To Meet Compliance Challenges, Focus on Building Great Security
Compliance. The word alone can send corporate risk managers scrambling for their antacid tablets. Unfortunately, the regulatory landscape is only getting more complex each year, especially as organizations grapple with new and often conflicting requirements around data privacy and security. Checking the boxes to pass the next cybersecurity compliance audit can become an all-consuming project.
Audit pass, but security fail?
One potential downside of a traditional checking-the-boxes approach to cybersecurity compliance, however, is that it can create a false sense of enterprise security. In my discussions with corporate security leaders, I frequently hear the same lament: They passed their compliance audit for a particular cybersecurity regulation with a great score … only to then fall victim to a data breach.
The simple fact is that many vulnerabilities lie outside the scope of compliance regulations and audit checklists. After all, most regulations are a response to past security incidents — but new cyberthreats and vulnerabilities are constantly emerging.
With so many regulations by country or region, for specific industries, and for different data types, how can you create a cybersecurity compliance strategy that covers all your bases?
Flip the compliance script
It’s time to flip the script from focusing on compliance to stay secure to focusing on great security to stay compliant. By taking a holistic approach and focusing on great security, compliance always stays in the picture.
By creating a strong and agile security foundation, organizations can position themselves to defend against current and emerging cyberthreats, which will naturally lead to a strong compliance posture.
The 4 pillars of a strong security foundation
At Akamai, we believe great security means building a strong security foundation that positions organizations to defend against current and emerging cyberthreats and that also naturally builds a strong compliance posture. That foundation is based on four key pillars: provide comprehensive visibility, prevent lateral movement, prevent unauthorized access, and protect sensitive information.
Provide comprehensive visibility
Failure to properly identify data assets across your entire IT estate increases the risk of data breaches — and the risk of noncompliance. You need to understand what kind of data you have, where it is, who has access to it, and how it's protected.
Creating this context requires a comprehensive effort to discover and inventory both physical and digital assets. Since APIs and web application scripts are common areas of vulnerability, it is critical to inventory and evaluate them — both in development and in the production environment.
In addition to providing valuable insight into potential vulnerabilities, achieving this level of visibility also simplifies and speeds compliance auditing and reporting.
Prevent lateral movement
Given the constantly changing strategies employed by attackers, it’s nearly impossible to completely eliminate the risk of access to your environment. If they do get in, preventing lateral movement reduces the blast radius of malware and greatly reduces recovery time from an attack. Limiting attackers’ ability to move across your network, applications, and APIs is the key to mitigating risk.
Understanding workflows and data paths enables you to implement effective microsegmentation policies to isolate sensitive data, apps, and workloads. With secure communication, access, and authorization between systems in place, you not only prevent data leaks but enable compliance with regulations focused on protecting sensitive data. Moreover, continuously monitoring and auditing API traffic and segmented zones enables you to spot suspicious behavior in time to stop it and reduce the risk.
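The microsegmentation idea above, as an added example that is not Akamai's code or part of the original post: a default-deny policy where only the paths the workflow needs (web to app, app to db) are allowed, evaluated over constructed flow records. The zones, addresses, ports, and flows are all assumptions made up for the example; denied flows are the ones a monitoring pipeline would alert on.

```python
"""Default-deny microsegmentation policy evaluated over constructed flow records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones (hypothetical address plan): each tier of the workload gets its own segment.
ZONES = {
    "web": ip_network("10.1.0.0/24"),
    "app": ip_network("10.2.0.0/24"),
    "db": ip_network("10.3.0.0/24"),
    "corp": ip_network("10.9.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


# Allowlist derived from the workflow: web -> app over HTTPS, app -> db over PostgreSQL.
# Anything not listed (db -> app, corp -> db, web -> db, SSH between tiers) is denied by default.
ALLOW = frozenset({
    Rule("web", "app", "tcp", 8443),
    Rule("app", "db", "tcp", 5432),
})


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its segment, or None if it is outside every inventoried zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: dict) -> str:
    """Return 'allow' or 'deny' for one flow {src, dst, proto, dport}."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src is None or dst is None:
        return "deny"  # unknown address: not part of any inventoried segment
    rule = Rule(src, dst, flow["proto"], flow["dport"])
    return "allow" if rule in ALLOW else "deny"


def audit(flows):
    """Evaluate a batch of flows and return the denied ones; these are the events to alert on."""
    return [f for f in flows if evaluate(f) == "deny"]


# Constructed sample flows (not real traffic).
FLOWS = [
    {"src": "10.1.0.5", "dst": "10.2.0.7", "proto": "tcp", "dport": 8443},    # web -> app: allowed
    {"src": "10.2.0.7", "dst": "10.3.0.9", "proto": "tcp", "dport": 5432},    # app -> db: allowed
    {"src": "10.1.0.5", "dst": "10.3.0.9", "proto": "tcp", "dport": 5432},    # web -> db skips the app tier: denied
    {"src": "10.9.0.12", "dst": "10.3.0.9", "proto": "tcp", "dport": 5432},   # corp -> db directly: denied
    {"src": "10.2.0.7", "dst": "10.3.0.9", "proto": "tcp", "dport": 22},      # app -> db over SSH: denied
    {"src": "192.0.2.44", "dst": "10.2.0.7", "proto": "tcp", "dport": 8443},  # unknown source: denied
]

if __name__ == "__main__":
    for f in FLOWS:
        print(evaluate(f), f)
```

The policy is keyed on zones rather than individual hosts, so the allowlist stays short and readable as workloads scale, and the audit output is the list of cross-segment attempts worth investigating.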
Prevent unauthorized access
Preventing unauthorized access to critical systems and data is a major focus of data breach prevention, as well as cybersecurity compliance. Preventing unauthorized access requires implementing granular access security controls and policies based on the least-privilege access model inherent in a comprehensive Zero Trust approach. Strong authorization and authentication processes help ensure that verified users have access only to the data they need to perform their function. That goes for both applications and APIs.
Protect sensitive information
Exfiltration of sensitive data is a major concern for both security and regulatory compliance. Ineffective protection of your web applications can put business-critical data, personally identifiable information, and customer account information at risk of loss, leakage, compromise, or abuse. That can lead to costly incidents — including penalties for noncompliance.
Protecting sensitive data involves securing all network traffic, applications, and APIs. That means monitoring and securing both east-west and north-south traffic. Defining normal API behavior will enable you to quickly spot abnormal behavior and anomalies that could indicate a cyberattack.
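One concrete form of "defining normal API behavior", as an added example that is not Akamai's code or part of the original post: build a per-endpoint baseline from a window of access logs (largest response seen, highest request count per client), then flag later traffic that deviates from it. The log format, endpoints, client addresses, and thresholds are assumptions constructed for the example; the flagged cases are an unseen method on an endpoint, a response far larger than anything in the baseline, and one client hitting an endpoint far more often than any baseline client did.

```python
"""Baseline normal API behaviour from access logs, then flag deviations from it."""
import re
from collections import Counter, defaultdict

# Constructed access-log format (hypothetical): ts client "METHOD path" status bytes
LOG_RE = re.compile(
    r'(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

SIZE_FACTOR = 3   # flag a response larger than 3x the baseline max for that endpoint
BURST_FACTOR = 3  # flag a client exceeding 3x the baseline max requests per client on an endpoint


def parse(line):
    """Parse one log line; numeric path segments collapse so /accounts/1001 and /accounts/1002 share an endpoint."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["endpoint"] = (rec["method"], re.sub(r"/\d+", "/{id}", rec["path"]))
    return rec


def build_baseline(lines):
    """Per endpoint: largest response observed and highest request count from any single client."""
    recs = [parse(l) for l in lines]
    max_bytes = defaultdict(int)
    per_client = Counter()
    for r in recs:
        max_bytes[r["endpoint"]] = max(max_bytes[r["endpoint"]], r["bytes"])
        per_client[(r["client"], r["endpoint"])] += 1
    max_rate = defaultdict(int)
    for (_client, ep), n in per_client.items():
        max_rate[ep] = max(max_rate[ep], n)
    return {"max_bytes": dict(max_bytes), "max_rate": dict(max_rate)}


def detect(baseline, lines):
    """Return a list of findings for traffic that falls outside the baseline."""
    findings = []
    recs = [parse(l) for l in lines]
    for r in recs:
        ep = r["endpoint"]
        if ep not in baseline["max_bytes"]:
            findings.append({"kind": "unknown_endpoint", "client": r["client"], "endpoint": ep})
            continue
        if r["bytes"] > SIZE_FACTOR * baseline["max_bytes"][ep]:
            findings.append({"kind": "oversized_response", "client": r["client"],
                             "endpoint": ep, "bytes": r["bytes"]})
    counts = Counter((r["client"], r["endpoint"]) for r in recs)
    for (client, ep), n in counts.items():
        if ep in baseline["max_rate"] and n > BURST_FACTOR * baseline["max_rate"][ep]:
            findings.append({"kind": "request_burst", "client": client, "endpoint": ep, "count": n})
    return findings


# Constructed baseline window: ordinary account lookups and transfers (not real traffic).
BASELINE_LOGS = [
    '2024-05-01T10:00:01Z 198.51.100.10 "GET /api/v1/accounts/1001" 200 812',
    '2024-05-01T10:00:04Z 198.51.100.10 "GET /api/v1/accounts/1001/transactions" 200 2310',
    '2024-05-01T10:00:09Z 198.51.100.11 "GET /api/v1/accounts/1002" 200 790',
    '2024-05-01T10:00:15Z 198.51.100.11 "POST /api/v1/accounts/1002/transfers" 201 140',
    '2024-05-01T10:00:22Z 198.51.100.12 "GET /api/v1/accounts/1003" 200 845',
    '2024-05-01T10:00:30Z 198.51.100.12 "GET /api/v1/accounts/1003/transactions" 200 1980',
    '2024-05-01T10:00:41Z 198.51.100.13 "GET /api/v1/accounts/1004" 200 801',
    '2024-05-01T10:00:50Z 198.51.100.13 "POST /api/v1/accounts/1004/transfers" 201 138',
]

# Constructed later window: one client walks account ids, one response is far oversized,
# and a method never seen in the baseline appears.
NEW_LOGS = [
    '2024-05-01T11:00:01Z 198.51.100.10 "GET /api/v1/accounts/1001" 200 820',
    '2024-05-01T11:00:02Z 203.0.113.50 "GET /api/v1/accounts/1001" 200 815',
    '2024-05-01T11:00:02Z 203.0.113.50 "GET /api/v1/accounts/1002" 200 790',
    '2024-05-01T11:00:03Z 203.0.113.50 "GET /api/v1/accounts/1003" 200 845',
    '2024-05-01T11:00:03Z 203.0.113.50 "GET /api/v1/accounts/1004" 200 801',
    '2024-05-01T11:00:04Z 203.0.113.50 "GET /api/v1/accounts/1005" 200 799',
    '2024-05-01T11:00:10Z 198.51.100.11 "GET /api/v1/accounts/1002/transactions" 200 48900',
    '2024-05-01T11:00:12Z 198.51.100.12 "DELETE /api/v1/accounts/1003" 403 95',
]

if __name__ == "__main__":
    for finding in detect(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(finding)
```

The baseline is deliberately simple (maxima rather than distributions) so the thresholds are explainable to an auditor; in production the same structure would be fed from a longer window and the factors tuned per endpoint.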
The power of a holistic approach
This holistic approach to building a strong security foundation on four key pillars helps position you to defend against the OWASP Security Top 10 and the OWASP API Security Top 10 and also strengthens your compliance posture.
It’s important to remember that regulations are usually crafted to address a narrow and specific issue, often for a particular industry, region, data type, or process. But attackers don’t conform to those constraints. Focusing too much on meeting compliance regulations can be like putting blinders on, limiting your ability to see the bigger picture.
By taking a holistic approach that encompasses those four pillars of security, organizations can create a cybersecurity framework for countering threats systemically. This improved security posture positions them to meet the constantly changing threat landscape as well as the continually evolving regulatory environment.
The solution can be simple
The compliance challenge is complex — the solution doesn’t have to be. Akamai can help you create a solid security foundation that eases compliance at the same time.
Interested in our approach? Check out our video and resources to learn how you can be compliant and secure.