Five best practices for Robotic Process Automation security

Get a free Techzine subscription!

RPA (Robotic process automation) is a powerful technology that streamlines and standardises process-related tasks. The technology is rapidly gaining popularity and is increasingly seen as a key element for digital transformation. When properly applied, RPA can increase productivity and data quality and ensure better compliance with laws and regulations. Employees can then focus on more strategic, more interesting work.

Great interest in RPA

The Global Advanced Threat Landscape report, an annual survey conducted by CyberArk, shows that 78 percent of respondents are already investing in RPA or will be doing so this year. According to a study by BluePrism, 94 percent of companies see the benefits of RPA, and a third of companies worldwide already automate 20 to 29 tasks. A quarter even automates more than 40 tasks.

Additional access rights

In order to perform their tasks, these digital employees often need access rights with extra privileges. This allows them to connect to systems and applications such as financial systems, ERP, CRM, supply chain and logistics software and sometimes even mail. If these additional access rights are not properly secured, they can become the target of targeted cyber attacks.

Rising risks with higher numbers of robots

Robots can be generated automatically. Therefore, the number of robots used within an organisation can grow rapidly, increasing safety risks. In addition, robot scripts that use access rights with additional privileges can significantly increase the risk if they are stored in an unsafe manner. The risks are even greater when organisations use RDA (Remote Desktop Applications) robots. These are often referred to as ‘unmanaged RPAs’, with shared access rights.

Combining automation with good security

As the number of RPA implementations increases and the number of software robots continues to rise, organisations are looking for ways to combine automation with security methods that help protect RPA investments while helping to get value out of them faster.

Equal access rights for human users and robots

Software robots should basically follow the same security standards as human users and applications. However, there are some differences specific to RPA technology and the life cycle of robots that also need to be implemented. These are five best practices that companies should include in their RPA workflows:

A proprietary identity and access rights to IT resources for software robots
Software robots need their own identity and access rights to IT resources so that non-repudiation and segregation of duties can be sufficiently controlled. Otherwise, as with human users, there is no practical way to guarantee the non-repudiation of a robot’s actions, and there is no way to manage their access and monitor their activities.

Removing hard-coded access rights
All hard-coded access rights must be removed from robot scripts and replaced by an API call, with each request directly referring to the appropriate access rights stored in a central repository. This creates an additional layer of security that reduces the risk of attacks.

Create a central repository for consistent implementation of security policies
It is essential to create a central repository for the consistent implementation of security policies, such as automatic rotation of access rights or a unique password. By adding an abstraction layer to a central repository using an API call, references can be changed without changing the robot code or taking them offline. In order to remain consistent, a large part of the management of login data can be automated. This is most convenient because manually modifying permissions for hundreds or thousands of software robots is not scalable and insecure.

Applying the principle of ‘least privilege’
Robots’ access to other applications and databases must be limited to what is strictly necessary to perform tasks; the ‘least privilege’ principle. By limiting the number of applications or databases to which software robots have access, damage in the event of an attack is minimised. This is especially important to prevent intruders from using multiple applications on a client computer in the event of a cyber-attack, and to give local administrator rights to install spyware and other malware.

Securing access to the RPA console
Finally, securing access to the RPA console is essential. RPA administrators should be considered privileged users and organisations should have their login credentials at their disposal in order to be able to identify individual user responsibility and track and record actions. The ability to isolate, monitor and record administrator activity is just as important to RPA administrators as it is to other users with additional rights. Security teams should be able to track RPA admin sessions in real-time and terminate them if necessary.

Conclusion

We are only at the beginning of how RPA technology is going to change companies, but, as with many innovations, RPA can significantly increase the risk of cyber-attacks if not implemented correctly. Several security companies can help with good security when using this technology.

This is a submitted contribution by Bart Bruijnesteijn of CyberArk. Through this link, you will find more information about the possibilities of the company.