The security challenges of unattended robots

[Image: someone shaking hands with an AI through a laptop screen. Image credit: Pixabay]

When robotic process automation (RPA) first appeared on the market a few years ago, it was heralded as a step-change technological solution, with the global RPA market size expected to reach $11 billion by 2027. As software robots took on the most monotonous and repetitive activities, they would free up employees to focus on more important, cognitive, and creative ones while also improving efficiency, accuracy, agility, and scalability.

About the author

Brandon Traffanstedt, Sr. Director, Global Technology Office at CyberArk.

At the time, many employees expressed concerns that RPA would lead to them losing their employment, rather than allowing them to concentrate on higher-level, more thoughtful work. However, RPA is successfully being utilized to supplement, rather than replace, human resources, enabling workers to use their experience and capabilities in a more engaging and beneficial way, rather than focusing on manual and time-consuming processes. Automating operations in this way has its advantages for businesses too. But RPA does come hand-in-hand with some specific security issues, which forward-thinking organizations will want to consider.

As with other new and powerful technological initiatives that come into the business, cybersecurity teams have shown concern about handing over control to RPA. Because this is a market that is set to grow, however, businesses and their security teams must act now to better understand, manage and control RPA.

The evolution of RPA

Organizations across multiple industries have embraced RPA as a means of solving business problems. Early implementations of RPA allowed for automation, but also necessitated human supervision. Semi-attended bots were employed in RPA applications, which required a person to hit the ‘go’ button in order to accomplish a task – and also required that user’s digital identity to do so.

As we moved into the digital-first world, however, ‘citizen developers’ – employees who use low-code or no-code app development software to design their own automated processes – came to the fore. Many of these developers wanted to take automation to the next level by implementing entirely unattended robots – the RPA holy grail.

The ‘but’ is this: Unattended robots require access to the same networks, systems, and applications as their human counterparts. This includes access to mission-critical enterprise systems which require privileged access at the highest level. This access makes robot credentials and identities just as vulnerable as those tied to a real-life person, and if they’re not properly secured, can provide hackers with another avenue for stealing data and causing havoc.

It's unsurprising, then, that the usage of unattended bots created a schism between security and automation teams, with the former demanding stricter security measures and the latter struggling to implement them owing to a lack of knowledge or time. The stern measures some security personnel were recommending had an adverse impact on citizen developers, discouraging many. This led to some resigning themselves to relying on attended automation, which hindered creativity and innovation, while others went ahead and adopted non-approved RPA programs, creating gaps in their company's cyber security.

Securing unattended automation

Fortunately, these security problems can be addressed in a way that allows for secure unattended robots and greater innovation for citizen developers, without demanding additional work from the very people organizations are trying to free up.

This is accomplished by the automated and centralized management of RPA credentials. All hard-coded privileged credentials are removed from robot scripts and replaced with an API call that retrieves automatically rotated credentials maintained in a secure, centralized repository – rather than manually assigning, managing, and updating the credentials a bot needs to do its work.

This ensures that security mechanisms, such as credential rotation, multifactor authentication, password uniqueness and complexity requirements, and the suspension of privileged credentials are all implemented consistently.

Giving bots their own unique identity, credentials, and entitlements is also a best practice. It ensures non-repudiation and separation/segregation of duties, as well as limits access to the applications and databases bots need to do their job. This is similar to limiting a human user's access or rights to the bare minimum required for their work.
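The pattern described in the preceding paragraphs, shown as an added, self-contained example that is not code from the article or from CyberArk: a hard-coded credential in a robot script beside the hardened form, in which the bot holds only its own identity token and fetches a rotated secret from a centralized repository at run time. The `CredentialVault` class, the `BotIdentity` type, the account names and the bot ids are all constructed for illustration; a real deployment would call the vendor's secrets-manager API instead of this toy class.

```python
import secrets
import string
from dataclasses import dataclass, field


# BEFORE: the anti-pattern the article warns against. The privileged password
# lives in the script itself, is shared by every copy of the script and is
# never rotated. (Constructed placeholder value, not a real secret.)
HARD_CODED_ERP_PASSWORD = "ChangeMe123!"


def legacy_bot_login() -> str:
    """Legacy unattended bot: returns the credential it was shipped with."""
    return HARD_CODED_ERP_PASSWORD


@dataclass
class BotIdentity:
    """A robot's own identity: a unique id plus the accounts it may use."""
    bot_id: str
    api_token: str                                  # the bot's own token, not a shared one
    entitled_accounts: frozenset = field(default_factory=frozenset)
    suspended: bool = False


class CredentialVault:
    """Toy centralized repository standing in for a real secrets manager."""

    def __init__(self):
        self._secrets = {}      # account name -> current password
        self._versions = {}     # account name -> rotation counter
        self._bots = {}         # api_token -> BotIdentity
        self.audit_log = []     # (bot id, account, outcome) for non-repudiation

    def onboard_account(self, account: str) -> None:
        self._versions[account] = 0
        self.rotate(account)

    def rotate(self, account: str) -> str:
        """Replace the password with a fresh random one. Bots only ever ask
        for the current value, so rotation needs no script changes."""
        alphabet = string.ascii_letters + string.digits + string.punctuation
        self._secrets[account] = "".join(secrets.choice(alphabet) for _ in range(24))
        self._versions[account] += 1
        return self._secrets[account]

    def register_bot(self, bot_id: str, entitled_accounts) -> BotIdentity:
        """Give each robot its own identity and least-privilege entitlements."""
        identity = BotIdentity(bot_id, secrets.token_urlsafe(16), frozenset(entitled_accounts))
        self._bots[identity.api_token] = identity
        return identity

    def suspend_bot(self, bot_id: str) -> None:
        for identity in self._bots.values():
            if identity.bot_id == bot_id:
                identity.suspended = True

    def version(self, account: str) -> int:
        return self._versions[account]

    def get_credential(self, api_token: str, account: str) -> str:
        """The API call a hardened robot script makes instead of embedding a secret."""
        identity = self._bots.get(api_token)
        if identity is None:
            self.audit_log.append(("unknown-token", account, "denied"))
            raise PermissionError("unrecognized bot identity")
        if identity.suspended:
            self.audit_log.append((identity.bot_id, account, "denied: suspended"))
            raise PermissionError(f"{identity.bot_id} is suspended")
        if account not in identity.entitled_accounts:
            self.audit_log.append((identity.bot_id, account, "denied: not entitled"))
            raise PermissionError(f"{identity.bot_id} is not entitled to {account}")
        self.audit_log.append((identity.bot_id, account, "granted"))
        return self._secrets[account]


def demo() -> dict:
    """Walk one hypothetical bot through rotation, least privilege and suspension."""
    vault = CredentialVault()
    vault.onboard_account("erp-service-account")   # constructed account names
    vault.onboard_account("hr-database")
    invoice_bot = vault.register_bot("invoice-bot-01", ["erp-service-account"])
    outcomes = {}

    # Rotation is transparent to the bot: it simply gets the new value next time.
    first = vault.get_credential(invoice_bot.api_token, "erp-service-account")
    vault.rotate("erp-service-account")
    second = vault.get_credential(invoice_bot.api_token, "erp-service-account")
    outcomes["rotated"] = first != second and vault.version("erp-service-account") == 2

    # Least privilege: the invoice bot has no business touching the HR database.
    try:
        vault.get_credential(invoice_bot.api_token, "hr-database")
        outcomes["least_privilege"] = False
    except PermissionError:
        outcomes["least_privilege"] = True

    # Suspension cuts off one bot's identity without touching anyone else's.
    vault.suspend_bot("invoice-bot-01")
    try:
        vault.get_credential(invoice_bot.api_token, "erp-service-account")
        outcomes["suspension"] = False
    except PermissionError:
        outcomes["suspension"] = True

    outcomes["audit_entries"] = len(vault.audit_log)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that `legacy_bot_login` can only ever return the value baked into the file, so rotating the real account password breaks every copy of the script, whereas the hardened bot carries nothing but its own token and the vault's audit log records which robot identity asked for which account and whether it was granted.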

Unlock the power of RPA

An all-in-one automated centralized repository solution removes previous hurdles, but organizations must adopt DevSecOps and bring automation and security together from the start to completely unlock the power of the citizen developer and the ultimate benefits of RPA.

By engaging with security teams and professionals proactively and early, RPA teams and citizen developers will be able to effectively scale the number of RPA bots in their organization, without introducing security risks or slowing down innovation.

