Jeffrey Kok, Vice President of Solution Engineer, Asia Pacific and Japan, CyberArk, tells us that Robotic Process Automation (RPA) security must evolve with the changing business landscape to continue reaping the benefits of efficient and agile processes and systems.
Jeffrey Kok, Vice President of Solution Engineer, Asia Pacific and Japan, CyberArk
When Robotic Process Automation (RPA) burst on to the scene just a few short years ago, many held it up as the ultimate tech solution organizations had been waiting for.
Across various industries, RPA has enabled employees to use their resources and capabilities in a more engaging and beneficial way by taking over some of the more manual and time-consuming processes such as customer onboarding processes, report generation and compliance tasks.
This enables employees to spend their time on more business-critical, cognitive and creative work, resulting in greater efficiency across the organization.
Analyst reports show that the RPA market is estimated to reach a total value of US$9 billion by 2026, at a compound annual growth rate (CAGR) of 27.7% within the forecast period of 2021 to 2026. In addition, according to Forrester, the Asia Pacific region has been a growth engine for RPA in recent years, accounting for roughly 17% of the global market for RPA services.
In Singapore, the National University Health System (NUHS) adopted RPA to ease the administrative burden on medical workers who previously had to manually register patients and create records for COVID-19 swab test results.
By automating the registration process, NUHS increased the efficiency of data entry for the swab test results and reduced backlog as COVID-19 cases rose significantly in the foreign workers’ dormitories in April 2020. In addition, with up-to-date swab test results in the system, the National Electronic Health Record (NEHR) was able to leverage this database for tracking and analysis purposes.
The evolution of RPA and security risks it details
While automating processes offered many benefits, anxiety around handling over control also came hand-in-hand with RPA. Security teams become uneasy when a new and powerful entity – like cloud or Shadow IT – is introduced and needs to be understood, managed and controlled.
As non-IT employees, citizen developers help to bridge the gaps within business processes by creating application capabilities using IT-approved technology tools such as Robot Process Automation (RPA) and Business Intelligence (BI).
With unattended robots in automation created by citizen developers, organizations can help eliminate human errors, optimize man-hours and improve turnaround time for business processes.
For security teams, however, it introduces numerous risks and concerns. To connect to critical enterprise systems, live on networks, approve processes and execute tasks, robots need to be assigned high-level privileged access.
However, robot credentials are equally exposed to risk like those access identities assigned to a real-life person and, if not secured correctly, this can give cybercriminals another way to steal data and cause chaos.
Thus, it is understandable that the use of unattended bots can cause a rift between security and automation teams, with the former requiring more stringent security measures and the latter struggling to implement security measures either due to a lack of knowledge or lack of time.
Enforcement of strong security practices was difficult for cybersecurity teams and their ‘stern recommendations’ led to a split among citizen developers. Some were discouraged from using attended automation, which stifled innovation. Others went ahead and implemented non-sanctioned RPA applications, which created gaps in the organization’s cybersecurity.
How to secure unattended automation
Fortunately, security concerns about the use of unattended robots can be addressed. Without requiring extra work from the staff that the technology aims to free up, this can be done
via automated, centralized management of RPA credentials.
Rather than manually assigning, managing and updating the bot credentials to perform its task, all hard-coded privileged credentials are removed from robot scripts, and replaced with an API call pointing to automatically rotating credentials stored in a secure, centralized repository.
Automated RPA credentials management enables consistent implementation of security measures such as rotation of credentials, multi-factor authentication, password uniqueness and complexity requirements, and – given certain criteria – the suspension of privileged credentials.
Best practice also includes giving bots their own unique identity, credentials and entitlements to ensure that non-repudiation and separation and segregation of duties are adequately controlled. In addition, limiting access only to applications and databases needed for the bots to do their job can help in identity management.
This refers to the application of the principle of least privilege to robots just as a human user can be assigned minimum levels of access or permissions needed to perform tasks.
Unlock the power of RPA
An all-in-one automated centralized repository solution removes old roadblocks, but to truly unlock the power of the citizen developer and the ultimate benefits of RPA, organizations must embrace DevSecOps and bring together automation and security from the start.
Engaging with security teams and security professionals early on will allow RPA teams and citizen developers across various industries to speed past security concerns, and effectively scale the number of RPA bots in their organization without introducing security risks or slowing down innovation.
Click below to share this article