Compliance Insights: How to Stop Lateral Movement and Boost Authorization

Written by

John Natale

May 19, 2025

John Natale is the Global Content Marketing Manager for Akamai.

It’s up to your organization to identify and address any gaps that could lead to lateral movement, data breaches, and costly fines.

If lateral movement techniques are a cybersecurity mainstay, why do they keep showing up as a successful core tactic in high-profile data breaches that lead to regulatory fines?

You’ve likely seen the headlines, including the retailer that incurred fines after attackers moved from a vendor’s environment into the retailer’s own payment card network, or the financial services firm that was fined after a threat actor exploited a misconfigured firewall to traverse its network in search of sensitive data. Even as security teams demonstrate proficiency in decades-old cybersecurity categories like privileged access management and network security, lateral movement continues.

Regulators’ expectations

It’s no wonder that regulators are being clear in their expectations for limiting attackers’ options, with requirements like:

  • General Data Protection Regulation (GDPR): Article 32 — Implement technical and organizational measures to ensure a level of security appropriate to the risk, via controls such as network segmentation

  • Payment Card Industry Data Security Standard (PCI DSS) v4.0: Requirement 1 — Implement firewalls to protect cardholder data and ensure the firewalls are configured to restrict connections between trusted and untrusted networks

  • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 — Segregate information and data-processing facilities to protect the confidentiality, integrity, and availability of information

A wider — and deeper — attack surface

Today’s attack surface isn’t just wider; it’s deeper, and it comprises a series of complex layers that are byproducts of an enterprise’s rush to innovate. These include multiple cloud environments, rapidly appearing containers, thousands of APIs leading to data, and AI applications autonomously accessing and disseminating sensitive information.

All these layers come with vulnerabilities that give threat actors more opportunities to freely navigate a compromised network and gain unauthorized access to sensitive data and intellectual property. Without appropriate configurations and enforcement of least-privilege principles, these assets become vulnerable to credential theft and privilege escalation.

It’s up to your organization to identify and address any gaps that could lead to lateral movement, data breaches, and costly fines. Security practices like threat hunting and behavior analytics can detect unusual user behavior and potential attacks, and allow your company to stay ahead of advanced persistent threats.

A layered security mindset

In a previous blog post in our compliance series, we made the case for applying a layered security mindset to your process of assembling the controls and tools necessary for meeting regulatory demands. 

For instance, if your company is beholden to mandates that require risk assessments, your layered security mindset should ask: What capabilities can I add to demonstrate that, if one layer fails, another will step up? 

In this post, we’ll explore layers for identifying, containing, and preventing lateral movement attacks, while improving authentication and authorization controls.

Controlling and detecting lateral movement with comprehensive API security controls

The average IT estate did more than just expand its acreage; it built new additions, floors, and virtual connections to other organizations’ IT estates. It’s challenging for regulators to keep up with the resulting risks.

For example, the EU published an update to the Network and Information Security directive (NIS2) in January 2023 to expand on the original NIS2 mandate. Just two years later, rapid developments in AI have led to massive shifts in how companies do business, and in how malicious actors attack companies’ AI innovations.

New threats like LLM prompt injection and AI data exfiltration jeopardize the US$632 billion global investment in AI that IDC predicts will happen by 2028. The newest attack methods may not have chapters in updated regulations like NIS2, GDPR, or PCI DSS v4.0. But a breach is a breach, and regulators will fine enterprises for noncompliance.

Simplified attack plans target APIs

This is the case with API protection. Every time a customer, partner, or provider engages digitally with a business, there’s an API behind the scenes facilitating a rapid exchange of data. Cybercriminals who, in the past, would have orchestrated complex attack paths now understand they can simplify their game plans by targeting APIs.

For example, threat actors can exploit API endpoints that are vulnerable to Broken Object Level Authorization (BOLA) by manipulating object IDs in API requests: the endpoint authenticates the caller but never verifies that the requested object belongs to that caller. This vulnerability enables lateral movement in the network, so threat actors can bypass authorization, escalate privileges, and gain access to customer data.

BOLA is usually caused by business logic flaws, and many cases involve misconfigured authorization checks. Misconfigurations were the top-cited cause of API security incidents among the application security professionals surveyed in the 2024 API Security Impact Study.
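The following is an added illustration, not code from this post or from Akamai: a minimal order-lookup handler with the BOLA flaw described above, beside a hardened version that scopes the lookup to the caller, plus a small detection pass that counts cross-owner requests per caller, the kind of behavioral signal the best-practices list below refers to. The `Order` store, customer names, and request samples are constructed for the demo.

```python
"""BOLA: a vulnerable object lookup beside its hardened form, with a detector.

All data and function names here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total_cents: int


# Constructed sample data: two customers, three orders.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "alice", 1250),
    2001: Order(2001, "bob", 8800),
}


def get_order_vulnerable(caller: str, order_id: int) -> Optional[Order]:
    """BOLA: the caller is authenticated, but the object is never checked
    against them, so any valid ID returns any customer's order."""
    return ORDERS.get(order_id)


def get_order_hardened(caller: str, order_id: int) -> Optional[Order]:
    """Object-level authorization: the lookup is scoped to the caller.
    A foreign ID and a missing ID both yield None, so the response does not
    reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        return None
    return order


def is_cross_owner_request(caller: str, order_id: int) -> bool:
    """True when an authenticated caller asked for an object they do not own."""
    order = ORDERS.get(order_id)
    return order is not None and order.owner != caller


def count_cross_owner_requests(requests: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Detection pass over (caller, order_id) request records: per-caller count
    of cross-owner lookups, a baseline for spotting ID-manipulation patterns."""
    counts: Dict[str, int] = {}
    for caller, order_id in requests:
        if is_cross_owner_request(caller, order_id):
            counts[caller] = counts.get(caller, 0) + 1
    return counts


# Constructed request log: bob walks through alice's order IDs.
SAMPLE_REQUESTS = [("bob", 2001), ("bob", 1001), ("bob", 1002), ("alice", 1001)]
```

Running `count_cross_owner_requests(SAMPLE_REQUESTS)` on the constructed log yields `{"bob": 2}`, while the hardened handler returns nothing for those two requests.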

API security best practices

Here are some best practices for shoring up your API security posture to limit lateral movement, mitigate malicious activity, and remediate in-progress attacks with strong authorization.

  • Establish clear relationships among users and the resources they typically access; for example, setting behavioral baselines via machine learning algorithms that can detect anomalous access patterns

  • Implement runtime protection capabilities that can differentiate between normal and suspicious activities with APIs

  • Respond to suspicious behavior by integrating an API security solution with your existing stack; the solution should spot high-risk behavior and block suspicious traffic before it can access critical assets

These API security best practices are good for both cyber resilience and regulatory compliance, whether you’re protecting a business, a government agency, or a HIPAA-regulated healthcare organization.

Ensuring secure communication, access, and authorization across the network

As cybersecurity teams establish controls to meet newer regulations, it can be frustrating to realize that already-challenging security gaps can lead to noncompliance. For example, the Digital Operational Resilience Act (DORA) — which went into effect in January 2025 — explicitly requires securing information and communication technologies (ICTs) through strong network security controls. This applies not only to covered financial institutions, but also to the third parties they rely on for ICT systems and services.

The connection between a network’s visibility and an attacker’s mobility

We’ve discussed how DORA requires better visibility into risk. Now let’s explore the connection between improving network visibility and limiting attackers’ mobility. 

Specifically, DORA calls for adopting a risk-based approach to establishing sound network and infrastructure management, including automated capabilities that isolate affected assets during cyberattacks. DORA requires designing network connections that enable instant segmentation to prevent the spread of cyberthreats like ransomware attacks. 

Unfortunately, many security teams we speak with lack real-time visibility into network communication, so they miss the signals that indicate lateral movement by attackers who have breached the system, or that point to the spread of threats like malware. This is especially difficult in a complex IT estate that involves on-prem and cloud components.

Many cybersecurity teams have implemented a baseline of segmentation controls that divide the network into smaller, isolated segments. Each segment operates independently, and access among them is controlled. The goal: Reduce the attack surface and limit the spread of threats.

Microsegmentation shrinks the attack surface and limits the blast radius

We recommend taking this approach a step further with software-defined microsegmentation.

Microsegmentation allows cybersecurity teams to create even smaller, more granular segments within the network. Each microsegment can have its own security policies and access controls — like least privilege — for identifying, isolating, and mitigating malicious network traffic. 

For example, with the right microsegmentation tools, security teams can create policies that block, segment, and restrict how applications interact with one another and the system. Isolating assets within clear boundaries can help organizations:

  • Remediate vulnerabilities that can be weaponized by malware or compromised applications, which is a key threat identified by regulations like DORA

  • Reduce complexities in reporting to comply with regulations that require regular audits and documentation of security measures

Look for security tools that provide AI-recommended templates for remediating ransomware and other common use cases, with precise workload attributes like processes, users, and domain names. Combined with Zero Trust architecture, these security tools can help ensure stronger authorization and access controls — no matter what user account or asset is involved.

Conclusion

We believe that complying with data security regulations calls for an approach that’s not so different from how organizations implement layered security strategies to protect every layer of the attack surface. 

In this blog series, we’ve explored common compliance challenges and discussed best practices that are directly linked to what today’s regulators are demanding beyond traditional tactics like legacy network security tools. In the end, great security can lead to stronger compliance programs. Look for future posts that explore the connection between securing the enterprise and meeting regulatory requirements.

Learn more

Check out our cybersecurity compliance page to learn about four key areas of security that can greatly improve your ability to meet regulators’ requirements. You’ll also find insights on how Akamai helps organizations comply with mandates, and stories about how our customers strengthened their approaches and incident response strategy.
