General Dynamics Information Technology: Beyond DSPM Dashboards: Why Data Movement Remains an Underrated Risk

**The Critical Gap in Data Security: Governing Data in Motion**

Organizations have made significant progress in mapping their data landscapes, leveraging Data Security Posture Management (DSPM) tools to identify sensitive information, regulated records, and high-risk data concentrations. While visibility into data at rest has improved, a persistent blind spot remains: data in motion.

Once information leaves secure repositories—via email, file-sharing platforms, APIs, or web forms—governance often becomes fragmented. This disconnect stems from legacy architectures where storage and transmission systems evolved independently, each with distinct security models and workflows.

**The Core Challenge: Decentralized Movement and Fragmented Policies**

Three key factors exacerbate this gap:

  1. Decentralized Movement – Data flows through disparate channels (email, collaboration tools, automated workflows) without a unified control layer.
  2. System-Centric Policies – Organizations enforce separate rules for email, file transfers, and partner access, but sensitive data doesn’t adhere to these boundaries.
  3. Fractured Auditability – Tracking data movement requires piecing together logs from multiple systems, each with varying retention and detail levels.

**A Shift Toward Data-Centric Governance**

A promising solution lies in treating data labels as actionable policy signals. Traditionally, classification (via MIP labels, custom taxonomies, or DSPM insights) has been confined to storage systems. However, for labels to mitigate risk, they must travel with the data and influence decisions across transmission platforms.

Recent integrations, such as the collaboration between BigID and Kiteworks, exemplify this shift. By connecting DSPM-driven classification with enforcement frameworks spanning email, file transfers, APIs, and web forms, organizations can enforce consistent policies regardless of how data moves.

**Impact on Managed Security Service Providers (MSSPs)**

For MSSPs, this evolution presents opportunities to:

  • Transform assessments into continuous programs by leveraging classification-driven enforcement for ongoing policy orchestration.
  • Reduce policy sprawl by defining data-centric rules (e.g., "encryption required for external sharing of sensitive data") that apply uniformly across channels.
  • Enhance third-party oversight with controls that persist beyond enterprise boundaries, improving supply-chain security.
  • Accelerate incident response by providing immutable logs tied to data classifications, reducing investigation time and regulatory uncertainty.
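
The data-centric rule and classification-tied audit trail described above, as an added example that is not code from the article, BigID, or Kiteworks. The label names, domains and event fields are assumptions, and the hash-chained log is a tamper-evident stand-in for the "immutable logs" the article mentions.

```python
import hashlib
import json

# Hypothetical labels and domain; a real deployment maps its own taxonomy.
SENSITIVE_LABELS = {"regulated", "confidential"}
INTERNAL_DOMAINS = {"corp.example"}

def decide(event):
    """One data-centric rule; the channel field never enters the decision."""
    external = event["recipient_domain"] not in INTERNAL_DOMAINS
    label = event.get("label")
    if external and label is None:
        return "block"  # assumption: unlabelled outbound data fails closed
    if external and label in SENSITIVE_LABELS and not event["encrypted"]:
        return "require_encryption"
    return "allow"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""
    def __init__(self):
        self.entries = []
    def append(self, event, decision):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"event": event, "decision": decision, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("event", "decision", "prev")}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False  # entry edited, reordered, or removed
            prev = e["hash"]
        return True
    def by_label(self, label):
        return [e for e in self.entries if e["event"].get("label") == label]

# Constructed sample: the same regulated record leaving through four channels.
EVENTS = [{"channel": c, "label": "regulated", "recipient_domain": "partner.example",
           "encrypted": c == "file_transfer"} for c in ("email", "file_transfer", "api", "web_form")]
EVENTS.append({"channel": "email", "label": None, "recipient_domain": "partner.example", "encrypted": True})

def run(events):
    log = AuditLog()
    for ev in events:
        log.append(ev, decide(ev))
    return log
```

Because `decide` never reads the channel, the four constructed transfers are judged only on label, destination and encryption state, and `by_label` lets an investigator pull every movement of a given classification from one log.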

**Real-World Applications**

Connecting classification with enforcement addresses critical scenarios:

  • Outbound sharing of regulated data – Applying consistent controls (encryption, watermarking, or blocking) when sensitive data leaves via email or file-sharing.
  • Secure collaboration with partners – Retaining predictable controls for intellectual property, legal documents, or engineering files crossing organizational boundaries.
  • High-risk data intake – Routing web form submissions through governed channels to enforce access, encryption, and audit requirements.
  • Post-incident reconstruction – Using immutable logs to clarify data movement, reducing notification costs and regulatory friction.

**The Path Forward**

Data governance is transitioning from a system-centric model ("protect the repository") to a data-centric approach ("protect the information wherever it goes"). While DSPM has advanced visibility, the next phase involves integrating classification with enforcement across communication, transfer, and collaboration channels. The BigID-Kiteworks partnership reflects this broader industry trend, demonstrating how discovery and enforcement can work together to create a more coherent, auditable, and scalable approach to data movement governance.

Source: https://www.cybersecurity-insiders.com/beyond-dspm-dashboards-why-data-movement-remains-an-underrated-risk/

General Dynamics Information Technology cybersecurity rating report: https://www.rankiteo.com/company/gdit

"id": "GDI1765641604",
"linkid": "gdit",
"type": "Vulnerability",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': 'Organizations with fragmented data '
                                'governance'}],
 'data_breach': {'data_encryption': 'Recommended but not consistently applied',
                 'data_exfiltration': 'Potential via email, file sharing, or '
                                      'APIs',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Regulated data (e.g., '
                                              'financial, health records)',
                                              'Personal data',
                                              'Intellectual property',
                                              'Engineering files']},
 'description': 'Organizations face a structural gap in data governance where '
                'visibility into data at rest outpaces governance of data in '
                'motion. This blind spot arises from decentralized data '
                'movement systems, fragmented policies, and fractured '
                'auditability, leading to risks in email, file sharing, APIs, '
                'and web forms. The incident highlights the need for '
                'integrating data classification with enforcement frameworks '
                'to govern data movement consistently.',
 'impact': {'brand_reputation_impact': 'Potential erosion due to regulatory '
                                       'scrutiny or data breaches',
            'data_compromised': 'Sensitive, regulated, or personal/financial '
                                'data',
            'identity_theft_risk': 'Elevated due to exposure of personally '
                                   'identifiable information',
            'legal_liabilities': 'Increased risk of fines and legal actions '
                                 'due to non-compliance',
            'operational_impact': 'Increased risk of data breaches, regulatory '
                                  'violations, and incident response '
                                  'challenges',
            'payment_information_risk': 'Elevated due to exposure of financial '
                                        'data',
            'systems_affected': ['Email',
                                 'File sharing platforms',
                                 'Managed file transfer systems',
                                 'APIs',
                                 'Web forms']},
 'lessons_learned': ['Data governance must extend beyond storage to include '
                     'data in motion',
                     'Fragmented policies increase risk and complicate '
                     'compliance',
                     'Auditability of data movement is critical for incident '
                     'response and regulatory disclosures',
                     'Labels and classifications should be actionable signals '
                     'for enforcement'],
 'post_incident_analysis': {'corrective_actions': ['Unified data movement '
                                                   'governance',
                                                   'Consistent enforcement of '
                                                   'data-centric policies',
                                                   'Integration of '
                                                   'classification and '
                                                   'enforcement frameworks'],
                            'root_causes': ['Decentralized data movement '
                                            'systems',
                                            'Policies written for systems '
                                            'rather than information',
                                            'Fractured auditability across '
                                            'platforms']},
 'recommendations': ['Integrate DSPM insights with enforcement frameworks for '
                     'data movement',
                     'Define data-centric policies that apply consistently '
                     'across communication channels',
                     'Improve third-party oversight with persistent controls '
                     'beyond enterprise boundaries',
                     'Enhance incident response with immutable logs tied to '
                     'data classifications'],
 'references': [{'source': 'BigID and Kiteworks Integration'}],
 'regulatory_compliance': {'regulations_violated': ['Potential violations of '
                                                    'privacy regulations '
                                                    '(e.g., GDPR, CCPA, '
                                                    'HIPAA)']},
 'response': {'containment_measures': ['Connecting classification engines with '
                                       'transmission platforms',
                                       'Applying consistent controls across '
                                       'email, file transfer, APIs, and forms'],
              'enhanced_monitoring': 'Immutable logs tied to data '
                                     'classifications for post-incident '
                                     'reconstruction',
              'remediation_measures': ['Unified data-centric policies for data '
                                       'in motion',
                                       'Enhanced auditability of data movement',
                                       'Persistent controls beyond enterprise '
                                       'boundaries'],
              'third_party_assistance': 'Integration of DSPM tools (e.g., '
                                        'BigID) with enforcement frameworks '
                                        '(e.g., Kiteworks)'},
 'type': 'Data Governance Blind Spot',
 'vulnerability_exploited': ['Decentralized data movement systems',
                             'Fragmented policies for data in motion',
                             'Fractured auditability across communication '
                             'channels']}