External key vaults for Automation 360

Key vaults provide a secure, encrypted storage space for sensitive data used by automation. Customers' sensitive data can be accessed and used by their automation platform by storing the data in corporate-approved key vaults such as CyberArk Password Vault, AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault.

Automation Anywhere provides a secure key vault called Credential Vault. Requirements for external key vault usage are generally related to certain compliance standards and corporate security policies implemented by your IT and IT security groups. As part of their data security policies, these groups select and maintain corporate key vault services, and define the standards for the protection of sensitive data. Integrating Automation 360 Control Room with external key vaults enables you to store credentials for security and compliance.

Note: External key vault integration is not supported on Oracle Database.

Users and roles

The following users typically configure and work with external key vaults:

Automation Administrators: Automation Administrators who have AAE_Admin and AAE_Locker_Admin roles with permissions to administer Automation 360 Control Room and Credential Vault instances. The Automation Admin works with the customer External Key Vault Admin.
Customer External Key Vault Administrators: Customer External Key Vault Administrators who are responsible for the administration and management of the external key vault tasks (for example, setting up, managing, and creating access policies).

Benefits

The Automation Anywhere Credential Vault is secure and provides deep integration with the automation platform. However, because corporate IT must provide secure data services as part of their IT security policies, the automation platform might be required to use external key vault technology to comply with corporate standards.

External key vaults enable the automation platform to fully comply with corporate requirements and can provide these additional benefits:

Deep integration with the Identity Provider (IdP) and corporate authentication platforms such as single sign-on (SSO) and Directory Services (such as Microsoft Active Directory).
Support of password rotation and synchronization with the systems used with the automation platform.
Administration of the key vault and security best practices are performed by the IT group who manages the external key vault instead of the automation administrators. As a result, the automation platform becomes a consumer of the credential service.

Guidelines

External key vault integration guidelines support the operation of the automation platform relating to the coordination, configuration, and consumption of credentials and sensitive data from the external key vault technology.

Coordination: Establish designated contacts for the key vault and automation platform technologies and identify the individuals responsible for communicating operational guidelines, security policy, and compliance requirements for credential management.
Configuration: Designated contacts collaborate on the use case implementation and configuration requirements of the automation platform and the external key vault.
Consumption: Based on which use cases are implemented, designated contacts monitor the integration of the automation platform and the external key vault and coordinate credential rotation and naming requirements.