Security architecture model
Automation Anywhere Cognitive security architecture is founded on Least Privilege principles and a strict Separation of Duty model with 41 technical controls implemented across seven NIST Control families.
The NIST framework was selected as a foundation for best practices and as a way to enumerate the controls implemented throughout. Translations from NIST to other control frameworks are widely available; resources are provided at the end of this topic.
The product security architecture is maintained by the Automation Anywhere Product Management team and forms part of a formal policy model as an integral part of the Automation Anywhere Development Roadmap. The following table lists the Control families and the corresponding features and security impacts. Details on each Control family and how the security architecture is implemented in Automation Anywhere products are in the corresponding topics.
| Control Family | Control Code | Control Room Feature | Security Impact |
|---|---|---|---|
| Access controls | AC-3, 6, 7, 9, 10, 12 | Central policy control | Enforce access restrictions for change control and least privileges on system components: |
| Access controls | AC-2, 3, 5, 6 | Role-based access control (RBAC) | Enables user access, restricts operational privileges, and enforces least privilege principles |
| Access controls | AC-17 | Bot repository | Bot versioning system with access restrictions |
| Access controls | AC-3, 7, 9, 10, 11 | Bot and Bot Runner encryption | Encryption and obfuscation of sensitive information at bot level through credential vault and integration with key management systems |
| Configuration (change) management | CM-2, 5, 6, 7, 9 | Centralized Bot Runner control | Restrict functionality based on roles and domains; implement deny-all and allow-by-exception |
| Configuration (change) management | CM-10 | Centralized licensing | Centralized provisioning, tracking, and enforcement of Bot Creator and Bot Runner licensing |
| Configuration (change) management | CM-2, 5, 6, 8 | Bot operations room | |
| Configuration (change) management | CM-8 | Inventory control | Maintains centralized inventory control of all bots and runtimes |
| Bot Creator configuration management | SA-10 | Bot Creator management, bot check-in, check-out | Control Room applies software life cycle management to bots from development, test, and production. Bot versioning enables change control of automations. |
| Audit and accountability | AU-1 through 15 | Audit trail | Automated event logs captured on three levels: Control Room, Bot Runners, and Bot Creators. Non-repudiation is assured through read-only logs; all user identities are bound to actions. |
| Identification and authentication | IA-1 through 5 | Active Directory integration, Bot Runner ID and Attestation | Implements Windows platform security including cryptographic bidirectional authentication, Bot Runner identification and attestation, and password management policies. Credential vault with integration with key management systems protects the integrity of credentials. |
| Incident response | IR-4, 6 | Incident response | Bot Insight embedded analytics capabilities can monitor events and generate alerts to SIEM systems for response. |
| Controlled maintenance | MA-2 | Automated maintenance | Control Room versioning system provides an automated mechanism to roll out updates to bots; historical information is maintained. |
(1) Resources: ISACA provides guides that map NIST SP800-53 to other security frameworks, such as CoBIT (SOX) and SANS Top20.