Automation 360 Cloud for secure access and connectivity

You can develop and run bots securely using the Automation 360 Cloud access security.

High-level architecture of Cloud deployment

The following architecture diagram provides a high-level workflow of the Automation 360 Cloud deployment:cloud-architecture

  1. Using a browser, you log into the Control Room and create users and roles. You perform this process on the Automation 360 Cloud.
  2. You install the Bot Agent on your Windows device to run bots locally. You perform this process on your infrastructure.
  3. Data flow between the Automation 360 Cloud and the Bot Agent on your Windows device on your infrastructure is encrypted using TLS (outbound port 443 only).

Identity and Access Management (IAM) security for user system

  • When an admin user logs into the Automation 360 Control Room for the first time, the admin can configure SAML 2.0 to connect the Automation 360 Cloud Control Room to their own Identity Provider (IdP) so that their users can log in to the Control Room using MFA (multi-factor authentication).
  • The admin can then create the required users and roles or permissions to perform certain activities (such as developing and running bots) in the Control Room.
  • The Automation 360 Control Room users can then log in through MFA and start creating and running bots.
  • Additionally, the admin can configure an allowed IP address range to manage user logins through the Administrator settings in the Control Room.

To learn more about Automation 360 Cloud, see Get started with Automation 360 Cloud.

Secure connectivity to run bots

You run bots locally on a Windows machine on which the Bot Agent is deployed. You can download and install the Bot Agent on your devices or deploy to a pool of virtual machines.

Before you install the Bot Agent, the following criteria must be met:
  • The integrity of the device on which the Bot Agent is installed is not compromised.
  • The user organization has instituted security safeguards and controls to prevent Bot Agent takeover and system-level user breaches.
  • The user environment is safe from network-based attacks such as Domain Name System (DNS) cache poisoning, Address Resolution Protocol (ARP) spoofing, and so on.
Note: Automation 360 Cloud includes security operation controls to check for man in the middle (MITM) attacks and malicious intercepts.
Bot Agent installation and registration
When you register your device, the Bot Agent device is provided a JSON Web Token (JWT) to start the registration process with the Control Room. If the token provided by the Bot Agent device does not match the token provided by the Control Room, the registration process will fail. This authenticates the client Bot Agent device to the Control Room.
In the bulk installation and registration mode of the Bot Agent, the Bot Agent device comes online preregistered with the Control Room URL specified in the autoregistration.properties file. When using the bulk registration settings, one cannot enter or specify a fake Control Room URL without administrator privileges on that device. When the Bot Agent starts for the first time, it will read the autoregistration.properties file and register itself to the Control Room URL specified in the properties file. By default, the option to switch the Bot Agent registration from one Control Room to another is disabled. Only the Control Room administrators can enabled this option. If someone tries to register another URL when this option is disabled, the registration would fail immediately and generate an error mentioning that says Control Room is already registered and switching of the Control Room URL is not allowed.
By providing write access to a cache folder for the admin only and read permissions to all other users who can run bots, we can assure that when a bot is downloaded to the device cache, it cannot be manipulated to perform potentially harmful things.
Communication between Bot Agent and Control Room
The Bot Agent device establishes a websocket connection to the Control Room using HTTPS (outbound port 443) and no inbound connection is required.
  • Server authentication: The Transport Layer Security (TLS) handshake ensures that the Common Name (CN) in the server certificate issued by the well-known certification authority (CA) matches the legitimate hostname as included in the certificate chain of trust.
  • Client authentication: After registration, a valid JSON Web Token (JWT) is required from the Bot Agent to establish a connection to the Control Room. This token generated by the Bot Agent and signed using the Bot Agent private key, is used to verify the identity of the Bot Agent and to ensure the token is authenticated. The token can be verified using the Bot Agent public key sent during the registration process to the Control Room. The same process is used to authenticate the Bot Agent device every time it connects to the Control Room. After the token is verified, a new JSON Web Token (JWT) is generated by the Control Room and sent to the Bot Agent to convert the existing HTTP connection into a WebSocket connection.
Data connection between a customer's network and the Cloud service is protected with a strong TLS connection that leverages at least 2048-bit RSA server certificates, 128-bit symmetric encryption keys, and stronger TLS protocols. This secure connection makes it virtually impossible to breach the established TLS connection.
After the websocket connection is established, the communication between a customer's network and the Cloud service is secured and bidirectional. The connection between the Bot Agent device and the Automation 360 Cloud hosted Control Room is permanent and automatically reestablished if connectivity is lost. This connection is used to download the bots to run and send operational status information to the Control Room.
Note: The connectivity is established only one time and not for each bot.
Schedule bots to run
Control Room users can schedule bots to run. Compiled bots are downloaded to run on the Bot Agent devices and operational logs are sent from the Bot Agent devices to the Control Room.
For the bots to run, the Bot Agent establishes an active Windows session by authenticating as the licensed Bot Runner user on the Bot Agent device.
Secure credentials for bots
Bots that run on the Bot Agent devices need to log in to the device using credentials. You can store credentials securely in the Automation 360 Cloud Control Room credential vault. Alternatively, you can store credentials in a customer-hosted key management system (for example, CyberArk). When you store credentials in the customer-hosted key management system, you must have connectivity between the Control Room and the customer's key management system. To provide connectivity and allow access, you must configure the Automation 360 Cloud IP addresses for the specific Automation 360 Cloud region that is hosting the Control Room in their firewall. For more information, see Control Room IP addresses for external integrations.

Secure operations in Automation 360 Cloud

Automation 360 Cloud is secure and meets compliance standards for: SOC 1, SOC 2, ISO 27001:2022: Information Security Management Systems (ISMS), ISO 27017:2015: Information Security Controls for Cloud Services, ISO 27018:2019: Protection of Personally Identifiable Information (PII) in Cloud environments and HITRUST.