Peter Greenwood, Practice Team Lead, SecureITsource, Inc.
This blog discusses Robotic Process Automation (RPA) and how secureITsource helped a healthcare technology enterprise secure its UiPath RPA infrastructure using CyberArk’s Application Identity Manager (AIM). The goals of RPA in the enterprise are to streamline operations, reduce staffing costs, eliminate human error, and free up employees to focus on higher-value work instead of the repeatable tasks that RPA automates.
What is RPA anyway? In the idyllic sense, think of an RPA bot as a corporate employee in the form of an application that works 24x7x365, never makes a mistake, and is happy tackling all of the tasks that nobody else in the office enjoys doing.
RPA is being adopted in regulated industries such as banking, healthcare, energy/utilities, and insurance. In order for RPA bots to deliver maximum value for an organization, they need to manipulate data and be connected to many different systems. Most of these systems require some form of authentication to gain access, and these identities can often be privileged. This puts RPA infrastructure at risk of being used as an attack vector.
Most RPA vendors have a mechanism for storing credentials within the application, but this option carries risk, is expensive to manage, and is not scalable.
It is best practice to use a centralized password vault and to avoid storing credentials on disk, in code, or within an application’s data store whenever possible.
The integration between UiPath and CyberArk’s AIM solution provides a mechanism to pull credentials as needed during a bot’s workflow execution without sacrificing the velocity and efficiency gains promised by RPA.
This HIPAA-compliant company is partnered with thousands of healthcare providers and hundreds of insurance companies, and processes tens of millions of requests for protected health information annually. With their RPA installation poised to tackle these requests in the future, we needed to make sure that the system met business needs, was scalable, and, most importantly, was secure.
Let’s take a look at three key RPA use-cases that we helped secure while embarking on this RPA security journey with our client.
RPA Service Accounts
The UiPath architecture is controlled by an orchestrator and up to 250 unattended “bots” that communicate with the orchestrator. The orchestrator, its backend SQL Server, and the bots all run on Windows Server and each require an individual local logon account or a domain service account. In this case, the orchestrator and its bots use domain service accounts. The orchestrator needs access to the bot service account credentials to maintain connectivity. By default, these credentials are stored in the application’s SQL database, loaded manually during bot creation, and remain static. This makes password changes difficult to manage, especially in a large-scale deployment.
Using CyberArk’s AIM solution, we were able to store these accounts in a dedicated safe within the CyberArk secure digital vault. The AIM local Credential Provider is installed on the UiPath orchestrator, acting as an agent that allows access to credentials stored in the safe. The Credential Provider caches these credentials encrypted on disk and in RAM, which makes this solution highly performant. This integration provides the following benefits:
- Credential Rotation: CyberArk’s Central Policy Manager (CPM) will reach out to Active Directory, replace the current password with a new strong unique password, and update the value in the vault. The Credential Provider on the Orchestrator machine is in regular contact with the vault, knows if a password change is forthcoming, and updates the secure cache with the current password immediately following the change. This allows the Orchestrator to always pull the correct password with no human intervention needed.
- Application Runtime Authentication: Each Orchestrator is given a unique application identity which is used to authenticate the application against various runtime characteristics stored in the vault and verified by the Credential Provider. Every request for a credential is evaluated at runtime ensuring that unauthorized requests are promptly denied.
- Strong Access Control: The application identity of the Orchestrator and the Credential Provider are given explicit access to the safe storing the bot service accounts. Accounts that are not needed by the orchestrator are stored elsewhere following least privilege.
- Tamper-proof Audit Trail: All password requests by the Orchestrator are logged locally, within the vault, and forwarded to a SIEM solution where activity can be scanned for anomalous behavior.
RPA “Bot Assets”
The above solution focuses on the UiPath Orchestrator’s ability to pull passwords from CyberArk but what about all of the bots? Each bot is an autonomous application that performs completely separate tasks. A bot asset is defined by UiPath as “a shared variable or credential” and these are stored locally on the bot so they can be easily accessed. The mutually supported CyberArk/UiPath integration does not facilitate individual bot access to the CyberArk digital vault but we were able to design a custom solution using another component of CyberArk’s AIM solution, the Central Credential Provider (CCP).
The CCP shares the same principles as the local Credential Provider, but it is accessed by the bot via a web service call, so no agent is needed on the bot itself. The CCP web service is installed on a Windows server running IIS and uses the local Credential Provider to access the vault. Web service calls are authenticated against the bot’s application identity via enforced client certificates, source IP/DNS, and domain user.
We worked closely with the client and were able to design a solution that met the needs of the business, did not slow down the bot workflows, and is secure. We utilized CyberArk safes and the bot’s application identity for access control and authentication. Each bot was issued its own identity and a dedicated safe. The RPA architecture was designed by the business to have bots dedicated to a specific partner, so the credentials stored are specific to the healthcare partner as well. This design enforces the HIPAA data privacy standards and protects its business partners from potential credential theft. Benefits to this approach are:
- Maintain HIPAA Compliance: One of the constraints we faced was making sure healthcare partner data was not mixed. This was accomplished using separate safes, each with its own access control.
- Strong Access Control: The bot’s identity is given explicit access to its single safe. Accounts that are not needed by a bot are stored elsewhere, following least privilege.
- Runtime Authentication: Each Bot is given a unique application identity secured by several application characteristics. This ensures that unauthorized password requests are denied.
- Tamper-proof Audit Trail: All password requests are logged on the CCP, within the vault, and forwarded to a SIEM solution where activity can be scanned for anomalous behavior.
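The following is an added example (not UiPath’s or CyberArk’s own code, and not part of the original post) of how a bot retrieves a credential from the CCP web service at runtime, as described above for dedicated bots and below for attended bots. The CCP hostname, certificate paths, AppID, safe and account names are assumed placeholders; the query parameters and response fields follow CyberArk’s published AIMWebService interface, while the sample response itself is constructed.

```python
"""Pull a credential from the CyberArk Central Credential Provider (CCP)
at runtime instead of keeping it in a local UiPath bot asset."""
import json
import ssl
import urllib.request
from urllib.parse import urlencode

# Assumed values for illustration only; real deployments use their own.
CCP_HOST = "https://ccp.example.internal"
CA_BUNDLE = "/path/to/internal-ca.pem"   # placeholder: trusts only the internal CA
CLIENT_CERT = "/path/to/bot.crt"         # placeholder: the bot's client certificate
CLIENT_KEY = "/path/to/bot.key"          # placeholder: its private key


def build_ccp_url(app_id: str, safe: str, obj: str, reason: str) -> str:
    """Build the CCP REST query. AppID is the bot's application identity,
    Safe/Folder/Object locate the account, and Reason is recorded in the audit."""
    params = {"AppID": app_id, "Safe": safe, "Folder": "Root",
              "Object": obj, "Reason": reason}
    return f"{CCP_HOST}/AIMWebService/api/Accounts?{urlencode(params)}"


def parse_ccp_response(body: str) -> dict:
    """Validate a CCP JSON reply. Refuse to use an account the CPM is still
    rotating, since the returned password may not be the current one."""
    data = json.loads(body)
    for field in ("Content", "UserName", "Safe"):
        if field not in data:
            raise ValueError(f"CCP response missing {field}")
    if str(data.get("PasswordChangeInProcess", "False")).lower() == "true":
        raise RuntimeError("password change in progress; retry shortly")
    return {"username": data["UserName"], "password": data["Content"],
            "safe": data["Safe"], "address": data.get("Address", "")}


def fetch_credential(app_id: str, safe: str, obj: str, reason: str) -> dict:
    """Call the CCP over mutual TLS. The CCP also checks source IP/DNS and
    the OS user, so presenting the client certificate alone is not enough."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    ctx.load_cert_chain(certfile=CLIENT_CERT, keyfile=CLIENT_KEY)
    req = urllib.request.Request(build_ccp_url(app_id, safe, obj, reason),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_ccp_response(resp.read().decode("utf-8"))


# Constructed sample replies shaped like CCP output (all values are fake).
SAMPLE_RESPONSE = json.dumps({"Content": "S3cr3t!", "UserName": "svc_bot01",
    "Address": "partner-portal.example.com", "Safe": "RPA-Partner-A",
    "Folder": "Root", "Name": "partner-portal-bot01",
    "PasswordChangeInProcess": "False"})
SAMPLE_ROTATING = json.dumps({"Content": "old", "UserName": "svc_bot01",
    "Safe": "RPA-Partner-A", "PasswordChangeInProcess": "True"})
```

The credential is held only in memory for the duration of the workflow step; nothing is written back to a bot asset, so rotation by the CPM never leaves a stale copy on the bot.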
Attended RPA Bots
Attended bots act as an automated helper to an employee or employees if shared, effectively acting on their behalf while performing various tasks that would normally be done manually. The authentication issue with attended bots is that instead of the bot task being triggered by a transaction or specific workflow, they are triggered by a human worker who often needs to inject his or her credentials into the workflow. Once those credentials are injected into a bot workflow, they are stored locally to make a workflow repeatable. Attended bots are routinely shared between shift workers as well which can increase the risk for credential theft exponentially with each additional user of the attended bot.
We took the same approach as above and used the CCP to retrieve credentials as needed via web service calls. The difference is that instead of only the bot needing programmatic access to a safe, the safe is also shared with the employee, who uses CyberArk’s Password Vault Web Access (PVWA) to add or update the credentials the bot needs. Benefits to this approach are:
- Credential Rotation: Internal business credentials can be automatically rotated by CyberArk according to company policy. Furthermore, the user is notified via email that they can retrieve the new password from the PVWA.
- Additional Audit Benefits: The use of attended bots can make it difficult to tell whether the employee or the attended bots are performing actions on any particular system at a given time. Because the Bot queries the CCP at runtime and those queries are being logged and sent to SIEM, there is a clear audit trail that differentiates what is being done by the human or the bot on a machine.
- Employee Credentials Secured: The employee’s credentials live in the vault rather than in a locally stored bot workflow.
In closing, RPA is an exciting new technology with tremendous upside, but storing all credentials within the software creates a risk that companies may find unreasonable. It is also easy to overlook credential management at the beginning of an RPA program rollout, but for regulated industries and enterprises with high-value data on the line, taking the extra steps to integrate with an enterprise-grade Privileged Access Management solution will pay dividends in the long run.