Trust your bots: a "context-based" security approach
In my last post "Segregation of duties in RPA: Yes, but focus on the real risks", I emphasised the need to focus on the really big security/access risks that exist within your RPA processes and supporting technology. By implementing appropriate access controls at that level, you naturally mitigate most of the security/access risks in your back-end transactional systems and applications.
I depicted the following model to highlight 3 key controls that must be implemented in order to secure the RPA framework.
But is this enough?
Being a security person, I would be tempted to say no for 2 main reasons:
- Front-door security failure. There is a risk that the controls governing your RPA processes and platform(s) are not operating effectively, or stop doing so. Scaling RPA will drastically increase the speed and volume of changes. This will certainly put pressure on your security and compliance oversight functions to deliver at pace, leading to an increased risk of omissions or errors.
- Back-door security failure. There is a risk that access management is compromised in your back-end transactional systems (e.g. password-based attacks and exploits, misuse of bot accounts to run batch operations, etc.). An attacker could then use highly privileged bot accounts to perpetrate fraudulent activities.
So what can be done to raise the level of assurance and trust even further? The answer is...
Dynamic and context-aware bot access control
You must be saying that this is quite a long and over-engineered title! But please bear with me. I have decided to add a 3rd access control to my model, as shown below.
According to the National Institute of Standards and Technology (NIST), Attribute-Based Access Control (hereafter ABAC), also known as Context- or Policy-Based Access Control, is defined as "an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions".
This security model generally supports Boolean logic, in which rules contain "IF, THEN" statements about who is making the request, the resource, and the action. A very simple illustrative example: IF the user is a Bot, THEN do not allow read access to Sensitive Personal Information.
Although the concept itself existed for many years, ABAC is considered a "next generation" authorisation model because it provides dynamic and context-aware access control to resources, as opposed to the traditional Role-Based Access Control (RBAC).
- Why dynamic? Because it allows you to quickly recalibrate the level of access based on the level of trust.
- Why context-aware? Because the level of access is automatically adjusted according to the circumstances of the request.
There is no need to create a high volume of system-specific roles/permissions; you just modify the overarching policies.
In the context of RPA, bots are granted:
- An identity made of a wide range of attributes such as ID, Owner, Business Unit, etc.
- A set of roles/permissions allowing them to transact with back-end transactional systems and applications. As mentioned in my previous post, roles assigned to bots should have wide access in order to avoid the creation of a high volume of tailored roles that will ultimately increase maintenance costs.
OK, so that is a great way of securing bot access. But as I mentioned previously, what happens if your front-door and/or back-door security mechanisms fail? ABAC can save the day by enforcing additional policies based on the context of the bot interaction (such as time, location, device, etc.) in addition to the action and the content.
The picture below provides an overall overview.
Enabling ABAC requires dedicated data-centric and policy-driven security solutions in order to enable connectivity/ integration with transactional back-end systems and define/schedule preventative rules. As you can imagine, this
Below are 3 illustrative examples of policies/rules that can be applied to your bot accounts (just to show the art of the possible). Let your imagination take it from here!
Without any doubt, applying the ABAC model in a targeted way and in combination with RBAC can definitely increase the level of trust in your bot workforce.
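To make the "IF ... THEN" rules concrete, here is a small policy evaluator written as an added example for this post (it is not code from the post itself or from any RPA or ABAC product). A request carries the four NIST ABAC attribute sets (subject, action, object, environment), each policy is a predicate plus an effect, and the combiner is deny-overrides with a default deny, so a request with a missing context attribute such as the device fails closed. The bot identity, the approved runtime names, the business-hours window and the payment threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Constructed for the example: the RPA runtime hosts a bot credential may be used from.
APPROVED_RUNTIMES = {"rpa-runtime-01", "rpa-runtime-02"}


@dataclass
class Request:
    """One access request in NIST ABAC terms: subject, action, object, environment."""
    subject: dict   # bot identity attributes: id, owner, business_unit, type
    action: str     # read / update / pay ...
    resource: dict  # object attributes: system, classification, amount ...
    env: dict       # context attributes: time, location, device


@dataclass
class Policy:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Request], bool]   # the IF part of the rule


def business_hours(ts: datetime) -> bool:
    """Assumed window: Monday to Friday, 08:00-18:00 UTC."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def is_bot(r: Request) -> bool:
    return r.subject.get("type") == "bot"


POLICIES = [
    # Content: IF the user is a bot THEN do not allow read access to Sensitive Personal Information.
    Policy("bot-no-spi-read", "deny",
           lambda r: is_bot(r) and r.action == "read"
           and r.resource.get("classification") == "SPI"),
    # Device context: a bot credential used from anything but an approved runtime is blocked
    # (a missing device attribute is treated as unapproved).
    Policy("bot-approved-device-only", "deny",
           lambda r: is_bot(r) and r.env.get("device") not in APPROVED_RUNTIMES),
    # Time + content context: large payments by bots are only allowed during business hours.
    Policy("bot-out-of-hours-payment-cap", "deny",
           lambda r: is_bot(r) and r.action == "pay"
           and (r.env.get("time") is None or not business_hours(r.env["time"]))
           and r.resource.get("amount", 0) > 10_000),
    # Bots keep their wide RBAC permissions for anything the deny rules above do not catch.
    Policy("bot-rbac-permit", "permit", is_bot),
]


def evaluate(request: Request, policies=POLICIES) -> tuple[str, str]:
    """Deny-overrides combining: any applicable deny wins, otherwise the first applicable
    permit, and a request matching no policy at all is denied (fail closed)."""
    permit = None
    for policy in policies:
        if policy.applies(request):
            if policy.effect == "deny":
                return "deny", policy.name
            if permit is None:
                permit = policy
    return ("permit", permit.name) if permit else ("deny", "default-deny")


# Constructed sample identity and contexts.
BOT = {"id": "BOT-0042", "owner": "ap-team", "business_unit": "Finance", "type": "bot"}
IN_HOURS = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)      # a Tuesday, 10:00 UTC
OUT_OF_HOURS = datetime(2024, 3, 12, 23, 0, tzinfo=timezone.utc)  # same day, 23:00 UTC
ERP = {"system": "ERP", "classification": "internal"}


def demo() -> dict:
    """Run constructed requests through the policies; returns {case: (decision, rule)}."""
    ok_env = {"time": IN_HOURS, "location": "DC1", "device": "rpa-runtime-01"}
    night_env = {"time": OUT_OF_HOURS, "location": "DC1", "device": "rpa-runtime-02"}
    cases = {
        "spi_read": Request(BOT, "read", {"system": "HR", "classification": "SPI"}, ok_env),
        "invoice_update": Request(BOT, "update", ERP, ok_env),
        "unknown_device": Request(BOT, "update", ERP, {**ok_env, "device": "laptop-7731"}),
        "big_night_payment": Request(BOT, "pay", {**ERP, "amount": 25_000}, night_env),
        "small_night_payment": Request(BOT, "pay", {**ERP, "amount": 500}, night_env),
        "missing_context": Request(BOT, "update", ERP, {}),
    }
    return {name: evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (decision, rule) in demo().items():
        print(f"{name:20s} -> {decision:6s} ({rule})")
```

The deny rules never touch the bot's underlying RBAC roles: the bot keeps its wide permissions in the ERP, and the policy layer narrows what it can actually do based on who, what, where and when, which is exactly the combination of RBAC and targeted ABAC the post argues for. The policy names returned alongside each decision are what you would write to the audit log.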
I hope you enjoyed the reading and I would be very interested in hearing your thoughts. If you want to read more about RPA, please check my previous posts or just follow me.
Opinions expressed are solely my own and do not necessarily express the views or opinions of my employer.
CEO, Board Member, Serial Entrepreneur, Innovator, Application Server and Information Security Pioneer
I agree with you 100%, access control needs to be more intelligent and dynamic (i.e. attribute-based access control #ABAC) to keep up with the increased complexity and ever changing requirement to protect data and safeguard information sharing.