Robotics Process Automation (RPA) brings a lot of benefits to organizations. By creating a virtual workforce, it improves business efficiencies, error reduction, standardization, faster time to complete, cost reduction, and enhance the customer experience. However, the more access and functionality we bring to bots, the more security risks begin to surface, primarily when the bots handle a considerable amount of confidential, enterprise data in daily business. This can involve entering data from one application into another, file transferring, order processing, payroll running, insurance policy processing, etc.
Any security risk in the form of abuse of administration privileges, data loss, or unauthorized access to sensitive and high-value information can have a considerable impact. Unfortunately, addressing the security risks often take a back seat to the technology’s promise of cost savings and agility.
The most common security challenges in RPA are the immediate results of poor governance, inefficient implementation, gaps in IAM controls, lack of Business Continuity preparedness, inadequate vulnerability management, regulatory non-compliance, and insufficient data protection.
One such common risk is the disclosure of sensitive data. Automation platforms typically have access to confidential systems and information such as inventory lists, credit card numbers, addresses, financial data, passwords, and other personal data of employees, customers, and vendors. If a bot is compromised, it can lead to sensitive information disclosure.
Denial of service is another critical risk. If an RPA ecosystem is compromised, it can lead to a service being stopped, modified, or even executed in rapid sequence to exhaust all resources. A vulnerability in robotics software is an opportunity for attackers to gain remote access to various critical systems in an organization’s network and launch attacks from within.
Abuse of privileged access is a significant challenge because privileged accounts are critical to performing specific tasks in RPA. If a highly privileged robotic user account is compromised, an attacker gains access to sensitive data and moves laterally within a network. A malicious insider can train a bot to destroy high-value data, interrupting key business processes, such as customers generating orders. A bot creator can even train a bot to upload credit card information to a database accessible through the web. It is also possible for a bot creator to leverage a generic account to steal sensitive intellectual property, leaving it difficult to identify the real sources of the leak.
How do we secure the RPA ecosystem?
- Establish a governance framework with clear roles and responsibilities for various types of users.
- Maintain a security requirement checklist.
- Build a security strategy in line with security policies and compliance. Assess the RPA platform regularly for security compliance.
- Create awareness among bot creators and business users around the risks of RPA and run formal risk management programs for RPA risks in the ecosystem.
- Strictly customize the RPA environment via active directory integration.
- Maintain regular security controls that include secure design, good governance, identity, and access management, and audit log management.
- Apply more stringent controls when the bots deal with personally identifiable information, regulated data, or compliance data.
- Regularly patch the RPA platform for any vulnerabilities.
- Always demand functional specification documents, unit test cases, code review checklist, system integration test cases, UAT and business handover documents, before you move a bot into production.
- Manage RPA risks only through a formal risk management program.
- Avoid using generic IDs for bots. Assign unique IDs to each bot to access an application or folder.
- Maintain a repository of the bots, IDs, applications, etc. as reference for the RPA team.
- Perform design review and security architecture risk analysis to identify flaws.
- Scan codes created in the backend for security vulnerabilities
Data and network security
- Store all sensitive information encrypted in a secure database.
- Use a centralized, encrypted credential vault to manage bots’ credentials.
- Review service accounts’ access periodically.
- Maintain proper segregation of processing machines, based on the nature of the tasks being carried out by the bots.
- Conduct compliance assessments while segregating the network.
Roles & responsibilities
- Clearly define and manage user access privileges/segregation of duties.
- Segregate access to data based on roles.
- Provide domain admin permissions and elevated access only if it is necessary.
- Create a set of business users for testing.
- Create a bot administrator who can create the workflow and manage schedules for BOTs, monitor their progress, etc.
- Handle the password policy and password request with the help of business owners
- Record every activity executed by your bots.
- Gather log data to monitor abnormal activity spikes, system access, and the use of privileged accounts.
- Conduct vulnerability scanning and execute threat modeling exercises to determine technical weaknesses.
- Perform independent audits and reviews.