Security architecture model
Automation Anywhere Cognitive security architecture is founded on Least Privilege principles and a strict Separation of Duty model with 41 technical controls implemented across seven NIST Control families.
The NIST framework was selected as a foundation for best practices as a way to enumerate the controls implemented throughout. Translations from NIST to other control frameworks are widely available, resources are provided at the end of this topic.
The product security architecture is maintained by the Automation Anywhere's Product Management team and forms part of a formal policy model as an integral part of the Automation Anywhere Development Roadmap. The following table lists the Control families and the corresponding features and security impacts. Details on each Control family and how the security architecture is implemented in Automation Anywhere products are in the corresponding topics.
|Control family||Control code||Control room feature||Security impact|
|Access controls||AC-3,6,7,9,10,12||Central policy control||Enforces access restrictions for change control and least privileges
on system components as follows:
|AC-2,3,5,6||Role-based access control||Enables user access, restricts operational privileges, and enforces least privilege principles|
|AC-17||Bot repository||Bot versioning system with access restrictions|
|AC-3,7,9,10,11||Bot and Bot Runner encryption||Encryption and obfuscation of sensitive information at bot level through Credential Vault and integration with key management systems|
|Configuration (change management)||CM-2, 5, 6, 7, 9||Centralized Bot Runner control||Restricts functionality based on roles, domains, implements deny-all and allow-by exception|
|CM-10||Centralized licensing||Centralized provisioning, tracking, and enforcement of Bot Creator and Bot Runner licensing|
|CM-2, 5, 6, 8||Bot operations room|
|CM-8||Inventory control||Maintains centralized inventory control of all bots and run times|
|Dev configuration management||SA-10||Bot Creator management, bot check-in, check-out||Control Room applies software life cycle management to bots from development, test, and production. Bot versioning enables change control of automations.|
|Audit and accountability||AU-1 through 15||Audit trail||Automated event logs captured at the following levels:
|Identification and authentication||IA-1 through 5||Active Directory integration, Bot Runner ID and Attestation||Implements Windows platform security including cryptographic bidirectional authentication, Bot Runner identification and attestation, and password management policies. Credential Vault with integration with key management systems, protects the integrity of credentials.|
|Incident response||IR-4, 6||Incident response||Bot Insight embedded analytic capabilities can monitor events and generate alerts to SIEM systems for response.|
|Controlled maintenance||MA-2||Automated maintenance||Control Room versioning system provides an automated mechanism to roll out updates to bots, historical information is maintained.|
(1) Resources: ISACA provides guides that map NIST SP800-53 to other security frameworks such as CoBIT (SOX), SANS Top20 (http://www.counciloncybersecurity.org/critical-controls/tools/) and ISO27002 (http://www.bankinfosecurity.in/mapping-nist-controls-to-iso-standards-a-7251).