Monitor your data security posture

This document describes the data security dashboard and how you can use it to monitor and analyze your data security posture.

If you're on the Security Command Center Standard tier, limited DSPM features are available.

The data security dashboard in the Google Cloud console lets you see how your organization's data aligns with your data security and compliance requirements.

The data map explorer on the data security dashboard shows the geographic locations where your data is stored and lets you filter information about your data by geographic location, how sensitive the data is, the associated project, and which Google Cloud services store the data. The circles on the data map represent the relative count of data resources and data resources with alerts in the region.

You can view data security findings, which occur when a data resource violates a data security cloud control. When a new finding is generated, it can take up to two hours for the finding to appear on the data map explorer.

You can also review information about the data security frameworks that are deployed, the number of open findings associated with each framework, and the percentage of resources in your environment covered by at least one framework.

(Preview) The dashboard also displays data security insights that you can use to proactively identify potential data risks. The insights are available only for resources that contain highly sensitive data. The resources must be scanned by Sensitive Data Protection, and the scan must be configured to publish results to Security Command Center.

The dashboard shows the following:

  • Users that most frequently access highly sensitive data: a table that highlights which users and service accounts most often access sensitive data. It features an AI-centric view that lets you filter for AI agents. By default, the table displays only AI agent activity if present. Otherwise, the table shows all principals. You can toggle the filter to view all access. The data shown is limited to Cloud Storage buckets, BigQuery tables, and Gemini Enterprise Agent Platform resources.
  • Instances of cross-border access (limited to Cloud Storage buckets, BigQuery tables, and Gemini Enterprise Agent Platform resources).
  • Instances where country-specific sensitive data is stored outside its associated region (applies to all Google Cloud resources).

The dashboard doesn't include security insights for the following:

Use the DSPM dashboard

Dashboard content and features depend on the Security Command Center tier. If you are on the Standard tier, see Data Security Posture Management in the Standard tier overview for the capabilities that are available to you in the dashboard.

See All risk dashboard for more information about the dashboard in the Security Command Center Premium and Enterprise tiers.

Complete the following actions to use the dashboard to analyze your data security posture.

  1. To get the permissions that you need to use the DSPM dashboard, ask your administrator to grant you the following IAM roles on your organization:

    For more information about granting roles, see Manage access to projects, folders, and organizations.

    You might also be able to get the required permissions through custom roles or other predefined roles.

  2. Use the DSPM dashboard for data discovery and risk analysis. When you enable DSPM, you can immediately assess how your environment aligns with the Data security and privacy essentials framework.

    In the Google Cloud console, go to the Data Security & Compliance page, and then select your Google Cloud organization. After you select an organization, you are redirected to the Data tab in the Risk overview dashboard.

    Go to the Risk Overview Dashboard

    Use this information to review and remediate findings so that your environment better aligns with your security and compliance requirements.

    When you view the dashboard from an organization level and you deploy applications in a folder configured for application management, you can select an application to filter the dashboard to show only the findings and insights that apply to the application. Consider the following scan latencies when reviewing the data:

    • The top findings panel might show outdated resource configuration data. For example, a finding's primary resource might be associated with an outdated application.
    • The application selector might not show the applications and resource registrations that were created within the last 24 hours.

    The data map explorer might take 24 hours after you activate Security Command Center to populate all the data from Security Command Center and Cloud Asset Inventory.

What's next