The Security Requirements for A Global RPA Platform

According to a recent report by Harvard Business Review, “30% or more of current work activities can be automated by available or announced technologies. In other words, [...] a day and a half’s worth of activities in each work week can be automated.” A day and a half of work. That’s nothing to sniff at, especially for companies operating in a global marketplace. Though these statistics can be seen as a prediction for the future of automation, many companies are already leveraging robotic process automation (RPA) to this or even a greater degree to increase efficiency and productivity.

Because of the volume of automation, RPA inherently deals with a great deal of confidential business data, regardless of whether the technology is deployed within a small- to medium-sized medical practice or a global financial services firm. In automating everyday business processes such as transferring files, processing orders, and running payroll, RPA’s software robots process information from various company databases and log into different accounts using supplied passwords. In this way, the automation platform gains access to all kinds of information (inventory lists, credit card numbers, addresses, financial information, passwords, etc.) about a company’s employees, customers, and vendors.

Thus, for many companies dealing with a significant degree of automation — or any degree of automation, for that matter — one of the biggest concerns is security. How can a company make sure that privileges given to the software robots are not misused? Which parties are able to access the data processed by RPA? What can be done to safeguard confidential information from non-privileged parties?

The challenges in RPA security

Our current age is marked by explosive growth in the amount of unstructured data (or Big Data) as well as by a great number of data security regulations and bodies: FISMA, HIPAA, GDPR, ENISA, etc. A basic reason that newer technologies, developed in the post-client-server era, are more secure is that their design reflects a culture in which security is paramount.

How to prevent RPA security risks

In fact, some of the biggest risks with RPA, as with most other data processing services, are connected to security challenges: data security and access security, in particular. In the realm of automation, data security deals with preventing unauthorized users from getting hold of the data processed by the software robots. Simply put, the goal behind maintaining data security is to ensure privacy as well as to protect personal and corporate data. In this regard, access security is closely linked to data security.

Access security deals with preventing unauthorized users from accessing RPA’s data processing service (or individual parts of it) and the connected data sources without permission. Such unauthorized access is important to prevent because it can be used to access confidential data and manipulate the software robots and their automated tasks. In a less hazardous scenario, this could mean that an employee compromises the efficiency of the robots’ activity. In the worst case, a malicious hacker could retrieve desired information from company databases, network servers, and employee computers as well as compromise specific features and functionalities of the platform.

Making RPA security a reality

To promote both data security and access security, every part of the RPA system, from the inside to the outside, has to be protected from threats. Much of the responsibility for this security lies with RPA vendors, who incorporate certain security measures into their software products.

Full audit logs

Supervision is a primary means of prevention. RPA platforms should offer full audit logs that trace and record every action the robots and the users perform within the automation. Full audit trails enable you to create quicker and cleaner audit reports, and ensure that you can retrace the steps that led to a specific problem, be it an error in the robot's performance, malicious code or other misuse by an employee.

Integration of data protection technologies

Robust data protection technologies used by leading financial services, energy, retail, and healthcare companies to protect data are also being incorporated into RPA technologies. CyberArk, for example, is a multi-layered security solution that provides an extra layer of protection for admin accounts: privileged password management, session recording, least privilege enforcement, and privileged data analytics. It’s also important to choose an RPA product that relies on the latest industry standard Transport Layer Security (TLS) 1.2 protocol, which is designed to protect the privacy of information communicated over the Internet. Incorporating such technologies into RPA allows organizations to best protect themselves against advanced internal and external IT threats.

Employing encryption

It is important to choose an RPA product that stores sensitive information encrypted in a secure database. Throughout the automation process, encryption — the process of encoding data or passwords in a way that only authorized parties are able to access them — helps to ensure the highest level of access security. Encrypted data requires a direct transfer of a secret password to gain access, making it especially difficult for malicious hacking attempts to be successful. A credentials vault should also be used to store the encrypted passwords and credentials that the RPA software robots need to log in to company databases and other websites during automation.

Resource- & role-based access control 

Role-based access control is a built-in authentication system that allows companies to restrict RPA system access to authorized users and to segregate automation-related duties between employees. Based on this type of control, individual users of a company’s RPA system can be given different levels of access in View, Create, or Modify modes; these divisions are typically based on an employee’s role, position, and authority in their organizations. Similarly, resource-based access control can be used to determine access to a protected resource and allows for especially fine-grained access control per resource. These types of access controls are essential for ensuring high internal security levels where only those users with authorization are able to see and manipulate the actions of the software robots.
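The two checks described above can be combined into one decision that is also written to the audit trail. The following is an added example, not code from any RPA product: the role names, the `AccessPolicy` class, and the sample users and resources are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Flag

class Mode(Flag):
    VIEW = 1
    CREATE = 2
    MODIFY = 4

# Hypothetical role table: which modes each role grants platform-wide.
ROLE_MODES = {
    "auditor": Mode.VIEW,
    "developer": Mode.VIEW | Mode.CREATE,
    "admin": Mode.VIEW | Mode.CREATE | Mode.MODIFY,
}

@dataclass
class AccessPolicy:
    user_roles: dict      # user -> role name
    resource_acl: dict    # protected resource -> {user: Mode}
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user, mode, resource):
        role = self.user_roles.get(user)
        # Role-based check: unknown users and roles get no modes (fail closed).
        role_ok = bool(ROLE_MODES.get(role, Mode(0)) & mode)
        # Resource-based check: a protected resource needs its own grant too.
        acl = self.resource_acl.get(resource)
        resource_ok = acl is None or bool(acl.get(user, Mode(0)) & mode)
        allowed = role_ok and resource_ok
        # Record every decision, denials included, so it can be retraced.
        self.audit_log.append({"user": user, "role": role, "mode": mode.name,
                               "resource": resource, "allowed": allowed})
        return allowed

def build_demo_policy():
    # Constructed sample data: two human users and one software robot.
    return AccessPolicy(
        user_roles={"alice": "admin", "bob": "developer",
                    "invoice-bot": "auditor"},
        resource_acl={"payroll-queue": {"alice": Mode.VIEW | Mode.MODIFY,
                                        "invoice-bot": Mode.VIEW}},
    )
```

Here the per-resource grant can only narrow what a role allows, never widen it, so a developer with platform-wide View rights still cannot read a protected resource without an explicit grant.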

Conclusion: The Red Queen of cybersecurity

You've probably heard about the latest series of cyberattacks taking global companies by storm. Paranoia is rather justified; the more connected we are, the more exposed we become. The more artificial intelligence we bring to bots, the more security risks are introduced. However, every new problem could also generate new solutions.

There's a thesis by Matt Ridley proposing that sexual selection is essentially all about developing the genetic variability needed to battle virulent parasitic predators. In other words, sex is a strategy devised to combat constantly mutating enemies. It's about having to fight something that always fights back.

"It takes all the running you can do to keep in the same place. If you want to get to somewhere else, you must run at least twice as fast as that." (Lewis Carroll)

The same goes for cybersecurity. We constantly develop new technology and strategies meant to fight ever-evolving computer viruses and security threats. Security, especially data and access security, represents a permanent concern for organizations seeking to digitize and automate. It even remains a challenge for those that have already implemented RPA. Especially because of the large volumes of sensitive data that an average RPA system juggles, these worries are justified.

Though we’ve already come a long way in terms of improving IT security, companies, more so than ever, must be vigilant about potential malicious threats — whether they come from inside the organization or outside. With a degree of proactive planning in choosing a stable RPA product and regular monitoring of security measures, most threats can be easily managed or entirely avoided.


This is a companion discussion topic for the original entry at https://www.uipath.com/blog/rpa/the-security-requirements-for-a-global-rpa-platform