4 Security Must-Haves for a Safe RPA Solution
Robotic Process Automation (RPA) software robots, or bots, have the potential to touch every enterprise application, including customer relationship management (CRM), enterprise resource planning (ERP), and all the confidential data associated with those applications.
Because of that, a rogue or misconfigured bot represents a risk that could be costly for your organization in terms of stolen data, damaged reputation, and business disruption.
Threat actors are always looking for vulnerabilities to break through an organization’s defenses and steal data. An RPA solution could offer them the opportunity. How? There are a variety of ways, including:
- Information disclosed by accident — a poorly designed bot could expose sensitive data to the internet or another unsecured location
- Missing or weak encryption and access controls
- Weak authentication features
IT and business leaders need to be assured the automation solution they choose can be deployed without compromising security and compliance both internally and externally.
A secure, quality platform
When considering an RPA solution, it’s important to choose one whose vendor has a strong commitment to making its solution safe and reliable. Automation Anywhere Enterprise is architected to meet the security control requirements and overall security posture required under the Federal Information Security Management Act (FISMA) when deployed in an on-premises IT system.
In fact, Automation Anywhere leads the industry with a web-based, cloud-native RPA platform that’s SOC 2 Type 1 certified. The company is ISO 27001 certified and adheres to EU-U.S. Privacy Shield requirements.
To protect your organization and customers, you want a security solution that has, at minimum, the four following key features:
1. Multifactor authentication
No access or action regarding RPA should be permitted without prior authentication. This applies to humans and bots, as well as unattended and attended automation. This is done with an Enterprise Control Room to manage and monitor all the processes of your RPA infrastructure.
Control Room authentication includes integration with Microsoft Active Directory using LDAP, Active Directory using Kerberos, and local authentication using the embedded Credential Vault or an external third-party privileged access management system, such as CyberArk.
Completing a task could involve a single authentication with one person and his or her credentials. Or, it could involve multiple authentications with more than one person and their credentials, as well as application credentials. You need a solution that accommodates all types: single and multifactor. Automation Anywhere offers that flexibility.
2. Comprehensive access control
Successful authentication is only the first level of security to consider. Within the typical architecture and primary functions of an RPA platform, bot access to systems should be centrally administered and controlled. That’s accomplished by using an extensive set of role-based access controls (RBAC) to determine which user may perform which action(s) in the system at scale.
Enterprise Control Room provides multilayered identification and authentication to restrict access of users and attended and unattended bots to systems and data. Administrative roles and steps are available to enforce principles of least privilege and separation of duties.
Automation Anywhere takes the separation of duties to a higher level with fine-grained RBAC that offers customization. Administrators can easily define custom roles, setting privileges/permissions of objects and functions — including user management, licensing, dashboards, and audit logs. This added capability makes it possible to share bots while separating access by business units and functions.
In addition, bots created with Automation Anywhere RPA can be restricted to only operate using a specific set of user IDs (human or system). This further strengthens the segregation of duties and auditing capabilities.
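As an added illustration (example code, not Automation Anywhere's own), the following Python sketch models the controls just described: roles granting permissions on Control Room objects, a per-bot allow-list of user IDs, deny-by-default authorization that audit-logs every decision, and a separation-of-duties check. All role names, permission strings, user IDs and conflict pairs are hypothetical.

```python
from dataclasses import dataclass

# Constructed model of the section 2 controls (example code, not Automation
# Anywhere's): roles grant permissions on Control Room objects, and every bot
# carries an allow-list of user IDs it may operate under. Names are hypothetical.

@dataclass(frozen=True)
class User:
    user_id: str
    roles: tuple

@dataclass(frozen=True)
class Bot:
    name: str
    allowed_runners: frozenset  # user IDs the bot may run as

# Role -> permissions on objects/functions (user management, licensing, audit logs, bots)
ROLES = {
    "admin":    frozenset({"users:manage", "licensing:manage"}),
    "auditor":  frozenset({"audit:view"}),
    "author":   frozenset({"bots:create", "bots:edit"}),
    "operator": frozenset({"bots:run"}),
}

# Permission pairs one person should not hold at once (constructed SoD policy).
SOD_CONFLICTS = (
    frozenset({"bots:create", "bots:run"}),     # must not author and run own bots
    frozenset({"users:manage", "audit:view"}),  # must not administer users and audit them
)

def permissions_for(user: User) -> frozenset:
    """Union of the user's role permissions; unknown roles grant nothing."""
    return frozenset().union(*(ROLES.get(r, frozenset()) for r in user.roles))

def authorize(user: User, action: str, bot: Bot = None, audit: list = None) -> bool:
    """Deny-by-default check. 'bots:run' additionally requires the user to be
    on the bot's runner allow-list; every decision is appended to the audit log."""
    allowed = action in permissions_for(user)
    if action == "bots:run":
        allowed = allowed and bot is not None and user.user_id in bot.allowed_runners
    if audit is not None:
        audit.append((user.user_id, action, bot.name if bot else None,
                      "ALLOW" if allowed else "DENY"))
    return allowed

def sod_violations(user: User) -> list:
    """Return the conflicting permission pairs this user's combined roles hold."""
    perms = permissions_for(user)
    return [sorted(c) for c in SOD_CONFLICTS if c <= perms]
```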
3. End-to-end data encryption
Equally important for a secure environment is maintaining the confidentiality and integrity of data. The solution should not only protect data at rest and in transit but also while it’s being used on systems.
For data at rest, Automation Anywhere encrypts local credentials and selected runtime data used by bots and provides secure storage for sensitive configuration information. For data in transit between components, Transport Layer Security (TLS) is employed. Runtime security includes distributed credential protection — no credentials are stored locally.
4. Application security
Not only do you want a platform solution you can trust, but you also want to be able to trust the applications — i.e., the bots that run on it. Have the bots been tested and certified to minimize risk? Choose an Automation Anywhere solution, and the answer is yes. Bots offered through the company’s Bot Store are certified by up to four levels of protection.
Every bot is checked for vulnerabilities with a malware scan. If your organization wants more protection, bots are available with a progressive level of security, including threat model and static source code analysis, as well as penetration testing to check an organization’s defenses.