Peter Greenwood, Practice Team Lead, SecureITsource, Inc.
This blog post discusses Robotic Process Automation (RPA) and how SecureITsource helped a healthcare technology enterprise secure their UiPath RPA infrastructure using CyberArk’s Application Identity Manager (AIM). The goals of RPA in the enterprise are to streamline operations, reduce staffing costs, eliminate human error, and free up employees to focus on higher-value work instead of the repeatable tasks that RPA aims to automate.
What is RPA anyway? In the idyllic sense, think of an RPA bot as a corporate employee in the form of an application that works 24x7x365, never makes a mistake, and is happy tackling all of the tasks that nobody else in the office enjoys doing.
RPA is being adopted in regulated industries such as banking, healthcare, energy/utilities, and insurance. In order for RPA bots to deliver maximum value for an organization, they need to manipulate data and be connected to many different systems. Most of these systems require some form of authentication to gain access, and these identities can often be privileged. This puts RPA infrastructure at risk of being used as an attack vector.
Most RPA vendors have a mechanism for storing credentials within the application, but this option carries risk, is expensive to manage, and is not scalable.
It is best practice to use a centralized password vault and to avoid storing credentials on disk, in code, or within an application’s data store whenever possible.
The integration between UiPath and CyberArk’s AIM solution provides a mechanism to pull credentials as needed during a bot’s workflow execution without sacrificing the velocity and efficiency gains promised by RPA.
This HIPAA-compliant company is partnered with thousands of healthcare providers and hundreds of insurance companies, and processes tens of millions of requests for protected health information annually. With their RPA installation poised to tackle these requests in the future, we needed to make sure that the system met business needs, was scalable, and, most importantly, was secure.
Let’s take a look at three key RPA use-cases that we helped secure while embarking on this RPA security journey with our client.
The UiPath architecture is controlled by an orchestrator and up to 250 unattended “bots” that communicate with the orchestrator. The orchestrator, its backend SQL Server, and the bots all run on Windows Server and require an individual local logon account or a domain service account. In this case, the orchestrator and its bots use domain service accounts. The orchestrator needs access to the bot service account to maintain connectivity. By default, these credentials are stored in the application’s SQL database, loaded manually during bot creation, and remain static. This makes password changes difficult to manage, especially in a large-scale deployment.
Using CyberArk’s AIM solution, we were able to store these accounts in a dedicated safe within the CyberArk secure digital vault. The AIM local Credential Provider is installed on the UiPath orchestrator, acting as an agent that allows access to credentials stored in the safe. The Credential Provider caches these credentials encrypted on disk and within RAM, which makes this solution highly performant. This integration provides the following benefits:
The above solution focuses on the UiPath Orchestrator’s ability to pull passwords from CyberArk, but what about all of the bots? Each bot is an autonomous application that performs completely separate tasks. A bot asset is defined by UiPath as “a shared variable or credential,” and these are stored locally on the bot so they can be easily accessed. The mutually supported CyberArk/UiPath integration does not facilitate individual bot access to the CyberArk digital vault, but we were able to design a custom solution using another component of CyberArk’s AIM solution, the Central Credential Provider (CCP).
The CCP shares the same principles as the local Credential Provider but is accessed by the bot via a web service call and is agentless. The CCP web service is installed on a Windows server running IIS and uses the local Credential Provider to access the vault. Web service calls are authenticated by the bot’s application identity via enforced client certificates, source IP/DNS, and domain user.
We worked closely with the client and were able to design a solution that met the needs of the business, did not slow down the bot workflows, and is secure. We utilized CyberArk safes and the bot’s application identity for access control and authentication. Each bot was issued its own identity and a dedicated safe. The RPA architecture was designed by the business to have bots dedicated to a specific partner, so the credentials stored are specific to the healthcare partner as well. This design enforces the HIPAA data privacy standards and protects its business partners from potential credential theft. Benefits to this approach are:
Attended bots act as an automated helper to an employee (or to several employees, if shared), effectively acting on their behalf while performing various tasks that would normally be done manually. The authentication issue with attended bots is that, instead of the bot task being triggered by a transaction or specific workflow, it is triggered by a human worker who often needs to inject his or her credentials into the workflow. Once those credentials are injected into a bot workflow, they are stored locally to make the workflow repeatable. Attended bots are also routinely shared between shift workers, which increases the risk of credential theft with each additional user of the attended bot.
We took the same approach as above and used the CCP to retrieve credentials as needed via web service calls. The difference is that, instead of only the bot needing programmatic access to a safe, the safe is also shared with an employee who uses CyberArk’s Password Vault Web Access (PVWA) to add or update his or her credentials needed by the bot. Benefits to this approach are:
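Both the unattended-bot design and the attended-bot variant above come down to the same run-time pattern: the bot presents its application identity to the CCP web service over mutual TLS, asks for one object from its own dedicated safe, uses the returned credential in memory, and never writes it to a local asset or disk. The following is an added example, not code from SecureITsource, UiPath, or CyberArk, written in Python so that the request and response handling can be read in isolation. It assumes the CCP REST endpoint is `/AIMWebService/api/Accounts` with `AppID`, `Safe`, `Folder`, and `Object` query parameters and that CCP reports refusals in a JSON body with `ErrorCode` and `ErrorMsg`; the host name, safe name, object name, certificate paths, and the two sample JSON bodies are constructed placeholders, not values from the client environment.

```python
"""Retrieve a bot credential from CyberArk CCP at the moment a workflow needs it.

Added example; not the post's, UiPath's, or CyberArk's code. Assumptions (not
stated in the post): endpoint path /AIMWebService/api/Accounts with AppID, Safe,
Folder and Object query parameters; JSON error bodies carry ErrorCode/ErrorMsg.
All host names, safe/object names, paths and sample bodies are placeholders.
"""
import json
import ssl
import urllib.parse
import urllib.request


class CcpError(Exception):
    """CCP refused the request (unknown AppID, missing client cert, wrong source IP, ...)."""


def build_ccp_url(base_url, app_id, safe, obj, folder="Root"):
    """Build the GET URL. `safe` is the bot's dedicated, partner-specific safe."""
    query = urllib.parse.urlencode(
        {"AppID": app_id, "Safe": safe, "Folder": folder, "Object": obj}
    )
    return f"{base_url.rstrip('/')}/AIMWebService/api/Accounts?{query}"


def parse_ccp_response(body):
    """Reduce the CCP JSON body to the fields a bot needs.

    A refusal arrives as a JSON body with ErrorCode/ErrorMsg, so that is checked
    before any field is trusted; a body lacking UserName or Content is also rejected.
    """
    data = json.loads(body)
    if "ErrorCode" in data:
        raise CcpError(f"{data['ErrorCode']}: {data.get('ErrorMsg', '')}")
    missing = [k for k in ("UserName", "Content") if k not in data]
    if missing:
        raise CcpError(f"CCP response is missing {missing}")
    return {
        "username": data["UserName"],
        "password": data["Content"],
        "address": data.get("Address", ""),
    }


def make_tls_context(client_cert, client_key, ca_bundle):
    """Mutual TLS: verify the CCP server certificate and present the bot's client certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def fetch_credential(base_url, app_id, safe, obj, tls_context, timeout=10):
    """Pull the credential on demand and return it to the caller; nothing is persisted."""
    req = urllib.request.Request(build_ccp_url(base_url, app_id, safe, obj))
    with urllib.request.urlopen(req, context=tls_context, timeout=timeout) as resp:
        return parse_ccp_response(resp.read().decode("utf-8"))


# Constructed sample bodies (placeholders, not captured from a real CCP).
SAMPLE_OK = json.dumps({
    "Content": "S3cr3t-pass",
    "UserName": "svc_bot_partnerA",
    "Address": "partnerA.portal.example",
    "PasswordChangeInProcess": "False",
})
SAMPLE_DENIED = json.dumps({
    "ErrorCode": "APPAP000E",  # placeholder code
    "ErrorMsg": "constructed refusal message",
})


if __name__ == "__main__":
    # Offline demonstration: build the request a bot would send and parse a sample reply.
    url = build_ccp_url("https://ccp.example.internal", "UiPath_Bot_PartnerA",
                        "RPA-PartnerA", "PartnerA-Portal-Login")
    print("would GET:", url)
    print("user:", parse_ccp_response(SAMPLE_OK)["username"])
    # Live use (placeholder paths):
    # ctx = make_tls_context("/etc/rpa/bot.crt", "/etc/rpa/bot.key", "/etc/rpa/ca.pem")
    # cred = fetch_credential("https://ccp.example.internal", "UiPath_Bot_PartnerA",
    #                         "RPA-PartnerA", "PartnerA-Portal-Login", ctx)
```

For the attended-bot case the only change is which safe and object the call names: the employee maintains the object through PVWA, and the bot reads it here instead of keeping a copy in a local asset. Keeping the credential only in the returned dictionary for the duration of the workflow step is what removes the on-disk copy that shared attended bots would otherwise accumulate.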
In closing, RPA is an exciting new technology with tremendous upside, but storing all credentials within the software creates a risk that companies may find unreasonable. It is also easy to overlook credential management at the beginning of an RPA program rollout, but for regulated industries and enterprises with high-value data on the line, taking the extra steps to integrate with an enterprise-grade Privileged Access Management solution will pay dividends in the long run.