As businesses have moved to automate mundane processes to reduce costs and mitigate resource challenges during the pandemic, they’ve also had to deal with new security challenges because of remote work and sensitive data being accessed from literally anywhere and anytime.
According to Gartner, “Currently, 60% of knowledge workers are remote and at least 18% will not return to the office.” With remote work can come increased exposure leading to increased cyber risk. Cyber attackers are agile, quick, and persistent. They’re always looking for vulnerabilities that can be exploited to get access to enterprises’ sensitive data. Unfortunately, they’ve been quite successful.
“More than 80 percent of U.S. companies indicate their systems have been successfully hacked in an attempt to steal, change or make public important data. [...] More than 85 percent of firms in Asia, Europe, Africa, and Latin American say they also have been hacked.” And the results can be expensive. One breach can cost a company millions of dollars for remediation efforts and loss of business and reputation.
Migrating automation to a cloud-native architecture enables faster scaling, higher availability, granular security, and innovation. To move at the speed of business, your automation platform needs to:
- Minimize risk of exposure and security incidents.
- Provide strong proactive risk mitigation and disaster recovery policies.
- Be compliant with key industry standards.
- Offer strong and centralized authentication and access control as well as extensions through integrations.
In addition to these platform considerations, here are five steps you can take to secure your automation platform, development life cycle, and data.
STEP 1: Ensure authentication and access are defined and controlled
To start off, you want to make sure that anyone who accesses your system is authenticated, so multi-layer authentication and fine-grained access control are essential for a tightly controlled environment. Here are some best practices to consider as part of ensuring you build the right authentication and access:
- Create distinct roles such as RPA Administrator, Bot Builder, Bot Tester, and RPA Operator within the basic architecture and primary functions of the automation platform. Grant users restricted access to content based on authorization to perform their support and troubleshooting job function. This type of control makes it possible to separate duties and establish high-fidelity roles with fine-grained access controls sufficient to meet the needs of the most stringent, secure, and compliance-regulated environments.
- Ensure your automation platform offers an embedded credential vault or ability to integrate with credential vaults. A credential vault stores all system and user credentials as well as credentials needed by automations at run time. As a result, bot builders can avoid the insecure practice of hard-coding credentials and other sensitive data/ arguments directly within their automations.
- Build multiple options for managing user authentication. For example, roles and permissions should be available such as Active Directory using LDAP, Active Directory using Kerberos, SAML2.0, and local authentication using an embedded credential vault.
STEP 2: Build a development environment that has high availability with robust software development life cycle management support
Once access is secure, you can move on to other areas to remove any potential vulnerabilities. For example, the following best practices can lead to the successful, safe development of automation software bots:
- Consider a security plan/protocol for code development that requires ongoing multi-tool, multi-layer scanning to detect and eliminate software vulnerabilities.
- Make sure your platform provider can proactively pen-test through code scans for vulnerabilities.
- Ensure the security posture of the device running the automation by leveraging endpoint detection and response (EDR) and data loss prevention (DLP) solutions for enforcing policies, detecting anomalies, and remediating threats proactively.
- Assess the component architecture. It should be capable of seamlessly fitting into your existing high availability/disaster recovery (HA/DR) infrastructure and processes.
STEP 3: Protect data at rest, in use, and in transit
Do you have end-to-end data protection? It’s necessary to maintain the confidentiality and integrity of business-critical processes and sensitive data. Your automation platform should provide safeguards that not only protect data at rest and in transit but also while it is in use on individual systems. Some safeguard examples include:
- Encrypting local credentials and selecting runtime data employed by bots, using the credential vault to provide secure storage for sensitive configuration parameters and details pertaining to the integral version control and email services
- Employing the data management and de-identification procedure pseudonymization. Pseudonymization transforms data into artificial identifiers so that it is no longer possible to use the data to identify a natural person without additional information that is held separately.
- All network services should use Transport Layer Security (TLS) 1.2 (or other industry standards) to assure data security and integrity during transport between components.
- The automation platform should follow industry-standard encryption technologies to ensure your data is encrypted. Traffic to/from users should be encrypted using HTTPS + SSL / TLS 1.2 to talk to the automation environment. Data stored in the service such as data at rest should be encrypted using AES-256.
STEP 4: Compliance
Now that your people have access to their job-appropriate areas in your enterprise and they’re working in a secure environment, you can step back and look at compliance.
Compliance assessment and management focuses on evaluating systems and processes to ensure industry standards and regulatory requirements are met. This should be an ongoing practice. As the business grows, departments bring on solutions to assist in scaling. New applications must be verified so that they don’t jeopardize multiple security compliances. Comprehensive and continuous audit logging capabilities on your platform will help make sure enterprise-level security and quality compliance. In heavily regulated industries such as health sciences or finance, organizations can receive fines and other penalties if compliance standards, including HIPAA, PCI-DSS, and FISMA, are not met.
STEP 5: Proactively monitor security operations
Security is not a one-time event. New vulnerabilities and cyber attacker techniques can surface at any time. So, your security operations should be monitored continuously and held to a high standard. To that end, here are some best practices to follow:
- Ensure your automation platform provides a secure software development life cycle (SDLC) process with checks and certifications performed by distinct administrators with different roles and privileges.
- Strict separation of duties and multi-layer controls should be built in to ensure the software development pipeline is reliable, scalable, efficient, secure, and compliant.
- Having a specialized security engineering team that is responsible for design review, threat modeling, manual code review and spot checks, and ongoing penetration testing ensures your cloud security.
- Along with operations, disaster recovery should be proactively managed so that incident monitoring and notification allows you to handle situations in a timely manner.
At Automation Anywhere, we can help you boost your defense to protect your data and operation with our cloud-native Automation 360™ platform and support.