Skip to Main Content

The Bots Have Arrived

A quick scan of the headlines this month show lots of chatter about ‘what’s next’ for those of us in security and identity as 2019 quickly approaches. That chatter has certainly picked up the pace from the show floor and in and around various sessions this week at the Gartner IAM Summit in Las Vegas this week.

One trend we’ve explored in many of our conversations with customers recently is the impact that new technologies like Robotic Process Automation (RPA) is having on their IT ecosystem. The fact is, software bots powered by RPA can be invaluable in helping companies to drive business efficiency. But what does the introduction of bots into the broader user population mean for identity programs today? For example, given that software bots are being employed to tackle a mix of simple tasks (like booking employee travel or chatting with customers) as well as more detailed tasks that involve accessing sensitive data and applications (like automating claims processing or monitoring and reporting on operational processes in oil and gas or mining facilities), how are organizations managing that access? Or are they?

Curious about how companies are (or are not) embracing software bots in their organization, we took an informal poll at the Gartner show this week. The results make it clear that yes, the bots are not only coming, but they are already here. 70% of those we polled already use software bots to drive business efficiencies. So, while there may be a lot of chatter about the impact that software bots ‘will’ have on organizations of all sizes – what IT leaders need to realize (and quickly) is that the bots are already here. The troubling part of our poll was that only 5% are governing their access as part of their existing identity governance program today.

This presents a very clear and concerning new area of exposure for organizations. Because these software bots are accessing sensitive business data and applications as part of their workplace ‘duties,’ their user credentials are very much at risk for a hacker to compromise, just as much as their human counterparts’ user credentials already are. Clearly, the definition of a user has shifted to include both human and non-human users and identity programs need to keep pace. Fortunately for IT leaders, because software bots act like a human user in how they interact with business applications and data, they can be governed the same way. The key is having visibility into this new user type and then putting the right governance policies in place around what they can and cannot access.

As we close out 2018 and head full steam ahead into 2019, organizations of all sizes need to take a hard look at their identity programs to ensure that they are taking a comprehensive approach to governing all of their digital identities and their access. This is the only way to continue embracing new technologies (like RPA and a slew of others to come), without introducing new areas of risk to the organization.


Discussion