Cyber attacks, combined with the shift toward automating business processes with robotic process automation (RPA), introduce new risks. They must be addressed to protect sensitive data and to build trust in the robotics platform.
At the same time, the shortage of cybersecurity talent and pressure to manage costs make orchestration and cognitive learning an attractive option for many organizations looking to improve their security posture.
Securing an RPA implementation means considering the technical, process and human elements of the entire robotic ecosystem. A secure design should cover the whole product lifecycle, from requirements and product selection through architecture and implementation to ongoing operations.
How can I secure my RPA ecosystem?
- Establish a governance framework with roles and responsibilities for securing robotics
- Define an RPA strategy and RPA-specific security requirements within existing policies, and monitor compliance with those policies
- Manage RPA risks identified through a formal risk management program, and raise awareness among bot creators and business users of the risks specific to RPA
Software and product security
- Perform a security architecture risk analysis of the chosen RPA solution, covering bot creation, control and execution. Look for architectural flaws in the underlying product: how it connects across environments, how it uses virtualization, and how it enforces authorization
- Conduct a secure design review, including data flow analysis, to verify that security controls are built into bot authentication, authorization and input validation
- Integrate security scanning tools into the bot creation process so that the code generated behind the bot workflow is scanned for vulnerabilities
- Test the created bot with dynamic testing or fuzzing to find security flaws that only appear at run time
- Ensure the bot deployment scheme (packaging, configuration and target environment) has security requirements built in
Digital identity and access
- Improve auditability (every bot step can be logged) and gain control over error-prone manual activities that raise risk and noncompliance
- Manage user access privileges and segregation-of-duties risk; for example, a dedicated security matrix that authorizes each bot to perform only the tasks assigned to it
- Implement controls that protect credentials while a robotic session is running; for example, single sign-on (SSO) backed by Lightweight Directory Access Protocol (LDAP) provides secured logon to the RPA interface
- Enforce password policy consistently across robotic sessions and centralize robotic identity and access management; use encrypted credential managers to prevent credential leakage
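The security matrix mentioned above, written out as code. This is an added example, not part of the original page or of any RPA vendor's product: the bot identities, task names and conflict pairs are hypothetical, and a real deployment would load them from the orchestrator's policy store. It shows the two properties that matter for least privilege here: a default-deny lookup (an unknown bot or an unlisted task is refused and the decision is logged), and a segregation-of-duties check that refuses a grant which would let one bot both create and approve the same kind of transaction.

```python
"""Default-deny task authorization for RPA bots with a segregation-of-duties check.

Bot identities, task names and the conflict pairs below are constructed for this
example; a real deployment would load them from the orchestrator's policy store.
"""
import logging

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("rpa-authz")

# Security matrix: bot identity -> the only tasks it may run (hypothetical names).
TASK_MATRIX = {
    "bot-ap-invoice": {"invoice.read", "invoice.create"},
    "bot-ap-approver": {"invoice.read", "invoice.approve"},
    "bot-hr-onboard": {"employee.create", "account.create"},
}

# Task pairs that must never be held by a single identity (segregation of duties).
SOD_CONFLICTS = [
    ("invoice.create", "invoice.approve"),
    ("vendor.create", "payment.release"),
    ("account.create", "account.grant_admin"),
]


def sod_violations(matrix):
    """Return every (bot, task_a, task_b) where one bot holds both halves of a conflict."""
    return [
        (bot, a, b)
        for bot, tasks in matrix.items()
        for a, b in SOD_CONFLICTS
        if a in tasks and b in tasks
    ]


def grant(matrix, bot, task):
    """Return a copy of the matrix with the task added, refusing grants that create an SoD conflict."""
    proposed = {k: set(v) for k, v in matrix.items()}
    proposed.setdefault(bot, set()).add(task)
    new_conflicts = set(sod_violations(proposed)) - set(sod_violations(matrix))
    if new_conflicts:
        raise ValueError(f"grant {task} to {bot} would violate SoD: {sorted(new_conflicts)}")
    return proposed


def authorize(matrix, bot, task):
    """Default deny: unknown bots and unlisted tasks are refused; every decision is logged."""
    allowed = task in matrix.get(bot, set())
    log.info("authz bot=%s task=%s decision=%s", bot, task, "ALLOW" if allowed else "DENY")
    return allowed


if __name__ == "__main__":
    assert not sod_violations(TASK_MATRIX)
    print(authorize(TASK_MATRIX, "bot-ap-invoice", "invoice.create"))   # True
    print(authorize(TASK_MATRIX, "bot-ap-invoice", "invoice.approve"))  # False
    try:
        grant(TASK_MATRIX, "bot-ap-invoice", "invoice.approve")
    except ValueError as err:
        print(err)
```

The decision log line is the audit trail the previous section asks for: recording the DENY outcomes is what lets a reviewer spot a bot being driven outside its assigned tasks.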
Data identification and protection
- Conduct a compliance assessment against data protection regulations for the use of robotics and automation
- Monitor the sensitive data that bots process to verify compliance with usage policies
- Check the integrity of bot code
- Gather log data from the controller and bot runners to provide an audit trail of activity, including monitoring for abnormal spikes in activity, system access, and use of privileged accounts
- Conduct vulnerability scanning of the robotics platform and run threat modeling exercises to find technical weaknesses and process gaps
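One way to implement the "integrity checking of code" item above, as an added example that is not part of the original page or of any RPA product: the release pipeline hashes every file in the bot package and signs the hash list with an HMAC key, and the runner verifies the package against that manifest before execution. Signing the manifest matters because a plain hash list can simply be regenerated by whoever modified the bot. The file contents and the key are constructed for this example; the key would live in the credential manager, not in the script.

```python
"""Signed integrity manifest for a bot's code package.

File contents and the signing key are constructed for this example; in practice the
key lives in the credential manager and the manifest is produced by the release
pipeline, not on the runner.
"""
import hashlib
import hmac
import json

# Constructed stand-in for a bot package on disk: file name -> contents.
BOT_FILES = {
    "main.bot.json": b'{"steps": ["open_erp", "read_invoice", "post_invoice"]}',
    "helpers.py": b"def normalize(s):\n    return s.strip()\n",
}

MANIFEST_KEY = b"example-only-manifest-key"  # hypothetical; never hard-code in real use


def _digests(files):
    """SHA-256 of every file, keyed by name, in a stable order."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def _mac(digests, key):
    """HMAC over the canonical JSON form of the hash list."""
    body = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(files, key):
    """Hash every file and sign the hash list so the manifest itself cannot be swapped."""
    digests = _digests(files)
    return {"files": digests, "mac": _mac(digests, key)}


def verify_manifest(files, manifest, key):
    """Return a list of problems; an empty list means the package matches the manifest."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        return ["manifest MAC mismatch: manifest was altered or signed with another key"]
    problems = []
    actual = _digests(files)
    for name, expected in manifest["files"].items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(actual[name], expected):
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in actual if name not in manifest["files"])
    return problems


if __name__ == "__main__":
    manifest = build_manifest(BOT_FILES, MANIFEST_KEY)
    print(verify_manifest(BOT_FILES, manifest, MANIFEST_KEY))  # []
    tampered = dict(BOT_FILES, **{"helpers.py": b"def normalize(s):\n    return s\n"})
    print(verify_manifest(tampered, manifest, MANIFEST_KEY))  # ['modified: helpers.py']
```

Files added to the package are reported as well as files changed or removed, since an extra script dropped beside the bot is as much a tampering signal as an edited one.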
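The audit-trail item above, carried through as an added example (not code from the original page or from any RPA platform): controller and runner log lines are parsed, per-bot activity is bucketed by minute and compared with that bot's median rate to flag abnormal spikes, and logon events are checked against a list of privileged accounts. The log format, the sample lines and the privileged-account list are all constructed for this example; real platforms emit their own schemas, so only the parser would need to change.

```python
"""Audit-trail review over controller and runner logs: activity spikes and privileged logons.

The log format, the lines below and the privileged-account list are constructed for
this example; real RPA platforms emit their own schemas, so only parse() would change.
"""
import re
import statistics
from collections import Counter

# Constructed sample: "<timestamp> <source> key=value ..." lines from the controller and a runner.
LOG_LINES = [
    "2024-03-01T02:00:01Z controller bot=bot-ap-invoice event=login account=svc_ap",
    "2024-03-01T02:00:07Z runner-r01 bot=bot-ap-invoice event=task task=invoice.read",
    "2024-03-01T02:01:03Z runner-r01 bot=bot-ap-invoice event=task task=invoice.read",
    "2024-03-01T02:01:40Z runner-r01 bot=bot-ap-invoice event=task task=invoice.create",
    "2024-03-01T02:02:10Z runner-r01 bot=bot-ap-invoice event=task task=invoice.read",
    "2024-03-01T02:02:50Z runner-r01 bot=bot-ap-invoice event=task task=invoice.create",
] + [
    # a burst of eight actions inside one minute
    f"2024-03-01T02:05:{s:02d}Z runner-r01 bot=bot-ap-invoice event=task task=invoice.read"
    for s in range(0, 48, 6)
] + [
    "2024-03-01T02:06:00Z controller bot=bot-ap-invoice event=login account=domain_admin",
]

PRIVILEGED_ACCOUNTS = {"domain_admin", "root", "sa"}  # hypothetical privileged identities

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kv>.*)$")


def parse(line):
    """Turn one log line into a dict; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"]}
    for pair in m["kv"].split():
        k, _, v = pair.partition("=")
        rec[k] = v
    return rec


def activity_spikes(lines, factor=3, min_events=5):
    """Per bot, count events per minute and flag minutes far above that bot's median rate."""
    per_minute = Counter()
    for rec in filter(None, map(parse, lines)):
        per_minute[(rec.get("bot"), rec["ts"][:16])] += 1  # bucket key: "YYYY-MM-DDTHH:MM"
    by_bot = {}
    for (bot, minute), n in per_minute.items():
        by_bot.setdefault(bot, []).append((minute, n))
    flagged = []
    for bot, buckets in by_bot.items():
        median = statistics.median(n for _, n in buckets)
        for minute, n in buckets:
            if n >= min_events and n >= factor * median:
                flagged.append((bot, minute, n))
    return sorted(flagged)


def privileged_logins(lines):
    """Flag logon events that use an account from the privileged list."""
    return [
        (rec["ts"], rec.get("bot"), rec["account"])
        for rec in filter(None, map(parse, lines))
        if rec.get("event") == "login" and rec.get("account") in PRIVILEGED_ACCOUNTS
    ]


if __name__ == "__main__":
    print(activity_spikes(LOG_LINES))    # [('bot-ap-invoice', '2024-03-01T02:05', 8)]
    print(privileged_logins(LOG_LINES))  # [('2024-03-01T02:06:00Z', 'bot-ap-invoice', 'domain_admin')]
```

The spike threshold is relative to each bot's own median rather than a single global number, because a bulk-reconciliation bot legitimately runs far faster than an onboarding bot; `min_events` stops a bot with a median of one event per minute from being flagged at three.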