Top 5 Questions Answered About RPA Security and Use for Government
The general benefits of Robotic Process Automation (RPA) are well known at this point. RPA reduces costs, boosts efficiency, shifts repetitive, tedious work to software robots ("bots"), and promotes employees from doing manual, low-value tasks to high-value work. To add to this list, according to Deloitte, global organizations are achieving ROI within 12 short months.
But government agencies worldwide—local, regional, or national—are confronting challenges that are unique to the public sector. They face aging workforces: employees who will take an enormous amount of undocumented process knowledge with them when they retire. At the same time, revenues and thus budgets are dropping while citizen expectations and needs from their governments increase due to the pandemic and accompanying economic downturn. Constituents want easy-to-access, consumer-grade services with digital interfaces. And all this has to be delivered with utmost transparency.
RPA to the rescue
RPA is the answer to many of these woes. And the world is turning to it. Today's global Robotic Process Automation market is a $5 billion business, and it's expected to have a robust CAGR of 29.30% between 2019 and 2026. Although the public sector lags behind other industries in deploying RPA, the situation is changing.
According to the 2019 survey by the National Association of State Chief Information Officers (CIOs) in the United States, 65 percent of state CIOs consider RPA tied to artificial intelligence to be the most impactful emerging technology for the next three to five years. And in April 2019, the U.S. General Services Administration (GSA) created a community of practice for RPA to help federal leaders explore RPA opportunities, share ideas, and work together. The GSA's goal: to help civilian agencies win back $1 billion worth of productive time across agencies by deploying RPA. There are already more than 25 U.S. federal agencies with active RPA initiatives.
Yet many government agencies have concerns related to RPA security. RPA introduces new kinds of potential risks, especially when accessing cloud-based data. And when you consider that bots can work 24/7, unattended by humans, the risk surface can seem intimidatingly large. That's why leading RPA vendors have built robust security into their products and can allay these fears.
This blog addresses some of the most common public sector questions related to RPA security and use.
1. Can you assure us a bot won't go rogue on our network?
The grim scenarios about digital robots—especially those enhanced with AI—are myths that need to be debunked. The fact is, bots are tightly controlled, much more secure, and much less likely to go rogue than human workers.
Leading RPA vendors make sure of this by following DevSecOps best practices and using "bot lifecycle management" (BLM). BLM is a framework for continuous testing and deployment of bots and their dependencies in separate software development lifecycle environments. Bots are exported and imported using APIs and are secured at rest with AES 256-bit encryption and in motion with TLS 1.2. Role-based access control (RBAC) provides the highest security and compliance levels, ensuring that only bots with a "need to know" status get access to systems and data.
What does all this mean? Leading RPA makers have robust measures to ensure bots don't abuse their ability to access systems. The bots get assigned the least privileges for accessing applications, which means they can only log into specific systems for specific tasks involving very specific data. Clear separation of duties keeps them from straying from the right path. All this helps government organizations protect the integrity and security of critical applications and data.
Additionally, the controls you get over your bots enable you to program them to meet stringent regulatory mandates and comply with regulations such as Sarbanes-Oxley (SOX), HIPAA, and GDPR.
2. Who owns our data, and where is it stored?
Whether kept on-premises or in the cloud, your data is arguably your agency's most important asset. You want to maintain control over it, as well as your ownership rights. Most RPA vendors will promise that your data is your data, no matter where it is stored. In your contract with the RPA vendor, this ownership will be specified, as will the steps you will need to take if you ever decide to switch your RPA operations—and your data—to a different vendor.
Additionally, leading RPA vendors will not have visibility into your data. This means they will not look at the data that your bots are processing. The exception is when support services need access to your systems to troubleshoot and resolve issues. But that would only proceed with your express permission.
If you are subscribing to a cloud-based RPA platform, your data will be stored in some combination of a private and public cloud. In many cases, the RPA vendors use multiple private and public clouds to reduce risk and improve performance. If your agency has strict data privacy rules, you should be able to choose the country or geographic region where you want your data to be stored, and even opt for a physically isolated enclave at an additional fee.
3. What is an authority to operate (ATO), and why is it important?
When any technology company wants to do business with a U.S. federal agency, it must obtain an authority to operate (ATO) for that particular agency or even sub-group within an agency. Getting an ATO involves a rigorous examination of the firm's security systems to see if the risks of operating that technology are acceptable to the government agency in question.
The U.S. government has three protection mandates when deciding whether to award an ATO to an RPA vendor. These are:
Confidentiality—The technology must have authorized restrictions on information access and disclosure.
Integrity—The vendor must guard against unauthorized information modification or destruction.
Availability—The agency must have timely and reliable access to its information.
An ATO sets a high bar. Only select RPA vendors have been awarded ATOs thus far. At Automation Anywhere, we have gone through the ATO evaluation process numerous times and are proud to possess a growing number of ATOs in the Federal Civilian, DoD, and Intelligence Community.
4. Are bots auditable?
All IT solutions should come with extensive audit capabilities, including advanced logging, monitoring, and reporting. RPA solutions are no exception to this.
According to Deloitte, five stages are required in an audit:
Planning—Gain a comprehensive view of the business areas and processes where RPA has been deployed.
Walkthrough—Understand the relationship between the automated process and IT and identify risks as well as controls.
Design evaluation—Evaluate control design, identify the exception-handling process, and identify any gaps in security.
Operating effectiveness—Perform substantive testing of all controls.
Reporting—Report on gaps between risks and controls and make recommendations for how to fix them.
Leading RPA platforms will give you embedded tools to do these things quickly and easily. For example, at Automation Anywhere, we offer extensive and non-repudiable audit logging for more than 185 activities on our platform. This allows government agencies to identify and alert security professionals to unusual activities such as bot performance errors, employee abuse, malicious code, or anything else that might be of interest for further analysis and investigation.
5. How long does it take to learn how to build bots?
With today's no-code RPA solutions, even non-technical business users can get a bot up and running in a matter of minutes. Indeed, leading RPA solutions are empowering a new breed of citizen developers. Drag-and-drop interfaces allow these citizen developers to almost immediately build rule-based automation bots that can perform repetitive tasks such as checking emails or transferring data from one system to another.
With just minimal training, agencies can layer new software-based processes on top of existing processes or streamline processes from scratch. Because of its ease of use, RPA is especially useful in agencies constrained by a lack of skills and expertise to integrate applications.
The choice for government
RPA is an easy-to-learn and highly cost-effective way for government agencies under pressure to provide better services to constituents and mission partners while achieving more with less. The bots help agencies by automating time-consuming manual tasks and allowing human workers to become more engaged in higher-value work.
When considering an RPA solution for your organization, pick one offering a platform that incorporates enterprise-grade security for systems and data. With Automation Anywhere, your agency can be confident that your RPA platform can be used without negatively affecting your risk profile. Instead of worrying about security or compliance, your organization can focus on reaping all of RPA's many benefits.