Automation 360 クラウド for secure access and connectivity

You can develop and run Bots securely using the Automation 360 クラウド access security.

High-level architecture of クラウド deployment

The following architecture diagram provides a high-level workflow of the Automation 360 クラウド deployment:cloud-architecture

  1. Using a browser, you log into the Control Room and create users and roles. You perform this process on the Automation 360 クラウド.
  2. You install the ボット エージェント on your Windows device to run Bots locally. You perform this process on your infrastructure.
  3. Data flow between the Automation 360 クラウド and the ボット エージェント on your Windows device on your infrastructure is encrypted using TLS (outbound port 443 only).

Identity and Access Management (IAM) security for user system

  • When an admin user logs into the Automation 360 Control Room for the first time, the admin can configure SAML 2.0 to connect the Automation 360 クラウド Control Room to their own Identity Provider (IdP) so that their users can log in to the Control Room using MFA (multi-factor authentication).
  • The admin can then create the required users and roles or permissions to perform certain activities (such as developing and running Bots) in the Control Room.
  • The Automation 360 Control Room users can then log in through MFA and start creating and running Bots.
  • Additionally, the admin can configure an allowed IP address range to manage user logins through the Administrator settings in the Control Room.

To learn more about Automation 360 クラウド, see Automation 360 クラウドの使用を開始.

Secure connectivity to run Bots

You run Bots locally on a Windows machine on which the ボット エージェント is deployed. You can download and install the ボット エージェント on your devices or deploy to a pool of virtual machines.

Before you install the ボット エージェント, the following criteria must be met:
  • The integrity of the device on which the ボット エージェント is installed is not compromised.
  • The user organization has instituted security safeguards and controls to prevent ボット エージェント takeover and system-level user breaches.
  • The user environment is safe from network-based attacks such as Domain Name System (DNS) cache poisoning, Address Resolution Protocol (ARP) spoofing, and so on.
注: Automation 360 クラウド includes security operation controls to check for man in the middle (MITM) attacks and malicious intercepts.
ボット エージェント installation and registration
When you register your device, the ボット エージェント device is provided a JSON Web Token (JWT) to start the registration process with the Control Room. If the token provided by the ボット エージェント device does not match the token provided by the Control Room, the registration process will fail. This authenticates the client ボット エージェント device to the Control Room.
In the bulk installation and registration mode of the ボット エージェント, the ボット エージェント device comes online preregistered with the Control Room URL specified in the autoregistration.properties file. When using the bulk registration settings, one cannot enter or specify a fake Control Room URL without administrator privileges on that device. When the ボット エージェント starts for the first time, it will read the autoregistration.properties file and register itself to the Control Room URL specified in the properties file. By default, the option to switch the ボット エージェント registration from one Control Room to another is disabled. Only the Control Room administrators can enabled this option. If someone tries to register another URL when this option is disabled, the registration would fail immediately and generate an error mentioning that says Control Room is already registered and switching of the Control Room URL is not allowed.
By providing write access to a cache folder for the admin only and read permissions to all other users who can run Bots, we can assure that when a Bot is downloaded to the device cache, it cannot be manipulated to perform potentially harmful things.
Communication between ボット エージェント and Control Room
The ボット エージェント device establishes a websocket connection to the Control Room using HTTPS (outbound port 443) and no inbound connection is required.
  • Server authentication: The Transport Layer Security (TLS) handshake ensures that the Common Name (CN) in the server certificate issued by the well-known certification authority (CA) matches the legitimate hostname as included in the certificate chain of trust.
  • Client authentication: After registration, a valid token key is always required from the ボット エージェント to establish a connection to the Control Room. The token is encrypted using the ボット エージェント private key and can only be decrypted by using the ボット エージェント public key that was used when the ボット エージェント device was registered to the Control Room. The token also authenticates the ボット エージェント device every time the ボット エージェント connects to the Control Room.
Data connection between a customer's network and the クラウド service is protected with a strong TLS connection that leverages at least 2048-bit RSA server certificates, 128-bit symmetric encryption keys, and stronger TLS protocols. This secure connection makes it virtually impossible to breach the established TLS connection.
After the websocket connection is established, the communication between a customer's network and the クラウド service is secured and bidirectional. The connection between the ボット エージェント device and the Automation 360 クラウド hosted Control Room is permanent and automatically reestablished if connectivity is lost. This connection is used to download the Bots to run and send operational status information to the Control Room.
注: The connectivity is established only one time and not for each Bot.
Schedule Bots to run
Control Room users can schedule Bots to run. Compiled Bots are downloaded to run on the ボット エージェント devices and operational logs are sent from the ボット エージェント devices to the Control Room.
For the Bots to run, the ボット エージェント establishes an active Windows session by authenticating as the licensed Bot Runner user on the ボット エージェント device.
Secure credentials for Bots
Bot that run on the ボット エージェント devices need to log in to the device using credentials. You can store credentials securely in the Automation 360 クラウド Control Room credential vault. Alternatively, you can store credentials in a customer-hosted key management system (for example, CyberArk). When you store credentials in the customer-hosted key management system, you must have connectivity between the Control Room and the customer's key management system. To provide connectivity and allow access, you must configure the Automation 360 クラウド IP addresses for the specific Automation 360 クラウド region that is hosting the Control Room in their firewall. For more information, see 外部統合の Control Room IP アドレス.

Secure operations in Automation 360 クラウド

Automation 360 クラウド is run securely and meets compliance standards for: SOC 1, SOC 2, ISO 27001, and HITRUST.