Come and join us for this informative meeting on how you can secure your environment with UiPath & CyberArk Technologies. In this session we will cover the following topics:
• Updates from UiPath
• Securing your UiPath environment
• CyberArk and Security
• Security Discussion
Meet the Team
• Diana Gray, Community Marketing Manager, AMER @UiPath
• Brian Carpenter, Sales Engineer @UiPath, Inc.
• Joshua Gregory, Senior Presales Technical Consultant @UiPath, Inc.
• Jeremy Patton, Solutions Engineer – DevOps @CyberArk
• Stuart McEntee, Sales Specialist – Secrets Manager @CyberArk
• Polo Perez, Senior Director of Business Development @CyberArk
Date/Time | Topic | Status
• Mar 20, 1:00 PM EST | Secure your environment with UiPath and CyberArk technologies - Session 1 | Happening Now
• Apr 3, 1:00 PM EST | Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2 | Register Now
Quick Overview
In the next slides, you'll find the most important topics that need to be covered in order to reach your full RPA potential:
01 Bot Identity
02 Credential management
03 Delegated permissions/segregation of duties
04 User Access Review (UAR)
05 Governance
06 SOX/Business Critical automations
While RPA (Robotic Process Automation) is becoming more and more part of our lives, it's mandatory to define appropriate security guidelines to ensure the maximum benefit from a technology meant to make our work more enjoyable.
Bot identity
While software robots are here to take over our repetitive and inefficient work, they require their own identity in the systems/platforms they are operating in. Here is why:
• Traceability: easily identifying robot vs. human work in system/application logs and differentiating the work done by bots.
• Role Management: each robot account should have the minimum required permissions/roles in order to perform its tasks.
• Authentication: since Two Factor Authentication requires human identification, robots' accounts must be created as Service Accounts that can bypass additional login steps. Also, when possible, API authentication is recommended.
• Audit: since change management is paramount during audits, bot identities allow system admins to easily identify and get the evidence required for all changes performed by the robots.
• Process Inventory: easily document which automation uses which account with which permissions.
Bot identity (cont.)
As previously mentioned, each process should have its own associated account, but robots also require a place to "stay and play", in a Virtual Environment (Virtual Machines grouped in Environments at Orchestrator level). A Virtual Environment will also require an identity, which will be mapped to the automation.
Here are some recommendations on how to manage all of this:
• Enforce naming conventions for each type of account used (bots: svc-***@***.com, VM names: vm-***, VM users: vm-***@***.com). This way, it will be easier to access relevant process information from your Process Inventory mappings.
• Bots' accounts will have minimum permissions allocated by default: an Active Directory identity (email address) and an attached mailbox (O365, Google, etc.).
• From a licensing optimization point of view, you can set up shared accounts between your automations (e.g.: one shared account per department for Salesforce).
• All other platform accesses will be provided on demand (e.g.: SharePoint, Google Drive, etc.) based on automation requirements, roles, permissions, etc.
Credential Management
Now that we have highlighted the importance of bot identities, it's mandatory to periodically check and maintain all accounts' permissions and configurations.
• Credential manager: all accounts should be stored in a common credential manager that allows each team member to access the required dev/prod accounts based on their team role (dev, support, business analysts).
• Password rotation: periodically change account passwords to enhance security and meet compliance guidelines. Regularly rotating account passwords limits the risk of sharing or leaking.
• Decommissioned processes: some processes might have been decommissioned and the associated account is no longer required. This can be easily tracked with an Internal Process Inventory that contains real-time production process information like name, deployment location, accounts used, etc.
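As an added example (not code from the slides, UiPath or CyberArk), the naming conventions from the previous slide and the Process Inventory check above can be combined into one review script: it flags accounts and VM names that break the svc-/vm- conventions and lists accounts that only decommissioned processes still reference, while keeping shared accounts that a production process still uses. The process names, account names and the example.com domain are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Conventions from the slides: bots svc-***@***.com, VM names vm-***, VM users vm-***@***.com.
# example.com is a constructed placeholder for whatever domain your Active Directory uses.
ACCOUNT_PATTERNS = {
    "bot": re.compile(r"^svc-[a-z0-9-]+@[a-z0-9.-]+\.com$"),
    "vm_user": re.compile(r"^vm-[a-z0-9-]+@[a-z0-9.-]+\.com$"),
    "vm_name": re.compile(r"^vm-[a-z0-9-]+$"),
}

def classify_account(name: str) -> Optional[str]:
    """Return which convention the name follows, or None if it breaks all of them."""
    for kind, pattern in ACCOUNT_PATTERNS.items():
        if pattern.match(name.lower()):
            return kind
    return None

@dataclass
class ProcessRecord:
    name: str
    status: str                     # "production" or "decommissioned"
    deployment: str                 # VM name, as grouped in an Orchestrator environment
    accounts: List[str] = field(default_factory=list)

# Constructed sample Process Inventory (hypothetical processes and accounts).
INVENTORY = [
    ProcessRecord("InvoiceProcessing", "production", "vm-finance-01",
                  ["svc-invoice@example.com", "vm-finance-01@example.com"]),
    ProcessRecord("LegacyReportBot", "decommissioned", "vm-finance-02",
                  ["svc-legacyreport@example.com", "svc-shared-finance@example.com"]),
    ProcessRecord("SalesforceSync", "production", "SalesVM",
                  ["svc-shared-finance@example.com", "john.doe@example.com"]),
]

def review_inventory(inventory: List[ProcessRecord]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (naming violations, accounts used only by decommissioned processes)."""
    violations, in_use, candidates = [], set(), set()
    for proc in inventory:
        for name in [proc.deployment] + proc.accounts:
            if classify_account(name) is None:
                violations.append((proc.name, name))
        # A shared account still used by a production process is not orphaned.
        (in_use if proc.status == "production" else candidates).update(proc.accounts)
    return violations, sorted(candidates - in_use)

if __name__ == "__main__":
    print(review_inventory(INVENTORY))
```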
Delegated permissions/segregation of duties
Working with robots requires human responsibility – for that, each employee should have the appropriate roles and permissions in the RPA environment.
• Production environment must be separated from development/testing ones.
• For production, access must be restricted to appropriate employees based on their roles.
• Developers and business users should access only the development/testing environments.
User Access Review (UAR)
UAR is an audit control that requires periodically checking users' access and permissions on platforms/systems. In RPA, the checklist for user access review must contain:
• Properly define which platforms are the subject of audit inside the RPA team (e.g.: Orchestrator, GitHub, etc.).
• Periodically check if the defined roles/permissions are aligned with the company structure.
• All access requests must be properly documented (requests with manager's approval).
Accurate automation logging
When it comes to audit, another mandatory task is to have a clear view of what the bot is actually doing and, in case of an incident, to easily identify the root cause. This can be achieved by enforcing logging guidelines that must include:
• Proper logging level (trace, info, warning, error)
• Logs for workflow start/end
• Information about each processed transaction (id, name)
• Information about the actions performed on the processed transaction (update, inserted values)
As a best practice, it's recommended to log anonymized sensitive information when applicable (partial ids, names, addresses).
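As an added example (not code from the slides or from UiPath), this Python snippet applies the guidelines above: a custom TRACE level below DEBUG, workflow start/end events, one event per processed transaction with a partial id and a masked customer name, and one event per action applied to it. The logger name, workflow name and transactions are constructed sample data.

```python
import logging
from typing import Dict, List

# Python's logging has no TRACE level; the slides list it, so add one below DEBUG.
TRACE = 5
logging.addLevelName(TRACE, "TRACE")
logger = logging.getLogger("rpa.automation")   # constructed logger name

def mask_id(value: str, keep: int = 4) -> str:
    """Partial id: hide everything except the last `keep` characters."""
    value = str(value)
    hidden = max(len(value) - keep, 0)
    return "*" * hidden + value[hidden:]

def mask_name(value: str) -> str:
    """Keep only each word's initial: 'Jane Doe' -> 'J*** D**'."""
    return " ".join(word[0] + "*" * (len(word) - 1) for word in value.split())

def workflow_event(workflow: str, event: str, level: int = logging.INFO, **fields) -> str:
    """Emit one key=value line (workflow, event, extra fields) and return it for inspection."""
    line = " ".join([f"workflow={workflow}", f"event={event}"] + [f"{k}={v}" for k, v in fields.items()])
    logger.log(level, line)
    return line

# Constructed sample transactions; real ones would come from the Orchestrator queue.
SAMPLE_TRANSACTIONS = [
    {"id": "INV-2024-00123", "customer": "Jane Doe", "new_status": "approved"},
    {"id": "INV-2024-00124", "customer": "John Smith", "new_status": "rejected"},
]

def run_workflow(transactions: List[Dict[str, str]], workflow: str = "InvoiceProcessing") -> List[str]:
    """Log start/end, each transaction (anonymized) and the action applied to it."""
    lines = [workflow_event(workflow, "start", items=len(transactions))]
    for tx in transactions:
        lines.append(workflow_event(workflow, "transaction", id=mask_id(tx["id"]),
                                    customer=mask_name(tx["customer"])))
        lines.append(workflow_event(workflow, "action", level=TRACE, type="update",
                                    field="status", value=tx["new_status"]))
    lines.append(workflow_event(workflow, "end", processed=len(transactions)))
    return lines

if __name__ == "__main__":
    logging.basicConfig(level=TRACE, format="%(asctime)s %(levelname)s %(message)s")
    run_workflow(SAMPLE_TRANSACTIONS)
```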
Governance
The main governance key points are the following:
01 Defining and using a standard development framework template that suits the company's RPA area
02 Using a project management platform in order to track, trace and report projects' statuses effectively
03 Enforcing documented Sign-Offs for major project steps from the appropriate stakeholders (Business, Infrastructure, etc.) to have a clear view on collaboration/decision making (PDD, UAT, Deployment, Change Requests, etc.)
UiPath provides a powerful governance framework that makes RPA more secure. Using AutomationOps in your company, you can easily:
• Enforce your organization's rules and configurations for UiPath products using governance policies
• Manage content feeds by defining which sites and packages are trusted and can be safely used
SOX/Business Critical automations
An automation is labeled as SOX Compliance/Business Critical if it:
• Performs changes (edit/modify/insert/update) in sensitive production data (e.g., financial, sales reports)
• Collects PII data (Personally Identifiable Information)
• Requires more elevated permissions than a normal user (edit, admin roles)
• Is decided by the Business to be in scope for SOX (the relevant stakeholder confirms it is related to SOX Controls, e.g. Finance processes)
NOTE: currently this checklist only applies to Unattended processes, and by default Attended processes can be considered as "Non-business critical".
From an audit perspective, SOX automations must be documented and implemented in a more effective way:
• Infrastructure: it's recommended to use a dedicated tenant and robots (VMs).
• Documentation: based on the level of data sensitivity, all bot-related documents should be accessed only by privileged users.
• Development: bots should save the reports with the data before and after the automatic processing is finished; screenshots/evidence of the input information (date/filters used for the reports, queries, etc.); proper logging.
Secrets manager goal
Allow security and development teams to dynamically manage the applications' secrets required to access resources and services across hybrid and multi-cloud environments without impacting agility.
Privileged credentials are often called "SECRETS" and refer to a private piece of information that acts as a key to unlock protected resources or sensitive information in tools, databases, applications, containers, DevOps and cloud-native environments.
[Diagram: Human Access (1 person, 45 apps/tools) vs. Non-Human Access (workloads, service accounts) across Cloud, Hybrid Cloud, Data Center, Kubernetes, RPA, CI/CD, Scripts, Containers, Vulnerability Scanner and Home grown apps; examples named: SolarWinds, Octopus, Codecov, Uber]
Stuart McEntee, CISSP
CyberArk Secrets Manager Specialist
stuart.mcentee@cyberark.com
www.cyberark.com
SEC Ruling: https://www.sec.gov/news/press-release/2023-139
Identity - Zero Trust
Based On NIST SP 800-207: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
[Diagram: Access Request → Policy Enforcement Point → Access Enabled, with the Policy Decision Point (Policy Engine and Policy Administrator) governing the decision]
• Protect Subject Identities and Devices: People, Users, Devices
• Protect Identities within Resources: Applications, Systems, Data
• Protect Identities within the Zero Trust Network: Applications, Computer services, APIs
Secrets Management: Privilege Access Management (PAM) for Machine/Non-Human identities
Islands Of Security Create Challenges at Scale
[Diagram: native tool secrets stores, each its own island of security: Puppet Hiera, Chef Databags, Ansible Vault, AWS IAM / KMS, Microsoft Azure IAM / KMS, Google Cloud IAM / KMS, Docker Secrets, Kubernetes Secrets, OpenShift Secrets, UiPath Credential Store, .NET Config Files, J2EE Credential Store]
Native tool solutions for secrets create "Security Islands":
• Are you using open source or enterprise?
• How do you perform the following:
  • Password rotation?
  • Separation of Duties?
  • High Availability?
  • Database Configuration?
  • Change Management?
  • Scalability – Containers?
• How many Vaults across your enterprise?
• Audits?
Key Benefits
• Developers – Simplicity: native integrations simplify securing DevOps tools, CI/CD, ISV to zOS and everything in between.
• Security – Robust Security: centralized management, rotation, audit and strong authentication ensure workloads securely access secrets.
• Operations – Efficiency & Availability: architected to ensure secrets are always available when and where they are needed.
[Diagram: Secrets Hub]
Secrets Hub - AWS & Azure Native Secrets Stores (Google Future)
Security:
• Centralized management of secrets/visibility across the organization
• Enforce consistent policies across the organization to meet compliance and security standards
• Can enforce ad-hoc rotation in case of a security event
• Unified audit using SIEM
Developer/DevOps:
• Native cloud experience
• Enables the same cloud-native tools and workflows as before
• Secures the application without any impact on workflows
[Diagram: CyberArk PAM (self-hosted or Privilege Cloud) ↔ Secrets Hub ↔ AWS & Azure native secrets stores]
SECRETS MANAGER ALIGNMENT TO CYBERARK DIFFERENTIATORS
MOST COMPLETE & EXTENSIBLE IDENTITY SECURITY PLATFORM
• Manages secrets for apps, automation scripts, non-human identities AND human users
• Centralized secrets management
BROADEST INTEGRATION SUPPORT
• 200+ integrations with top DevOps tools, platforms and COTS apps
• Work with partners and open-source communities to certify and expand
IDENTITY SECURITY INNOVATOR
• Secrets rotation with zero downtime
• Zero/minimal code changes for devs, e.g., ASCP, Secretless
• Data segregation with centralized management
PROVEN EXPERTISE IN SECURING IDENTITY
• Entire company focused on security
• Expert in partnering with security teams
• Trusted by over half the Fortune 500
ARCHITECTED FOR THE MODERN ENTERPRISE
• High availability architecture
• High performance & scale - unique read-only follower architecture
• Innovative solutions for securing mission critical legacy apps