By Kevin Ross, Global Solutions Engineer, CyberArk
Robotic process automation (RPA) is one of the hottest technologies in the IT market today. These systems enable software robots to replicate the actions of human workers for tasks such as data entry, and they can bring greater efficiencies and accuracy to many key business processes.
The technology has the potential to deliver huge benefits to companies. These include increased efficiency of workflows, improved accuracy of transactions, and significant cost savings through the reduction of labor by automating the execution of repetitive, time-consuming manual tasks.
RPA can also be a significant IT security risk, particularly around the credentials used to manage RPA implementations. Because of that, organizations need to be vigilant about how they secure their RPA deployments.
The Benefits of RPA
Companies that include manufacturers, financial services firms, engineering firms, and insurance companies use RPA to automate all kinds of routine tasks. The software “bots” that are key components of the software follow a set of programmed rules to carry out activities people would ordinarily perform. In some cases, the RPA bots work together with humans for functions such as moving or copying data between applications.
Companies that rely on a large human workforce for process work, in which people perform high-volume, transactional functions, stand to gain from using RPA, according to the Institute for Robotic Process Automation and Artificial Intelligence (IRPA AI).
RPA software can deliver efficiencies to enterprise applications such as enterprise resource management (ERP), customer relationship management (CRM), supply chain management, and applications that support functions in human resources and finance.
Clearly the emerging technology is having a huge impact on the way enterprises perform day-to-day business processes.
According to Deloitte, 53 percent of organizations have started to leverage RPA to robotize and automate repetitive tasks to allow the human workforce to focus on higher-value work. Overall, RPA adoption is expected to increase to 72 percent in the next two years and, if adoption continues at its current level, RPA will achieve near-universal adoption within the next five years.
While RPA software is being deployed in all industries, the biggest adopters include banks, insurance companies, telecommunications providers and utility companies.
These companies traditionally have lots of legacy systems and implement RPA tools to enhance integration among these systems and quickly accelerate their digital transformation efforts while leveraging their IT investments.
This is creating new security risks that organizations need to be aware of.
Addressing the Security Risks
Considering the scale and speed at which bots work and the number of systems and applications they can access, security should be a primary consideration when deploying the technology.
As with any other newer technology, RPA can easily become a new attack vector for bad actors if security isn’t factored into the platforms.
RPA software interacts directly with critical business systems and applications, which can introduce significant risks when bots automate and perform routine tasks. Bots don’t need administrative rights to perform their tasks.
But they do need privileged access to log in to ERP, CRM, and other enterprise business systems to access data, copy or paste information, or move data through a process from one step to the next. Privileged access without security is a recipe for disaster.
According to a recent study, 84 percent of organizations believe that IT infrastructure and critical data is not secured unless privileged accounts are fully protected.
The typical approach in providing privileged access credentials to bots is to hard-code privileged access credentials into the script or rules-based process a bot follows. With another method, the script might include a step to retrieve credentials from an insecure location such as an off-the-shelf application configuration file or database.
As demand for RPA increases among lines of business, the number of privileged account credentials hard-coded into scripts or stored insecurely grows. That significantly increases the associated risks.
With these approaches, the credentials end up being shared and reused repeatedly. Unlike the credentials used by humans, which typically must be changed regularly, those used by bots remain changed and unmanaged.
As a result, they’re at risk from cybercriminals and other bad actors who are able to read or search scripts to gain access to the hard-coded credentials. They are also at risk from users who have administrator privileges, who can retrieve credentials stored in insecure locations
As RPA deployments expand to include larger numbers of bots, the risks become exponentially greater for organizations. If privileged account credentials used within an RPA platform are left unmanaged and unprotected, that can transform RPA processes into a backdoor through which attackers can gain access to corporate systems and do damage.
Organizations can take three critical steps to start mitigating the risk of the RPA pipeline becoming compromised, building security directly into their RPA workflows and processes.
- Store and manage privileged credentials securely
To keep privileged account credentials from falling into the wrong hands, they can remove credentials from bot scripts and other insecure locations.
Instead, they can be stored in a system that encrypts the credentials; holds them in a secure location; hands them securely to authenticated bots on-demand; automatically rotates credentials at regular intervals or on-demand; removes human intervention from the process; and scales to meet rapid growth in RPA use.
- Limit the bots’ application access
If an attacker acquires privileged account credentials, companies can minimize the impact by limiting the number of applications to which the credentials allow access.
That means granting bots privileged access only to the specific applications they need, preventing other applications from executing. This prevents bad actors from using multiple applications on a client machine and gaining the local administrator rights allowing them to install spyware and other malware.
- Protect administrator credentials or else
Companies should deploy a secure infrastructure that protects and manages administrator credentials in the same way as bot credentials, using encryption and secure storage and automatic rotation; and allows isolation and monitoring of administrator activity.
By taking the necessary steps, organizations can benefit from RPA and minimize the risks.
About the Author
Kevin Ross is a Sr. System Engineer at CyberArk (NASDAQ: CYBR). He is an experienced system engineer with a demonstrated history of working in the computer software industry. Previous to CyberArk, he was a support engineer and project manager at Barracuda (NYSE: CUDA). He’s skilled in Session Initiation Protocol (SIP), Domain Name System (DNS), Mac, Transmission Control Protocol (TCP), and more. He has a B.S. in Computer Information Services from Southern Adventist University. Kevin can be reached online at LinkedIn. For more information at https://www.cyberark.com/