Robotic process automation, or RPA for short, is one of those hefty technical terms that can be tough to explain without a lot of jargon. But at the highest level, RPA is all about using software to improve human experiences.
RPA automates repetitive tasks so employees can focus on meaningful work, while customers reap the benefits of superior products and services. In the healthcare field, for example, RPA is used to automate manual scheduling, billing and claims management processes so providers can spend more time with their patients.
But without a strong Identity Security framework in place, RPA can run counter to its core purpose, driving up cybersecurity debt and exposing the organization to risk. Development and deployment challenges only increase as RPA scales, evidenced by the 74% of organizations that say they’ve slowed RPA and bot deployments due to security concerns. Much like a tightrope walker navigating a line, unlocking the full value of RPA requires a careful balancing act between two extremes: security and speed.
RPA Risks and the Security Imperative
As with every digital initiative, RPA deployments create multitudes of new digital identities in the form of RPA bots. Each of these bots requires privileged credentials to access business-critical applications, resources and other sensitive systems to do their jobs — whether that’s data entry, reconciliation, data transfer, report generation or something else. And in the case of “unattended bots,” there’s no human interaction or supervision over this process, which can be risky. If attackers get their hands on these privileged credentials — as they so often try to do — they could reprogram bots for malicious purposes such as destroying data, shutting down operations, sabotaging systems, redirecting payments or distributing malware.
RPA and the Need for Speed
In some organizations, bot developers are on the IT team, but increasingly, “citizen developers” — non-IT employees using technology to make workflows more efficient for themselves and their teams — assume the role of handling automation and scaling RPA initiatives. These users aren’t necessarily focused on security or aware of how common security shortcuts can create potentially huge problems. Bot developers need an intuitive, automatic way to manage bot credentials — otherwise, speed will trump security nearly every time.
Striking the Right Balance as RPA Scales
Following these five steps can help bring the two seemingly conflicting priorities of security and speed into alignment:
1. Involve security from the start. In many cases, security teams don’t even know about RPA initiatives until they’re called in to approve them at the last minute, which can hold things up and create frustration on both ends. Involving security from the start of an RPA project to help establish security standards and get everyone on the same page will save time in the long run.
2. Examine existing bot controls. Review existing credential management policies to identify potential gaps: Where are credentials stored? Are parameters in place to help ensure passwords are unique and complex? How often are these credentials rotated? Are authentication layers in place for credential retrieval? Is there a way to monitor and audit credential use?
3. Eliminate excessive permissions. How data is handled is just as important as how it’s accessed. As a rule, bots should not be able to access other applications or databases outside of their required tasks. Take steps to review and understand what each individual bot can access and eliminate excessive permissions wherever possible.
4. Put a moratorium on hard-coded credentials. Embedding authentication data directly into source code expands the attack surface and can create major issues. For one, hard-coded credentials are difficult — if not impossible — to rotate, as this practice prevents passwords to critical systems from being changed without causing major disruptions to operations. Worse still, hard-coded credentials expose credentials when scripts are shared (including publicly when scripts are in code repositories). And when credentials are reused, attackers can use bots to move laterally and escalate privileges.
5. Look for every opportunity to automate. While straightforward, implementing the above best practices at scale is very difficult to do manually across thousands — or even hundreds of thousands — of bots. Automating credential management processes wherever possible will help remove much of the security burden on employees — whether they’re developing RPA bots or tasked with approving deployments. For example, by storing all credentials in a centralized repository, organizations can enforce fixed security standards for bots and applications, automatically create complex passwords and rotate them regularly, and remove hard-coded credentials from bots and secure them.
Establishing a secure, automated Identity Security framework can help ensure RPA initiatives do what they’re supposed to do: improve experiences by eliminating delays, simplifying deployments and addressing security issues — before you even know you have them.