Let’s Chat about Security
July 16, 2019
92% of companies in Europe aim to implement robotic process automation (RPA) by 2020, finds the Information Services Group (ISG). Yet, 42% of them cite security as an important reason for their reluctance today. Quite natural, I’d say. When it comes to matters of data, nobody can be trusted, least of all a bot.
Imagine you’re performing bank reconciliation and are using RPA for SAP automation. In order for the bot to perform its task, it needs access to data that is secured behind passwords. This means that the bot requires the secure credentials of the business owner to function.
How do I securely give my credentials to the bot designer?
Every few weeks, these passwords might need to be changed.
How do I securely update the bot designer of the password change?
Certainly, there is more than one bot that needs the same credentials.
How do we ensure that the change is reflected across all bots?
Obviously, the password should not fall into just anyone’s hands. So, it can’t be hardcoded into the bot. If we do that, anyone who can see the script will have access to the password as well.
Yet, the bot should be able to input the password in plain text whenever there is a need.
While performing its task, the bot might trigger the transmission of data between various machines or servers involved in the automation. Every communication needs to be encrypted, and proper protocol followed.
Not only that, organizations also expect RPA solutions to have audit trails: which credentials were accessed by which bot, and when.
How does a business user ensure that the credentials s/he’s provided are used only by the bot for a specific task? What if the bot designer uses them for automating some other process?
One bot needs to perform a task and another check the task. Now, one bot can’t be doing both, can it?
How do we ensure segregation of duties isn’t jeopardised?
I get to hear a lot of these questions in my line of business. Every customer I meet has a ‘how’ question about security, specifically credentials management.
Well, the most common way is integration with an external data/security management solution. CyberArk, one such solution, enables privileged access security. Other products use global variables and store credentials globally, so they can be accessed by all the bots. While this avoids the problem of modifying each bot when a password changes, it doesn’t address the audit trail concerns, which still remain.
So, how do we solve this problem?
Throughout our time working with global enterprises and building RPA systems, we couldn’t find the perfect solution for the credential management aspect of RPA security. There was always something lacking. So, we stopped looking around and set out to build one of our own.
Segregation of duties
To begin with, we ensured that no bot has independent powers of its own. We assigned ownership of each bot’s tasks to its respective business owner, giving them complete control over the process.
As no two people are likely to have conflicting duties, no two bots will either.
After careful consideration, we built processes by which the business user never has to give the password to the bot designer at all. While using JiffyRPA, the business user will simply enter the credentials into JiffyVault. The vault will keep them safe and only give a key or token to the designer, who gives it to the bot. The bot will then use the key to retrieve the credentials from the vault and perform its task.
Secure design stage
With JiffyVault, the bot designer never has access to your data. All tests during the design phase are performed using dummy data, dummy credentials and the associated key. The bot will have access to your data only when it is executed in the production environment, and the business user validates it.
Uninterrupted password changes
Every time the password changes, the business user can log in to JiffyVault and update his/her credentials. The key will remain the same and the bot will continue to run without interruptions. By the way, all the bots using that JiffyVault will also continue to run, without the need to update passwords individually.
Detailed audit trails
JiffyVault enables an audit trail for each bot, and the capability to define which bot can use which key for which task. Business users have complete control over this too.
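To make the pattern described above concrete, here is a small added sketch in Python of token indirection, rotation behind a stable key, and per-bot, per-task grants with an audit record. It is an illustration written for this post's argument, not JiffyVault's code or API; the `Vault` class, its method names, the bot and task names, and the passwords are all hypothetical or constructed.

```python
import secrets
from datetime import datetime, timezone

class Vault:
    """Hypothetical in-memory vault; assumes bot_id is authenticated before fetch()."""
    def __init__(self):
        self._entries = {}    # token -> {"owner": ..., "credential": ...}
        self._grants = set()  # (token, bot_id, task) triples the owner approved
        self.audit = []       # one record per fetch attempt, allowed or not

    def store(self, owner, credential):
        token = secrets.token_urlsafe(16)  # opaque handle given to the designer
        self._entries[token] = {"owner": owner, "credential": credential}
        return token

    def grant(self, owner, token, bot_id, task):
        self._require_owner(owner, token)
        self._grants.add((token, bot_id, task))

    def rotate(self, owner, token, new_credential):
        self._require_owner(owner, token)  # token is unchanged, so bots keep running
        self._entries[token]["credential"] = new_credential

    def fetch(self, token, bot_id, task):
        allowed = (token, bot_id, task) in self._grants
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "bot": bot_id, "task": task, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{bot_id} is not authorised for task {task!r}")
        return self._entries[token]["credential"]

    def _require_owner(self, owner, token):
        entry = self._entries.get(token)
        if entry is None or entry["owner"] != owner:
            raise PermissionError("only the owning business user may change this entry")

def demo():
    vault = Vault()
    token = vault.store("finance.owner", "constructed-password-1")  # constructed values
    vault.grant("finance.owner", token, "recon-bot", "bank-reconciliation")
    first = vault.fetch(token, "recon-bot", "bank-reconciliation")
    vault.rotate("finance.owner", token, "constructed-password-2")
    second = vault.fetch(token, "recon-bot", "bank-reconciliation")
    try:
        vault.fetch(token, "recon-bot", "vendor-payments")  # task never granted
        denied = False
    except PermissionError:
        denied = True
    return first, second, denied, vault.audit
```

The denied attempt still lands in the audit list, which is what lets the business user see a key being tried for a task it was never granted for.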
Security is an important part of any automation solution, and it’s one that we take very seriously. To know more about JiffyRPA and JiffyVault, speak to our consultant today!
Copyright © 2019 Option3. All Rights Reserved.