An increase in cyber attacks, combined with the shift to automating business processes using robotic process automation (RPA), introduces new risks that need to be addressed to secure sensitive data and build trust in your robotics platforms.
Additionally, the gap in cybersecurity talent, coupled with cost-management pressures, makes orchestration and cognitive learning an attractive option for many organizations to improve their security posture.
An organization must consider the technical, process, and human elements of the entire robotic ecosystem when securing an RPA implementation. A secure design should cover the entire product lifecycle, from requirements and selection through architecture, implementation, and ongoing operations.
How can I secure my RPA ecosystem?
- Establish a governance framework with roles and responsibilities for securing robotics
- Build strategy and security requirements for RPA within policies and monitor compliance with security policies related to RPA
- Manage RPA risks identified through a formal risk management program and increase awareness among bot creators and business users around the risks of RPA
Software and product security
- Perform a security architecture risk analysis of the chosen RPA solution, covering bot creation, control, and execution. Identify security architecture flaws in the underlying product, such as insecure connections across environments, weak use of virtualization, and authorization flaws
- Conduct secure design review, including data flow analysis to verify that controls around security are integrated into the bot authentication, authorization and input validation
- Integrate security scanning tools as part of the bot creation process to scan code created in the back end for security vulnerabilities
- Scan created bots for security vulnerabilities using dynamic testing or fuzzing to uncover security flaws
- Ensure the bot deployment schema has security considerations built in
Digital identity and access
- Improve auditability (every step could be logged) and control over error-prone manual activities that elevate risk and noncompliance
- Manage user access privileges/segregation of duties risk; for example, use of a specialized security matrix authorizes bots to only perform the tasks assigned to them
- Implement security controls to protect credentials during robotic session run-time; for example, use of single sign-on (SSO) with lightweight directory access protocol (LDAP) supports secured logon to RPA interface
- Enforce passwords consistently across robotic sessions and centralize robotic identity and access management process; leverage encrypted credential managers to prevent leakage of credentials
Data identification and protection
- Conduct a compliance assessment against data regulations for the use of robotics and automation
- Monitor sensitive data processed by robotics/automation to verify compliance with usage policies
- Check the integrity of robotics and automation code
- Gather log data from controller and bot runners to provide an audit trail of activities, monitoring for abnormal spikes in activity, access of systems and use of privileged accounts
- Conduct vulnerability scanning of your robotics platform and execute threat modelling exercises of robotics sessions to determine technical weaknesses or process gaps
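As an added example that is not part of the original page, the monitoring and integrity-checking points above in Python: constructed controller/bot-runner log lines in an assumed pipe-delimited format, a per-minute activity spike check, a privileged-account check against an assumed security matrix, and a SHA-256 integrity check of a deployed bot package.

```python
import hashlib
from collections import Counter
from datetime import datetime

# Constructed sample lines in an assumed "timestamp|bot|account|action|target" format;
# a real RPA controller writes its own schema, so adapt parse_log() accordingly.
SAMPLE_LOG = """\
2024-03-01T09:00:01|bot-invoice-01|svc_rpa_invoice|login|erp
2024-03-01T09:00:05|bot-invoice-01|svc_rpa_invoice|read_invoice|erp
2024-03-01T09:00:09|bot-invoice-01|svc_rpa_invoice|post_payment|erp
2024-03-01T09:00:12|bot-invoice-01|svc_rpa_invoice|post_payment|erp
2024-03-01T09:00:15|bot-invoice-01|svc_rpa_invoice|post_payment|erp
2024-03-01T09:00:18|bot-invoice-01|svc_rpa_invoice|post_payment|erp
2024-03-01T09:00:21|bot-invoice-01|svc_rpa_invoice|post_payment|erp
2024-03-01T09:30:00|bot-hr-02|svc_rpa_hr|read_employee|hris
2024-03-01T09:31:00|bot-hr-02|domain_admin|login|hris
2024-03-01T09:31:05|bot-hr-02|domain_admin|export_payroll|hris
"""

PRIVILEGED_ACCOUNTS = {"domain_admin"}  # assumption: taken from the security matrix

def parse_log(text):
    """Parse the constructed log format into event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        ts, bot, account, action, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "bot": bot,
                       "account": account, "action": action, "target": target})
    return events

def activity_spikes(events, threshold=5):
    """Bots with more than `threshold` actions in any one-minute bucket -> {bot: peak count}."""
    per_minute = Counter((e["bot"], e["ts"].replace(second=0)) for e in events)
    spikes = {}
    for (bot, _minute), n in per_minute.items():
        if n > threshold:
            spikes[bot] = max(spikes.get(bot, 0), n)
    return spikes

def privileged_account_use(events, privileged=PRIVILEGED_ACCOUNTS):
    """Events where a bot session ran under a privileged account rather than its service account."""
    return [(e["bot"], e["account"], e["action"]) for e in events if e["account"] in privileged]

def bot_code_is_intact(bot_package: bytes, expected_sha256: str) -> bool:
    """Integrity check: compare the deployed bot package against the approved SHA-256 hash."""
    return hashlib.sha256(bot_package).hexdigest() == expected_sha256
```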