Security architecture model

Automation Anywhere Cognitive security architecture is founded on Least Privilege principles and a strict Separation of Duty model with 41 technical controls implemented across seven NIST Control families.

The NIST framework was selected as a foundation for best practices as a way to enumerate the controls implemented throughout. Translations from NIST to other control frameworks are widely available, resources are provided at the end of this topic.

The product security architecture is maintained by the Automation Anywhere Product Management team and forms part of a formal policy model as an integral part of the Automation Anywhere Development Roadmap. The following table lists the Control families and the corresponding features and security impacts. Details on each Control family and how the security architecture is implemented in Automation Anywhere products are in the corresponding topics.


Control Family	Control Code	Control Room Feature	Security Impact
Access controls	AC-3, 6, 7, 9, 10, 12	Central policy control	Enforce access restrictions for change control and least privileges on system components: Fine grained access to bots and Bot Runners is controlled via RBAC, Bot and Bot Runner domains can be assigned to roles via RBAC RBAC roles are fully audited
	AC-2, 3, 5, 6	Role-based access control (RBAC)	Enable user access, restricts operational privileges, enforces least privilege principles
	AC-17	Bot repository	Bot versioning system with access restrictions
	AC-3, 7, 9, 10, 11	Bot and Bot Runner encryption	Encryption and obfuscation of sensitive information at bot level through credential vault and integration with key management systems
Configuration (change) management	CM-2, 5, 6, 7, 9	Centralized Bot Runner control	Restrict functionality based on roles, domains, implement deny-all and allow-by exception
	CM-10	Centralized licensing	Centralized provisioning, tracking and enforcement of Bot Creator and Bot Runner licensing
	CM-2, 5, 6, 8	Bot operations room
	CM-8	Inventory control	Maintains centralized inventory control of all bots and runtimes
Bot Creator configuration management	SA-10	Bot Creator management, bot check-in, check-out	Control Room applies software life cycle management to bots from development, test, and production. Bot versioning enables change control of automations.
Audit and accountability	AU-1 through 15	Audit trail	Automated event logs captured on three levels: Control Room, Bot Runners, and Bot Creators. Non-repudiation is assured through read-only logs, all user identities are bound to actions.
Identification and authentication	IA-1 through 5	Active Directory integration, Bot Runner ID and Attestation	Implements Windows platform security including cryptographic bidirectional authentication, Bot Runner identification and attestation, and password management policies. Credential vault with integration with key management systems, protects the integrity of credentials.
Incident response	IR-4, 6	Incident response	Bot Insight embedded analytics capabilities can monitor events and generate alerts to SIEM systems for response.
Controlled maintenance	MA-2	Automated maintenance	Control Room versioning system provides an automated mechanism to roll out updates to bots, historical information is maintained.

(1) Resources: ISACA provides guides that map NIST SP800-53 to other security frameworks such as CoBIT (SOX), SANS Top20.

Automation 360