Robotic process automation (RPA) is a growing megatrend. Gartner predicts that by 2022, 90 percent of organizations globally will have adopted RPA and it has already received over $1.8 billion worth of investments in the past two years alone. While RPA is making a major impact across every industry, many don’t know how common the technology has become or, indeed, realize that they interact with it regularly.
Consider the shift to remote work: companies across every industry have implemented some form of RPA to simplify their operations and automate tasks. For example, when major airlines were bombarded with cancellation requests at the onset of the pandemic, RPA became essential to their customer service strategies for dealing with this influx of requests.
In fact, Forrester found that one major airline had over 120,000 cancellations to deal with during the first few weeks of the pandemic. By using RPA to handle the influx of cancellations, the airline was able to simplify its refund process and assist customers in a timely manner. Delivering this type of streamlined process when it was in such high demand would have been nigh on impossible without RPA technology.
It’s clear that as businesses continue to innovate, automate and transform their operations, RPA will play a major role. In fact, interest in the usage of RPA is at an unprecedented high, with Gartner citing that enquiries related to RPA increased by over 1000 percent during 2020.
However, as with many new and exciting technology innovations, there is one area that’s commonly overlooked when it comes to RPA: security. If the security aspect of RPA isn’t implemented in the early stages of development, it leaves organizations vulnerable to cyber attacks. Suffice it to say, if the security vulnerabilities associated with RPA aren’t addressed early in the project lifecycle, we will witness a string of significant breaches in 2021 and beyond.
RPA – your new “digital co-worker”
With RPA, essentially, new “digital workers” are created to automate repetitive manual tasks that would have been performed by humans in the past. Therefore, these new workers interact directly with business applications, mimicking the way humans use credentials and privilege to access them. The new RPA identity that is created, however, operates much faster than any human identity, and it doesn’t eat, sleep, take holidays, go on strike or even get paid.
While a digital worker might sound like a model employee to employers, they also need access to the same networks, systems and applications that their human counterparts require. Though they are not prone to ‘human’ error or motive, they are created by humans. Many organizations mistakenly grant RPA access to the so-called keys to the kingdom – or privileged credentials. Verizon attributes over half of all data breaches to the misuse of privileged credentials, thus making the unmonitored, unrestricted (and often unnecessary) access privileges granted to RPA susceptible to a breach.
To avoid this risk, organizations must extend their identity governance and privileged access processes to manage their digital workers as well as human ones. A problem exists today: lines of business are running their own RPA programs in silos that actively circumvent the centralized security controls put in place for managing accounts. This is driven by the need for increased speed, productivity and agility, for which security is often seen as a blocker.
In order to consolidate these silos into a managed process, it is healthy for an organization to invest in a team dedicated to robot management or a center of excellence. Some companies are taking things a step further and are provisioning their robot workers as employees in human resources. While this does result in a new identity for the robot, HR was not designed with non-human resources in mind and so new challenges are created, especially given the rate of attrition, the different classes of attribute associated with a robot and the methods by which robots are instantiated at runtime. Existing controls for mitigating risk are still relevant if used appropriately, most notably around privilege creep, orphaned accounts, erroneous attributes lacking meaning or context, the exposure of passwords and secrets, and a defined path of ownership.
Securing the future of RPA
Furthermore, with a PAM system that provides connectivity to RPA systems, enterprises are able to effectively secure, control and audit the credentials and privileges being used by the robots. By choosing a PAM solution that is easy to deploy and integrate, this is achieved without impinging on the ROI the RPA program brings; and crucially, does not impact productivity either.
The first step in solving any problem is recognizing that there is one. In this case, realizing that these new digital workers have identities is the first and most important step toward securing the future of RPA.
The clear business benefits from investment in RPA and the potential return on investment from increased productivity make it a pretty open and shut business decision, even with a heightened sense of security awareness. However, many security solutions make the investment untenable as they are too costly to deploy and integrate, making it difficult to preserve the return on investment - especially when the security auditors come knocking.
RPA solutions currently do not focus on solving security challenges because they are otherwise focused on increasing productivity. As a result, third party security solutions need to be integrated in order to provide the correct controls to mitigate risk. The easiest of these controls to apply is in the form of Privileged Access Management (PAM). Organizations need to keep this in mind when implementing any RPA project.
Case in point
An international private security company saw the benefits of this approach first-hand following investment in an RPA solution. With over 160,000 employees worldwide, the addition of digital workers allowed existing employees’ time to be re-allocated to higher-value tasks.
Through the implementation of a PAM system that seamlessly integrated into its existing RPA solution, the company was also able to automate the control of its digital workers’ privileged access.
Now, when digital workers need privileged access, the robot retrieves credentials from the PAM system automatically, without any exposure to the bot owners or developers. This not only provides a full audit trail of which digital workers had access to what applications, but also provides individual accountability and proof that no one can obtain the password in a non-compliant manner.
Through this system, the company has been able to scale its digital workforce across 14 business units in only two years, giving 350,000 hours back to the business, without compromising security.
Identity is the new perimeter
Who would have thought it would take until 2021 for organizations to get serious about the answers to questions such as: How are the robots in your organization created? How are their accounts created, used and removed? Who controls the robot’s activity and how would you know if a bot was compromised? Do you know how many of the records in your HR system are, in fact, non-human resources?
Throughout 2021 and beyond, security teams will realize that these previously unconsidered security challenges of RPA, and many security challenges in general, will all point back to one common perimeter – identity.
Alan Radford, Regional CTO, One Identity