
Security Requirements for RPA Bots

1  Introduction

Robotic Process Automation (aka RPA or RPA bots) provides the capability to perform certain high volume, manual, and repeatable tasks that were previously performed by humans in the security industry, such as call center agents or back office personnel. Over the last 5–7 years, big industry players and startups have funneled investment into RPA bot technology, leading to significant improvements. There are generally two types of RPA bots prevalent in the industry at the current time: attended and unattended bots.

While there is no doubt about the value proposition that this technology brings to the industry for multiple use cases (improving productivity, efficiency, agility and customer service), a little more rigor has to be applied to analyze, identify, remediate and/or mitigate any security risks that may have also evolved with its adoption (just like with any other disruptive and emerging technology).

This chapter provides a description of these bots along with high-level security requirements for the two RPA bot types. It also provides a brief vision of the future paradigm for this technology.

2  Attended RPA Bots

Attended RPA bots are generally designed for a user workstation, using the user's persona or identity context. They can also be configured as an (auto) service, such as a Windows service or a Linux daemon, as a startup app capable of starting automatically at a system (or workstation) boot event, as a background-only task, or as one that does not exit during a logoff system event. Attended bots generally augment the tasks or activities performed by users and/or agents for many call-center or other front or back office use cases across many industries, such as finance, healthcare, defense, and education.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
R. Badhwar, The CISO's Next Frontier,
https://doi.org/10.1007/978-3-030-75354-2_34

2.1  High Level Security Requirements

Attended RPA bots can be exploited if the system they are running on is in an auto mode and is compromised or breached by malicious entities. There is also the situation where someone else takes over the workstation while the true owner is either away or inadvertently shares their credentials with another user (behavior sometimes observed in call centers).
(a) It is thus imperative that all attended RPA bots be configured as an on-demand service started manually, or installed as an application started manually by the user(s). In either case, separate unique credentials must be established and used for the attended bot. The typical credential management standards should apply. Multi-factor authentication (MFA) implementation and integration would greatly lower the risk from unauthorized usage and breaches.
(b) All attended RPA bots must undergo security (code) scanning and architecture evaluation.
(c) All attended RPA bots must follow proper testing and change control paradigms, including security and change advisory board (CAB) approvals.
(d) All attended RPA bots must comply with security logging and monitoring requirements to enable incident response capabilities.
(e) Attended RPA bots must only operate while on the company (or private) network (i.e., while they are domain joined). They must not connect to the internet, and controls must be implemented at the user workstation level and within the outbound proxies to prevent such connections from occurring.
(f) All communications between the RPA bot and its primary (controller or orchestrator) must be encrypted.
(g) The primary (controller or orchestrator) must follow an implementation guided by the principles of Zero Trust architecture and least privilege.
(h) Attended RPA bots must be hardened so that they are resistant to dynamic (malicious) code injection into the service. Additionally, they must be subjected to a penetration test to detect and mitigate other vulnerabilities and exploits.
(i) A kill switch capability must be established or implemented as a safeguard measure.

3  Unattended RPA Bots

Unattended RPA bots are designed to work on tasks and interact with applications generally without any human engagement, intervention or involvement, with the capability to handle any runtime issues and errors.

These bots are generally architected to have one primary server and one or many secondary clients or nodes.

These bots are generally scheduled to execute tasks, or can be triggered by configured events. For example, unattended RPA bots can be used to remediate file/folder permissions on file shares by removing access for users who are either no longer employees or no longer have permission to access a file/folder within a directory structure.

Although somewhat uncommon, attended and unattended bots can work together in certain use cases. For example, customer service reps can rely on attended bots that enter data into a form and then submit it to an unattended bot to perform back office data processing and verification on the input data.

3.1  High Level Security Requirements

(a) The credentials used by unattended RPA bots (clients) must be properly protected. They should not be hard-coded in a configuration file, but could instead be fetched from an LDAP configuration repository or relational database. If credentials must be stored in a local file, then they must be encrypted.
(b) All administrative and root accounts for the RPA admin servers must be vaulted in a privileged access management (PAM) system.
(c) All unattended RPA bots (clients) must ideally have certificate-based machine identities (preferably issued by an internal CA) established for them, which they must use to authenticate to the RPA server.
(d) Any unattended bot nodes or clients exposed to the internet must be hardened, reside in a micro-segmented network segregated from other DMZ segments, and use a reverse proxy with MFA enabled.
(e) All communications between the primary and its secondary nodes must be encrypted.
(f) All vulnerabilities in unattended bots must be promptly patched.
(g) All unattended bot code must be scanned for vulnerabilities and weaknesses using static and dynamic code analysis techniques.
(h) Any access privileges or entitlements provided to unattended bots must apply the concept of least privilege.
(i) All unattended bots must have transaction-level logging enabled for transaction auditing purposes.

4  RPA 2.0 – Augmented by NLP and AI

The integration of Natural Language Processing (NLP) with RPA was the first step in making RPA bots autonomous and enabling use cases like self-service through speech recognition of human communications and semantic analysis.

The second step came with the usage of reinforcement learning (RL): a Q-learning algorithm which uses the shortest path among a given number of options to arrive at a reward (or conclusion).

The current effort to fully automate RPA is referred to as RPAAI and utilizes deep learning models, a combination of multi-step supervised and unsupervised ML and AI algorithms, to enable task automation without any human intervention whatsoever.
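The following is an added example, not code from the chapter, that makes the "shortest path to a reward" description concrete with standard tabular Q-learning. The states of the constructed graph stand for steps of an automated task and the edges for the actions available at each step; only reaching the goal state pays a reward. Because future reward is discounted by gamma at every step, the learned Q values are larger along shorter routes, so the greedy policy ends up choosing the shortest path even though the algorithm was never told what "shortest" means. The graph, rewards and hyperparameters are assumptions made for the illustration.

```python
"""Tabular Q-learning on a tiny task graph (added example, not from the chapter).

States are steps of an automated task, edges are actions; reaching GOAL pays 1.
The update rule is the standard one:
    Q(s,a) <- Q(s,a) + alpha * (r + gamma * max_a' Q(s',a') - Q(s,a))
"""
import random

# Constructed task graph: state -> next states reachable in one action.
# Shortest route from 0 to 5 is 0 -> 1 -> 3 -> 5; the other route is one step longer.
GRAPH = {0: [1, 2], 1: [3], 2: [4], 3: [5], 4: [3], 5: []}
GOAL = 5


def q_learn(graph, goal, episodes=2000, alpha=0.5, gamma=0.9, epsilon=0.2, seed=1):
    """Return a Q table {(state, next_state): value} learned with epsilon-greedy exploration."""
    rng = random.Random(seed)            # seeded so runs are reproducible
    q = {(s, a): 0.0 for s, acts in graph.items() for a in acts}
    for _ in range(episodes):
        s = 0
        while s != goal:
            acts = graph[s]
            if rng.random() < epsilon:   # explore
                a = rng.choice(acts)
            else:                        # exploit, breaking ties at random
                best = max(q[(s, x)] for x in acts)
                a = rng.choice([x for x in acts if q[(s, x)] == best])
            reward = 1.0 if a == goal else 0.0
            future = 0.0 if a == goal else max(q[(a, x)] for x in graph[a])
            q[(s, a)] += alpha * (reward + gamma * future - q[(s, a)])
            s = a
    return q


def greedy_path(q, graph, start, goal, max_steps=20):
    """Follow the highest-valued action from start until goal (or max_steps)."""
    path, s = [start], start
    while s != goal and len(path) <= max_steps:
        s = max(graph[s], key=lambda nxt: q[(s, nxt)])
        path.append(s)
    return path


if __name__ == "__main__":
    Q = q_learn(GRAPH, GOAL)
    for (s, a), v in sorted(Q.items()):
        print(f"Q({s} -> {a}) = {v:.3f}")
    print("greedy path:", greedy_path(Q, GRAPH, 0, GOAL))
```

With gamma = 0.9 the values along the short route are 1, 0.9 and 0.81 counting back from the goal, while the first step of the longer route is worth 0.9^3 = 0.729, which is exactly why the bot prefers it.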

5  The CISO Take

While RPA has helped reduce IT and operational costs by providing agility, speed, and performance enhancements, it is brittle and still needs quite a bit of human intervention to solve complex use cases. This has highlighted the need to adopt next-generation AI-based approaches to improve and enhance the current-state RPA paradigm.

RPA is also susceptible to vulnerabilities and various security threats, and any existing and future RPA implementations need to comply with the security requirements that have been detailed in this chapter.

The implementation of the security requirements becomes even more critical with the incorporation of unsupervised machine learning paradigms.

While IT teams adopt RPA to reduce operational and labor costs, CISOs must have their security teams properly review their company's RPA adoption to ensure compliance with the principle of Zero Trust with least privilege. (See chapter "Cybersecurity Enabled by Zero Trust" for more details on Zero Trust.)

6  Definitions

Bot – is a short form for robot. It has the capability to perform certain high volume, manual, and repeatable tasks that were previously performed by humans. Bots perform these tasks much faster than humans.
DMZ – is a "demilitarized zone"; when used in the cyber security context it denotes a restricted subnet between the intranet and the internet, generally used to host the external facing sites and services.
LDAP – stands for Lightweight Directory Access Protocol. It is an open and cross-platform client/server protocol for interacting with X.500-based directory services (e.g., Active Directory) over a TCP/IP network.
NLP – stands for natural language processing. It is the branch of artificial intelligence that enables a computer to read, understand, and speak human languages.
Q-Learning – stands for quality learning (algorithm). It is a reinforcement learning algorithm. Rather than using an existing policy, it seeks to 'learn' a policy that enables it to take the best possible action or get the best reward.
Zero Trust – is a security architecture and implementation paradigm that reduces enterprise risk by performing secure implementations in compliance with the principle that all assets inside and outside a perimeter firewall are not to be trusted, and thus access control for users, devices, systems and services must be provided using least privilege.

