with strict permissions, legal drives with structured folders, and network areas where data loss prevention (DLP), classification, and governance controls have been refined over the years. These remain prominent in legacy consoles, which can be reassuring for those familiar with that environment.





However, current workflows have shifted elsewhere.





Product teams now work in shared documents, kanban boards, and temporary comment threads. Engineering focuses on code review platforms and build systems rather than traditional file servers. Sales and customer success teams exchange sensitive information through tickets, chats, and embedded panels. Increasingly, this information is also processed by AI assistants for summarization, translation, or drafting.





If your tools are designed to monitor files on servers or scan cloud storage for similar patterns, they may detect some activity, providing a sense of control. However, these tools still operate under the assumption that data exists solely as files in specific locations.





The business no longer operates this way.





Data security posture management (DSPM) was introduced to address this shift. Early products promised to scan cloud environments, identify sensitive data in object stores and SaaS platforms, and provide a comprehensive map. For teams used to discovering unexpected S3 buckets through breach reports and incidents, this was a welcome solution.





Initially, this approach was effective. Architects could identify critical data locations, compliance teams could incorporate these findings into risk assessments, and CISOs could confidently discuss coverage with audit committees.





However, DSPM began to conflate awareness with control, similar to previous file-centric DLP solutions.





This is evident in many deployments: scans are performed, issues are reported, and some high-profile remediation projects are initiated. However, the focus soon shifts, and operational challenges continue to arise from familiar sources.





This is not due to negligence; it reflects the limitations of a map-only approach. Knowing a cloud store contains sensitive data is helpful, but it does not address how users or AI systems interact with that data.





Both the traditional DSPM and file-centric models are effective at identifying data locations but lack insight into data activity.





Feedback from those closest to the issue highlights these weaknesses.





CISOs value having an inventory, but they are also responsible when incidents occur involving key accounts or critical projects. In these situations, knowing which stores are sensitive is insufficient; they need to determine whether a specific user, tool, or agent interacted with that data in a way that requires regulatory explanation.





Security architects also appreciate data maps, but they recognize that risk ratings across repositories do not identify which ones are most vulnerable to workflow issues. Static risk scores cannot differentiate between stable and dynamic risk environments.





Engineers are tasked with integrating DSPM findings, DLP rules, and inputs from EDR and IAM systems to create a unified solution. When these components are separate products, engineers often serve as the connectors, which becomes problematic if key personnel transition to other teams.





SOC analysts manage the resulting alerts, which often come in separate formats such as file-based actions and DSPM issues. They are expected to correlate these streams manually. When unusual activity occurs, the effectiveness of the response depends on timely cross-referencing of relevant data.





There is extensive mapping, but limited intervention.





A new approach is emerging among teams seeking more effective solutions.





In this approach, DSPM is not eliminated but repositioned. It serves as a valuable source of information about critical data locations, though it is no longer the central focus of data security.





The primary focus shifts to a more direct question:





“Given that we know which stores and datasets are most important, how do we monitor data activity and intervene appropriately without disrupting workflows?”





Addressing this requires two elements that previous models did not prioritize.





The first is continuous data lineage: maintaining a real-time record of how content from critical stores moves throughout the environment. This includes not only files, but also reports, exports, cached copies, chat messages, and AI prompts that originate from these sources.





The second is implementing controls that recognize data lineage. DLP and related policies should consider the origin of content, not just patterns and paths. For example, treating any data derived from a specific dataset as critical when it moves to certain destinations is a more precise approach than simply blocking content based on pattern recognition.
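The contrast drawn above between pattern-based blocking and lineage-aware policy, as an added example (not code from the original article or from any product). The event fields, store names, destination kinds and the SSN-style rule are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events: (source, derived artifact, destination kind, content)
EVENTS = [
    ("store:crm-accounts", "file:q3_export.csv", "endpoint", "acct 4471, SSN 123-45-6789"),
    ("file:q3_export.csv", "doc:renewal-notes", "collab_doc", "Top account is at churn risk"),
    ("doc:renewal-notes", "prompt:a91", "ai_prompt", "Summarize: top account is at churn risk"),
    ("store:public-wiki", "prompt:b07", "ai_prompt", "Rewrite the onboarding FAQ"),
]
CRITICAL_STORES = {"store:crm-accounts"}           # assumed: fed by the DSPM inventory
RESTRICTED_DESTS = {"ai_prompt", "external_chat"}  # assumed policy scope
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")         # stand-in for a pattern rule


def build_lineage(events):
    """Map each derived artifact to the artifacts it was derived from."""
    parents = defaultdict(set)
    for src, dst, _kind, _content in events:
        parents[dst].add(src)
    return parents


def origins(artifact, parents, seen=None):
    """Walk lineage edges back to root stores; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if artifact in seen:
        return set()
    seen.add(artifact)
    if not parents.get(artifact):
        return {artifact}
    return set().union(*(origins(p, parents, seen) for p in parents[artifact]))


def pattern_hits(events):
    """Content-only rule: restricted destination AND the pattern matches."""
    return [dst for _s, dst, kind, content in events
            if kind in RESTRICTED_DESTS and SSN.search(content)]


def lineage_hits(events):
    """Lineage-aware rule: restricted destination AND ancestry reaches a critical store."""
    parents = build_lineage(events)
    return [dst for _s, dst, kind, _c in events
            if kind in RESTRICTED_DESTS and origins(dst, parents) & CRITICAL_STORES]


if __name__ == "__main__":
    print("pattern-only:", pattern_hits(EVENTS), "| lineage-aware:", lineage_hits(EVENTS))
```

The paraphrased prompt carries no matching pattern, so the content-only rule reports nothing, while the lineage rule flags it because its ancestry reaches the critical store; the prompt derived from the public wiki is left alone.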





When DSPM, DLP, and data lineage are integrated within a single platform, the system can automatically adjust how high-risk data is managed across endpoints, browsers, collaboration tools, and AI workflows. Analysts benefit from built-in correlations, reducing manual effort.





When these capabilities exist in separate products that only exchange data through exports and webhooks, it increases complexity and workload for those responsible for maintaining system alignment.





This is not a criticism of any specific vendor. File-centric DLP and map-only DSPM were appropriate solutions for their time and addressed genuine industry needs.





However, industry requirements have evolved.





If your unstructured data security strategy continues to prioritize file servers or static cloud inventories, you will remain unprepared for incidents that occur outside the scope of these tools.





Alternatively, by using a DSPM that is integrated with DLP that uses data lineage, you gain the ability to detect and respond to potential data exfiltration before it is too late.





About the Author: Franklin Nguyen is a product marketing leader in AI and data security at Cyberhaven. With prior roles spanning Tenable, Zscaler, VMware, and IBM, he brings experience across cloud infrastructure, hyperscalers, and modern security platforms, helping organizations navigate the evolving challenges of protecting data in AI- and cloud-driven environments. Based in the San Francisco Bay Area, Franklin also leads the AI & Data Security Collective, a community of security leaders focused on advancing best practices, collaboration, and innovation in AI and data security.










Pierluigi Paganini





(SecurityAffairs – hacking, File Servers)



Source: SecurityAffairs
Source Link: https://securityaffairs.com/189368/security/beyond-file-servers-securing-unstructured-data-in-the-era-of-ai.html

