Application Relationship Management and the “Shadow” Risks of RPA

“Shadow IT” is the response to businesses’ need to innovate and transform ahead of central IT’s ability or willingness to adopt new technologies. The first wave of “Shadow IT” began over a decade ago as business teams and developers adopted cloud services ahead of the IT team’s ability to create an enterprise-ready framework and, crucially, ahead of the Information Security team’s ability to ensure the cloud environments were adequately secured. Today we are seeing a similar challenge as business teams adopt Robotic Process Automation (RPA) to automate and transform formerly manual, error-prone business processes using software. Security teams urgently need an equally automated set of capabilities to recognize where RPA is being adopted and to ensure that it does not lead to unnecessary exposure of confidential information or risk to business-critical systems. In the longer term, sustainable architectures and SDLCs will be required to power secure RPA-based innovation.

Because it recognizes changes to application dependencies and deviations from the baseline, Application Relationship Management (ARM), pioneered by vArmour, is being used as a powerful tool to detect the presence of RPA processes and to implement policies preventing direct access to data from systems that should never touch it directly (for example, client endpoints or VDIs). Application Relationship Management enables the security organization to deliver safe and secure adoption of RPA while ensuring that unsafe practices, which could place an organization’s critical data and business functions at risk, are not adopted.

What is RPA? 

Robotic Process Automation, or RPA, is a term used to describe relatively simple programs developed by “citizen developers” to automate the daily tasks they previously performed manually and to enable new methods of working. RPA is commonly used to reduce costs, increase productivity, and remove errors associated with repetitive manual tasks. Used correctly, RPA democratizes the power of software and places tremendous capability in the hands of businesspeople to innovate. RPA includes software agents and widgets that can be used to automate customer communications, but it is also frequently used to process data from disparate sources in order to provide immediate business insights and answer everyday questions with a high degree of accuracy. It is this access to and handling of data in new and novel ways that can lead to significant operational and security risk.

What are specific risks associated with RPA? 

Many organizations are most concerned about RPA’s effect on governance, control and security. Without the oversight and control normally associated with traditional application architectures, RPA can result in an uncontrolled increase in data access and attack surface. In addition, understanding how private and confidential information is accessed and processed is a core requirement of any data protection and privacy program. It is hard to achieve the data-protection-by-design principles required by frameworks such as GDPR when you have no means to audit and control access to and usage of data. For example, data consumed by RPA automatons executing on desktop systems is more directly exposed to outside attack via techniques such as phishing, because the compromise of one workstation now yields a working, credentialed path to the datastore. Compared to typical enterprise architectures, where endpoint systems sit several layers away from structured datastores, RPA potentially introduces an increased attack surface around datastores and other systems where important data is processed or stored.

How does Application Relationship Management enable organizations to mitigate the immediate security challenges of “shadow” RPA?

Application Relationship Management (ARM) maps application and account identifier dependencies and relationships, allowing organizations to assess their risks and apply security controls effectively. The ARM techniques commonly used to secure traditional application architectures are easily applied to software automatons developed by citizen developers, providing the ability to recognize RPA access behaviours and prevent access that violates enterprise security policies.

vArmour customers have found that ARM can be used in the following ways to ‘get ahead’ of the spiralling adoption of RPA:

  1. Identifying anomalous access. Our customers regularly baseline their critical applications. This involves utilising vArmour’s Application Controller—which resides at the core of the ARM solution—and its knowledge of an application’s activity in order to establish a model of “normal” automatically. Where an RPA script creates a relationship that falls outside this learned baseline (for example, a new source host or account reaching a system that previously only ever talked to a known application tier), the Application Controller produces an alert highlighting the anomalous behaviour for investigation and review.
  2. Identifying access (or access attempts) that breach corporate guidelines. Alongside the learned baseline, a set of explicit baseline rules can be defined to identify relationships that should never occur, e.g., direct database client access from user endpoints (where RPA automatons frequently execute) to database management systems. Where RPA scripts access systems in violation of these corporate guidelines, the Application Controller produces an alert which highlights the violation for investigation and review.
  3. Identifying inappropriate use of personal identifiers and accounts. Another major risk associated with RPA is the use of inappropriate accounts, for example user accounts (which might be highly privileged) rather than the service accounts that best practice within enterprise software architectures calls for. The vArmour Application Controller enables organizations to understand the behaviour of user accounts within an OU or other group, so that obvious anomalies and exceptions associated with RPA automatons, such as a single account in a group reaching a datastore that none of its peers touch, can be easily identified. Moreover, baselining of account behaviour enables immediate identification of anomalies as they happen.
  4. Preventing RPA data access that breaches corporate security standards. ARM enables organizations to restrict access to their critical systems and functions (for example systems storing PII) using a Zero Trust methodology. RPA scripts attempting access outside of the defined Zero Trust access policies are prevented from gaining access, with the appropriate notifications sent via SIEM or other alerting mechanisms.

Figure 1: Application Controller identifying direct SQL server access from user account indicative of inappropriate Robotic Process Automation.
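The four uses above reduce to a small set of checks over observed application relationships: compare each flow to a learned baseline, test it against explicit rules (no client-to-database access, no user accounts on database ports), look for accounts whose reach differs from their peer group, and deny rather than merely alert when a Zero Trust policy is violated. The following is an added illustration of that logic written for this article; it is not vArmour code and does not use the Application Controller’s API. The flow records, host names, account names, OUs and the “service accounts are named svc_*” convention are all constructed assumptions.

```python
# Added example, not vArmour's code: baseline, policy and peer-group checks
# over constructed application flow records. Host/account names, OUs and the
# "svc_*" naming convention are assumptions made for this illustration.
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_role: str    # e.g. "endpoint", "vdi", "app-server"
    dst_host: str
    dst_role: str    # e.g. "database", "app-server"
    dst_port: int
    account: str     # assumed convention: service accounts are named "svc_*"
    ou: str          # directory OU the account belongs to (assumed attribute)


DB_PORTS = {1433, 1521, 3306, 5432}   # MSSQL, Oracle, MySQL, PostgreSQL
CLIENT_ROLES = {"endpoint", "vdi"}    # systems that must never talk to a DB directly


def is_service_account(account: str) -> bool:
    return account.lower().startswith("svc_")


def build_baseline(flows):
    """Model of 'normal': the set of relationships seen during the learning window."""
    return {(f.src_host, f.dst_host, f.dst_port, f.account) for f in flows}


def evaluate(flow, baseline, enforce=True):
    """Return (action, findings) for one flow.

    Explicit policy violations are denied when enforce=True (use 4 above);
    a flow that merely deviates from the learned baseline is alerted on,
    not blocked (use 1), so a legitimate new app tier is not broken.
    """
    findings = []
    if (flow.src_host, flow.dst_host, flow.dst_port, flow.account) not in baseline:
        findings.append("anomaly: relationship not in baseline")
    violations = []
    if flow.src_role in CLIENT_ROLES and flow.dst_port in DB_PORTS:
        violations.append("policy: direct database access from a client system")
    if flow.dst_port in DB_PORTS and not is_service_account(flow.account):
        violations.append("policy: database access with a user account")
    findings.extend(violations)
    if violations and enforce:
        return "deny", findings
    return ("alert" if findings else "allow"), findings


def scan(flows, baseline, enforce=True):
    return [(f.src_host, *evaluate(f, baseline, enforce)) for f in flows]


def peer_group_outliers(flows):
    """Accounts that are the only member of their OU reaching a destination role
    (use 3 above). OUs with a single account are skipped: no peers to compare."""
    reach = defaultdict(lambda: defaultdict(set))   # ou -> dst_role -> accounts
    for f in flows:
        reach[f.ou][f.dst_role].add(f.account)
    outliers = set()
    for ou, by_role in reach.items():
        if len(set().union(*by_role.values())) < 2:
            continue
        for role, accounts in by_role.items():
            if len(accounts) == 1:
                outliers.add((next(iter(accounts)), ou, role))
    return outliers


# Constructed learning-window traffic: app tier -> DB with a service account,
# workstations -> app tier over HTTPS with user accounts.
LEARNED = [
    Flow("app01", "app-server", "db01", "database", 1433, "svc_erp", "ServiceAccounts"),
    Flow("app02", "app-server", "db01", "database", 1433, "svc_erp", "ServiceAccounts"),
    Flow("ws-0113", "endpoint", "app01", "app-server", 443, "alee", "Finance"),
    Flow("ws-0114", "endpoint", "app01", "app-server", 443, "bkim", "Finance"),
]
BASELINE = build_baseline(LEARNED)

# Constructed traffic after an RPA script appears on a Finance workstation:
# a known-good flow, a new (unseen) app server, and the RPA bot hitting SQL Server.
OBSERVED = [
    Flow("app01", "app-server", "db01", "database", 1433, "svc_erp", "ServiceAccounts"),
    Flow("app03", "app-server", "db01", "database", 1433, "svc_erp", "ServiceAccounts"),
    Flow("ws-0112", "endpoint", "db01", "database", 1433, "jsmith", "Finance"),
]

if __name__ == "__main__":
    for src, action, findings in scan(OBSERVED, BASELINE):
        print(f"{src:8} {action:5} {'; '.join(findings) or '-'}")
    for account, ou, role in peer_group_outliers(LEARNED + OBSERVED):
        print(f"outlier: {account} is the only account in OU {ou} reaching {role}")
```

Run as written, `app01` is allowed, `app03` raises a baseline-deviation alert only (unknown host, but correct tier and account), and `ws-0112` is denied with three findings: it is outside the baseline, it is a client-to-database relationship, and it uses `jsmith` rather than a service account. The peer-group check independently singles out `jsmith` as the only Finance account reaching a database. In a real deployment the learning window, the port-to-role mapping and the account naming convention would come from the relationship map and directory rather than from constants.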

What are the longer term building blocks of an agile, secure RPA framework? 

Many of the lessons learned from modern SDLCs will need to be adapted to empower the “citizen developer” delivering innovation and business process transformation as part of their normal role, with IT delivering tooling and a runtime environment which provides the resources and controls required. In many organizations this maturation is currently underway as requirements and risks are becoming better understood. 

As part of this workflow, a standardized and automated process for issuing credentials based upon unique identifiers and an assessment of access requirements will be required. In today’s established application SDLCs, Application Relationship Management techniques are used to baseline application access behaviours, map them into production controls, continue to measure their effectiveness over the life of the release, and then repeat. The same approach will broadly apply to RPA SDLCs, where ARM will establish baselines, apply policies and report on continued compliance with established policies.

Conclusion

In many ways RPA amplifies existing application security risks by increasing complexity, rate of change and the diversity of application use cases. Application Relationship Management enables organizations to mitigate the current risk associated with these shadow approaches. More importantly, Application Relationship Management fits into automated SDLCs that will be developed to support future RPA frameworks.

Timothy Eades

Chief Executive Officer