CyberArk, a company involved in privileged account security, shared recommendations from information security executives at Global 1000 enterprises on how to securely drive innovation via Robotic Process Automation (RPA).
The report, “The CISO View: Protecting Privileged Access in Robotic Process Automation”, examines attack techniques and provides practical advice from early RPA adopters on how organizations can mitigate the risks associated with non-human privileged access, including robots being given more privileges than they require to perform their functions and tasks.
According to the report, fewer than half of organizations have a privileged access management strategy in place for digital transformation technologies, like RPA. The report recommends tightening access to RPA tools and mandating secure practices for developing robot scripts, and it emphasizes integrating RPA and enterprise security technologies in order to automate the management of credentials and detect misuse.
What is Robotic Process Automation?
RPA is an enterprise-wide strategy with mandates from executive leadership. In RPA, software applications known as “robots” interact with the user interfaces of business applications. RPA requires less technical expertise than automation methods that use application programming interfaces (APIs). Also, more functions can be automated through a UI than through APIs. With RPA, professional-level software development skills are not necessarily needed to get robots up and running. A business team with little understanding of application security could buy an RPA tool out of their own budget and program a robot without involving the security team. In many organizations, business units are racing to identify tasks that can be automated.
The report also highlighted key recommendations from industry experts on how organizations can securely adopt RPA while mitigating potential risks, which include:
Limiting access for reprogramming robots – Reduce the risk that comes with RPA permissions – like the ability to reprogram robots – by securely managing credentials to RPA tools and training RPA teams on secure software development practices.
Automating credential management – Successful RPA deployments require automated credential management, including machine-generated passwords, automatic password rotation, identity verifications, and just-in-time or time-limited credential access.
Establishing robust processes for monitoring RPA activity – Rapidly detect and respond to unauthorized or anomalous robot behavior by assigning human managers, enforcing least privilege and making actions traceable.