The Birth of RPA Identity: How to Keep Your Non-Human Workers Secure


One Identity: We help you get IAM right

Wednesday, January 25, 2023

The emergence of Robotic Process Automation, chatbots and machine-learning tools means a growing number of workers in any organization have no payroll number, desk or pulse. However, they can pose as much of a security risk as your organic workforce and need to be identified and secured in just the same way.


Robotic Process Automation (RPA) is one of the first steps many firms have taken toward automation and intelligence in their IT systems. RPA is great at performing repetitive digital tasks fast and accurately, reducing errors, and improving productivity. It frees human workers to focus on more complex or higher-value tasks, lets the business scale faster, and lets startups and high-growth firms accelerate without the baggage that traditional businesses endure.

Recent statistics show the segment’s market size was $1.4 billion in 2019 and could reach $11 billion by 2027. Adoption is accelerating fast, with 53% of organizations surveyed by Deloitte having either implemented or begun incorporating RPA into their administrative and manual processes. What’s more, 96% of decision-makers believe that RPA is important for driving digital transformation.

RPA does have a significant impact, with typical success stories highlighting 50,000 hours saved and other big numbers. But with the great power of RPA comes the greater responsibility of securing it (and other automated processes) from the same cyber risks that every business IT system and human employee faces.

The birth of digital identity in RPA

CISOs and security leaders need to understand that RPA identities are just as vulnerable as human ones when they become the target of hackers and hacking groups. Hacking groups have already shown a great flair for breaking into “hack-proof” systems, using social engineering, snooping or brute force attacks. Any RPA is potentially one admin password away from being breached, and perhaps tweaked to do something it wasn’t supposed to.

As businesses rely more on RPAs, chatbots and other automation systems, all coded using largely standardized cloud systems, they will become a more tempting target for hackers. Whether it’s by stealing the access credentials stored in the RPA, routing the data content concerning high-value accounts or customers to the hackers, or siphoning off a few cents from RPAs that process millions of transactions per day to a compromised account, there are scary scenarios for any user.

Because RPA runs in the cloud or as part of some monolithic productivity service, many businesses may assume it is safe. And as enterprises run thousands or millions of different automated services, failing to keep track of them, or losing awareness of them, is likely to result in easy targets and significant security risks.

Non-human workers extend the enterprise attack surface

The huge volume of bots and automation tools extends the attack surface of the enterprise or organization using them. Businesses with complex environments need to give the bots the same authorizations and access permissions to networks and data as humans have, expanding the risk. If the RPA provider isn’t up on its encryption, identity and authorization, one or all of the bots could be at risk of leaking that data during a breach.

Since bots are only “bots” in the eyes of their creators, they’re often given simpler login passwords or authorizations. Also, while early RPA used to only access one or two document streams or files, modern “intelligent automation” RPA can access a broad swathe of files and services to access or scrape data, and apply it across increasingly complex (and business-critical) applications.

With all that extended risk, all it takes is one successful phishing attack, one network breach or man-in-the-middle (or bot-in-the-middle) attack, or even an insider attack by someone with a basic knowledge of RPA, to cause damage.

The challenges of securing RPA identities

With potentially huge numbers of bots in operation across an enterprise, there are many challenges to ensuring identity information remains secure. Bots can be forgotten about, as their creators move teams or jobs. They remain lurking, inactive but still able to access key files or surrender access details.

Many businesses also have no way to monitor the transactions across privileged access-based sessions, not knowing what their bots are up to or who is controlling them. And then, especially with legacy RPAs, they can be hard to integrate through APIs with other solutions, building silos that impact business performance.

Solutions are available to improve security and solve these challenges but can be costly and tough to integrate. However, as bots become a common feature, expect solution providers to secure them as part of typical security features, as long as you don’t mind the vendor creep or yet-another security service complicating an already hefty landscape.

How to keep RPA secure

To defend the bots and their valuable data, it’s down to the human creators and the IT security team to ensure they are treated just like any other user. Cataloging all bots is a starting point. Disabling and removing bots as they are no longer needed, deleting their authorizations and passwords, and keeping a log of all bots in operation (along with what they access and any expiration dates) is just the start of a secure operation.
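The catalog review described above, and the forgotten bots mentioned earlier whose creators have moved on, can be checked mechanically. The following is an added example, not code from the original article or from One Identity; the record fields, the 90-day dormancy threshold and the sample catalog are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Bot:
    name: str
    owner: str        # human accountable for the bot
    access: tuple     # systems the bot's credentials can reach
    expires: date     # expiration date recorded in the catalog
    last_run: date
    enabled: bool = True

DORMANT_AFTER = timedelta(days=90)  # assumed threshold, tune per policy

def audit(bots, active_staff, today):
    """Return {bot name: [reasons]} for enabled bots that need review or removal."""
    findings = {}
    for bot in bots:
        if not bot.enabled:
            continue  # already disabled; nothing left to revoke
        reasons = []
        if bot.owner not in active_staff:
            reasons.append("orphaned: owner no longer active")
        if bot.expires < today:
            reasons.append("expired")
        if today - bot.last_run > DORMANT_AFTER:
            reasons.append("dormant but still holds access to " + ", ".join(bot.access))
        if reasons:
            findings[bot.name] = reasons
    return findings

# Constructed sample catalog (all names and dates are made up)
TODAY = date(2023, 1, 25)
ACTIVE_STAFF = {"alice", "bob"}
CATALOG = [
    Bot("invoice-bot", "alice", ("erp",), date(2023, 6, 30), date(2023, 1, 24)),
    Bot("hr-export-bot", "carol", ("hr-db", "sftp"), date(2022, 12, 31), date(2022, 9, 1)),
    Bot("legacy-scraper", "bob", ("crm",), date(2023, 3, 1), date(2022, 8, 15)),
    Bot("old-report-bot", "carol", ("bi",), date(2022, 1, 1), date(2021, 12, 1), enabled=False),
]

if __name__ == "__main__":
    for name, reasons in audit(CATALOG, ACTIVE_STAFF, TODAY).items():
        print(name, "->", "; ".join(reasons))
```

Each finding is a candidate for disabling the bot and deleting its authorizations and passwords, with the decision recorded back in the catalog.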

The business, as with any IT evolution, should develop best practices and a strategy for the creation, management and erasure of bots, while using practical tools to protect data and operations.

On the practical side, Identity and Access Management (IAM) solutions can help, just as they do with employee user accounts. These enable IT to provision user rights and access, report on privilege use or abuse, and use role-based access to ensure segregation of duties (SoD) while coping with issues like shared accounts or account pooling.

IAM automates many of these processes, reducing the workload on IT and enabling the business to benefit from and unlock the potential of RPA and future automation techniques or services. With most enterprises aiming to become digital businesses, automation is a key way of delivering value and efficiency across the business, but when it’s done wrong, it creates yet another security headache.

One Identity

At One Identity, our job — our mission — is to help you succeed in yours. That’s why we offer a comprehensive family of identity and access management (IAM) solutions designed to solve today’s challenges, and address tomorrow’s as they arise. We help you get identity and access management right.
