How RPA is forcing businesses to redefine secure identities

Robotic process automation (RPA) is a growing megatrend. Gartner predicts that 90 percent of companies worldwide will have implemented RPA by 2022 and have received over $ 1.8 billion in investments in the past two years alone. While RPA has a huge impact on every industry, many don’t know how prevalent the technology has become, or actually realize that they interact with it on a regular basis.

Take into account the shift to remote work. Companies in all industries have implemented some form of RPA to simplify their operations and automate tasks. For example, when major airlines were bombarded with cancellation requests at the beginning of the pandemic, RPA became essential to their customer service strategies to deal with this influx of requests.

In fact, Forrester found that a major airline had to deal with over 120,000 cancellations in the first few weeks of the pandemic. By using RPA to handle cancellations, the airline has been able to simplify its refund process and provide timely support to customers. Without RPA technology, it would have been nearly impossible to deliver this type of streamlined process when it was in such high demand

It is clear that RPA will play an important role as companies continue to innovate, automate, and transform their operations. Indeed, interest in using RPA is at an unprecedented level. Gartner states that RPA-related inquiries grew more than 1000 percent in 2020.

However, as with many new and exciting technological innovations, there is one area that is often overlooked in RPA: security. If the security aspect of RPA is not implemented in the early stages of development, organizations are vulnerable to cyberattacks. Suffice it to say, if the security gaps associated with RPA in the project lifecycle are not addressed quickly, we will see a number of serious breaches in 2021 and beyond.

RPA – your new “digital employee”

Essentially, RPA creates new “digital workers” to automate repetitive manual tasks that would have been performed by humans in the past. As a result, these new hires interact directly with business applications, mimicking the way people use credentials and permissions to access them. Although this new RPA identity that is being created works much faster than any human identity – and it eats, sleeps, takes no vacations, does not go on strike, or even gets paid.

While a digital workforce sounds like a role model to employers, they also need access to the same networks, systems, and applications that their human colleagues need. Although they are not susceptible to “human” errors or motives, they are created by humans. Many organizations falsely grant RPA access to what are known as Keys to the Kingdom – or privileged credentials. Verizon attributes more than half of all data breaches to privileged credentials, making the unsupervised, unrestricted (and often unnecessary) permissions granted to RPA vulnerable to breach.

To avoid this risk, organizations must extend their identity governance and privileged access processes to manage both their digital and human employees. There is a problem today where businesses run their own RPA programs in silos that actively bypass existing centralized security controls for managing accounts. This is due to the need for greater speed, productivity, and agility, for which security is often viewed as a blocker.

To combine these silos into a managed process, it makes sense for a company to invest in a team dedicated to robot management or a center of excellence. Some companies go a step further and make their robot workers available as employees in the HR department. While this results in a new identity for the robot, the HR department was not designed for non-human resources, so new challenges arise. Especially given the rate of wear and tear, the various attribute classes assigned to a robot, and the methods used to instantiate robots at runtime. Existing mitigation controls are still relevant when used appropriately, particularly with regard to permissions creeping, orphaned accounts, erroneous attributes with no meaning or context, disclosure of passwords and secrets, and a defined ownership path.

Secure the future of RPA

In addition, with a PAM system that provides connectivity to RPA systems, organizations can effectively secure, control, and audit the credentials and permissions used by the robots. By choosing a PAM solution that is easy to deploy and integrate, this is accomplished without affecting the ROI of the RPA program. and it is also crucial that this has no impact on productivity.

The first step in solving a problem is realizing that there is one. In this case, realizing that these new digital employees have identities is the first and most important step in securing the future of RPA.

The clear business benefit from investing in RPA and the potential return on investment from increased productivity make it a fairly open and closed business decision, even with heightened security awareness. However, many security solutions make the investment unsustainable because they are too costly to deploy and integrate, making it difficult to get the investment returned – especially when security auditors knock on the door.

RPA solutions do not currently focus on solving security challenges as they are otherwise geared towards increasing productivity. As a result, third party security solutions need to be integrated to provide the correct controls to mitigate risk. The easiest of these controls to use is PAM (Privileged Access Management). Organizations need to take this into account when implementing an RPA project.

Case and point

An international private security company saw the benefits of this approach firsthand after investing in an RPA solution. With over 160,000 employees worldwide, the addition of digital employees made it possible to reallocate time from existing employees to focus on higher-value tasks.

By implementing a PAM system that fits seamlessly into the existing RPA solution, the company was also able to automate the control of the privileged access of its digital employees.

When digital workers need privileged access, the robot automatically pulls credentials from the PAM system without affecting the bot owners or developers. Not only does this provide a complete audit trail that digital workers had access to which applications, but also individual accountability and evidence that no one can obtain the password in an inconsistent manner.

This system allowed the company to scale its digital workforce to 14 business units in just two years and give back 350,000 hours to the company without compromising security.

Identity is the new scope

Who would have thought it would be until 2021 for organizations to have the answers to questions like: How are the robots in your organization created? How are their accounts created, used, and removed? Who controls the robot’s activity and how would you know if a bot has been compromised? Do you know how many of the records in your HR system are actually non-human resources?

Throughout 2021 and beyond, security teams will realize that these previously unrecognized security challenges of RPA, and many security challenges in general, will all trace back to one common scope – identity.

Alan Radford, regional CTO, One Identity

May 28, 2021