Ensure your bots have the right security in place, starting with the digital worker profile.

Robotic process automation (RPA) is the fastest-growing technology that Gartner says that they track. One critical aspect to consider when implementing automation technology and RPA bots is their security, particularly the digital worker profile. The following best practices will help you develop a digital worker profile with efficiency and security in mind.

RPA Security Best Practices: Digital Worker Profile

What is a digital worker and what kind of security do they require?

What access should a digital worker be granted?

How should we assign privileges to the digital worker? In what ways can we develop the identity for the digital workers we implement into our systems? How do we build a worker’s profile that does not pose threats to security?

We can gain some initial clarity by stepping back to look at the definition of a digital worker.

Some regard the digital worker as a division of automated co-workers designed for particular tasks or organizational processes—often in conjunction with human counterparts. Within the RPA industry, a digital worker is commonly a software-based set of utilities for executing specific tasks.

In this RPA context, a digital worker constitutes a form of employment. And this employment involves a set of skills. Each of these skills is then assigned to accomplish particular tasks. Execution on functions can be multi-dimensional, meaning a digital worker can achieve a variety of tasks. For example, a CEO may be speaking on a topic while also analyzing the audience for ways to adapt their presentation. Digital workers are also skilled in numerous fashions to execute on a reasonable scope of tasks and engage with humans to produce an effective workflow.

The digital worker profile refers to the access and privileges granted to a bot for specially designated functions. Such automation can improve a company’s security, but it is imperative to follow the proper protocol to ensure this defense.

Best Practices for Creating a Digital Worker Profile

Assign Appropriate Security Access and Privileges

A digital worker—also known as a ‘bot’—profile for automation must be constructed carefully and securely. Bots must be assigned access and privileges to ensure that a company does not permit abuse by any worker, whether an outside agent or an agent involved in the bot’s operation.

It is critical to assign proper and unique accounts for each bot. This account will be the unique assignment of the bot and accessible only by this specific bot worker. Any assignments to a bot should follow the principle of least privilege (POLP). This ensures the scope of the work assigned is limited only to work that is planned. As the scope of a bot’s work expands or changes, privileges can be added or removed. It is also crucial to confirm that passwords are unique and secure.

Utilizing a credential managing software can help maintain a diversity of credentials and promote a necessary separation of duties (detailed in the next section).

We also provide risk scenarios for each of the practices in this guide.

In planning access and privileges for your bot, consider the risk that a hacker may manage to compromise a highly privileged bot user account, access sensitive data, and move through your network. The protective measures accounted for in this article will help limit the scope of possible damage from the hacker.

Minimize Risk by Separating Duties

It is vital to ensure that employees have the minimum access necessary to a bot’s digital worker profile to complete their tasks. The roles of bots, developers, and bot operators can be separated to minimize risk. This prevents abuse from any single party.

For high-risk processes, you can utilize additional and segmented manual or automated processes to verify transactions. The purpose of this strategy is to maintain independent oversight of the automation, resulting in less abuse.

An example of a risk scenario in this context is a potentially disgruntled employee changing crucial banking automation to deposit credit card chargeback funds into their account instead of the required account. Separating duties and roles ensures that the employee could execute this change, and the verification process would provide an alert on the failed transactions.

Build-in Regular Security Audits

Security and auditing provide two primary opportunities. They will identify abuse early, and they can prevent unauthorized changes to a bot.

Proper RPA tools are an asset for this effort, issuing a full audit for trailing and logging. These audits and documentation can be used to identify potential errors in the operation of a bot. Types of errors can include those caused by malicious changes to the code, inaccurate development and testing, or applied modifications from a third party.

RPA scripts should be approved from a security perspective before they are implemented. Any compliance risks should also be addressed before developing the code. The RPA team and any application owners should discuss requirements. Clarity from these discussions can avoid costly stops or delays to operation, and circumvent the need to revisit bot development, testing, or change management.

Any change to the RPA lifecycle should be approved by the entire RPA team to prevent any individual person from updating a bot.

An associated risk scenario in these efforts could involve a bot creator training the bot to handle credit card information but failing to encrypt this data in transfer to an external database. Such a compliance risk will eventually cause a breach that could result in devastating losses to a company.

Ensure Your RPA Vendor Has Cybersecurity Competency

CyLumena and SDLC Partners provide an RPA service that balances confidentiality and transparency while maintaining control over the entire operation and providing verification of automation results. Contact CyLumena to discuss the necessities for a secure RPA lifecycle.

Contact Us

CyLumena - Roman Cano

Insight Contributor:

Roman Cano, Consultant

Roman Cano is a cybersecurity consulting professional with experience in developing and implementing automation solutions along a variety of corporate spaces.  Roman is certified in both RPA and UiPath and has also helped clients by generating process documentation, handling test scripts, and reviewing their environmental setups.