The Evolution of RPA and Ensuring Your Security Is Up to Spec

Brandon Traffanstedt, Sr. Director, Global Technology Office at CyberArk, argues that while automating processes offered many benefits, anxiety around handing over control also came hand-in-hand with RPA.

When robotic process automation (RPA) burst onto the scene just a few short years ago, many held it up as the ultimate tech solution financial institutions had been waiting for. 

These software robots could take on an organisation’s most mundane and repetitive tasks, not only freeing staff up to work on business-critical, cognitive and creative work, but also helping improve efficiency, accuracy, agility and scalability.

But while automating processes offered many benefits, anxiety around handing over control also came hand-in-hand with RPA, just as security teams become uneasy when a new and powerful entity – like cloud, or Shadow IT – is introduced and needs to be understood, managed and controlled. Many employees worried that they’d lose their jobs, but analysts predict that the RPA market is going to increase by over 50% in 2022 vs. 2021, to over $3 billion (£2.3 billion). Thus far RPA has been used to augment rather than replace human resources.

RPA has instead enabled employees to use their experience and capabilities in a more engaging and beneficial way, by taking over some of the financial industry’s more manual and time-consuming processes. These include – but aren’t limited to – account opening, customer onboarding, mortgage lending, report generation, compliance, anti-money laundering and loan processing.

The Evolution of RPA

Throughout the financial sector, employees have embraced RPA as a way to solve business problems, bringing the fundamentals and practices of DevOps to a wider community. The citizen developer had arrived – people across the business who created their own automated processes using low or no-code platforms.

But while early RPA enabled automation, it also required human oversight. RPA applications used semi-attended bots that needed a person to press the ‘go’ button in order to undertake a task – and also required that user’s digital identity to complete it.

Citizen developers were keen to take automation to the next level and implement fully unattended robots – the holy grail of RPA. But this had serious security implications, as unattended robots require access to the same networks, systems and applications as their human counterparts. This often includes access to critical enterprise systems which requires high-level privileged access.

Robot credentials, identities and similar secrets are just as much at risk as those attached to a real person and, if not secured correctly, give cybercriminals another way to steal data and cause chaos.

It’s understandable then, that the use of unattended bots caused a rift between security and automation teams, with the former requiring more stringent security measures and the latter struggling to achieve this either due to a lack of knowledge or lack of time.

Enforcement of strong security practices was difficult for cybersecurity teams and their ‘stern recommendations’ led to a split amongst citizen developers. Some were discouraged and resigned to using attended automation which stifled innovation. Others went ahead and implemented non-sanctioned RPA applications that created gaps in their organisation’s cybersecurity.

How to Secure Unattended Automation

Fortunately, it is possible to address security concerns in a way that supports the use of secure unattended robots without requiring extra work by the staff you’re looking to free up.

This is done via automated, centralised management of RPA credentials. Rather than manually assigning, managing and updating the credentials a bot needs to perform its task, all hard-coded privileged credentials are removed from robot scripts and replaced with an API call pointing to automatically rotating credentials stored in a secure, centralised repository.

This provides consistent implementation of security measures such as rotation of credentials, multifactor authentication, password uniqueness and complexity requirements, and – given certain criteria – the suspension of privileged credentials.

Best practice also includes giving bots their own unique identity, credentials and entitlements to ensure that nonrepudiation and separation/segregation of duties are adequately controlled, in addition to limiting access to applications and databases they need to do their job. This is applying the principle of least privilege to robots, just as you would restrict a human user to the minimum levels of access or permissions needed to perform their job.
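The two patterns described in this section, a hard-coded credential in a bot script beside the hardened form that fetches a rotating credential under the bot's own identity, as an added example that is not part of the original article. The vault, the target system, the bot names and the account names are all constructed stand-ins for illustration; `CredentialVault` is not any real product's API. The example also shows why rotation and hard-coded secrets cannot coexist, and how a per-bot entitlement list plus an audit trail enforces separation of duties:

```python
"""Added example: hard-coded bot credential vs. vault-fetched, rotating credential.

Everything here is constructed for illustration; the vault and the target
system are in-memory stand-ins, not a real product's API."""
import secrets
from dataclasses import dataclass


class TargetSystem:
    """Stand-in for a database or application the bot logs in to."""

    def __init__(self):
        self._accounts = {}  # username -> currently valid password

    def set_password(self, username, password):
        self._accounts[username] = password

    def login(self, username, password):
        # Succeeds only with the password that is currently valid on the target.
        return self._accounts.get(username) == password


@dataclass
class VaultSecret:
    username: str
    password: str
    version: int


class CredentialVault:
    """Hypothetical centralised credential repository (constructed for this example).

    Holds one rotating credential per managed account and an entitlement list
    saying which bot identity may read which account. Every read is audited,
    including denials, so a bot reaching for a credential it was never entitled
    to is visible in the log."""

    def __init__(self, target):
        self._target = target
        self._secrets = {}  # account -> VaultSecret
        self._acl = {}      # bot identity -> set of accounts it may read
        self.audit = []     # (bot identity, account, "allow" | "deny")

    def onboard(self, account, username):
        # The vault takes ownership of the password: it generates it and pushes it to the target.
        self._secrets[account] = VaultSecret(username, "", 0)
        self.rotate(account)

    def rotate(self, account):
        cur = self._secrets[account]
        new = VaultSecret(cur.username, secrets.token_urlsafe(24), cur.version + 1)
        self._target.set_password(new.username, new.password)  # rotate on the target first...
        self._secrets[account] = new                            # ...then publish to readers

    def grant(self, bot_identity, account):
        self._acl.setdefault(bot_identity, set()).add(account)

    def fetch(self, bot_identity, account):
        allowed = account in self._acl.get(bot_identity, set())
        self.audit.append((bot_identity, account, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{bot_identity} is not entitled to {account}")
        return self._secrets[account]


# --- Before: the pattern the article says to remove -------------------------
HARDCODED_PASSWORD = "Sup3rSecret!2019"  # constructed; copied into every script that needs it


def report_bot_insecure(target):
    """Shared service account with the password baked into the script."""
    return target.login("svc_rpa_shared", HARDCODED_PASSWORD)


# --- After: no secret in the script; the bot authenticates as itself --------
def report_bot_secure(vault, target, bot_identity="rpa-report-bot-01"):
    """Fetches the current credential for the reporting account under the bot's own identity."""
    cred = vault.fetch(bot_identity, "reporting_db")
    return target.login(cred.username, cred.password)


def demo():
    target = TargetSystem()
    target.set_password("svc_rpa_shared", HARDCODED_PASSWORD)  # legacy shared account

    vault = CredentialVault(target)
    vault.onboard("reporting_db", "svc_rpa_report")
    vault.grant("rpa-report-bot-01", "reporting_db")  # least privilege: only its own account

    results = {"insecure_before_rotation": report_bot_insecure(target),
               "secure_before_rotation": report_bot_secure(vault, target)}

    # Rotation: passwords change on the target; the hard-coded script cannot follow.
    target.set_password("svc_rpa_shared", secrets.token_urlsafe(24))  # legacy account rotated
    vault.rotate("reporting_db")
    results["insecure_after_rotation"] = report_bot_insecure(target)
    results["secure_after_rotation"] = report_bot_secure(vault, target)

    # Separation of duties: a different bot identity has no entitlement to this account.
    try:
        report_bot_secure(vault, target, bot_identity="rpa-onboarding-bot-07")
        results["other_bot_denied"] = False
    except PermissionError:
        results["other_bot_denied"] = True
    results["denials_logged"] = sum(1 for _, _, outcome in vault.audit if outcome == "deny")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the insecure bot working until the first rotation and failing afterwards, while the vault-backed bot keeps working because it asks for the current credential each run. The denied request from the second bot identity lands in the vault's audit list, which is the record a security team would alert on.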

Unlock the Power of RPA

An all-in-one automated centralised repository solution removes old roadblocks, but to truly unlock the power of the citizen developer and the ultimate benefits of RPA, financial institutions must embrace DevSecOps and bring together automation and security from the start.

Engaging with security teams and security professionals proactively and early will allow RPA teams and citizen developers to speed past those concerns and effectively scale the number of RPA bots in their organisation without introducing security risks or slowing down innovation.

By Brandon Traffanstedt, Sr. Director, Global Technology Office at CyberArk.
