Avoid a robotic misadventure – focus on the security that matters

Let’s say it loud and clear. A lack of effective controls will put your RPA environment at risk and will hold back your ability to scale. The hard truth is that most organizations have deployed RPA in a rush, treating security as an afterthought.

Organizations serious about scaling RPA should treat security as a foundational requirement. As RPA Center of Excellence (CoE) leads and IT and security executives, it is your job to deploy a meaningful security framework that addresses your critical security and compliance requirements.

Deploying RPA should be a walk in the park, but it can quickly turn into a trek through Jurassic Park if you don’t focus on the security that matters.

Repeat after me: Your RPA platform is an enterprise application

Enterprise applications require enterprise-grade security, and it’s not just large enterprises that should care about the security of their RPA environment. You can’t ignore these four key controls:

• Robust privileged access management (PAM) is necessary at the application, operating system, and database layers. Treat access to your runtime environments as privileged access, too. Robust PAM entails a full suite of mechanisms allowing automated password rotation, session recording, and usage monitoring against pre-determined policies. Unfortunately, the credential management functionality RPA vendors pre-deliver is not robust enough to appropriately secure bot accounts. You should integrate your RPA platform with specialized privileged account security solutions.
• Deploy a holistic access management framework to manage joiners, movers, and leavers. Ensure that your framework appropriately segregates roles and users in your RPA production instance, more importantly, across your three-tier system landscape. Performing periodic access reviews to verify that only legitimate users have access to the appropriate assets is a must-do.
• Embed a robust change control process in project and operational activities from day one. Manage bot deployment into the RPA production instance with strict change releases and govern the process with adequate approval workflows. Define pre-authorized change protocols to accelerate the implementation of fixes required for on-going bot recalibration.
• Gather and analyze abnormal usage and unauthorized changes with logging and monitoring capabilities. Insufficient audit trail capabilities in your RPA platform will be considered a major compliance failure for your risk and compliance oversight functions.

Focus on securing your RPA code, and stay away from the unnecessary access management debate

Over the last few years, the main security focus has been on bot access and, more particularly, managing underlying privileges in the myriad of target applications. It is certainly important to control the level of access you grant to your bots. But even more important is to control what your bots can do, and the code governs their conduct.

Give your bots a wide range of capabilities (in the interest of reusability and expandability) and use the code to control their ability to exploit these capabilities.

What matters is enforcing security checks when building your code and preserving their integrity during subsequent changes. “In Code We Trust” should be the motto of every RPA CoE.

Focus on two areas:

1. Ensure source code is free of vulnerabilities and 100% aligned with your Solution Design Document. Automate code profiling and execute it continuously. The effectiveness of the code review will be as good as the quality of the checks. Periodic review of code profiling policies is crucial to ensure completeness and accuracy.
2. Ensure that code is transported into the production instance following a very strict transport management process. Very few RPA tech vendors offer adequate functionalities to enable an appropriate code release management process. Integrate your RPA system landscape with a best-in-class version control and source code management tool, such as GitHub, to secure code transport between RPA instances.

Concentrate your monitoring efforts on bots that have the greatest impact on the bottom line, and don’t care too much about the rest

We can define the risk associated with a bot outcome as the probability of an error multiplied by the cost of an error. The resilience of your bot determines the probability of an error, and you can deem it resilient if it can withstand or recover quickly from contextual changes (process and technology). The cost of an error is the impact of a failure on existing operations. Quantifying how much money you could potentially lose due to a bot failure is a difficult but necessary exercise.

Keep the risk dimension in mind when defining the criticality of each bot and deriving the necessary security monitoring activities. A higher error cost or probability requires a higher level of continuous monitoring. You can’t survive in the long run with manual monitoring only, and you should aim to deploy from day one automated monitoring mechanisms.

For bots involving relatively little risk, out-of-the-loop problems are unlikely to have much impact, even if there is a complete failure.

For these critical bots, you must formally document and communicate a business continuity plan. Each bot should have a tailored action protocol to guide RPA operators during the recovery process. Remember, business users may not be as skilled in performing the recovery activities, so ensure ongoing training refreshers.

The Bottom Line: To succeed in your RPA journey, you need to focus your security efforts on what matters most, and you must do it very well from the get-go

There is one thing for sure that will bring your RPA journey to a grinding halt: the inability of your auditors to rely on the controls governing your RPA environment.

Focus on the controls that matter most and incrementally increase the level of automation when possible. It is not enough to just design good controls. What is even more important is to preserve the operating effectiveness over time, which mainly relies on proper end-to-end governance.

You must also do it at the right cost. Your internal security and IT functions should lead this effort with the help of dedicated service providers that will provide the right mix of expertise and labor arbitrage.