Securing the rise of RPA


When it came to their transformation efforts, enterprises went all in last year, and they’re going to remain all in throughout 2020. A central aspect of any successful business transformation is automation and, increasingly, robotic process automation. RPA, or software bots, helps to automate everything from repetitive business process tasks to cloud infrastructure management functions. According to multiple sources, including Gartner and Grand View Research, the global RPA market is among the fastest growing in the enterprise software space.

Increasingly, these bots collect and interact with confidential, sensitive, and even regulated data, so it’s crucial they be governed appropriately. In the years ahead, it’s likely that the access given to RPA bots will be exploited. And it’ll be those organizations that manage to securely leverage their bots that will succeed. Of course, this is easier said than done.

So, what to do? Simply put, it’s time to start treating bots like human users, at least when it comes to identity management. That includes monitoring how bots interact with other accounts, services, and the data within the organization. And certainly, these accounts should be set up with the least amount of privileges necessary to do their jobs.

In my discussions with CISOs and identity teams, one of the most common areas of concern is their service accounts (these are accounts used only for system configuration management, and they are often the first to be automated through software bots). To perform their tasks or services, these service accounts often rely on a complex network of access to other systems and service accounts, and it’s the access across that chain that needs to be evaluated for risk.

This isn’t something that can be set once and forgotten; the access needs to be evaluated and managed periodically, just like access levels are certified quarterly or annually at many enterprises.

For example, an identity manager at a national bank I recently interviewed is making certain that all of their bots — typically used as service accounts or to help schedule internal IT service requests — are assigned a human manager. This way, the access rights to these software bots become the responsibility of the bot owner. This is typically the same management process you see with access for staff, as business managers help decide what apps and services staff and other insiders need to do their jobs.
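The checks described above (walking the chain of access behind a bot, confirming a human owner, and re-certifying on a schedule) can be run over an account inventory. This is an added example, not part of the original article; the account names, the sensitive-resource list and the 90-day window are constructed assumptions.

```python
from datetime import date

# Constructed inventory (hypothetical names): each account lists what it can
# access directly, its human owner, and when its access was last certified.
ACCOUNTS = {
    "bot-invoice": {"owner": "a.rivera", "certified": date(2020, 1, 10),
                    "access": ["svc-erp", "share-finance"]},
    "bot-ticket":  {"owner": None, "certified": date(2019, 6, 1),
                    "access": ["svc-itsm"]},
    "svc-erp":     {"owner": "j.chen", "certified": date(2019, 12, 1),
                    "access": ["db-payroll"]},
    "svc-itsm":    {"owner": "j.chen", "certified": date(2020, 2, 1),
                    "access": ["svc-erp"]},
}
SENSITIVE = {"db-payroll"}   # constructed: resources holding regulated data
MAX_CERT_AGE_DAYS = 90       # assumption: quarterly certification


def reachable(account, accounts=ACCOUNTS):
    """Everything an account reaches directly or through chained accounts."""
    seen, stack = set(), list(accounts[account]["access"])
    while stack:
        target = stack.pop()
        if target in seen:      # also guards against cycles in the chain
            continue
        seen.add(target)
        # If the target is itself an account, its access extends the chain.
        stack.extend(accounts.get(target, {}).get("access", []))
    return seen


def audit(bot, today, accounts=ACCOUNTS):
    """Return governance findings for one bot account."""
    entry, findings = accounts[bot], []
    if not entry["owner"]:
        findings.append("no human owner")
    if (today - entry["certified"]).days > MAX_CERT_AGE_DAYS:
        findings.append("certification overdue")
    for res in sorted(reachable(bot, accounts) & SENSITIVE):
        kind = "direct" if res in entry["access"] else "indirect"
        findings.append(f"{kind} access to {res}")
    return findings


if __name__ == "__main__":
    for bot in ("bot-invoice", "bot-ticket"):
        print(bot, audit(bot, date(2020, 3, 1)))
```

Neither bot is granted the payroll database directly; the exposure only appears once the service accounts behind each bot are followed.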

All of this is necessary because, in many ways, software bots are just like staff users – they can access data, applications, and other resources and act upon them. It’s that power that makes them useful, but it’s also what makes them targets. And as enterprises continue to accelerate their digital transformation efforts with software bots, they’d better put the same controls around their software bots as they do their human users, or they’re going to find their risk of data breaches increase substantially.

Comments

  1. Great insights on security of RPA, thanks for the share.
