Gartner’s definition: “A citizen developer is a user who creates new business applications for consumption by others using development and runtime environments sanctioned by corporate IT.”
The idea of a citizen developer is edging its way into reality across many Robotic Process Automation (RPA) platforms. Through a simple graphical interface and smart building tools, non-technical users are empowered to automate processes and deploy software bots into production environments. The benefits provided by RPA technologies and solutions are significant. Giving standard users the ability to drag-and-drop future-proof apps without touching source code or having to know anything about programming languages creates a force multiplier for speed and value.
RPA can enable more rapid innovation and provide a leg up on competition. It can also save time and money and enable the dev team to work on more impactful things.
The list goes on.
Domo Arigato, Mr. Citizen Developer
However, no technology is perfect – or perfectly safe – and RPA is no exception. In my previous blog, I touched on how RPA expands the organization’s overall attack surface and how rushing into this technology without examining security considerations introduces substantial risk. The genesis of many RPA projects can be found within the organization’s Center of Excellence (COE). At the COE-level, the first priority, before even beginning to consider the benefits of RPA, is securing and managing the access rights of this digital workforce. It’s important to make the security team a part of the conversation on RPA implementation from the beginning. Including the security team means that security issues are addressed up front before they can cause delays in the final stages of deployment. Sustaining world-class performance and value cannot be achieved if security is an afterthought.
Gartner reinforces this point in its “Predicts 2019: RPA Evolution”¹ report:
“The rapid adoption of RPA software has created a lot of hype in the market, leading many organizations to jump into RPA initiatives without proper analysis, planning, defined strategies and COEs. All this elevates the risk of errors by failing to automate the right processes, identify the right guardrails, and focus on security issues and access rights for the new virtual users (RPA bots).”
What’s the Risk?
Security needs to be built in directly as part of the automation workflow. As citizen developers become increasingly common, “security by design” becomes even more critical. Anyone can make mistakes, but citizen developers – who lack both technical and security know-how – are more likely to make the kinds of mistakes that unknowingly expose access to sensitive corporate networks and systems.
Many of the current low-code platforms do not have built-in security, but IT can hook the platforms into best-in-class security solutions, taking security out of the hands of the less security-conscious citizen developer. If there aren’t enough developers to go around at the organization, before diving into low-/no-code environments or giving access to citizen developers, credential management and security need to be top of mind. Moreover, they need to be at the top of the list of strategic objectives for the COE to ensure that RPA is implemented securely and the desired outcome of the program is achieved successfully.
Gartner reaffirms the importance of credential security in its “Best Practices for Robotic Process Automation Success”² report:
“One of the most critical functions of the management platform is credential management. With robots actively accessing and manipulating data, thoughtful consideration and intentional implementation of credential management is a requirement of all RPA deployments. The management platform of an RPA system should allow for the creation, deletion and expiration of credentials for the RPA system, as well as the encryption of any locally stored credentials, if the use case requires them. “IGA, RPA, and Managing Software Robot Identities” is required reading for architects and technical professionals responsible for IAM.”
Why Security Matters
Developers often work fast and dirty. They have aggressive deadlines. They have internal and external pressures to get their code out the door at lightning speed. Anything that has even a remote chance of slowing code production takes a back seat, and security is no exception to this rule. Now consider the citizen developer. The majority of traditional developers at least have some knowledge of the importance of developing secure code – whether they choose to maintain technical ethics and write their code in a secure manner is another story. However, the citizen developer doesn’t think like the traditional developer. The citizen developer is often a standard business user in some sort of managerial/supervisory capacity. They probably know very little about application and credential security, so they introduce risk to the app development pipeline.
Here are a few things to consider to help maintain the correct balance of security and usability:
- Be selective in who’s using these platforms.
- Establish guardrails and ensure users stay within the bounds of IT best practices.
- Automate any elements of security that can be automated (e.g. remove the application’s hard-coded credential and force the software bot to validate/authenticate prior to connecting to mission/business critical apps).
- Secure the RPA console and establish individual accountability for users with highly privileged access.
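The hard-coded credential item in the list above can be enforced as an automated pre-deployment check. The following is an added example, not CyberArk's or any RPA vendor's code: it walks a bot workflow export and flags literal credentials. The JSON export layout, the field names, and the `vault://` reference syntax for secrets fetched at run time are all assumptions made for illustration.

```python
import json
import re

# Field names that normally carry secrets (assumed naming, not tied to any RPA product).
SECRET_KEYS = re.compile(r"(pass(word|wd)?|secret|api[_-]?key|token)$", re.I)
# Credentials embedded in a connection string or URL, e.g. "Password=...;" or "user:pw@host".
INLINE_SECRET = re.compile(r"(password|pwd)\s*=\s*[^;\s]+|://[^/\s:@]+:[^/\s@]+@", re.I)
# Hypothetical reference syntax meaning "fetch from the credential vault at run time".
VAULT_REF = re.compile(r"^vault://[\w./-]+$")


def find_hardcoded_credentials(node, path="$"):
    """Walk a parsed workflow and return (path, reason) for every literal secret."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str):
                if VAULT_REF.match(value):
                    continue  # resolved at run time, nothing stored in the workflow
                if SECRET_KEYS.search(key) and value:
                    findings.append((child, "literal value in secret field"))
                elif INLINE_SECRET.search(value):
                    findings.append((child, "credential embedded in string"))
            else:
                findings.extend(find_hardcoded_credentials(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_hardcoded_credentials(item, f"{path}[{i}]"))
    return findings


# Constructed sample workflow export; the values are placeholders, not real credentials.
SAMPLE_WORKFLOW = json.loads("""
{
  "name": "invoice-bot",
  "steps": [
    {"action": "login", "user": "svc_invoice", "password": "EXAMPLE-ONLY-1"},
    {"action": "query", "connection": "Server=erp01;User=bot;Password=EXAMPLE-ONLY-2;"},
    {"action": "login", "user": "svc_hr", "password": "vault://rpa/hr-portal"},
    {"action": "upload", "url": "https://files.example.internal/drop", "apiKey": ""}
  ]
}
""")

if __name__ == "__main__":
    for location, reason in find_hardcoded_credentials(SAMPLE_WORKFLOW):
        print(f"{location}: {reason}")
```

Run as a gate before a bot is published, a non-empty result blocks the deployment until the flagged value is replaced with a vault reference.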
Embrace Digital Transformation with Confidence.
Move fearlessly forward into the new digital landscape with CyberArk and take the first step by requesting a demo today. See how easy it is to start securing RPA workflows and processes with the #1 leader in privileged access security. To learn more about how to get started securely deploying RPA, read Gartner’s analyst report, “Predicts 2019: RPA Evolution.”¹
1 – Gartner, “Predicts 2019: RPA Evolution,” 6 December 2018, Analyst(s): Stephanie Stoudt-Hansen, Frances Karamouzis, Arup Roy, Arthur Villa, Melanie Alexander
2 – Gartner, “Best Practices for Robotic Process Automation Success,” 18 June 2019, Analyst(s): Gregory Murray