Transcription
ISSADEVELOPING AND CONNECTINGCYBERSECURITY LEADERS GLOBALLYRobotic Process AutomationMeets Identity and AccessManagementBy Maria Schuett – ISSA member, Minnesota ChapterThis article describes a way to manage and secure software robots by extending identity andaccess management (IAM) capabilities and establishing a foundation from which the organizationcan effectively evolve and sustain Robotic Process Automation.AbstractIn order for an organization to gain the anticipated benefitsfrom Robotic Process Automation (RPA), it is important torealize that its adoption can bring challenges when key operational security management practices are less than optimal.Since software robots can take over repetitive manual tasksthat humans perform, it is necessary to expand the management of digital identities to include RPA robots. This articlewill articulate the essential steps to help build a secure foundation for RPA robots. Within the context of this article, RPArobots and software robots are synonymous.RPA adoptionThe evolution of technology overshadows the capabilities of organizations to sustain effective managementof digital identities. “Digital identity is the data thatuniquely describes a person or a thing and contains information about the subject’s relationships” [4]. A key initiativethat strengthens business process capabilities centers on automation. “Robotic process automation (RPA), sometimescalled smart automation or intelligent automation refers toadvanced technologies that can be programmed to perform aseries of tasks that previously required human intervention”[5].Common to RPA products are three components: Developertools, robot controller, and software robots. All three components collectively enable process automation. “Softwarerobots (also known as “clients” or “agents”) carry out instructions and interact directly with business applications to process transactions” [8]. The use of software robots to impersonate, replace, or augment repeatable processes performedby humans cannot be excluded from the digital identity man22 – ISSA Journal July 2019agement realm. When implementing RPA, organizationsmight find that: Current identity and access management capabilities dowell with managing users and resources but not with software robots, which require accountability of the processowner utilizing a software robot, as well as the approvalof the data owner allowing a software robot to access data. Management of software robots may become decentralized when accommodating various RPA initiatives. Lack of standards and patterns for access rights of RPArobots can result in lack of visibility and auditability.To put things into perspective, software robots can be deployed as attended and unattended: “Attended robots complement tasks that cannot be automated end-to-end” [7]. “Attended robots share a runtime environment with a human.These robots augment their human operator and are oftentriggered by local user activity or, less frequently, scheduledtasks” [6].In comparison, “unattended RPA robots execute tasks andinteract with applications independent of human involvement” [7]. Furthermore, “unattended robots have a dedicated, isolated runtime environment that is separate from allhuman operators. These robots are triggered by schedules orremote activity—either through an API or some observableevent like the creation of a file in a directory or the arrival ofan email into an account monitored by the robot” [6].Unattended robots use artificial intelligence (AI) and therefore have cognitive capabilities. “RPA is a software robotthat mimics human actions, whereas AI is the simulation ofhuman intelligence by machines” [2]. Cognitive automationcapabilities for unattended robots include natural language 2019 ISSA www.issa.org editor@issa.org All rights reserved.
Robotic Process Automation Meets Identity and Access Management Maria Schuettprocessing (NLP), optical character recognition (OCR), andmachine learning (ML) [1]. To clarify, “RPA is associated withdoing whereas AI and ML are concerned with thinking andlearning respectively” [2].RPA implementations may seem easy at first but can becomeunmanageable as the demand for their use continues to grow.“The robotic process automation market is expected to growat approximately USD 2,700 million by 2023, at 29% of CAGRbetween 2017 and 2023” [9].This article will describe practical steps for building a securefoundation for RPA robots. A sensible approach starts longbefore product selection. Business process automation withRPA necessitates the following initiatives: Evaluation of business processes Establish RPA robot life cycle and governance RPA adaptionEvaluation of business processesBusiness process management (BPM) is a discipline thathelps organization gain efficiency and value. Business processanalysis (BPA) and RPA are tools that help refine processes.To help organizations, the Object Management Group hasdeveloped a standard business process model and notation(BPMN). “The primary goal of BPMN is to provide a notationthat is readily understandable by all business users, from thebusiness analysts that create the initial drafts of the processes,to the technical developers responsible for implementing thetechnology that will perform those processes, and finally, tothe business people who will manage and monitor those processes. BPMN has become the de-facto standard for businessprocesses diagrams. BPMN creates a standardized bridge forthe gap between the business process design and process implementation” [10].Business processes incorporate many activities that fulfillmany objectives. The reason for business process analysisis to gain visibility and understanding of current processes.Business processes include manual processes and work flowstriggered by pre-configured events. The underlying objectiveis to determine which areas involve numerous manual processes executed by humans. For instance, within the contextof identity and access management (IAM), the life cycle of anemployee includes events like onboarding, promotion, leaveof absence, etc. Any of these events trigger business processes,which include work flows and repeatable manual processes.The idea is to dissect a business process to identify the manual processes that humans perform. A practical approach isto focus the discovery of business processes in key areas likeHR, IT service management, and vendor management. Eachof these areas has diverse business processes to meet deliverables and service level agreements within the enterprise.Process discovery along with BPMN will uncover simple,straightforward processes versus complex ones. Note, thediscovery may present challenges because, “business-processowners have no incentive to automate themselves or theirstaffs out of jobs” [9]. To ensure objectivity, business processevaluation can be more productive if facilitated by a thirdparty in collaboration with process owners.The outcome of the business process evaluation will at least:1. Measure the organization’s readiness for RPA adoption.2. Identify the top manual processes that can benefit from RPA,realizing that not all processes can be enhanced by RPA.3. Identify the manual processes that access sensitive andconfidential data.4. Differentiate between manual processes that need AI/cognitive robots versus non-cognitive RPA robots.The ISSA Journal on the Go!Have you explored the versions for phones and tablets?Go to the Journal home page and choose “ePub” or ”Mobi.”Mobile Device ePubs ePubs are scalableto any size device:iPad/tablet providean excellent userexperience You’ll need anePub reader suchas iBooks for iOSdevicesiPad/tabletiPhoneNOTE: choose ePub for Android & iOS; Mobi for KindlesTake them with you and readanywhere, anytime 2019 ISSA www.issa.org editor@issa.org All rights reserved.July 2019 ISSA Journal – 23
Robotic Process Automation Meets Identity and Access Management Maria Schuett5. Develop use cases that span across multiple disciplines(IT, Security, HR, Operations, etc.).Determining readiness takes into consideration the organization’s receptiveness to culture change due to technology;competency of management to support infrastructure changes; and lessons learned from past initiatives. Socializing thepurpose and benefits of RPA long before implementation willeducate the workforce and set the stage for a successful implementation.To help achieve the described outcomes, the following tablecan be used to document the findings and manual processesthat potentially can utilize RPA.INFORMATIONRATIONALEProcess nameA unique name for the manual processProcess ownerThe owner of the manual process is responsible forknowing how the process works and access rightsrequired.DescriptionProvides detailed information about the action,intent, or outcome of the manual processSourceWhere the information comes fromDestinationWhere the information is goingIs the data structured?(e.g., spreadsheets,database, LDAP)This means that the data is organized in a structured manner and can be consistently accessed bya human and an RPA robot.Is the data unstructured? (e.g., imagefiles, Word documents, PDF files)This means that the data cannot consistentlybe accessed by an RPA robot because it requiresknowledge that only the human can provide. Acognitive RPA robot may be a good alternative.Rules-based actionThe task is straightforward, repeatable, and basedon rules. A software robot can perform this task.Knowledge-basedactionThe task is strictly based on human knowledge. Forinstance, an aggregate of information from varioussources may be required. A cognitive RPA robot is agood alternative.Does the operatorrequire authentication?If the human is required to authenticate to executethe manual process, then the software robot willneed to authenticate as well.Does the operatorrequire authorization?If the human is required to have certain accessrights or entitlements to execute the manualprocess, so does the software robot.Group membership-based authorizationDoes the execution of the manual process requirethe human to be authorized based on group membership? How will group membership be managedfor an RPA robot?Role-based accesscontrolDoes the execution of the manual process requirethe human to be authorized based on roles? If so,role assignment is necessary for the RPA robot.Is the manual processworking effectivelywith consistentoutcomes?If so, then this process will potentially benefit fromRPA. If not, then the manual process is not ready forautomation. The information in here is helpful indetermining the organization’s readiness for RPA.24 – ISSA Journal July 2019What value is RPAgoing to provide thebusiness unit?This is important for metrics purposes. Devise away to measure quality and response time prior toRPA implementation and after implementation todetermine positive or negative effects. The use ofBPMN can provide insights.The idea is that by the end of business process evaluation,there is knowledge of the stakeholders, a diverse set of usecases to be tested during the proof-of-concept phase, and anoverall understanding of the requirements needed for a potential request for proposal (RFP) from RPA vendors.The following sections describe the groundwork for integrating software robot digital identity management into the enterprise IAM program.Establish RPA robot life cycle and governanceComplementing business processes with RPA results in business process agility and efficiency. It enables resources to focus on other initiatives. RPA implementation can increaserapidly as soon as the benefits are realized. Therefore, a wellplanned approach with a security posture that provides visibility to all aspects of RPA robots’ entitlements and activitiesis needed.The adoption of RPA greatly relies on the support systembuilt around it. The support system includes the followingIAM capabilities: Identification Authentication and authorization GovernanceIdentificationFrom an IAM perspective, an employee can be identified bya unique identifier (i.e., employee ID) that is generated fromthe HR system. HR is the authoritative source of record foremployees. An employee can be given an account in numerous resources (e.g., email, database, app1, app2, SaaS1, SaaS2,etc.). The common thread in all of the employee’s accountsin various resources is the unique identifier, which links allthe accounts back to the employee’s identity record. Case inpoint, one may be able to see all IAM-connected resourcesprovisioned to this employee so that when there is a need toaudit, modify, or de-provision, it is a straightforward task.Conversely, an RPA robot needs to be identifiable becauseits actions need to be trackable and auditable by the organization. The RPA robot’s identity needs to be maintained ina source of record. The purpose of maintaining a source ofrecord is to ensure that all robots are centrally on-boardedand off-boarded when no longer in use. A commercial offthe-shelf (COTS) RPA product may have its own source ofrecord for its own robots. However, if there is more than oneRPA product deployed, there needs to be a centralized sourceof record for all robots from all RPA products in the organization.Can an RPA robot own many accounts where each accounthas a unique purpose on each system? Alternatively, should a 2019 ISSA www.issa.org editor@issa.org All rights reserved.
Robotic Process Automation Meets Identity and Access Management Maria Schuettrobot only have one account for one purpose on one system?It is possible to implement both use cases depending on theobjective. The point is, a robot should have its own uniqueidentifier that links its account or all of its accounts back toitself for accurate identification.What would comprise a robot’s identity record? The following is a partial list of how a robot’s identity record might lookin the authoritative source of record.RPA ROBOTIDENTITYRECORDVALUERobot uniqueidentifierFor a person, it’s usually the employee ID; similarly, a robotshould have one (e.g., 30012)Robot givennameA unique identity policy for a non-human, a non-identifying name would be secure (e.g., RB0145)Robot point oforiginVendor it came from (e.g., Automation Anywhere, BluePrism, etc.)ISSA Journal 2019 CalendarPast Issues – digital versions: click the download link:JANUARYBest of 2018FEBRUARYLegal & Public PolicyMARCHCloudSeparate from a robot source of record ought to be a databasethat will maintain a record of all operational functions, asdepicted by the following table.RPA ROBOTENTITLEMENT RECORDVALUERobot unique identifierTaken from the RPA robot source of recordRobot point of origin(e.g., Automation Anywhere, Blue Prism,UiPath, etc.)Robot given nameA unique nameRPA robot ownerThe owner will periodically certify the robot’saccess rights and entitlements in one or morethan one resource to be accessed by the robot.Ensure there is segregation of duties in all of therobot’s entitlements.APRILInfosec BasicsMAYRPA robot account nameRPA robot’s account nameRobot authenticationmethodSpecify the authentication method used toexecute the taskResourceWhat does this robot access (e.g., databasename)Resource/data ownerWho owns the resource or data that the robotaccessesRPA robot’s roleA role specific to the robot’s jobRole entitlementsDerived from the role (e.g., read/write todatabase)Authentication and authorizationCryptographyJUNEPrivacyJULYInternet of ThingsAUGUSTThe ToolboxEditorial Deadline 7/1/19SEPTEMBERInformation Security StandardsEditorial Deadline 8/1/19OCTOBERThe Business Side of SecurityEditorial Deadline 9/1/19NOVEMBERSecurity DevOpsEditorial Deadline 10/1/19DECEMBERLooking ForwardThere are numerous authentication methods for humansbut limited for RPA robots. For instance, a human can utilize biometric authentication, while an RPA robot cannot. Sodepending on the RPA product, authentication methods canutilize NT LAN Manager (NTLM) and Kerberos. Some vendors can access third-party systems via SOAP web servicesAPIs. Various authentication schemes for REST API calls in-Editorial Deadline 11/1/19If you have an infosec topic that does not align with themonthly themes, please submit. All articles will be considered.For theme descriptions, visit www.issa.org/?CallforArticles.EDITOR@ISSA.ORG WWW.ISSA.ORG 2019 ISSA www.issa.org editor@issa.org All rights reserved.July 2019 ISSA Journal – 25
Robotic Process Automation Meets Identity and Access Management Maria Schuettcluding OAuth 2.0 and JSON Web Tokens [6]. For use casesinvolving software robots’ access to external resources (i.e.,IaaS, PaaS, and SaaS) federated single sign-on using SecurityAssertion Markup Language (SAML) is an option but shouldbe complemented with a second factor of authentication.Unlike humans, not all RPA robots may need to authenticate.For instance, an attended software robot may not need to authenticate since a human is part of the work flow. In this usecase, the assurance level relies on the human, as being authenticated and authorized, to trigger the RPA robot to performa task. In comparison, an unattended RPA robot needs to establish trust by asserting its identity and therefore authenticates, especially if it is expected to interact with applicationsto execute a task without human assistance. From a COTSproduct perspective, the opportunity to test and understandvarious authentication methods through a proof-of-conceptis significant to the design of RPA architecture.Authorization incorporates static and dynamic access capabilities. Role-based access control is static and pre-defined foreach user. Attribute-based access control is dynamic as policy or attribute decisions are granted in real time. As always,granting access to a software robot requires these questionsto be answered.1.Which robot needs to access the resource?2.What type of access does the robot need? The answer canbe derived from the robot’s role.3.Which resource is going to be accessed by the robot?4.When does the robot access the resource?ISSA International SeriesSecurity Standards Organizations:The Good, the Bad, and the Ugly120-minute Live Event: Tuesday, July 23, 20199 a.m. US-Pacific/ 12 p.m. US-Eastern/ 5 p.m. LondonThis session covers the evolution of a number oftechnologies to address the evolving threat models.Changes to the SOC and response technologies will beincluded. CLICK HERE TO REGISTER.For more information on these or other webinars:ISSA.org Events Web Conferences26 – ISSA Journal July 2019Active Directory (AD) group membership, role-based accesscontrol (RBAC), or attribute-based access control (ABAC) areways to authorize access to a resource. It may be practical tostart with RBAC as an authorization method for RPA robots.One can create roles and assign entitlements to each role sothat when it is time to create an account for a robot, role assignment can be precise and transparent.Apart from authentication and authorization is session management. Enabling the software robot to only login as neededand logout upon task completion can ease the management ofsession timeouts. Alternatively, when a software robot’s session has timed out, it can be indicative of an issue.To summarize, a sensible approach is to require RPA robotauthentication and authorization based on operational risk.The classification of data (i.e., public, internal, confidential,restricted) helps gauge the operational risk level (e.g., low,medium, high). For instance, contextual access managementis an approach that is applicable to controlling the accessrights of an RPA robot when the operational risk level is high.Specifically, the use of ABAC can provide fine-grained accesscontrol (i.e., contextual) for managing an RPA robot’s accessrights when the risk level is high.GovernanceTo reflect, current IAM capabilities do well with managingusers and resources but not with RPA robots, which requireaccountability of the process owner utilizing RPA robot, aswell as, the approval of the data owner allowing the RPA robot to access data. To ensure separation of duties and leastprivilege, it is necessary to extend access governance capabilities to RPA robots.Implementing RPA necessitates assigning roles, via RBAC,to software robots to ensure separation of duties and leastprivilege, or ABAC where fine-grained access is required.Governance becomes effective when certification is deployed.Access certification involves process owners and data ownersto validate the current roles and entitlements assigned to eachRPA robot. For instance, based on operational risk, it may benecessary to run certification every quarter to ensure that therobot is functioning as designed, access to data is still justified, and the data it accesses has not changed in classification(e.g., internal to restricted). On the other hand, if an application is decommissioned, de-provisioning the RPA robotassociated with the application is required. Governance is away to manage RPA robot life cycle and ensure compliance toregulations and standards.RPA adaptionAdaption is about making changes in the organization in order to transform itself, to enable adoption of new methodsand technologies (e.g., RPA, IoT, blockchain). RPA implementations can become unmanageable as the demand foruse accelerates. To manage security and operational risks, itmakes sense to centralize the management of all RPA robots.Centralized management can progress into the establishment 2019 ISSA www.issa.org editor@issa.org All rights reserved.
Robotic Process Automation Meets Identity and Access Management Maria SchuettFigure 1 – Using RPA to expedite processesof RPA-as-a-service to prevent silos of RPA solutions and deployments. This results in effective identification, authentication, authorization, and governance of all software robots.Apart from centralizing RPA management is the appropriateadministration and control of privileged accounts assignedto software robots. Privileged accounts should be protectedfrom internal and external threats. One way to protect theRPA robot’s privilege account is to leverage an enterprisecredential vault (e.g., CyberArk). This creates a secure wayof handling credentials by not having to know the passwordand provides a consistent process of retrieving the credentialsonly when needed.Extending logging and monitoring capabilities to includeRPA robots is necessary. The ability to detect, track, and remediate incidents requires insight and monitoring all RPAactivities.The enterprise security policy represents the strategic philosophy of an organization. It incorporates standards, guidelines,and procedure to help organizations comply with mandatedregulations and standards. Therefore, when the organizationadopts new technologies, ensuring that information securitypolicies adapt to change is desirable. For instance, the identity, authentication, and authorization policies should be adjusted to include RPA robots. It is a way to rationalize currentpractices of securing and operationalizing RPA robots.Adaption means incorporating ways to measure the benefits of RPA to see if objectives are achieved. Figure 1 depictson-boarding consisting of automated and manual processes.RPA robots can replace manual processes by provisioning thenon-connected hardware resources. Non-connected hardware resources are not managed by the IAM system so thereis no automation. The second example shows RPA acquiringinformation from a SaaS application through an API and saving it to the database. The integration of RPA robots shouldimprove the overall service level.Devising a way to measure the benefits of RPA is a way toanalyze return on investment. On the other hand, realizingthat RPA may not be a good solution is just as important, forinstance if it causes more problems or requires a myriad ofhuman intervention.ConclusionExecuting the strategic initiatives described in this articleprepares the organization for RPA adoption. Business processevaluation promotes discovery of current business processes, as well as measures the organization’s readiness for RPA.Determining readiness takes into consideration the organization’s receptiveness to culture change due to technology,competency of management to support infrastructure changes, and lessons learned from past initiatives. Socializing the 2019 ISSA www.issa.org editor@issa.org All rights reserved.July 2019 ISSA Journal – 27
Robotic Process Automation Meets Identity and Access Management Maria Schuettpurpose and benefits of RPA long before implementation willeducate the workforce and set the stage for a successful implementation.6. Gartner, “RPA Deployment Models” – https://www.gartner.com/document/3902370?ref solrAll&refval 223710411&qid 0d3abf6fbc1a2b4c4a98b8c8a6.Enhancing current IAM practices to include software robotsis key to managing digital identities while ensuring alignment with business drivers. Identification and governanceare IAM capabilities applicable to all digital identities (e.g.,humans, IoT, and software robots). Requiring robot authentication and authorization based on operational risk is a sensible approach. Centralizing the management of robots helpsthe organization achieve RPA growth appropriately withoutcreating silos that can be a catalyst to disjointed processesand risky practices. Overall, building a secure foundation byextending the IAM program to adapt and evolve RPA is keyfor an organization willing to thrive in the benefits of RPA.7.References1. AI Multiple, “Guide to Cognitive Automation, RPA’s Future[2019 update]” – 2. CFB Bots, “The Difference between Robotic Process Automation and Artificial Intelligence,” Medium (April 20,2018) – https://medium.com/@cfb tion-and-artificial-intelligence-4a71b4834788.3. DeBrusk, C., “Five Robotic Process Automation Risksto Avoid,” MIT Sloan (October 24, 2017) – rocess-automation-risks-to-avoid/.4. IGI Global, “What is Digital Identity” – tity/7638.5. Gartner, “Manage Robotic Process Automation” – process-automation.Leibowitz, S. and Kakhandiki, A., “What’s the Differencebetween ‘attended’ and “unattended’ RPA Bots?” IBM (November 19, 2018) – 19/attended-unattended-rpa-bots/.8. Lowes, P., “An Introduction to Robotic Process Automation,” The Wall Street Journal – ction-to-robotic-process-automation/.9.Market Research Future, “Robotic Process Automation(RPA) Market Research Report – Forecast 2023” – ic-process-automation-market-2209.10. OMG, “Business Process Model and Notation (BPMN),”Object Management Group – https://www.omg.org/spec/BPMN/2.0.2/PDF.About the AuthorMaria Schuett, CRISC, GLEG, is an information security architect and advisor. Maria hasover 20 years of experience in informationtechnology and security in the identity andaccess governance space. Maria has deliveredsolutions in the education, state government,health care, and financial industries. She haswritten and presented topics regarding identity and access management, authentication and authorization, single sign-on, privileged access management, and cloudsecurity. She may be reached at mariaschuett@gmail.com.Click here for On-Demand Conferenceswww.issa.org/?OnDemandWebConfPrivacy- GDPR a Year LaterPractical Advice for the Proactive SOC: How toEscape The Vicious Cycle of ReactRecorded Live: June 25, 2019Passwordless AuthenticationRecorded Live: April 17, 2019Recorded Live: une 12, 2019Security-as-a-Service for Small andMedium-Sized BusinessesHigh Assurance Digital Identity in Zero TrustArchitectureRecorded Live: April 10, 2019Recorded Live: June 5, 2019Threat Detection - Trends and TechnologyRecorded Live: May 28, 2019Your Hygiene is Showing-Improving Risk PostureRecorded Live: May 22, 2019Zero Trust – The Evolution of Perimeter SecurityUp Up and Away: Why The Modern SOC is Rooted inthe CloudBreach Report - Review the Various Breach ReportsDevOps/AppSec the State of the WorldBreach Response – Humans in SecurityWhat is a CASB and Why Do You Need It?Recorded Live: May 15, 2019Recorded Live: April 23, 2019Recorded Live: March 26, 2019Recorded Live: March 20, 2019Recorded Live: March 13, 2019Recorded Live: February 26, 2019A WEALTH OF RESOURCES FOR THE INFORMATION SECURITY PROFESSIONAL28 – ISSA Journal July 2019 2019 ISSA www.issa.org editor@issa.org All rights reserved.
tential request for proposal (RFP) from RPA vendors. The following sections describe the groundwork for integrat-ing software robot digital identity management into the en-terprise IAM program. Establish RPA robot life cycle and governance Complementing business processes with RPA results in busi - ness process agility and efficiency.
