Bolster Your Regulatory Compliance with Layered Security Measures

John Natale

Written by

John Natale

May 02, 2025

John Natale is the Global Content Marketing Manager for Akamai.

Regulators want proof that you're doing everything you can to prevent attackers from harming data and infrastructure.

If your day job includes securing the enterprise against cyberthreats, you likely also have a side gig: regulatory compliance. More than 130 countries have enacted data privacy laws, and 156 countries (80% of the world) have enacted cybercrime legislation.

What’s more, each privacy regulation has its own requirements and mandates for:

  • Performing risk assessments
  • Demonstrating security policies and plans
  • Reporting for audits (and, when needed, reporting data breaches)

Many CISOs are applying their teams’ limited time toward compliance efforts aligned with security mainstays. Take the EU’s Network and Information Security Directive 2 (NIS2) regulation, for example. Service providers in EU countries are implementing “least privilege” access controls to meet NIS2’s requirements for protecting sensitive data.

Common practices include keeping privileged IT users’ credentials stored in vaults and compiling reports for regulators on who has access to what resources. You’ll see a similar focus in industries such as healthcare, in which organizations that handle U.S. citizens’ protected health information (PHI) must safeguard patient records in accordance with the Health Insurance Portability and Accountability Act (HIPAA).

Focusing on common security practices is good for data protection and, therefore, good for data compliance regulations. But guarding the doors and hiding the keys only covers some layers of the attack surface. 

To dig deeper, you’ll need to know how the organization is protecting the resources themselves in the all-too-likely event that an attacker identifies a vulnerability and gets in. And if we’re “assuming breach,” is the organization doing everything it can to limit attackers’ mobility, so they can’t engage in lateral movement, escalate privileges, and do serious damage?

In this blog post series, we’ll talk about the layers of the attack surface that today’s regulators need to see that you’re protecting — and we’ll offer best practices for getting the job done.

How mapping to a security principle can improve compliance

Industry experts recommend mapping an enterprise’s compliance efforts to a set of trusted security guidelines from organizations like the National Institute of Standards and Technology (NIST framework) or the International Organization for Standardization (ISO standards). This provides a practical way to:

  • Adopt best practices from well-regarded agencies and gain trust
  • Align compliance efforts to a variety of regulations and gain efficiency 

However, as attack surfaces — and the regulations — evolve, we should ask: Why not also map your organization’s data compliance efforts to a longstanding cybersecurity principle? Some might call this defense-in-depth, but we think of it as layered security. Either way, this principle of a layered security approach is well understood.

Relying on a layered approach

Instead of relying heavily on one type of security tool or control, you can create multiple security layers that combine into a series of interconnected obstacles, traps, and attacker-unfriendly surprises — all designed to thwart threat actors by limiting their options, access, and visibility. Through a layered approach, security controls intended for specific risks can complement one another’s strengths. If one security control fails, another stands behind it, ready to act. If another one picks up an attack signal, its counterpart can act on the insights and block a threat actor’s movement. If one tool protects human access, the other secures non-human access and, well, you get the idea.

Organizations can apply this approach to compliance. Regulators want proof that you're doing everything you can to prevent attackers from harming data and infrastructure. This includes attacks that publish the personal information of millions of consumers or disrupt operations for critical infrastructure fields, such as water treatment plants.

The stakes are high: regulatory noncompliance boosted the average cost of a data breach from US$4.88 million to nearly US$5.12 million in 2024.

From demonstrating more comprehensive plans to shoring up your reporting capabilities, let’s explore some common gaps and how to address them.

Key examples of layered security applied to compliance standards

Many organizations have made gains in securing their IT users’ credentials that, in the wrong hands, could give attackers control over networks and access to sensitive data. From Payment Card Industry Data Security Standard (PCI-DSS v4.0) to General Data Protection Regulation (GDPR), regulators expect strong privileged access capabilities. 

However, it also helps to have controls for isolating data into segments and securing each one, where each type of data is protected with authorization controls tailored to its unique attributes; this includes data sensitivity and region-specific regulatory requirements.

When the network is divided into smaller, isolated segments — each with its own information security policies — security teams acquire more precise control over data access and lateral movement. 

With the right microsegmentation tools in place, this granular approach:

  • Reduces the attack surface
  • Limits the potential damage in the event of a breach or ransomware attack 
  • Gives security teams the ability to demonstrate how they’re protecting data, systems, and operations — both in their overall plans and in recurring audits
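One way to make the segment-level policies described above concrete, as an added illustration (not Akamai's code or any product's policy format): each segment carries a data sensitivity and a region, inbound traffic is denied unless a segment's own allow-list names the source and port, regulated data is reachable only from the same region, and every decision is recorded as audit evidence. Segment names, ports and flows are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed example: each segment carries the attributes the post mentions
# (data sensitivity, region) and its own inbound allow-list, so the tiers are
# isolated by default rather than by a single perimeter.
@dataclass
class Segment:
    name: str
    sensitivity: str                      # "public", "internal", "pci", "phi"
    region: str                           # data-residency scope: "us" or "eu"
    allow_inbound: dict = field(default_factory=dict)  # {src_segment: {ports}}

REGULATED = {"pci", "phi"}                # sensitivities holding regulated data

SEGMENTS = {s.name: s for s in [
    Segment("web-us", "public", "us"),
    Segment("app-us", "internal", "us", {"web-us": {8443}}),
    Segment("db-pci-us", "pci", "us", {"app-us": {5432}}),
    Segment("app-eu", "internal", "eu", {"web-us": {8443}}),
    Segment("db-phi-eu", "phi", "eu", {"app-eu": {5432}}),
]}

def evaluate(src: str, dst: str, port: int) -> tuple[str, str]:
    """Decide one flow; returns (decision, reason) for the audit trail."""
    if src not in SEGMENTS or dst not in SEGMENTS:
        return "deny", "unknown segment"          # nothing implicit is trusted
    d = SEGMENTS[dst]
    if d.sensitivity in REGULATED and SEGMENTS[src].region != d.region:
        return "deny", f"residency: {d.region}-only data"
    if port in d.allow_inbound.get(src, set()):
        return "allow", f"policy {src}->{dst}:{port}"
    return "deny", "default deny"                 # no matching rule: isolate

def audit_report(flows: list) -> list:
    """Evidence for auditors: every flow, its decision, and the controlling rule."""
    return [{"src": s, "dst": d, "port": p, "decision": dec, "reason": why}
            for s, d, p in flows for dec, why in [evaluate(s, d, p)]]

if __name__ == "__main__":
    # Constructed flows: the normal request path, then two lateral-movement
    # attempts from a compromised web host straight into regulated data tiers.
    sample = [("web-us", "app-us", 8443), ("app-us", "db-pci-us", 5432),
              ("web-us", "db-pci-us", 5432), ("app-us", "db-phi-eu", 5432)]
    for row in audit_report(sample):
        print(row)
```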

How else can security teams apply layered security thinking to regulatory compliance? Let’s look at the always essential role of data protection.

Addressing API security requirements

According to the 2025 Verizon Data Breach Investigations Report (DBIR), 60% of breaches stem from the “human element” (think employees falling for phishing schemes that lead to data theft). So, naturally, companies implement identity and access management controls to prevent costly fines and reputational damage. Many regulators and frameworks insist upon it.

Your organization may be able to show regulators how you’re reducing reliance on passwords, and enforcing two-factor authentication methods for users. But what about the non-human element? 

In a single enterprise, potentially thousands of application programming interfaces (APIs) work behind the scenes to rapidly exchange data. Attackers know that APIs are often misconfigured, lack authentication controls, and are easy to manipulate into returning sensitive information. 

Indeed, 84% of organizations experienced an API security incident in the past 12 months — with IT and security leaders citing an average cost of US$943,162.

By applying a layered security approach to compliance requirements, a security team can complement its workforce access controls with tools for monitoring and securing its API estate. This includes API security posture management capabilities for:

  • Analyzing an API’s behavior for anomalies against a benchmark of standard activity

  • Identifying malicious activity in real time, and alerting other tools in the mix to apply controls like blocking unauthorized access

  • Providing a continuous view of potential API security incidents mapped to the compliance frameworks that you follow
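The three capabilities above, as an added worked example that is not Akamai's code: a per-route baseline of "standard activity" (whether a caller identity is required, typical records per response, typical calls per client per window) is compared against one window of constructed JSON-per-line API events, and each finding is tagged with a framework label. The baseline values, event format and framework mapping are assumptions for illustration; a real baseline is learned from traffic history and mapped to specific requirements.

```python
import json
from collections import Counter

# Constructed baseline of "standard activity" per route (assumed values).
BASELINE = {
    "/v1/customers":      {"auth": True,  "records": 20, "calls_per_client": 30},
    "/v1/customers/{id}": {"auth": True,  "records": 1,  "calls_per_client": 60},
    "/v1/health":         {"auth": False, "records": 1,  "calls_per_client": 120},
}
# Assumed, illustrative mapping of finding types to frameworks the post names;
# requirement numbers are intentionally omitted (placeholder mapping only).
FRAMEWORK_TAG = {"missing_auth": "PCI DSS / GDPR",
                 "bulk_exposure": "GDPR / HIPAA",
                 "rate_anomaly": "NIS2"}

def finding(kind, route, client, detail):
    return {"type": kind, "route": route, "client": client,
            "detail": detail, "framework": FRAMEWORK_TAG[kind]}

def detect(log_lines, ratio=3):
    """Score one window of JSON-per-line API events against BASELINE."""
    findings, calls = [], Counter()
    for line in log_lines:
        ev = json.loads(line)
        route, client = ev["route"], ev["client"]
        base = BASELINE.get(route)
        if base is None:                    # route nobody baselined: skip here
            continue
        calls[(client, route)] += 1
        if base["auth"] and not ev.get("principal"):    # missing auth control
            findings.append(finding("missing_auth", route, client, "no principal"))
        if ev["records"] > base["records"] * ratio:     # oversized data return
            findings.append(finding("bulk_exposure", route, client,
                                    f"{ev['records']} records vs ~{base['records']}"))
    for (client, route), n in calls.items():            # per-client rate spike
        limit = BASELINE[route]["calls_per_client"] * ratio
        if n > limit:
            findings.append(finding("rate_anomaly", route, client, f"{n} calls > {limit}"))
    return findings

# Constructed sample window: one normal call, one unauthenticated bulk read,
# and one client enumerating individual records far above its baseline.
SAMPLE = [
    json.dumps({"client": "c1", "route": "/v1/customers/{id}", "principal": "svc-web", "records": 1}),
    json.dumps({"client": "c2", "route": "/v1/customers", "principal": None, "records": 500}),
] + [json.dumps({"client": "c4", "route": "/v1/customers/{id}", "principal": "svc-web",
                 "records": 1}) for _ in range(200)]

if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f)
```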

Data security compliance best practices: Covering four key security layers

Look for future blog posts in this series, in which we’ll explore ways that enterprise security teams can address compliance gaps and challenges. We believe that complying with data protection laws calls for a strategic approach that’s not so different from the way organizations implement layered strategies to protect every area of the attack surface. 

We’ll cover best practices that are directly linked to what today’s regulators are demanding, including gaining comprehensive visibility across the IT estate.

Learn more

Learn more about how Akamai can help you by visiting our cybersecurity compliance page.
