To advance their digital transformation efforts, most enterprises are increasingly turning to robotic process automation (RPA) and software bots to automate any cumbersome and costly manual processes they may still have in place. While the benefits of RPA and software bots are high, they don’t come without potential danger. These bots, if not managed properly, can open enterprises to increased security and regulatory compliance risks.
It will be those organizations that can effectively govern software-bot security that will not only mitigate these risks, but also reap the greatest benefits from robotic process automation. Count this national bank in that group. The bank, one of the nation’s largest, recently embarked on its own effort to increase its level of automation, including robotic process automation, while also focusing on minimizing risk. It has more than $150 billion in assets and more than 1,100 branches, and it provides a range of retail and commercial banking products and services to customers of all sizes.
As the bank’s identity team began their work toward governing software bots, they first had to get a clear understanding of the landscape.
Establishing the baseline
When enterprises begin to more formally secure and govern their automation efforts, one of the first things they realize is the complexity of their web of service accounts (those accounts dedicated to changing system settings or configurations). “When you automate, one of the first things you recognize is that you don’t have one service account per RPA, but you have many service accounts across multiple systems. You need to evaluate each of these accounts to determine the nature of its processes and the associated risks,” said this identity and access management executive at the bank.
The impact RPA and software bots have on an organization is multifaceted. While the effort requires software bots themselves to be properly secured and managed, automation can also help improve security. “The impact of RPA and software bots on identity management is truly multifaceted. One of the most important is identity governance,” he said. “We need to be able to govern nonhuman identities in a way that enables the business, but at the same time doesn’t sacrifice security,” the executive said.
Likewise, bots can be used to increase the efficiency of identity management efforts, especially when it comes to application provisioning. “We have 600 applications; only a subset of those are in some way integrated into our directory. Entitlements are used for authentication in most cases, and in some cases for both authentication and authorization. There’s a lot of room for automation and improved efficiency here,” he said.
To improve automation and reduce unnecessary manual processes, the identity team examined how they could automate provisioning throughout the bank. One of the first steps was to evaluate the nature of their applications, the business risk, the associated provisioning workflows, and the ease of Active Directory integration. Applications that made sense from a business-risk perspective and that could be automated in a simple fashion would be automated first. “We started working with those applications that had a very straightforward implementation path, and would work down through the more challenging applications and workflows from there,” said the executive.
As it turned out, the majority of the bank’s applications did not meet the criteria under which they could easily integrate and be automatically provisioned. “We were left with a considerable number of applications that could not be auto-provisioned, and without RPA we would have to manually provision those applications,” he said.
Fortunately, automating repetitive tasks typically performed by people is exactly what RPA and software bots are made for. But before moving forward, there were identity governance challenges ahead, and the team needed to make certain those challenges could be solved.
The road to RPA governance
The identity team identified two things they’d need to do to mitigate RPA and software bot risk. The first would be to create a third type of identity account in their organization—an RPA identity—and the second would be to assign an owner to manage that identity. “These nonhuman identities will have their own set of governable processes around them and we will attach the process owner to manage these identities,” he said.
Deciding who was best to own the management of that identity would be essential. It turned out that it wasn’t as straightforward as assigning ownership to an application owner, as robotic processes typically involve multiple applications. “There would have to be a process owner who could make identity and management decisions and partner with application owners as needed,” he said.
In many ways, these software bot identities act—and need to be managed—just like human identities. And they need the same governance and controls, including credential management. “These bots are going to have passwords and their credentials need to be managed. What we’re adding into our robotic identity workflow is an authoritative source seed so that the identity is properly created, managed, and retired,” he said.
To achieve this, the bank is relying on SailPoint IdentityIQ to manage access requests for RPA identities. As he explained, the process to grant requests and manage the RPA identity will essentially be the same as for human identities.
What that means for this bank is embedding the proper workflows into the software bot creation process. “For instance, the manager of the beneficiary of the bot access approves the access request, but there is also a second level of approval for the entitlement owner or application owner depending on the type of application. The key change is that at the end of the process there has to be a trigger so that someone is registered to that account, and that registration takes place in our privileged access management system,” he explained.
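The lifecycle the identity team describes (a distinct RPA identity that must have a process owner, a first approval by the beneficiary’s manager, a second approval by the entitlement owner or the application owner depending on the application type, and a trigger at the end that registers the account in the privileged access management system) can be sketched as a small workflow model. The following is an added example written for this page; it is not SailPoint IdentityIQ code and not the bank’s implementation, and every class and function name in it (RpaIdentity, AccessRequest, PamVault, fulfil, retire, orphaned_accounts) as well as the AppType split are assumptions.

```python
"""Illustrative model of the RPA identity governance workflow described above.

Added example for this page; not SailPoint IdentityIQ code and not the bank's
implementation. Every class, function and field name here is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class AppType(Enum):
    """Assumed split that decides who gives the second-level approval."""
    ENTITLEMENT_OWNED = "entitlement"
    APPLICATION_OWNED = "application"


@dataclass
class Application:
    name: str
    app_type: AppType
    entitlement_owner: str
    application_owner: str

    def second_approver(self) -> str:
        if self.app_type is AppType.ENTITLEMENT_OWNED:
            return self.entitlement_owner
        return self.application_owner


@dataclass
class RpaIdentity:
    """The third identity type: a nonhuman identity with a process owner."""
    bot_id: str
    beneficiary: str                 # human whose work the bot performs
    beneficiary_manager: str         # first-level approver
    process_owner: Optional[str]     # must be set before any access is granted
    status: str = "active"           # "active" or "retired"
    service_accounts: Dict[str, str] = field(default_factory=dict)  # app -> account


class PamVault:
    """Stand-in for the privileged access management system that receives the
    registration trigger at the end of the workflow (assumed interface)."""

    def __init__(self) -> None:
        self.registered: Dict[str, str] = {}  # account -> registered owner

    def register(self, account: str, owner: str) -> None:
        self.registered[account] = owner

    def revoke(self, account: str) -> None:
        self.registered.pop(account, None)


@dataclass
class AccessRequest:
    bot: RpaIdentity
    app: Application
    approvals: Set[str] = field(default_factory=set)


def required_approvers(req: AccessRequest) -> Set[str]:
    """Manager of the beneficiary plus the entitlement or application owner."""
    return {req.bot.beneficiary_manager, req.app.second_approver()}


def approve(req: AccessRequest, approver: str) -> None:
    if approver not in required_approvers(req):
        raise PermissionError(f"{approver} is not an approver for this request")
    req.approvals.add(approver)


def fulfil(req: AccessRequest, vault: PamVault) -> str:
    """Provision the service account only once every governance condition
    holds, then fire the PAM registration trigger."""
    if req.bot.status != "active":
        raise ValueError("cannot grant access to a retired RPA identity")
    if not req.bot.process_owner:
        raise ValueError("RPA identity has no process owner; request blocked")
    missing = required_approvers(req) - req.approvals
    if missing:
        raise ValueError(f"missing approvals: {sorted(missing)}")
    account = f"svc_{req.bot.bot_id}_{req.app.name}".lower()  # constructed naming scheme
    req.bot.service_accounts[req.app.name] = account
    vault.register(account, req.bot.process_owner)  # someone is now registered to the account
    return account


def retire(bot: RpaIdentity, vault: PamVault) -> None:
    """Retirement revokes every account the bot holds so nothing lingers in PAM."""
    for account in bot.service_accounts.values():
        vault.revoke(account)
    bot.status = "retired"


def orphaned_accounts(bots: List[RpaIdentity], vault: PamVault) -> List[str]:
    """Certification check: PAM-registered accounts whose bot has lost its
    owner, has been retired, or is unknown to identity governance."""
    owned: Dict[str, RpaIdentity] = {}
    for bot in bots:
        for account in bot.service_accounts.values():
            owned[account] = bot
    orphans = []
    for account in vault.registered:
        bot = owned.get(account)
        if bot is None or bot.status != "active" or not bot.process_owner:
            orphans.append(account)
    return sorted(orphans)
```

The two checks worth noting are the ones the executive singles out: `fulfil` refuses to provision when the RPA identity has no process owner, so a bot can never be created ownerless, and `orphaned_accounts` is the certification pass that catches accounts still registered in PAM after their bot was retired or lost its owner.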
With IdentityIQ, the bank can streamline how it governs bot identities and their associated access to enterprise applications and data through the enforcement of processes, such as the requesting, approving, and certifying of access.
To secure software bot access and the RPA processes that depend on it, enterprises need effective governance in place. “And it’s crucial to have everything in one place,” the executive said. “IdentityIQ provides us the ability for centralized governance and provisioning. And for the identity access management organization it’s become everything,” he said.
Just like this bank, more enterprises are turning to software bots and RPAs to run their businesses more rapidly and with increased agility. “Getting identity right is essential in this process. While these are not human identities, you still have to have identity governance in place. You still need someone who owns the process. Without all of this in place you really are automating blind,” he said.