With more and more organizations becoming interested in Robotic Process Automation (RPA) and adopting an Automation First mindset, there are reservations and skepticism about whether deploying RPA robots can interfere with enterprise security. This skepticism is natural, but there are definitive ways and guidelines to maintain enterprise-grade security while deploying a robust RPA solution in an organization.
A few steps and measures, taken into account up front, can turn that curiosity into peace of mind and prevent surprises while RPA robots are running to automate critical business processes:
- Recognize the potential security risks associated with the Robotic Process Automation in an organization.
- Understand what features are available out of the box from the solution being deployed. For instance, if the solution being deployed is architecturally supportive of security, we can make the most of that.
- Apply best practices while implementing and deploying an organization-wide RPA solution.
The key to avoiding security breaches is to first identify the potential security risks associated with an RPA project. The risks a company must consider may include one or all of the following:
- RPA robots may have access to credentials that are normally held and used by a human worker.
- Robots may have access to privileged company information, anything from personal staff data to financial data.
- There is also a risk of unauthorized modification of automation workflows or their run-time parameters in the production environment.
- Modifications to automation workflows can also happen during development, for which measures should be taken beforehand.
While choosing an RPA solution, consider which security features are already embedded in the platform that will be used to develop and deploy it. Once such a platform is chosen, the guidelines it lays out must be followed at every step of RPA solution development and execution. The onus is on the person overseeing the whole RPA solution integration, from business analysis and solution architecture to development and deployment.
Various RPA platforms and tools lay out their own guidelines, but they share common points that need to be considered:
- Code Reviews: RPA developers creating robotic workflows can make mistakes that compromise the security of the company’s data and information. These workflows should go through a rigorous code review by authorized and experienced people to ensure that the process that will run on live data is safe and no security breach is possible. Proper training of the people involved in the RPA implementation helps build the mindset that ensures such practices are followed.
- Environment Isolation: Any large enterprise isolates its development, testing and production environments as standard, and this principle applies to RPA projects as well. The first step is to ensure that RPA developers cannot adjust robot settings. The development environment should not by any means be connected to the production deployment platform, since that is how a malicious workflow could reach production. By isolating RPA developers from the production environment and allowing only authorized personnel to access and deploy the robots, we gain more control over the security of the deployment.
- Version Control: Keeping track of every user’s or developer’s activity and every other change to RPA projects makes it possible to log and review those activities for possible security threats. Maintaining source control for every project created and deployed tracks the history of changes. All work packages uploaded and deployed to the Orchestrator are versioned and can be reviewed at any stage of RPA execution.
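One concrete check a reviewer can automate for the Code Reviews point above: scan a workflow's XAML for secrets stored as literal attribute values instead of as expressions that pull them from a credential asset at run time. This is an added example, not code from the page or from UiPath; the activity and attribute names in the sample XAML are constructed, and the list of sensitive attribute names is an assumption to be extended per platform.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample workflow in the style of a .xaml file. The ui: activity
# and attribute names are illustrative assumptions, not a real UiPath schema.
SAMPLE_XAML = """<Activity xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities"
          xmlns:ui="clr-namespace:Demo">
  <Sequence>
    <ui:GetCredential AssetName="[Config(&quot;BankLoginAsset&quot;)]" Password="[bankPwd]" />
    <ui:TypeInto Text="[bankPwd]" DisplayName="Type password from asset" />
    <ui:HttpRequest Endpoint="https://api.example.invalid/v1" ApiKey="sk-hardcoded-example-0001" />
  </Sequence>
</Activity>
"""

# Attribute names that usually carry a secret (assumption; extend as needed).
SENSITIVE_ATTR = re.compile(r"(password|passwd|secret|apikey|api_key|token)", re.I)


def is_expression(value: str) -> bool:
    """Workflow Foundation XAML writes VB/C# expressions as [expr]. Anything
    else is a literal; for a secret that means it is hard-coded in the file."""
    v = value.strip()
    return v.startswith("[") and v.endswith("]")


def strip_ns(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on qualified names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def find_hardcoded_secrets(xaml: str) -> list:
    """Return (activity, attribute, value) for each sensitive attribute that
    holds a literal rather than an expression. An empty list means the
    workflow passes this particular review check."""
    findings = []
    root = ET.fromstring(xaml)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            name = strip_ns(attr)
            if SENSITIVE_ATTR.search(name) and not is_expression(value):
                findings.append((strip_ns(elem.tag), name, value))
    return findings


if __name__ == "__main__":
    for activity, attr, value in find_hardcoded_secrets(SAMPLE_XAML):
        print(f"hard-coded secret: <{activity} {attr}=...> (len {len(value)})")
```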
RPA robots can be deployed securely and work securely. The following are general considerations regarding the way robots work:
- Provisioning: Before a robot is provisioned in the Orchestrator, it is assigned a unique key identifier.
- Authentication: Robots use the unique identifier key and the machine name to authenticate themselves.
- Elevated Access Rights: Accessing a robot's settings, where the unique key can be edited or the Orchestrator URL viewed, requires elevated user access rights.
Many features make RPA robots secure on their own, and platforms like UiPath provide various guidelines for securing the automation.
Credentials required by robots should be stored securely, and platforms like UiPath provide ways to do so. For instance, credentials are stored in an encrypted centralized database in the form of assets that robots can access at execution time. An asset (credential) can be configured so that only a particular robot may access it.
Robots can also read credentials from local machine storage using the Windows Credential Manager. This can serve as a fallback for when the centralized database is offline and unavailable.
RPA developers should strive for a trusted environment in which development, deployment and execution happen. Configuring trusted channels such as VPN connections, secure FTP sessions and HTTPS websites helps. Data encryption and the use of limited-access environments, such as restricted shared folders or restricted SharePoint domains, should be instilled as good practice.
A robust and secure RPA implementation considers the features and guidelines laid out for enterprise-grade security. Secure credential retrieval is the first such feature RPA platforms provide, and UiPath Orchestrator has it built in. Using the Orchestrator's multi-tenancy and multiple user roles to control access to various features is also part of using the built-in features according to the guidelines. Logging and audit trails of all user and robot activity are features to look for when choosing and implementing an RPA solution. Features like authentication control and encryption give an organization confidence that the solution is secure enough to be integrated at that point in time.
As part of the business analysis and the evaluation of a company's security challenges, it is imperative for the Business Analyst to document and plan for all of those challenges and incorporate them in the architecture and implementation plan.