Security architecture model

  • Updated: 8/27/2021
    • Automation 360 v.x

Automation Anywhere Cognitive security architecture is founded on Least Privilege principles and a strict Separation of Duty model with 41 technical controls implemented across seven NIST Control families.

The NIST framework was selected as a foundation for best practices and as a way to enumerate the controls implemented throughout. Translations from NIST to other control frameworks are widely available; resources are provided at the end of this topic.

The product security architecture is maintained by the Automation Anywhere Product Management team and forms part of a formal policy model as an integral part of the Automation Anywhere Development Roadmap. The following table lists the Control families and the corresponding features and security impacts. Details on each Control family and how the security architecture is implemented in Automation Anywhere products are in the corresponding topics.

| Control Family | Control Code | Control Room Feature | Security Impact |
|---|---|---|---|
| Access controls | AC-3, 6, 7, 9, 10, 12 | Central policy control | Enforce access restrictions for change control and least privileges on system components: fine grained access to bots and Bot Runners is controlled via RBAC; Bot and Bot Runner domains can be assigned to roles via RBAC; RBAC roles are fully audited |
| | AC-2, 3, 5, 6 | Role-based access control (RBAC) | Enable user access, restricts operational privileges, enforces least privilege principles |
| | AC-17 | Bot repository | Bot versioning system with access restrictions |
| | AC-3, 7, 9, 10, 11 | Bot and Bot Runner encryption | Encryption and obfuscation of sensitive information at bot level through credential vault and integration with key management systems |
| Configuration (change) management | CM-2, 5, 6, 7, 9 | Centralized Bot Runner control | Restrict functionality based on roles, domains, implement deny-all and allow-by exception |
| | CM-10 | Centralized licensing | Centralized provisioning, tracking and enforcement of Bot Creator and Bot Runner licensing |
| | CM-2, 5, 6, 8 | Bot operations room | |
| | CM-8 | Inventory control | Maintains centralized inventory control of all bots and runtimes |
| Bot Creator configuration management | SA-10 | Bot Creator management, bot check-in, check-out | Control Room applies software life cycle management to bots from development, test, and production. Bot versioning enables change control of automations. |
| Audit and accountability | AU-1 through 15 | Audit trail | Automated event logs captured on three levels: Control Room, Bot Runners, and Bot Creators. Non-repudiation is assured through read-only logs, all user identities are bound to actions. |
| Identification and authentication | IA-1 through 5 | Active Directory integration, Bot Runner ID and Attestation | Implements Windows platform security including cryptographic bidirectional authentication, Bot Runner identification and attestation, and password management policies. Credential vault with integration with key management systems, protects the integrity of credentials. |
| Incident response | IR-4, 6 | Incident response | Bot Insight embedded analytics capabilities can monitor events and generate alerts to SIEM systems for response. |
| Controlled maintenance | MA-2 | Automated maintenance | Control Room versioning system provides an automated mechanism to roll out updates to bots, historical information is maintained. |

(1) Resources: ISACA provides guides that map NIST SP800-53 to other security frameworks such as CoBIT (SOX), SANS Top20.
