Your Enterprise is secure,
your RPA platform should be too...

Best Practices in Implementing RPA Platform Security

Copyright © 2019 Option3. All rights reserved.

TOP 5 QUESTIONS FROM THE WEBINAR ANSWERED

One way of securing data in the logs is by using tokens instead of the actual data itself. If you do not want to add a process overhead and a token management system, you can secure data by masking it. Though masking can leave the data in readable form, it de-sensitizes the data.
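The two options above, masking versus tokenizing sensitive values in bot log lines, as an added illustration (not JiffyRPA code; the log lines, field names and token format are constructed for the example):

```python
import re

# Constructed sample bot log lines (not real JiffyRPA output)
SAMPLE_LOG = [
    "2019-05-02 10:01:07 bot=invoice-bot step=lookup vendor=ACME account=1234567890123456",
    "2019-05-02 10:01:09 bot=hr-bot step=update employee=E1042 ssn=123-45-6789",
]

# Fields the business marks as sensitive, and how many trailing characters stay readable
SENSITIVE_FIELDS = {"account": 4, "ssn": 4}

# key=value pairs as they appear in the constructed log format
FIELD_RE = re.compile(r"\b(\w+)=(\S+)")


def mask_value(value: str, keep_last: int) -> str:
    """Replace every alphanumeric character except the last keep_last with '*'.
    Separators such as '-' are kept, so the value stays recognisable but de-sensitised."""
    alnum = [i for i, ch in enumerate(value) if ch.isalnum()]
    out = list(value)
    for i in alnum[: max(len(alnum) - keep_last, 0)]:
        out[i] = "*"
    return "".join(out)


def mask_log_line(line: str, sensitive=SENSITIVE_FIELDS) -> str:
    """Masking: no extra state to manage, the log remains readable."""
    def repl(m):
        name, val = m.group(1), m.group(2)
        if name in sensitive:
            return f"{name}={mask_value(val, sensitive[name])}"
        return m.group(0)
    return FIELD_RE.sub(repl, line)


def tokenize_log_line(line: str, token_table: dict, sensitive=SENSITIVE_FIELDS) -> str:
    """Tokenizing: the real value is swapped for an opaque token; token_table is the
    separate token management store the article mentions and must never sit beside the logs.
    Tokens here are sequential for readability; a real store would use random ones."""
    def repl(m):
        name, val = m.group(1), m.group(2)
        if name not in sensitive:
            return m.group(0)
        token = token_table.setdefault(val, f"tok_{len(token_table) + 1:04d}")
        return f"{name}={token}"
    return FIELD_RE.sub(repl, line)
```

Anyone reading a masked log can still follow the bot's steps, while reversing a tokenized log requires access to the token table, which is exactly the trade-off the answer describes.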

Yes, data can be spied upon if the communication channels are not secured. You can secure the communication channels between systems by using cryptographic protocols like TLS. For example, JiffyRPA is built with AES encryption for data at rest. For data in motion, we use TLS 1.2. This means your data cannot be spied upon during transmission either.

JiffyRPA stores both credential and non-credential data in its proprietary SecureVault. All levels of storage are encrypted and business reviews are in-built. The sharing of credentials from a business user to the bot designer is done through keys and not raw data. JiffyRPA also has a comprehensive access log which enables easy audit. Apart from this, no credential is stored on the bot machines; the authentication is done on the Jiffy server and only the processes are triggered on the bot machines. However, if you already have a CyberArk license, JiffyRPA can integrate with that too and enhance your security.

Yes. Every activity of the bot in an RPA platform can be tracked and monitored. This is essential for improving efficiency as well as streamlining the process for complex automations. JiffyRPA maintains an audit trail of all the actions of the bot from the beginning. There are history logs for everything.

In JiffyRPA's built-in SecureVault, the business stores credentials and shares with the designers in the form of a key instead of the actual password itself. This way, the bot designer will not have access to secure data and cannot misuse it.

With JiffyRPA, bot design is not done on anyone's local computer. It is done over a browser, on the Jiffy Linux server. During the process, the server will send the request to the bot machine, where the execution will take place and the results are extracted from the bot machine and then stored in the server for audit and control purposes. All these communication layers are encrypted.

This depends entirely on what processes you are automating. Most bots have access to applications and access credentials. Bots can also come across sensitive, non-credential user data like financial data, security questions etc. If you are automating an invoice process, the bot might have access to vendor information. If you are automating HR processes, the bot might have access to sensitive employee information. An RPA platform will typically have credential data for the bots and downstream systems where it can trigger processes.

Your Enterprise is secure, your RPA platform should be too...

92% of companies in Europe aim to implement robotic process automation (RPA) by 2020, finds the Information Services Group (ISG). Yet, 42% of them cite security as an important reason for their reluctance today. Quite natural, I'd say. When it comes to matters of data, nobody can be trusted, least of all a bot.

Imagine you're performing bank reconciliation and are using RPA for SAP automation. In order for the bot to perform its task, it needs access to data that is secure behind passwords. This means that the bot requires the secure credentials of the business owner to function.

How do I securely give my credentials to the bot designer?

Every few weeks, these passwords might need to be changed.

How do I securely update the bot designer of the password change?

Certainly, there is more than one bot that needs the same credentials.

How do we ensure that the change is reflected across all bots?

Obviously, the password should not fall into the hands of anyone. So, it can't be hardcoded into the bot. If we do that, anyone who can see the script will have access to the password as well.

Yet, the bot should be able to input the password in plain text, whenever there is a need.

While performing its task, the bot might trigger the transmission of data between various machines or servers involved in the automation. Every communication needs to be encrypted and proper protocol followed.

Not only that, organizations also expect RPA solutions to have audit trails of which credentials were accessed by which bot and when.

How does a business user ensure that the credentials s/he has provided are used only by the bot for a specific task? What if the bot designer uses them for automating some other process?

One bot needs to perform a task and another check the task. Now, one bot can't be doing both, can it?

How do we ensure segregation of duties isn't jeopardised?

I get to hear a lot of these questions in my line of business. Every customer I meet has a 'how' question about security, specifically credentials management.

Well, the most common way is integration with an external data/security management solution. CyberArk, one such solution, enables privileged access security. Other products use global variables and store credentials globally, so they can be accessed by all the bots. While this avoids the problem of modifying each bot when a password changes, the audit-trail concerns still remain.

So, how do we solve this problem?

Throughout our time working with global enterprises and building RPA systems, we couldn't find the perfect solution for the credential management aspect of RPA security. There was always something lacking. So, we stopped looking around and set out to build one on our own.

Segregation of duties

To begin with, we ensured that no bot has independent powers of its own. We assigned ownership of each bot's tasks to its respective business owner, giving them complete control over the process.

As no two people are likely to have conflicting duties, no two bots will either.

Secure sharing

After careful consideration, we built processes by which the business user never has to give the password to the bot designer at all. While using JiffyRPA, the business user will simply enter the credentials into JiffyVault. The vault will keep it safe and only give a key or token to the designer, who gives it to the bot. The bot will then use the key to extract credentials from the vault and perform its task.

Secure design stage

With JiffyVault, the bot designer never has access to your data. All tests during the design phase are performed using dummy data, dummy credentials and the associated key. The bot will have access to your data only when it is executed in the production environment, and the business user validates it.

Uninterrupted password changes

Every time the password changes, the business user can log in to JiffyVault and update his/her credentials. The key will remain the same and the bot will continue to run without interruptions. By the way, all the bots using that JiffyVault key will also continue to run, without the need to update passwords individually.

Detailed audit trails

JiffyVault enables an audit trail for each bot, and the capability to define which bot can use which key for which task. Business users have complete control over this too.
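The key-based sharing, uninterrupted rotation and per-bot, per-task audit trail described in the four sections above, as one added model (an illustration written for this page, not JiffyVault or JiffyRPA code; the class, method and bot/task names are hypothetical):

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class CredentialVault:
    """Hypothetical vault: the business user stores a credential and hands the designer
    only an opaque key; the bot exchanges that key for the credential at execution time."""
    # key -> (username, password); designers and bot scripts never hold this directly
    _secrets: dict = field(default_factory=dict)
    # key -> set of (bot, task) pairs the business owner has permitted
    _grants: dict = field(default_factory=dict)
    # one entry per resolution attempt: which bot, for which task, with which key
    audit: list = field(default_factory=list)

    def store(self, username: str, password: str) -> str:
        """Business user stores the credential; the returned key is all the designer gets."""
        key = secrets.token_urlsafe(16)
        self._secrets[key] = (username, password)
        self._grants[key] = set()
        return key

    def grant(self, key: str, bot: str, task: str) -> None:
        """Business user decides which bot may use which key for which task."""
        self._grants[key].add((bot, task))

    def rotate(self, key: str, new_password: str) -> None:
        """Password change: the key is unchanged, so every bot holding it keeps running."""
        username, _ = self._secrets[key]
        self._secrets[key] = (username, new_password)

    def resolve(self, key: str, bot: str, task: str) -> tuple:
        """Called by the bot at execution time; allowed or not, the attempt is recorded."""
        allowed = (bot, task) in self._grants.get(key, set())
        self.audit.append({"bot": bot, "task": task, "key": key, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{bot} may not use this key for task {task}")
        return self._secrets[key]
```

A denied attempt, such as a second bot or a different task reusing a key it was never granted, still lands in the audit list, which is what lets the business owner answer "which bot used which credential, for what, and when".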

Security is an important part of any automation solution, and it's one that we take very seriously. To know more about JiffyRPA and JiffyVault, speak to our consultant today!