The Whys and Hows of Deploying a Secure RPA Solution
•
0 likes•141 views
Segregation of Duties, Maintaining Platform Security, Managing Change Management & Audit and Securing Data Access and Credentials are just some of the challenges of securing a Robotic Process Automation Deployment
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to The Whys and Hows of Deploying a Secure RPA Solution
Similar to The Whys and Hows of Deploying a Secure RPA Solution (20)
Recently uploaded
Recently uploaded (20)
The Whys and Hows of Deploying a Secure RPA Solution
- 1. © 2018-19. All Rights Reserved. Option3 Deploying a Secure RPA Solution
- 2. © 2018-19. All Rights Reserved. Option3 AGENDA RPA Security Architecture Challenges in RPA Security Vault Vs Credential Store Benefits Why CyberArk Integration
- 3. JiffyRPA – Intelligent Automation © 2018-19. All Rights Reserved. Option3 Segregation of Duties JiffyRPA RPA Security Platform Security Change Management and Audit Securing Data Access & Credentials ▪ Application configuration: Bots can be designed without application credentials. ▪ Configurable role-based access to applications ▪ Centralized control for provisioning, tracking and enforcement of bot duties ▪ Access control to bot/task repository ▪ Bots can be implemented by users with the least privileges. ▪ AES-based encryption for password data at rest ▪ TLS 1.2 for data in motion ▪ Masked passwords ▪ Communications between Jiffy User, Jiffy Web Console and Jiffy Service are performed through outbound WCF TLS communications and inbound SSL ▪ Bots work independently and within their own sandboxes. ▪ All actions are audit-trailed and history maintained. ▪ Reusable bundled work flows, expressions, UI components are all version controlled. ▪ Execution history and logs can be enabled for: • UI and back-end actions • JDI events for user action • DB level audits ▪ Secure Vault Stores, and tightly controls access to: ▪ Tokens ▪ Passwords ▪ Certificates ▪ API keys, and other secrets. ▪ Stored data is encrypted. Vault secrets will be automatically revoked once the lease period ends. ▪ Detailed activity audit logs are maintained.
- 4. JiffyRPA – Intelligent Automation © 2018-19. All Rights Reserved. Option3 • Jiffy is web-based and all access to bots are centrally managed through JiffyRPA console. No Jiffy instance on individual user desktops • Best-in-class security with AES 256 for data at rest. TLS 1.2 for data in motion • Single factor authentication to Jiffy console. • Only the Jiffy Service runs outside the core Jiffy Linux server and communicates over http/https. • All components are setup in- premise and sandboxed. No internet or communication with cloud. Jiffy Web Console Jiffy core server Jiffy bots on Windows desktop/Server Desktop apps Web apps Mainframe Excel TCP+TLS1.2 APIS (HTTP/HTTPS) Browser on user desktop JiffyRPA Technical Security Architecture
- 5. © 2018-19. All Rights Reserved. Option3 CHALLENGES Securing Credentials The Need to share application credentials with Bot designer. Internal applications can be secured with SSO and Credential rotation etc. How to secure external application credentials? Password Resets As part of security protocols, passwords have to be changed frequently What happens when there are many accounts accessed by bots which have to be updated? Managing Bot credentials How to ensure that the credentials of the bot, Windows login itself is not accessible to anyone not even the RPA admins. Ensuring that no human can login on behalf of the bot and execute specific activities Securing data in logs Ensuring that credentials/secured data do not appear in logs Many RPA solutions hide credentials in scripts, but they appear in the logs Storing other secured info Secured data is not limited to credentials. For example, bank security questions for login on bank portal. Handling of sensitive data like SSN, Credit Cards etc.
- 6. © 2018-19. All Rights Reserved. Option3 SOLUTION Solved using combination of technology and business process study Improvements in the development and deployment process A RPA Platform provided Secure Vault for storing data at run time integrated with CyberArk.
- 7. © 2018-19. All Rights Reserved. Option3 SAMPLE PROCESS FLOW FOR INTEGRATED VAULT •Business User stores credentials and secure data including login questionnaire on vault and shares key with designer. •Bot designer has access to vault •Designer will define values for keys in the vault •Designer designs and executes bots •During execution, bots extract values for keys during run time •Retrieves keys defined by designer, not what is defined by business user •Task moved to Staging area of production •Business walkthrough of script •Business User approves the Bot Design on Jiffy •Bot scheduled to run in production •Bot is run under the business user’s ID •Bot picks up key assigned by the business user giving it production access. • A tight integration with RPA platform and Secure Vault is the basis of a secure implementation.
- 8. © 2018-19. All Rights Reserved. Option3 SECURITY VAULT VS CREDENTIAL STORE Jiffy Security Vault Standard Credential Store CYBERARK Integration Ability to store non credential information like Bank login questionnaire YES NO YES Security/encryption levels of storage High Medium High Built in business review and approval of task Comprehensive Non existent Non existent Ability to deactivate access to secure data on modification of bot Yes No No Prevent sharing of credentials with Bot Designer Yes No Yes Provides granular control for Business users to change credentials Yes No Yes Credential rotation No No Yes (for internal apps only) Audit log of access Yes Yes Yes
- 9. © 2018-19. All Rights Reserved. Option3 JIFFY - CYBERARK INTEGRATION JIFFY’S SECURE VAULT JIFFY SERVER 2 3 Operations 1 - Requests for Credentials 2 - Search for Secret(Internal Vault/CyberArk) 3 - Get CyberArk Username 4 – Request CyberArk Password 5 - Get Cyberark Password 6 - Bot Receives Credentials Secure Processing 5 JIFFY BOT 1 4 6
- 10. © 2018-19. All Rights Reserved. Option3 CYBERARK INTEGRATION • Bot Designer maps Jiffy secure vault token to CyberArk credentials • Bot to be designed with Cyber Ark credentials for internal apps and Jiffy Secure vault tokens for external access. • No storage of credential information other than user token in Jiffy SECUREVAULT & CYBERARK • Seamlessly use with CyberArk credential or Jiffy SecureVault credentials • No change in user interfaces • Test runs will invoke the secure processing engine which will seamlessly connect to CyberArk DESIGNER INTERFACES • Logs to reflect only user tokens • Request credentials in real- time on need basis • Identify and invoke CyberArk credential at runtime on need only basis. BOT EXECUTIONS
- 11. © 2018-19. All Rights Reserved. Option3 BENEFITS No sharing of passwords Complete control of bot execution lies with the owner of the bot. If the bot is modified after approval, the access is automatically revoked JiffyRPA automatically ensures that the secure data is not appearing any logs Best in class security with AES 256 for data at rest. TLS 1.2 for data in motion - ensuring that the no data can be spied upon Not just the credentials, any secure data can be managed through the vault like bank login security questions etc. Complete audit log of secure data
- 12. © 2018-19. All Rights Reserved. Option3 THANK YOU