Security architecture
- Updated: 2022/03/09
Security architecture
Many of the largest financial organizations in the world rely on the Automation 360 secure digital workforce platform to automate security-sensitive operations.
The platform's security architecture is founded on Least Privilege principles and a strict Separation of Duty model with 41 technical controls implemented across seven NIST 800-53r4 Control Families. Controls are applied across three components: the Control Room, Bot Creators (development systems), and Bot Runners (bot execution run times) through the bot life cycle from creation through decommissioning. This security architecture and the underlying controls are mapped to industry best practices as defined by NIST and can be readily mapped to other frameworks, for example, CoBIT (SOX) and ISO 27002.
Access controls
Automation 360 limits and controls human and bot access to logical resources across components.
- Two independent control planes enforce least privilege. Only developers are enabled to read or write, only authorized Control Room users to execute automations, (Control Room authorizes and executes) subject to fine-grained Role Based Access Controls (RBAC) down to individual automations (bot), Bot Runners and domains.
- Bot- level Separation of Duty is enforced. Each bot is obfuscated and executed by its corresponding authorized Bot Runners.
- Bot execution is controlled via RBAC. Domain privileges are defined across groups of bot and Bot Runners.
- Security at-rest and in-transit: All access credentials are secured at-rest via a central Credential Vault with support for third-party credential stores. All communications are secured in-transit via SSL and TLS.
Configuration management
Configuration management is controlled at both bots and Bot Runner levels.
- The Control Room authorizes, enforces, and logs changes to all Bot Creators and Bot Runners.
- Bots are controlled via a robust version control system, for rollback and full event logging.
- Bot change control on execution is enforced through encryption and authentication.
Identification and authentication
Identification and authentication is controlled through Microsoft Windows authentication services.
- Bot Creators use Active Directory for authentication
- Bot Runners have two levels of authentication, one for autologin authentication of the runner and the other for execution of bots.
- Credentials are secured at-rest and in-motion through the Credential Vault or integration with third-party products.
Risk assessment
Risk assessment is undertaken on Static, Dynamic, and Network-based Vulnerability Assessments. Audit and accountability are established through event capture, logging and auditing on all three components with granular event capture at the bot level and nonrepudiation. Bot Insight embedded analytics provides near-real-time Incident Response and integration with Security Event and Information Management systems.