Dynamic access token authentication of Bot Runners
- Updated: 2021/10/09
The Control Room implements and enforces a Trusted Path for registration and authentication of Bot Creators and Bot Runners in accordance with NIST SC-11.
The Automation 360 platform protects the automation data against any attempt to subvert the path. The Control Room issues new client access tokens, or identifiers, after a predefined time period. These tokens are protected in conformance with NIST IA-5: they are signed by the Control Room and sent to Bot Creators and Bot Runners over HTTPS. Every subsequent communication between the Control Room and a Bot Creator/Bot Runner is serviced by the Control Room only after it validates the signature of the latest access token presented by that Bot Creator/Bot Runner.
The access token is unique to every Bot Creator/Bot Runner. This protects the system from an unauthorized attempt to bypass security and execute an unauthorized bot, and is consistent with the best practices for conforming to NIST IA-9 Service Identification and Authorization. These controls implement IA-3 for cryptographically based bidirectional authentication and attestation of Bot Runners and Bot Creators before connections are established. This also addresses the requirements of IA-4 for unique, automated identifier management supporting multiple forms of authorization and identification. Identifiers are dynamically managed for audit and control purposes. Identifiers are used as authenticators and are managed for verification at initial deployment, for revocation, and to prevent reuse. No static, unencrypted identifiers are used by Bot Creators or Bot Runners, and cached tokens are cleared periodically.
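The token life-cycle this section describes (issue a signed, time-limited token bound to one client; check signature, binding and expiry on every request; let a newer token supersede the old one; revoke), as an added Python sketch that is not Automation Anywhere's code. The token format, the claim names and HMAC-SHA256 signing are assumptions standing in for the Control Room's own signature scheme, which the page does not detail.

```python
# Added illustration of issue / validate / rotate / revoke for per-client access
# tokens. Format, claim names and HMAC signing are assumptions for this example,
# not the Control Room's real implementation.
import base64, hashlib, hmac, json, secrets, time


class ControlRoom:
    def __init__(self, signing_key: bytes, lifetime_s: int = 3600):
        self._key = signing_key
        self._lifetime = lifetime_s
        self._active = {}      # client_id -> id of the one token currently valid
        self._revoked = set()  # token ids explicitly revoked

    def _sign(self, payload: bytes) -> str:
        mac = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode()

    def issue_token(self, client_id: str, now: float = None) -> str:
        """Issue a fresh token; any earlier token for this client is superseded."""
        now = time.time() if now is None else now
        claims = {"sub": client_id, "jti": secrets.token_hex(8),
                  "exp": now + self._lifetime}
        payload = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        self._active[client_id] = claims["jti"]
        return f"{payload}.{self._sign(payload.encode())}"

    def validate(self, token: str, client_id: str, now: float = None) -> bool:
        """Service a request only if the presented token passes every check."""
        now = time.time() if now is None else now
        try:
            payload, sig = token.split(".")
        except ValueError:
            return False                                   # malformed token
        if not hmac.compare_digest(sig, self._sign(payload.encode())):
            return False                                   # bad signature
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["sub"] != client_id:
            return False                                   # bound to another client
        if claims["exp"] <= now:
            return False                                   # expired
        if claims["jti"] in self._revoked:
            return False                                   # revoked
        if self._active.get(client_id) != claims["jti"]:
            return False                                   # superseded by rotation
        return True

    def revoke(self, client_id: str) -> None:
        """Revoke the client's current token so it cannot be reused."""
        jti = self._active.pop(client_id, None)
        if jti is not None:
            self._revoked.add(jti)
```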