With great power comes great responsibility.
Nothing could be a better metaphor when it comes to the vast volume of data that organizations are in possession of today. However, with it comes the added responsibility of securing this data and ensuring that it does not fall into wrong hands.
As organizations evolve in how they serve their customers, automation is becoming increasingly critical to businesses. Repetitive processes and tasks are being automated to ensure speed and efficacy. Bots are replacing humans in tasks that require minimum diligence and more accuracy.
As all these actions play out, one factor that is continuing to grapple organizations is the security of critical data. As automation is done at scale, it deals with highly confidential data, which is transferred from systems, and processed across different verticals and accounts using individual passwords. This makes the automation platform prone to risk, as it has access to all kinds of confidential information such as financial statements, payrolls, invoices, deals and other information about clients, customers, and employees.
Implementing a secure automation warrants certain controls to be put in place during the automation journey. Identifying the right automation platform that takes into account the security aspects, is a key task for the architect at the design stage itself. One of the most frequent yet critical issue is that the digital workers are often run under the credentials of a human worker. This leads to a traceability problem and reduces audit worthiness of the entire workflow. A unique identity and separate access for the bots is a must to ensure that tracking and auditing the process is efficient. Without this, it becomes easy to do bot hijacking, or other manual proxy actions carried out by humans under the identity of bots.
A typical automation process undergoes multiple stages in its lifecycle, and it becomes essential to embed relevant security controls at all stages to ensure a secure process. Whether it is process discovery, design, build, validation or deployment, an ideal automation platform should be well-equipped to address the security issues at each stage and ensure a robust process to deliver a seamless experience in the long run.
Some of the key aspects that need to be addressed in this regard are:
Firstly, ensure that the RPA software itself is engineered using secure SDLC methodology with mandatory security assessments including SAST, DAST and manual penetration tests. It is also desirable that there are periodic independent third-party penetration tests and audits conducted to eliminate any security threats. The software should also support at least AES256 encryption for storing the robot’s own login credentials and target application login credentials. Further, the encryption key should also be encrypted with KEK (Key Encryption Key). The RPA software’s integration with other enterprise security vendors such as CyberArk, Windows Credential Vault etc. is also an essential part. For data in motion and in rest, the software should support TLS1.2 and AES256 at a minimum.
Enabling traceability and auditability:
Continuous supervision is a critical aspect to ensure prevention. Choose a platform that provides complete audit logs, which enable tracing and recording of every action the robots and the users perform within the automation process. Traceability and auditability are key to root cause analysis or initiate retrospective investigation into issues – both techno-functional and security related. The software should provide adequate transaction logging during process execution and user-friendly interfaces to inspect the transactions to enable easy traceability.
A secure design:
Some of the best practices for making the automation software secure is by following a secure design framework with a threat model created after defining the threat surface, identifying the threat actors and potential weak links.
The design process itself should include:
- An Application Security Architecture
- Network and Deployment Security Architecture and
- Data Privacy Considerations
A typical automation project comes with a promise of enormous productivity improvement, cost optimization and reduced errors / rework. However, not selecting the right tool with strong security features can not only deprive the enterprise of the benefits of automation, but also cause a nightmare of audit issues, data corruption, data loss and breach of privileges in applications that are automated. While there are many time-checks and controls that are essential during implementation, the battle of automation is half won if the right software is chosen.