Security Best Practices for Your RPA Bots
Data security is essential when it comes to automating business processes in large enterprises. Companies that come from industries, such as finance or banking, which traditionally handle a lot of confidential customer information, are rightfully worried about the security of private data used by RPA bots.
RPA bot credentials
In many automated business processes, an RPA bot would need to log into one or several applications and move data between them. There are several data security best practices when it comes to handling the credentials used to access such applications.
Create special service accounts for the bot
It is a good practice to never use existing users’ credentials but to create separate accounts for the bot with the same access level in all applications it will need to log into and use only these accounts in the automated business processes. One reason is protecting employees’ credentials. Another is separating the activities of the user from the activities of the bot for better auditing and visibility.
Keep all credentials in the Secrets Vault
WorkFusion comes with a built-in password vault designed to store credentials in a secure way. It is available for both development and testing purposes (Secrets Vault in WorkFusion Studio) and in production
(Secrets Vault in Control Tower).
The data stored in the Vault is encrypted and not visible to anyone. It is also not recorded in any logs or execution results, which eliminates the possibility of it being exposed to the outside world. Storing credentials right in the script or storing them in a text or an Excel file the bot would read is unacceptable, as that can lead to losing important credentials to the company’s applications.
In case of web basic authentication, when an RPA bot needs to pass credentials with the web application’s URL, you should use one of these security best practices:
- Store the whole target URL containing the credentials in the Secrets Vault
- Store the username and password in the Secrets Vault and create the URL dynamically at runtime
Following these basic data access security practices will ensure that critical passwords will not be accessed by unauthorized people.
Using confidential data
As mentioned above, very often, the bot needs to move data between different systems in the organization. Sometimes, it can be confidential data. If you want to limit displaying this data anywhere, make sure to follow these data protection and security best practices.
Clear the clipboard at the end of each bot task
If you use the clipboard to copy-paste data, make sure to clear it at the end of each bot task, so no data is left there after the RPA bot has executed all actions. If you use loops in your script, is also a good practice to clear the clipboard at the end of each loop.
Note that in this case, data saved in variables is still recorded in the execution log and the Results of the business process. Sometimes, it is important to see for auditing purposes. However, if the corporate data security practices in your organization prohibit recording and displaying certain types of data even in such cases, you can either not store the data in the variables at all and only copy-paste it using the clipboard, or you need to purge the data in the variables.
Rewrite the data in the variables at the end of each bot task
If you rewrite the confidential data in the variables with blank values or other default values, it will be stored there only transitively (temporarily) and cleared at the end of the session, so it will not be recorded in the results.
Other RPA security best practices
Log important RPA bot activity
Intelligent Automation Cloud Enterprise automatically provides a complete audit trail for bot activities. In the Express edition, bot actions are recorded in various log files, and you can write custom logs to add extra traceability to the bot’s actions. Custom logging also can help you create better readable log files for business users to see:
- completion of some important steps in the script
- if the bot encounters a problem (exception handling)
- temporary values of certain variables for auditing purposes
Configure the Group Policy Settings
This piece of advice is for administrators rather than RPA developers, but configuring the Group Policy Settings correctly will help you make sure that the bot will have the required access to the resources it needs to use in the business processes. Another way to ensure it is by creating special users for the bots in the Active Directory and adjusting the bot configuration to give the bots the same access rights as domain users.
Following these best practices will help you provide the required level of data security in your company and even enhance it.