Increasingly, bots collect and interact with confidential, sensitive, and even regulated data, so it’s crucial that they be governed appropriately. In the years ahead, it’s likely that the access granted to robotic process automation (RPA) bots will be exploited. The organizations that succeed will be those that manage to leverage their bots securely. Of course, this is easier said than done.
In my discussions with CISOs and identity teams, one of the most common areas of concern is their service accounts (these are accounts used only for system configuration management, and they are often the first to be automated through software bots).
Bot access isn’t something that can be set once and forgotten; it needs to be evaluated and managed periodically, just as user access levels are certified quarterly or annually at many enterprises.
For example, an identity manager at a national bank I recently interviewed is making certain that all of their bots — typically used as service accounts or to help schedule internal IT service requests — are assigned a human manager. This way, the access rights to these software bots become the responsibility of the bot owner. This is typically the same management process you see with access for staff, as business managers help decide what apps and services staff and other insiders need to do their jobs.
All of this is necessary because, in many ways, software bots are just like staff users: they can access data, applications, and other resources and act upon them. That power is what makes them useful, but it’s also what makes them targets. As enterprises continue to accelerate their digital transformation efforts with software bots, they’d better put the same controls around their software bots as they do around their human users, or they’re going to find that their risk of data breaches increases substantially.