Automation Helps Meet Regulatory Requirements for Privileged Accounts

Privileged account security has become a focal point of many government and industry regulations. Take, for example, the latest version of the Payment Card Industry Data Security Standard (PCI-DSS), which mandates security practices and controls that must be implemented by organizations that store, process, or transmit payment card data. PCI-DSS 3.2 requires that organizations change vendor-default passwords for privileged accounts, limit access to payment card data on a need-to-know basis, and monitor and log all access to systems within the PCI-DSS scope. HIPAA, Sarbanes-Oxley, and other regulations have similar requirements.

Regulators are right to be concerned about the security of privileged accounts. If compromised, they could give attackers free rein to infiltrate an organization’s IT infrastructure. According to security firm CyberArk, 80 percent of targeted attacks exploit privileged accounts.

However, many organizations don’t follow best practices when it comes to securing privileged accounts. They use default user IDs and don’t change default passwords, making it easy for hackers to crack privileged account credentials. They allow multiple administrators to share the same credentials, making it impossible to track access at the individual level. Regulators are cracking down on these deficiencies and beefing up fines and penalties for noncompliance.

But simply following government and industry regulations is not enough. Organizations must also prove they’re compliant. How are privileged identities assigned, approved, and reviewed? What is the process for changing passwords? Who is accessing privileged accounts, and when? What specifically are those individuals doing while using those accounts? Auditors must be able to produce accurate reports showing that these activities comply with regulatory requirements.

That’s a tall order given the number of identities, systems, and applications in a typical enterprise. A large corporation could have thousands of privileged user sessions running on its IT infrastructure each day. With enormous amounts of security data and privileged session recordings to sift through, it becomes nearly impossible for audit and compliance teams to manually identify risky or suspicious activity. To meet audit and compliance requirements in a non-automated environment, dozens of full-time auditors must focus exclusively on the task of manually reviewing a certain percentage of all privileged session activity. Automated solutions, however, can significantly ease those manpower requirements.

While a number of solutions are available for automating privileged account management, we believe that CyberArk’s Privileged Account Security Solution can help organizations meet increasingly stringent regulatory requirements. CyberArk provides a suite of tools for improving privileged account security, including Enterprise Password Vault, SSH Key Manager, Privileged Session Manager, and Privileged Threat Analytics. These tools are based on a Shared Technology Platform with a policy-based engine that improves security, reliability, and scalability.

To make the CyberArk Privileged Account Security Solution even more effective, CyberArk recently announced enhancements that deliver a new level of automation for compliance and audit teams. The solution applies risk scores to live and recorded sessions based on customer-defined policies, empowering auditors to prioritize privileged account activity for review. This enables auditors to work more efficiently and reduce IT audit costs. It also helps them create a consistent approach for examining the risks associated with privileged account activity, delivering greater value to the business.
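To make the policy-based risk scoring idea concrete, the following is an added illustration, not CyberArk's code and not a model of its products: a small scorer that applies customer-defined rules (PCI-scoped hosts, vendor-default account names, off-hours use, sensitive commands, and credentials shared by more than one person) to privileged session records and ranks them for review. All session records, host and account names, thresholds, and point weights are constructed for the example.

```python
"""Policy-based risk scoring of privileged session records (added example).

Not CyberArk's code; the rules, weights, hosts, accounts and sessions are
assumptions constructed for illustration. The point is the shape of the
approach: each policy rule contributes points with a reason, sessions are
ranked by total score, and auditors review the top of the list first.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Session:
    session_id: str
    user: str               # individual who used the account
    account: str            # privileged account used (root, sa, ...)
    host: str
    start: datetime
    commands: List[str] = field(default_factory=list)


# Customer-defined policy (assumed values).
POLICY = {
    "pci_hosts": {"pos-db-01", "pay-gw-02"},          # systems in PCI-DSS scope
    "default_accounts": {"admin", "root", "administrator", "sa"},
    "business_hours": (8, 18),                        # 08:00 <= hour < 18:00, Mon-Fri
    "sensitive_commands": ("auditctl", "DROP TABLE", "cat /etc/shadow",
                           "SELECT * FROM cardholders"),
}


def rule_pci_scope(s: Session, policy: dict) -> int:
    return 30 if s.host in policy["pci_hosts"] else 0


def rule_default_account(s: Session, policy: dict) -> int:
    return 20 if s.account.lower() in policy["default_accounts"] else 0


def rule_off_hours(s: Session, policy: dict) -> int:
    start_h, end_h = policy["business_hours"]
    weekend = s.start.weekday() >= 5
    return 15 if weekend or not (start_h <= s.start.hour < end_h) else 0


def rule_sensitive_commands(s: Session, policy: dict) -> int:
    hits = sum(1 for c in s.commands for pat in policy["sensitive_commands"] if pat in c)
    return min(25 * hits, 50)   # cap so one noisy session cannot dominate


Rule = Callable[[Session, dict], int]
RULES: Dict[str, Rule] = {
    "pci_scope": rule_pci_scope,
    "default_account": rule_default_account,
    "off_hours": rule_off_hours,
    "sensitive_commands": rule_sensitive_commands,
}


def shared_account_users(sessions: List[Session]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (account, host) -> distinct individuals who used it.

    More than one user on the same credential is exactly the accountability
    gap the text describes: access can no longer be attributed to one person.
    """
    users: Dict[Tuple[str, str], Set[str]] = {}
    for s in sessions:
        users.setdefault((s.account, s.host), set()).add(s.user)
    return users


def score_sessions(sessions: List[Session], policy: dict = POLICY) -> List[dict]:
    """Score every session against the policy; highest risk first."""
    shared = shared_account_users(sessions)
    results = []
    for s in sessions:
        reasons = {name: pts for name, rule in RULES.items() if (pts := rule(s, policy))}
        if len(shared[(s.account, s.host)]) > 1:
            reasons["shared_credential"] = 25
        results.append({"session_id": s.session_id, "user": s.user,
                        "score": sum(reasons.values()), "reasons": reasons})
    results.sort(key=lambda r: (-r["score"], r["session_id"]))
    return results


def sessions_for_review(sessions: List[Session], threshold: int = 50) -> List[str]:
    """Session ids an auditor should look at first (score >= threshold)."""
    return [r["session_id"] for r in score_sessions(sessions) if r["score"] >= threshold]


# Constructed sample records (not real data).
SAMPLE_SESSIONS = [
    Session("S-1001", "alice", "root", "pos-db-01", datetime(2024, 3, 12, 2, 14),
            ["cat /etc/shadow", "auditctl -e 0"]),
    Session("S-1002", "bob", "bob-adm", "build-07", datetime(2024, 3, 12, 10, 30),
            ["systemctl restart jenkins"]),
    Session("S-1003", "bob", "root", "pos-db-01", datetime(2024, 3, 13, 14, 5),
            ["tail /var/log/syslog"]),
    Session("S-1004", "carol", "sa", "pay-gw-02", datetime(2024, 3, 16, 11, 0),
            ["SELECT * FROM cardholders WHERE id=42"]),
]

if __name__ == "__main__":
    for r in score_sessions(SAMPLE_SESSIONS):
        print(f'{r["session_id"]} {r["user"]:6} score={r["score"]:3} {r["reasons"]}')
```

In the sample data the two sessions on `pos-db-01` both use `root` but by different people, so each is flagged for a shared credential in addition to its own rules; the ranking puts the off-hours session that touched `/etc/shadow` and audit controls first, the weekend cardholder-table query second, and the routine build-server restart last. Real deployments would replace the inline rules with the organization's own policy definitions and feed recorded-session metadata rather than hand-built records.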

It’s clear that manual processes for monitoring and reporting activity related to privileged accounts are simply not sustainable. Let us show you how the CyberArk Privileged Account Security Solution can help streamline these processes while reducing risk.
For more information on Privileged Account Security, please reach out to us by email at