In Your RPA Universe, Identity Is the New Frontier

Your organization is on a journey to Robotic Process Automation (RPA), and security is a key success factor to ensure you have the right level of privacy and are in compliance with your particular business scenario.

In this universe of RPA, your enterprise systems and platforms will be accessed by bots to run tasks faster, increasing accuracy, saving costs, and improving the employee experience. Bots will use their own credentials to handle this set of business data, so it’s important to ensure the highest level of control in this area.

Security built in

One of the classic pillars of security management frameworks is identity management. In Automation Anywhere Enterprise, this set of features is built in to ensure your organization can implement the desired scenario in the authentication schema, authorization control, and auditing tools to find the right balance between compliance and complexity/total cost of ownership.

The NIST Cybersecurity Framework core includes five high-level functions: Identify, Protect, Detect, Respond, and Recover. The Enterprise A2019 platform by default offers some features to implement key security controls in this NIST model, including the main ones in the access control, audit and accountability, and identification and authorization groups within the global framework.

That means you, our customers and partners, can easily — and without the use of other products or services — implement your identity management scenario with the best match in any specific compliance landscape.

Following the main principles of least privilege and separation of duties, Enterprise, for example, allows the use of a role-based access control (RBAC) approach to maximize the level of control over granted privileges and to accelerate changes as needed.

Other available options to authenticate users in the Control Room are Microsoft Active Directory (LDAP or Kerberos) and local authentication (with improved security due to the use of our Credential Vault, which keeps all the data inside encrypted).

Ensuring adequate control

In the internal architecture of Enterprise, you’ll find dynamic tokens to authenticate Bot Creators and Bot Runners with Control Room performing the “trusted path” principle (as described in the NIST SC-11).

These tokens follow NIST IA-5, and they’ll be generated again after a certain period to avoid attacks from external actors. The communication is based in HTTPS and sets a new barrier to attack the RPA scenario (the access token is unique to every Bot Creator or Bot Runner). You can learn more about other NIST controls used in this scenario in our documentation.

Another step toward ensuring the right level of control is Bot Runner management, which includes two levels of identity management: the first against the credentials (fetched from the centralized Credential Vault over HTTPS) and the second handling the authorization from the Control Room for every particular node.

In the Control Room, passwords are hashed according to solid algorithms, such as PBKDF2WithHmacSHA512, before being stored. Every time a Bot Creator or Bot Runner authenticates against Enterprise Control Room, its credentials are authenticated against the hashed credentials.

Prioritizing security governance

If the business scenario needs other extended schemas of authentication, you can implement multifactor authentication (MFA) or single sign-on (SSO) for better shared control of identities and performance improvement. Bots will use these authentication methods, and their level of access will be granted or denied in a transparent, efficient, and unattended way.

In the case of bot credentials associated with a high level of privileges, you can extend the features of Credential Vault with a CyberArk connection to handle the scenario with a solid third-party solution. Other privileged account managers and hardware security modules will be available for this kind of connection in the coming months.

The audit and accounting of all activity in the RPA platform is a key component of security governance. Your organization (compliance) or a third party (external auditor) can request a full review of all RPA activity to ensure everything in your environment follows internal best practices and external regulations (international or local) — with a focus on general (i.e., data privacy) or business-specific topics, such as payment methods (i.e., Payment Card Industry Data Security Standard (PCI DSS)).

You can then have this information ready to review for specific roles accessing the audit log in the Control Room (even external users from audit companies). Optionally, an external Syslog-compliant system can be used — the Control Room will regularly send new log information to other systems using this de facto standard (using UDP or TCP, configured to use TLS encryption between the Enterprise Control Room and the remote Syslog server).

This feature enables your organization to connect the RPA platform with your security information and event management (SIEM) software, such as Splunk.

Audit is automated for all privileged and nonprivileged roles to conform to best practices as defined by NIST AC-6. Other NIST controls are also implemented to enable access to this audit log.

Similar protection measures are in place to audit all Bot Runner activity and offer best practices in its management (following NIST AU-6 control). Additionally, the activity log in the Control Room is protected with extra features that cover the NIST AU-10 (non-repudiation) and AU-11 (audit record retention) controls.

In summary, the security approach in all of our products is always based on identity management. Your organization can implement any kind of security framework with peace of mind knowing the Automation Anywhere RPA platform will implement key features or enable wider solutions with the integration of third-party solutions and market standards.

Everything in your RPA universe will be secured, and identity will be the new frontier, even with bots.