Robotic Process Automation (RPA) has been a favorite among IT leaders for a few years now. It is a key component of the digital solutions offered by IT service providers for both back-office and front-office operations. RPA has successfully waded through its share of skepticism and has found greater acceptance among enterprises. RPA tools have also become better and more sophisticated over the years. What simply started as mimicking human actions has now branched out and has incorporated analytics insights and machine learning, thus helping businesses generate and analyze more data.
For the benefit of the uninitiated, RPA in layman's terms can be understood as a solution that allows the automation of business processes end-to-end, irrespective of the type and number of applications involved and the environments in which they are used. Automation itself is not a new concept and has been around for a long time; however, it has been limited to certain applications or areas of use. RPA is different from “conventional” automation as it is non-invasive and can be used to automate larger business processes instead of creating multiple point solutions. RPA “bots” can be quickly deployed to automate repetitive tasks, and they save a considerable amount of time and money for the organization. They improve accuracy, efficiency, and even compliance.
RPA bots are responsible for carrying out crucial processes across multiple business functions. They operate like a human and replicate the steps a user would perform day-to-day to execute repetitive tasks. They can access databases and use supporting services. This creates a possible risk and a potential challenge: since the bots handle sensitive data, and the solution may involve moving it across systems from one process to another, that data can be exposed if it is not secured. Thus, controls are needed to make sure the bot handles data only as planned.
What are the challenges?
RPA bots are not built like enterprise applications. Enterprise applications are built over a long period, with huge inputs and overheads in development and testing. RPA, on the other hand, is a quick implementation: development and deployment of RPA bots only take 1-2 months on average. As a result, bots are more susceptible to threats if proper security frameworks are not applied and best practices are not followed.
RPA bots help organizations process a huge quantity of data 24/7. As the RPA tools have matured, the scope of data that can be handled by bots has also increased. The emergence of process intelligence features has helped significantly in increasing the variety and volume of data. This varied and massive volume of data helps in uncovering more insights than before. At the same time, however, the risks of data being compromised have increased as well.
One of the main risks associated with RPA, and the concern of many, is data security, whether seen from the point of view of bot transactions or of data leakage. Transaction safety is always a concern for enterprises when they opt for RPA; it is difficult for them to trust the bot to function with minimal supervision. Data has become, and will remain for some time, the most important asset of an organization, and any untoward incident can lead to huge problems. Two of the primary reasons that can lead to this problem are improper governance and lack of adherence to best practices.
Data leakage can be broadly understood as exposure of bot/user credentials or the customer data that the RPA bot handles. The bots use the organization’s credentials to log in, and they need access to passwords. Therefore, it is really important to keep track of who has access to the bot for execution and maintenance. Unauthorized access to an RPA system could result in intellectual property damage. As world bodies are taking note of the importance of data and bringing in regulations to protect it from unauthorized access and use, it is of prime importance that problems like access abuse and data disclosure are weeded out of RPA solutions completely.
What can be done?
The good news is, the problems described above can be remedied and avoided altogether. To address security failures in RPA projects and manage associated risks, the following things need to be kept in mind.
- There should be a distinct difference between the RPA user (the person who will operate and run the bot) and the RPA bot itself. A unique identity should be assigned to each RPA bot along with dedicated credentials. This will demarcate bot and human actions and attach accountability to bot actions, providing a complete audit trail of what the bot does. The trick is to create not a bot but a virtual employee.
- Manage access on two fronts. First, who has access to the bot? Limit the number of people who can access the bot for both execution and maintenance. This will eliminate the chances of rogue changes being made to the bot, and the bot will act along tested lines. Second, the bot's access to systems. Creating a separate bot entity as discussed earlier will help here: using a human user's credentials can grant the bot more privileges than it actually requires, whereas dedicated credentials limit the scope of system and application access the bot has. Reducing the possibilities for unwanted actions and transactions will help in avoiding breaches of security.
- The development and deployment of RPA bots is a continuous process. It is not a one-time activity that ends when the bot goes live. Thus, it is imperative that threats and vulnerabilities are also tackled continuously. The people handling the bot may leave the organization, the applications involved in the automation solution may change or be updated, and the process itself may change based on business requirements. This makes it necessary that the security team is as much of a stakeholder in the RPA initiative as the RPA CoE (Centre of Excellence) or the line-of-business team. Creating a risk framework that evaluates the RPA implementation as a whole as well as the individual scripts, and periodically reviewing and testing RPA scripts with a special focus on business logic vulnerabilities, will go a long way.
- Focus on the security features of third-party plug-ins. The RPA tools available in the market come with the possibility of adding plug-ins to enhance their scope, use, and performance. The passing of data from one application to another requires special supervision, so it is important to ascertain the security and trustworthiness of any plug-in that is used. Perform a product architecture risk assessment before buying into it.
- The last is to follow all the best development practices. Create separate environments for development, quality assurance, and production. Avoid hard-coding credentials and use a credential vault to protect passwords. Use configuration files to give the bot flexibility. Test the bot rigorously over all the possible business cases and the variety of data it may encounter. Maintain detailed log reports so that they can be reviewed when RPA security fails. Complete, system-generated logs without any gaps help in investigating the root cause and taking mitigating steps.
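The list above describes controls in the abstract. The following is an added example, not code from the article or from any RPA product, showing how several of them look together in a minimal bot harness: a dedicated bot identity with an allow-list of actions loaded from a configuration file, credentials fetched from a vault at run time rather than written into the config, and an append-only audit log whose sequence numbers and hash chain make missing or altered entries detectable. `BotConfig`, `InMemoryVault`, `AuditLog`, the sample config and the vault contents are all constructed for this illustration; a real deployment would replace `InMemoryVault` with the organization's vault client.

```python
"""Added example (not the article's or any vendor's code): a minimal RPA bot harness
with a dedicated bot identity, vault-fetched credentials, least-privilege action
scope from a config file, and a gap-detecting audit log. All names and sample data
are constructed for illustration."""
import hashlib
import json
import time
from dataclasses import dataclass

# Config keys that would indicate a hard-coded credential; loading such a config is refused.
FORBIDDEN_CONFIG_KEYS = {"password", "secret", "token", "api_key"}


@dataclass
class BotConfig:
    bot_id: str                # dedicated identity for the bot, never a human user's account
    target_system: str
    allowed_actions: set[str]  # least-privilege scope for this bot


def load_config(raw_json: str) -> BotConfig:
    """Parse a bot config file; refuse any config that carries a hard-coded secret."""
    data = json.loads(raw_json)
    leaked = {k for k in data if k.lower() in FORBIDDEN_CONFIG_KEYS}
    if leaked:
        raise ValueError(f"config must not contain credentials: {sorted(leaked)}")
    return BotConfig(data["bot_id"], data["target_system"], set(data["allowed_actions"]))


class InMemoryVault:
    """Stand-in for a credential vault (constructed); a real bot would call the vault's API."""
    def __init__(self, entries: dict[tuple[str, str], str]):
        self._entries = entries  # (bot_id, system) -> secret

    def fetch(self, bot_id: str, system: str) -> str:
        # A secret is released only for the bot's own identity and its target system.
        try:
            return self._entries[(bot_id, system)]
        except KeyError:
            raise PermissionError(f"no credential for {bot_id} on {system}") from None


class AuditLog:
    """Append-only log; sequence numbers plus a hash chain make gaps or edits detectable."""
    def __init__(self):
        self.entries: list[dict] = []
        self._prev_hash = "0" * 64

    def record(self, bot_id: str, action: str, outcome: str) -> None:
        entry = {"seq": len(self.entries), "ts": time.time(), "bot_id": bot_id,
                 "action": action, "outcome": outcome, "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.entries.append(entry)


def verify_audit_log(entries: list[dict]) -> bool:
    """Return True iff sequence numbers are contiguous and the hash chain is intact."""
    prev = "0" * 64
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False
        body = {k: v for k, v in e.items() if k != "hash"}
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True


def run_bot(cfg: BotConfig, vault: InMemoryVault, log: AuditLog, actions: list[str]) -> list[str]:
    """Run requested actions under the bot's own identity; out-of-scope actions are refused."""
    vault.fetch(cfg.bot_id, cfg.target_system)  # the secret would be used to log in here
    log.record(cfg.bot_id, "login", "ok")
    results = []
    for act in actions:
        if act in cfg.allowed_actions:
            log.record(cfg.bot_id, act, "ok")      # the real process step would run here
            results.append("ok")
        else:
            log.record(cfg.bot_id, act, "denied")  # refused and logged, never silently done
            results.append("denied")
    return results


# Constructed sample config (no credentials inside) and vault contents.
SAMPLE_CONFIG = json.dumps({"bot_id": "bot-invoice-01", "target_system": "erp",
                            "allowed_actions": ["read_invoice", "post_invoice"]})
SAMPLE_VAULT = InMemoryVault({("bot-invoice-01", "erp"): "vault-managed-secret"})


def demo() -> tuple[list[str], bool, bool]:
    """Run the bot, check the log, then show that a deleted log line is detected."""
    cfg = load_config(SAMPLE_CONFIG)
    log = AuditLog()
    results = run_bot(cfg, SAMPLE_VAULT, log, ["read_invoice", "delete_vendor"])
    intact = verify_audit_log(log.entries)
    with_gap = [dict(e) for e in log.entries]
    del with_gap[1]  # simulate a missing log line
    return results, intact, verify_audit_log(with_gap)


if __name__ == "__main__":
    print(demo())  # (['ok', 'denied'], True, False)
```

The config deliberately carries no password field, so `load_config` rejects any file where one has crept in, and the vault only answers for the bot's own identity, which is what makes the "virtual employee" separation from a human account concrete. The audit verifier is what an investigator would run over exported log lines before trusting them.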
The benefits an RPA implementation provides to the organization are immense. Proper selection of the RPA tool that suits the type of process and applications in consideration, vetting of any plug-ins that may be used, creating a security framework, and following best practices for development will help eliminate any security or data leak threat that may be posed. Undoubtedly, the rewards can be reaped for a long time.
Pratik Sharma is a Sr. Business Consultant in the automation practice at IGT Solutions. He has 4 years of experience in RPA in multiple capacities. Outside of work, Pratik is passionate about football and reading.