In my previous post, I wrote about why companies need to focus on security while creating bots. In an age where cybercrime is preying rapaciously on vulnerable systems, companies should take bot security very seriously.
Since bots operate in an ecosystem that comprises critical data, applications, APIs and connectors, (which are also accessed by third party vendors and clients), the entire ecosystem — including your client’s network — is vulnerable to multiple threats. In the previous post, I outlined the three principal pillars — security features, vulnerability assessment, penetration testing — to ensure your bots incorporate the necessary security protocols and operate in a secure environment.
In Part-II of this series, I elaborate on these three pillars with actionable details you can employ in your bot development cycle:
Advanced Security Features
Ensure you employ strict security codes and principles throughout the development cycle from planning, building, testing to deployment.
- Industry standard encryption: Throughout the automation process, encryption — the process of encrypting data or password hashing in a way that only authorized parties are able to access them — helps to ensure the highest level of access security; SHA-2 is an example of an industry-tested and accepted hashing algorithm you could use
- Data security through encryption and time-bound destruction of persistent data: Data should be encrypted at all three stages, i.e., data at rest (hard disk), data in use (memory) and data in motion (network). For example, when a bot is handling confidential data, such as protected health information (PHI), use chipper text in all the three stages instead of plain text.
- Firewall and intrusion prevention system: Since the bots would most likely be working across various firewalls, make sure that they are not usurped and employed as Trojan Horses, by employing an effective firewall and intrusion prevention system; make sure they are patched to the latest release
- Deployment policies: Make sure that all RPA implementations follow laid-down policies for deployment, such as documentation, testing, version control and signing-off processes
- Built-in AI/ML to detect security breach: Incorporate machine learning practices. With machine learning, the software could eventually provide security intelligence by analyzing past process activity, possibly giving faster and more accurate warning than a human expert, doing the same analysis.
- Behavioral analysis:
- Maintain audit logs that record all bot activities as well as those that bot users perform within the automation framework; logs help to reconstruct the activities preceding the incidence when bots behave in an unexpected way
- Employ tools such as User and Entity Behaviors Analysis (UEBA) that use AI-based machine learning to identify changes in bot behavior
As the bots constantly work across networks and firewalls, make sure you check the security integrity of the ecosystem periodically.
- Regulatory compliance: All the regulatory compliance controls that are applicable to a human operator should be compiled and applied to bots. For example, under the HIPAA security rule, a unique user name and/or number is required for identifying and tracking user activity, this should be mandated for the bots working on processes that deal with PHI
- Risk-management preparedness: The Risk Management team should be involved during the planning stage of bot implementation to understand, determine and provide solutions for risks involved in implementing the bots
- Network and application security:
- Effective network security helps to identify when attacks are happening inside the network (endpoint security), collect evidence of network intrusions and defend against network attacks
- Application security prevents attacks/threats from various sources like input validation, session hijacking, cross site scripting (XSS), cross site request forgery (CSRF) and Denial of Services (DoS)
- Ensure bots use E2EE (End to End Encryption) for all communications between client and server; this helps prevent Man-in-the-Middle (MITM) attacks in network security
Penetration Testing (specific for process bots)
Evaluate the security of the entire ecosystem by doing a series of simulated attacks, or penetration testing.
- Secure configuration and hardening of critical devices: Ensure secure configuration to reduce unnecessary vulnerabilities on servers, workstations and network devices
- Logical access control: Ensure logical access control so bots do not have inappropriate access to information that is sensitive
- Security patches management: Create an inventory of all software used to build up bots and ensure proper ownership to monitor and ensure timely application of patches
- Password management
- Password management, such as two factor authentication or credential vault, should be an integral component of an RPA tool to manage and secure various passwords and associated login details. The details should be protected using high-level encryption protocols; also ensure high security between processes during the ‘handshake’ while implementing business logic on applications and transferring data from one to the other
- Application code security, such as SQL injection and cross-site scripting (XSS)
- Co-opt IT and InfoSec teams into the RPA governance team right from the beginning; InfoSec teams should start identifying vulnerabilities right at the planning stage
- Use Static Application Security Testing (SAST) tools for static codes analysis during the design phase and Dynamic Application Security Testing (DAST) tool for dynamic code during run times
- Ensure you obfuscate application source code to prevent reverse engineering before migrating bots to the production environment
Bot security needs to be treated with utmost urgency, earnestness and discipline. Organizations need to ensure that bots are coded under a secure process, implemented in a secure environment and undergo regular security and penetration testing cadence. More importantly, bot security should be made an integral part of the governance protocol.
I hope this detailed guideline helps you build a secure foundation for your RPA journey.
Post Date: 12/14/2017