
RPA Security Framework and Risks


VIEW POINT

SECURITY CONSIDERATIONS IN ROBOTIC PROCESS AUTOMATION

Abstract
Robotic process automation (RPA) is delivering greater process
efficiency, accuracy and integrity, helping organizations slash cost
and effort while boosting productivity. However, in its current
state, there are limitations to how much RPA software can mimic
human actions, particularly when it comes to security and handling
sensitive data. This paper examines how RPA may increase the risk
exposure for organizations. It also discusses some key considerations
to ensure enterprise and data security when adopting RPA.

The value of RPA
Over the past few years, robotic process automation (RPA) has become a popular technology due to its ability to automate repetitive and high-volume tasks in order to reduce manual effort, eliminate error and improve process productivity. With RPA, software bots can mimic human actions such as logging into various applications/systems and navigating through user interfaces to perform tasks such as creating tickets and downloading data. Bots can also provision and deprovision user access and respond to customer queries.

RPA is versatile and flexible, allowing it to integrate easily with existing processes. It helps reduce cost, maintain consistent quality, improve delivery timelines, and enhance the customer experience.

Higher operational efficiency
• Error reduction
• Uniform behavior
• Effort savings
• Balanced variance

Improved compliance
• Audit logs
• Transaction trails
• Status tracking
• Single service account rather than multiple accounts

Lower risk
• Reduction in administrative effort
• User ID details not visible to front end
• Lower access level to administration

Security challenges with RPA


Organizations looking to implement RPA should be aware of the security-related challenges. These include:

• Need to maintain audit logs – Audit logs capture bot activity. These are important to track bot health and effectiveness. For instance, if a bot stops working, the audit log helps identify the underlying reason, whether it is improper use by an employee or malicious code
• Lack of bot password management – In the case of human users, passwords are confidential and can be reset regularly to prevent unauthorized access. However, this cannot be implemented for bots due to the lack of proper tools
• Need for constant supervision – Bots need to be periodically monitored at various levels to ensure they do not misbehave, which can lead to high error rates and potential damage
• Ineffective bots – In some cases, bots may not perform as intended due to erroneous coding or inadequate testing. This will result in issues and errors during go-live
• Data misuse – For some processes like payroll management and file transfer, bots require access to private information such as passwords, addresses, credit card numbers, etc., of employees, clients and vendors. The challenge here is ensuring that corporate as well as personal data remains confidential and is not misused

External Document © 2020 Infosys Limited


Security risks with RPA

Higher operational efficiency
• Bot audits
• Lines of defense
• Risk controls
• Internal audits

Business and technical exceptions
• Runtime inspection/tracing
• System exceptions and data validation
• Data security and encryption

Identity and privileges
• Generic IDs
• Privilege escalation
• Unauthorized access
• Password vault

Logging and monitoring
• Full audit trails
• Human controls
• Operational state
• Self-healing
• Incident management

New attack surface – RPA creates a dangerous new attack surface that has multiple layers including robust web, API and data exchange layers

SAP automation – RPA can be very effective for complex SAP ERP systems. However, it increases the business risks, which can result in penalties from regulatory authorities

Automation/orchestration hijacking – Frameworks that are compromised by attackers can be used for malicious purposes like in the case of Kubernetes, the world’s most popular cloud container orchestration system, that recently experienced its first major security vulnerability

• Higher risk exposure – The automation involved in RPA creates several layers such as the web, APIs and data exchange that are vulnerable to attacks
• Unsecure frameworks – The use of RPA frameworks can expose organizations to new types of cyber-threats
• Costs of non-compliance – Implementing RPA may increase business risk, leading to steep fines imposed by regulatory bodies for non-compliance or security breaches

In the hands of malicious users, RPA bots can be developed to breach an organization’s defenses and steal confidential data. Bots can be used to track the product listings of competitors, which constitutes data theft. They can be programmed to steal content to outrank authentic results on a search engine’s pages. For organizations that have invested significantly in developing original content for their websites, such attacks can devalue their web presence and even lead to revenue loss. Bots can also be used to spam community forums with invasive advertisements and create wrongful impressions on mobile applications through fake advertisements.

Mitigating security risk in RPA


• Conduct regular audits and periodic risk assessments – Implement proper controls to monitor RPA activities and ensure that all bots are operating within the defined set of rules. This RPA log should be reviewed regularly. Periodic risk assessment is also needed to track the emergence of new risks, check whether controls have lapsed and determine whether any robot should be retired
• Control access to the RPA environment – Organizations should be careful about how they grant access to analysts that work in RPA environments. For instance, personal IDs should never be used in RPA; instead it is preferable to use generic IDs
• Follow strict governance – Rules and controls must be defined clearly to ensure RPA security. The governance framework should include detailed standards, business justification and development standards
• Use a password vault – Password vaults allow RPA teams to store all the passwords in a single repository without compromising security
• Choose the right RPA candidates – Organizations should leverage a best practice based assessment approach to identify the right candidates for RPA. For instance, the assessment approach should delineate the current risks and complexity within the existing processes
• Implement robust change management – A structured change management process is crucial to ensure accountability and auditing of RPA implementation. This should define who is responsible for executing changes, assessing risk, reviewing performance, providing approvals, running back-ups of prior versions, and sending notifications to the user community
• Ensure process continuity – A clear business continuity plan must be created that outlines the back-up procedures and information sources needed to perform each task. An internal audit team should check whether the business continuity plan documents have the details such as how each process/activity will be resumed in case of failure.

Apart from the above steps, organizations should ensure that bots comply with the organization’s standards and security controls. To this end, bot monitoring and error handling should be automated steps so that malware is identified and remediated early on. The code created by RPA developers should be reviewed thoroughly to prevent breaches or errors. Finally, all bot activities and changes should be versioned and validated to provide an audit trail for compliance.
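
The following is an added example, not part of the original paper, of the regular log review described under "Conduct regular audits" and "Control access to the RPA environment": it checks bot audit records against each bot's defined rules and flags bots to review for retirement. The CSV log layout, the bot names, the `svc-` prefix for generic IDs and the 30-day idle threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample audit log (assumed layout: time, bot, run-as ID, application, action).
SAMPLE_LOG = """\
2020-03-02T09:00:00,invoice-bot,svc-invoice,SAP,post_invoice
2020-03-02T09:05:00,invoice-bot,svc-invoice,HRPortal,download_payroll
2020-03-02T09:10:00,ticket-bot,jsmith,ServiceDesk,create_ticket
2020-03-02T09:15:00,access-bot,svc-access,ActiveDirectory,provision_user
2020-01-10T08:00:00,legacy-bot,svc-legacy,FileShare,transfer_file
"""

# Assumed rule set: the applications each bot is approved to touch.
BOT_RULES = {
    "invoice-bot": {"SAP"},
    "ticket-bot": {"ServiceDesk"},
    "access-bot": {"ActiveDirectory"},
    "legacy-bot": {"FileShare"},
}
GENERIC_ID_PREFIX = "svc-"         # assumed naming convention for generic IDs
RETIRE_AFTER = timedelta(days=30)  # assumed idle threshold for a retirement review


def review_log(log_text, rules, as_of):
    """Return (findings, retirement_candidates) for one audit log."""
    findings, last_seen = [], {}
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, bot, run_as, app, _action = row
        when = datetime.fromisoformat(ts)
        last_seen[bot] = max(when, last_seen.get(bot, when))
        if bot not in rules:
            findings.append((ts, bot, "unregistered bot"))
            continue
        if not run_as.startswith(GENERIC_ID_PREFIX):
            findings.append((ts, bot, f"personal ID in use: {run_as}"))
        if app not in rules[bot]:
            findings.append((ts, bot, f"application outside defined rules: {app}"))
    # Registered bots with no recent activity are candidates for retirement.
    idle = sorted(b for b in rules
                  if as_of - last_seen.get(b, datetime.min) > RETIRE_AFTER)
    return findings, idle


if __name__ == "__main__":
    found, idle_bots = review_log(SAMPLE_LOG, BOT_RULES, datetime(2020, 3, 3))
    for item in found:
        print("FINDING", *item)
    print("Review for retirement:", idle_bots)
```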

Conclusion
Organizations adopting RPA to improve productivity
should plan their implementations carefully to protect
themselves from security breaches. RPA creates new
application layers that are vulnerable to risk. Moreover,
without constant supervision, bots may fail to work
effectively, causing issues, errors and potential damage.
Since bots may need access to private information, it is
imperative for organizations to institute the right security
measures. Some of these measures include creating
governance frameworks, audit logs, password vaults, and
version controls. Establishing these processes will allow
RPA to handle security risks by itself, thereby ensuring
optimal bot performance and reduced business risk.

About the Author


Kanchana comes with over 10 years of IT experience in the IDAM, Auditing and Automation domain. In addition to these, Kanchana has been a subject matter expert in the UAM projects. She has also been involved in project recovery, transition, a few of the presales activities, and internal audits. In the current role, Kanchana is responsible for automation rollouts in projects across cybersecurity towers and standardization initiatives.

For more information, contact askus@[Link]

© 2020 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys
acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this
documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the
prior permission of Infosys Limited and/ or any named intellectual property rights holders under this document.
