RPA is about enabling robots to perform processes and activities that are otherwise done by humans. Robots would also have access to confidential data and credentials, and if that is combined with a faulty design of the automation workflows, it can pose a security threat.
Security is a non-negotiable factor for any enterprise or organization, so understanding the potential security risks associated with a typical RPA project (outlined below) is important.
- Robots having access to credentials normally used by human workers.
- Robots having access to privileged information: personal data of company staff, financial data.
- Unauthorized modifications of automation workflows in the development or testing phases.
- Unauthorized modifications of automation workflows or runtime parameters in the production environment.
Below are the guidelines and features that UiPath has developed to address security concerns at the Studio level.
Guidelines are best practices that UiPath recommends when setting up or using the RPA solution:
- Having proper code review ensures that a process running on live data is safe and that no security breaches are possible. For example, ensuring proper usage of credentials, preventing data sharing outside the trusted scope, and avoiding hard-coded values.
- Having isolation between development, testing and production environments. For example, ensuring RPA developers can't adjust Robot settings or upload packages in the production Orchestrator, and ensuring the dev Studio is not connected to the prod Orchestrator.
- Having version control in place to keep track of changes throughout RPA projects. For example, using a source code control system (SCCS) such as TFS, SVN or Git.
Features are characteristics that are embedded in the product or solution and implemented in order to enhance security and mitigate risks.
- UiPath offers a secure way to deploy packages to Orchestrator:
  - Direct: when Studio is connected to Orchestrator, the project can be published directly.
  - Indirect: when Studio is not connected to Orchestrator, the package is saved in a local folder and then manually uploaded to Orchestrator.

  Either of these methods requires permissions to access Orchestrator.
Hope this info helps.
Feel free to add your suggestions or any additional pointers…
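
For the code review guideline above (avoiding hard-coded values, proper usage of credentials), here is one way to automate part of the check. This is an added example, not UiPath's own tooling. It assumes workflow files are XML in which variable or expression bindings appear in square brackets and markup extensions in curly braces; the activity and attribute names in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names that suggest a secret (assumed naming; tune per project).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_?key)", re.I)
# A bracketed expression that is nothing but one quoted string, e.g. ["abc"].
QUOTED_LITERAL = re.compile(r'^\[\s*"([^"]*)"\s*\]$')

def literal_value(raw):
    """Return the hard-coded string held in an attribute value, or None when
    the value is bound to a variable/expression or is a markup extension."""
    raw = raw.strip()
    m = QUOTED_LITERAL.match(raw)
    if m:
        return m.group(1)
    if raw.startswith("[") and raw.endswith("]"):
        return None          # e.g. [securePassword]: resolved at runtime
    if raw.startswith("{"):
        return None          # e.g. {x:Null}
    return raw or None

def find_hardcoded_secrets(xaml_text):
    """Return (element, attribute) pairs where a secret-like attribute holds
    a literal. The value itself is not returned, to keep it out of logs."""
    findings = []
    for elem in ET.fromstring(xaml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]        # drop the XML namespace
        for name, raw in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1]
            if SECRET_NAME.search(attr) and literal_value(raw):
                findings.append((tag, attr))
    return findings

# Constructed sample workflow; element and attribute names are hypothetical.
SAMPLE = """<Sequence xmlns:ex="urn:example:activities">
  <ex:Login User="[userName]" Password="[securePassword]" />
  <ex:Login User="svc_robot" Password="Winter2024!" />
  <ex:CallApi Url="https://example.invalid/api" ApiKey='["abc123"]' />
  <ex:CallApi Url="https://example.invalid/api" ApiKey="{x:Null}" />
</Sequence>"""

if __name__ == "__main__":
    for tag, attr in find_hardcoded_secrets(SAMPLE):
        print(f"hard-coded value in <{tag}> attribute {attr}")
```

Run as a pre-merge check alongside version control, a non-empty result is a reason to block the change until the value is moved to a credential store.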