Securing RPA

What is Robotic Process Automation?

Robotic Process Automation (RPA) is one of many automation technologies that apply elements of Artificial Intelligence (AI) to make workflows more efficient, and shift employees away from routine tasks to higher-value forms of work. RPA is designed to emulate some forms of work done by humans, usually routine tasks and processes. Robots can perform 24/7, they don’t incur additional costs, they can reduce human error, and can process information far faster than humans. The higher the volume, and/or the simpler the task, the greater the value of RPA.

In fact, the opportunities for improving efficiencies in the public sector are so great that the adoption of technologies like RPA is being mandated. For example, Memo M-18-23 from the Office of Management and Budget requires the 24 CFO Act agencies to follow a set of guidelines, including “developing and implementing strategies for shifting resources to high-value activities”. A key element of this new strategy is to “introduce new technologies, such as RPA, to reduce repetitive administrative tasks, and other process-reform initiatives”.

Focus on Security

For robots to effectively emulate humans in the workplace, they must be able to access data and applications across the organization. Robots and bot applications must keep that data just as secure as human workers are expected to. RPA introduces new forms of threat:

  • External threats, where an attacker compromises a bot to gain access to sensitive data
  • Internal threats, where an employee or contractor manipulates or trains a bot for malicious purposes
  • Poor design, where the bot inadvertently exposes sensitive data – personal information, voter registrations, financial details, etc. – over insecure channels such as the Internet or public Wi-Fi
  • Insecure data handling, where the bot accesses sensitive data but does not encrypt it before sending it to or from the cloud
  • Network vulnerability, where a poorly designed robot gives attackers a remote entry point into the network
  • Denial of service, which can arise if scheduled robot activities occur in such rapid succession that the network is overwhelmed, causing a ripple effect of service disruptions and possible security breaches across the organization
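The last item above, bursts of scheduled robot activity saturating the network, is usually prevented at the scheduler rather than on the network. As an added example (not code from this page or from any RPA product), the Python below staggers a batch of robot jobs under a cap on simultaneous runs and a minimum gap between starts, then sweeps the resulting plan to confirm its peak concurrency; job names and timings are constructed sample data.

```python
"""Stagger scheduled robot runs so a burst of jobs cannot overwhelm shared services.
Added illustration for this page, not code from any RPA product; job names and
timings are constructed sample data."""
import heapq
from dataclasses import dataclass


@dataclass
class BotJob:
    name: str
    requested_start: int  # seconds after the start of the scheduling window
    duration: int         # expected run time in seconds


def stagger(jobs, max_concurrent, min_gap):
    """Return (name, start) pairs that honour a cap on simultaneous runs and a
    minimum spacing between starts. A job is only ever moved later, never earlier."""
    running = []      # min-heap of finish times for jobs already placed
    last_start = None
    plan = []
    for job in sorted(jobs, key=lambda j: (j.requested_start, j.name)):
        start = job.requested_start
        if last_start is not None:
            start = max(start, last_start + min_gap)    # enforce spacing
        while running and running[0] <= start:         # free slots that have finished
            heapq.heappop(running)
        if len(running) >= max_concurrent:             # cap reached: wait for next finish
            start = max(start, heapq.heappop(running))
        heapq.heappush(running, start + job.duration)
        last_start = start
        plan.append((job.name, start))
    return plan


def max_in_flight(plan, jobs):
    """Sweep the plan and report the peak number of overlapping runs."""
    duration = {j.name: j.duration for j in jobs}
    events = []
    for name, start in plan:
        events.append((start, 1))
        events.append((start + duration[name], -1))
    events.sort()   # at equal times the -1 (finish) sorts before the +1 (start)
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


# Constructed sample: six robots all scheduled for the top of the hour, 60 s each.
SAMPLE_JOBS = [BotJob(f"bot-{c}", 0, 60) for c in "abcdef"]

if __name__ == "__main__":
    plan = stagger(SAMPLE_JOBS, max_concurrent=2, min_gap=5)
    print(plan, "peak in flight:", max_in_flight(plan, SAMPLE_JOBS))
```

Submitted as-is, the six jobs would all start at once (peak of 6); the staggered plan keeps at most two robots running and spaces every start by at least the configured gap, which is the property to monitor when a scheduler change is rolled out.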

Access Control for Non-Person Entities

There are two operating modes for RPA – unattended and attended. The latter applies to cases where a task or process cannot be fully automated, so the robot works in tandem with humans. Since humans can intervene at any time, these applications pose fewer security concerns. Conversely, the business value is reduced since human labor is always involved.

Unattended robots enable end-to-end automation, freeing up workers for high-value tasks. However, unattended RPA presents a distinct security challenge because traditional identity management has been built for human users; the need to support robots and other Non-Person Entities (NPEs) is new. Memo M-19-17 notes an “intensified focus on risk management…and solutions that enhance privacy and security”. To address this, federal agencies “must be able to identify, credential, monitor, and manage subjects that access Federal resources”. This extends to how agencies “conduct identity proofing, establish enterprise digital identities, and adopt sound processes for authentication and access control”.

Existing forms of credentialing are PKI-based – such as smart cards – and can be extended to robots in the form of software certificates that comply with federal government requirements. These digital identity certificates can be stored onsite where the robots are hosted, or in a remote Hardware Security Module (HSM).
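As an added illustration of the “identify, credential, monitor, and manage” requirement applied to an unattended robot (not code from this page, from Thales TCT, or from any RPA product), the Python below models a robot whose credential key never leaves a hardware module: the robot holds only a handle, and a resource gateway issues single-use challenges, checks the credential's validity window, revocation status and permitted resources, and writes an audit record for every attempt. HMAC-SHA256 inside a simulated HSM stands in for the HSM-backed PKI signature the page describes, so it runs with the standard library only; all class, robot and resource names are hypothetical.

```python
"""Hardware-held credentials for an unattended robot treated as a Non-Person Entity.
Added illustration, not Thales TCT or RPA-product code. HMAC-SHA256 inside a
SimulatedHsm stands in for the HSM-backed PKI signature the page describes, so the
gateway verifies through the same HSM; with real PKI it would verify against the
robot's certificate. All class, bot and resource names are hypothetical."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

class SimulatedHsm:
    """Keeps credential keys inside; callers only ever hold a handle."""
    def __init__(self):
        self._keys = {}  # handle -> key bytes, never returned to callers
    def generate_credential(self, handle):
        self._keys[handle] = secrets.token_bytes(32)
        return handle
    def sign(self, handle, message):
        return hmac.new(self._keys[handle], message, hashlib.sha256).digest()
    def verify(self, handle, message, tag):
        return hmac.compare_digest(self.sign(handle, message), tag)

class BotIdentity:
    """Enterprise identity for one robot: credential handle, validity window
    (like certificate notBefore/notAfter) and the resources it may use."""
    def __init__(self, name, key_handle, allowed, not_before, not_after):
        self.name, self.key_handle, self.allowed = name, key_handle, set(allowed)
        self.not_before, self.not_after, self.revoked = not_before, not_after, False

def _message(name, resource, nonce):
    return f"{name}|{resource}|{nonce}".encode()

def bot_sign(hsm, ident, resource, nonce):
    """The robot asks the HSM to sign; key bytes never enter the robot process."""
    return hsm.sign(ident.key_handle, _message(ident.name, resource, nonce))

class ResourceGateway:
    """Identifies, credentials, monitors and manages robot access to resources."""
    CHALLENGE_TTL = timedelta(seconds=30)
    def __init__(self, hsm, now=None):
        self.hsm, self.identities, self.audit = hsm, {}, []
        self._pending = {}  # nonce -> (bot name, expiry); each nonce is single use
        self._now = now or (lambda: datetime.now(timezone.utc))
    def enroll(self, identity):
        self.identities[identity.name] = identity
    def revoke(self, name):
        self.identities[name].revoked = True
    def issue_challenge(self, name):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (name, self._now() + self.CHALLENGE_TTL)
        return nonce
    def access(self, name, resource, nonce, tag):
        now = self._now()
        outcome = self._check(name, resource, nonce, tag, now)
        self.audit.append({"time": now.isoformat(), "bot": name,
                           "resource": resource, "outcome": outcome})  # monitoring trail
        return outcome == "granted"
    def _check(self, name, resource, nonce, tag, now):
        ident = self.identities.get(name)
        if ident is None:
            return "unknown-identity"
        if ident.revoked:
            return "revoked"
        if not ident.not_before <= now <= ident.not_after:
            return "credential-expired"
        pending = self._pending.pop(nonce, None)  # consumed even when the check fails
        if pending is None:
            return "replayed-or-unknown-nonce"
        owner, expiry = pending
        if owner != name or now > expiry:
            return "stale-challenge"
        if not self.hsm.verify(ident.key_handle, _message(name, resource, nonce), tag):
            return "bad-signature"
        if resource not in ident.allowed:
            return "not-permitted"
        return "granted"

def demo():
    """Walk one robot through grant, replay, over-privilege and revocation."""
    hsm = SimulatedHsm()
    fixed_now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    gw = ResourceGateway(hsm, now=lambda: fixed_now)
    bot = BotIdentity("payroll-bot-01", hsm.generate_credential("payroll-bot-01-key"),
                      {"hr-db:read"}, fixed_now - timedelta(days=1),
                      fixed_now + timedelta(days=365))
    gw.enroll(bot)
    results = []
    nonce = gw.issue_challenge(bot.name)
    tag = bot_sign(hsm, bot, "hr-db:read", nonce)
    results.append(gw.access(bot.name, "hr-db:read", nonce, tag))  # granted
    results.append(gw.access(bot.name, "hr-db:read", nonce, tag))  # replay rejected
    nonce = gw.issue_challenge(bot.name)
    tag = bot_sign(hsm, bot, "finance-db:write", nonce)
    results.append(gw.access(bot.name, "finance-db:write", nonce, tag))  # not permitted
    gw.revoke(bot.name)
    nonce = gw.issue_challenge(bot.name)
    tag = bot_sign(hsm, bot, "hr-db:read", nonce)
    results.append(gw.access(bot.name, "hr-db:read", nonce, tag))  # revoked
    return results, [rec["outcome"] for rec in gw.audit]
```

With a real HSM and certificate the gateway would verify the signature against the robot's certificate rather than calling back into the module; the rest of the flow (single-use nonce, validity window, revocation, a least-privilege resource list per robot, and an audit record for every attempt, granted or not) is what carries over unchanged.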

Thales TCT Solutions for Securing RPA

The Luna Credential System (LCS) introduces a new approach to multi-factor authentication by maintaining user credentials in a centralized hardware device that is securely accessible by endpoints in a distributed network. It unites the familiarity of certificate-based authentication with the security of a FIPS 140-2 certified hardware security module (HSM). LCS is a multi-purpose, secure credential system ideally suited for an environment in which the endpoints cannot use a traditional small form-factor token. Composed of the Luna Credential HSM and the Luna Credential Client, LCS supports a number of use cases including Windows Logon and authentication to PKI-enabled applications and websites.

Resources

  • On Demand Webinar: How To Issue Hardware-Based Identity Credentials To Software Robots
  • Robotic Process Automation Industry Insight
  • RPA Cryptographic Authentication — Thales TCT and Blue Prism
  • Securing UiPath Credential Stores with Luna Vault Solution Brief
  • UiPath RPA Cryptographic Authentication with Luna Credential System