Enterprise 11: Security architecture model

Automation Anywhere Cognitive security architecture is founded on Least Privilege principles and a strict Separation of Duty model with 41 technical controls implemented across seven NIST Control families.

The NIST framework was selected as a foundation for best practices as a way to enumerate the controls implemented throughout. Translations from NIST to other control frameworks are widely available, resources are provided at the end of this topic.

The product security architecture is maintained by the Automation Anywhere's Product Management team and forms part of a formal policy model as an integral part of the Automation Anywhere Development Roadmap. The following table lists the Control families and the corresponding features and security impacts. Details on each Control family and how the security architecture is implemented in Automation Anywhere products are in the corresponding topics.

Control family Control code Control room feature Security impact
Access controls AC-3,6,7,9,10,12 Central policy control Enforces access restrictions for change control and least privileges on system components as follows:
  • Fine grained access to bots and Bot Runners is controlled via RBAC
  • Bot and Bot Runner domains can be assigned to roles via RBAC
  • RBAC roles are fully audited
AC-2,3,5,6 Role-based access control Enables user access, restricts operational privileges, and enforces least privilege principles
AC-17 Bot repository Bot versioning system with access restrictions
AC-3,7,9,10,11 Bot and Bot Runner encryption Encryption and obfuscation of sensitive information at bot level through Credential Vault and integration with key management systems
Configuration (change management) CM-2, 5, 6, 7, 9 Centralized Bot Runner control Restricts functionality based on roles, domains, implements deny-all and allow-by exception
CM-10 Centralized licensing Centralized provisioning, tracking, and enforcement of Bot Creator and Bot Runner licensing
CM-2, 5, 6, 8 Bot operations room
CM-8 Inventory control Maintains centralized inventory control of all bots and run times
Dev configuration management SA-10 Bot Creator management, bot check-in, check-out Control Room applies software life cycle management to bots from development, test, and production. Bot versioning enables change control of automations.
Audit and accountability AU-1 through 15 Audit trail Automated event logs captured at the following levels:
  • Control Room
  • Bot Runners
  • Bot Creators
Non-repudiation is assured through read-only logs and all user identities are bound to actions.
Identification and authentication IA-1 through 5 Active Directory integration, Bot Runner ID and Attestation Implements Windows platform security including cryptographic bidirectional authentication, Bot Runner identification and attestation, and password management policies. Credential Vault with integration with key management systems, protects the integrity of credentials.
Incident response IR-4, 6 Incident response Bot Insight embedded analytic capabilities can monitor events and generate alerts to SIEM systems for response.
Controlled maintenance MA-2 Automated maintenance Control Room versioning system provides an automated mechanism to roll out updates to bots, historical information is maintained.

(1) Resources: ISACA provides guides that map NIST SP800-53 to other security frameworks such as CoBIT (SOX), SANS Top20 (http://www.counciloncybersecurity.org/critical-controls/tools/) and ISO27002 (http://www.bankinfosecurity.in/mapping-nist-controls-to-iso-standards-a-7251).