4 April 2022. Brandon Traffanstedt, Senior Director, Global Technology Office at CyberArk, writes of the challenges to embracing unattended bots.

Robotic Process Automation (RPA) was popularised a few years back and heralded as a step-change, liberating organisations and workers from mundane and repetitive tasks. In fact, analysts expect the RPA market to be worth nearly $11bn by 2028, making it one of the fastest growing segments of the enterprise software market.

Implementing software robots frees up staff to spend more time on the interesting elements of their work, including business critical, cognitive and creative work, boosting satisfaction and helping improve efficiency, accuracy, and agility.

Like any new technology adoption cycle though, RPA was associated with a number of potential pitfalls. These were twofold: worries about jobs, and concerns about security. The first of these has been largely debunked; RPA is being used to enhance human resources rather than replace them. It’s even predicted that the robot revolution will create 97 million jobs.

Security teams, on the other hand, have been rightfully uneasy around this new, powerful technology initiative, just as they had been with cloud and Shadow IT in prior years. New technologies always come with a learning curve, and navigating this without neglecting security can be tricky.

Watching RPA evolve

RPA’s potential as a business problem-solver has brought wide acceptance of the technology. In the beginning though, RPA still required human oversight: semi-attended bots which needed a person to authorise tasks, alongside their digital identity.

The arrival of the ‘citizen developer’ – those who use low-code or no-code platforms to create their own automated processes – brought a group of people who wanted to progress this. The obvious next step was a fully automated process with unattended robots – a major goal of most RPA schemes.

Security teams, however, highlighted the potential flaws in this model. Letting unattended robots have access to the same networks, systems, and applications as their human counterparts means they also have access to critical enterprise systems which require high-level privileged access. Just like a human’s digital identity, these robot digital identities were yet another potential entry point for attackers, and a much more valuable one, as a robot wouldn’t ‘notice’ it’s being hacked in the way a human might.

So, an internal debate began. Cybersecurity teams issued strict requirements for the use of unattended bots, and citizen developers could adhere to them but be left unable to fully benefit from RPA. Or, they could march ahead with non-sanctioned RPA projects that allowed for innovation but left gaps in their organisation’s cybersecurity.

Working the problem

Luckily, both developers and security experts are an innovative bunch, and it has become possible to address RPA security concerns without needing to compromise innovation or the newly freed-up time of employees.

This is done through automated, centralised management of RPA credentials. Instead of laboriously assigning, managing, and updating the credentials that a bot needs for a task by hand, credentials are removed altogether and replaced with an API call pointing to automatically rotated credentials stored in a secure, centralised repository.

This provides consistent implementation of security measures such as multi-factor authentication, password uniqueness and complexity requirements and – given certain criteria – the suspension of privileged credentials, significantly reducing the attack surface and limiting the potential damage an attacker could wreak.

Alongside securing what bots have access to, best practice includes giving bots their own unique identities. This ensures non-repudiation and that separation/segregation of duties is adequately controlled, while also limiting access to apps and databases to only those needed to do the job. This follows the same principle of least privilege as with humans, and uses a Zero Trust philosophy to prevent unnecessary lateral movement.
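The two preceding paragraphs describe the pattern in the abstract: the credential leaves the bot definition, the bot keeps only an identity of its own, and every fetch goes through a central repository that rotates the value, scopes it per identity and can suspend an identity outright. The following Python is an added illustration written for this article, not CyberArk's code nor any RPA or vault vendor's API; the vault, the ERP target system, the bot names (`invoice-bot`, `hr-bot`), the secret name and the starting password are all constructed in-memory stand-ins, and the method names are assumptions chosen to show the mechanics.

```python
import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a bot identity requests a credential outside its policy."""


class ErpSystem:
    """Constructed stand-in for a target application with one service account."""

    def __init__(self, password: str) -> None:
        self.password = password

    def login(self, presented: str) -> bool:
        return secrets.compare_digest(presented, self.password)


@dataclass
class CentralVault:
    """Constructed in-memory stand-in for a centralised credential repository.
    Real products expose this over an authenticated API; the method names are
    illustrative assumptions, not any vendor's interface."""
    _secrets: dict = field(default_factory=dict)   # name -> current value
    _targets: dict = field(default_factory=dict)   # name -> system to update
    _policy: dict = field(default_factory=dict)    # bot_id -> {secret names}
    _suspended: set = field(default_factory=set)
    audit: list = field(default_factory=list)      # (bot_id, name, outcome)

    def onboard(self, name: str, target: ErpSystem) -> None:
        """Take over an account: the vault sets a value nobody has to know."""
        self._targets[name] = target
        self.rotate(name)

    def rotate(self, name: str) -> None:
        """Generate a new value and push it to the target; bots pick it up on
        their next fetch, so rotation needs no edits to bot definitions."""
        new_value = secrets.token_urlsafe(24)
        self._secrets[name] = new_value
        self._targets[name].password = new_value

    def grant(self, bot_id: str, name: str) -> None:
        """Least privilege: each bot identity is scoped to named secrets only."""
        self._policy.setdefault(bot_id, set()).add(name)

    def suspend(self, bot_id: str) -> None:
        """Suspend one bot identity; all of its fetches are refused from now on."""
        self._suspended.add(bot_id)

    def fetch(self, bot_id: str, name: str) -> str:
        """The 'API call' a bot makes at run time instead of holding a secret.
        Every call is attributed to one bot identity (non-repudiation)."""
        allowed = name in self._policy.get(bot_id, set())
        if bot_id in self._suspended or not allowed:
            self.audit.append((bot_id, name, "denied"))
            raise AccessDenied(f"{bot_id} may not read {name}")
        self.audit.append((bot_id, name, "granted"))
        return self._secrets[name]


def hardcoded_bot(erp: ErpSystem) -> bool:
    """Before: the password lives in the bot script. Anyone who reads the
    script has it, and rotating the account breaks the bot until edited."""
    return erp.login("Winter2022!")          # constructed sample value


def vault_backed_bot(vault: CentralVault, erp: ErpSystem, bot_id: str) -> bool:
    """After: the bot carries only its identity and fetches the credential."""
    return erp.login(vault.fetch(bot_id, "erp-service-account"))


def try_login(vault: CentralVault, erp: ErpSystem, bot_id: str) -> bool:
    """Run the vault-backed bot; a policy refusal counts as a failed login."""
    try:
        return vault_backed_bot(vault, erp, bot_id)
    except AccessDenied:
        return False


def demo() -> dict:
    """Walk through onboarding, rotation, scoping and suspension."""
    erp = ErpSystem(password="Winter2022!")     # constructed starting state
    vault = CentralVault()
    out = {"hardcoded_before": hardcoded_bot(erp)}

    vault.onboard("erp-service-account", erp)   # rotates immediately
    vault.grant("invoice-bot", "erp-service-account")
    out["hardcoded_after_onboard"] = hardcoded_bot(erp)
    out["invoice_bot"] = try_login(vault, erp, "invoice-bot")

    vault.rotate("erp-service-account")         # scheduled rotation
    out["invoice_bot_after_rotate"] = try_login(vault, erp, "invoice-bot")
    out["hr_bot"] = try_login(vault, erp, "hr-bot")   # no grant for this bot

    vault.suspend("invoice-bot")                # e.g. after an anomaly
    out["suspended"] = try_login(vault, erp, "invoice-bot")
    out["denied"] = [e for e in vault.audit if e[2] == "denied"]
    return out
```

Running `demo()` shows the points the article makes: the hardcoded bot works until the account is onboarded and then breaks, while the vault-backed bot keeps working across rotations without being edited; a second bot identity with no grant is refused; and once `invoice-bot` is suspended its fetches fail, with every refusal recorded against the specific bot identity in the audit list, which is the non-repudiation and segregation-of-duties benefit of giving each bot its own identity.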

Unleash the power of RPA

While an all-in-one automated, centralised repository solution removes roadblocks, truly unlocking the power of the citizen developer and the ultimate benefits of RPA requires organisations to embrace DevSecOps and bring together automation and security from the start.

Proactively engaging with security professionals at an early stage will allow citizen developers to safely speed past security concerns and effectively scale the number of RPA bots in their organisation, without introducing risks or slowing down innovation.