Robotic Process Automation

How to securely manage sensitive credentials in a multi-developer RPA environment?

RI Asked by Richard Thompson · 22-05-2024
0 upvotes 11,110 views 0 comments
The question

Our team is growing, and I’m worried about developers having access to production passwords for our banking portals. We are currently using a shared Excel sheet for config, which is a security nightmare. What is the standard for credential management? Is an external vault like CyberArk necessary, or is the built-in Orchestrator asset enough? 

3 answers

0
BA
Answered on 24-05-2024

Stop using Excel immediately! The minimum standard should be using "Credential Assets" within your RPA Orchestrator. These are encrypted (AES-256) and can only be accessed by the robot during runtime. For developers, you should use "Folder-based Permissions." Give developers access to a "Dev" folder where they can use dummy credentials, and restrict the "Production" folder to the Robot accounts only. If your organization already uses an Enterprise Vault like CyberArk or Azure Key Vault, most major RPA platforms (UiPath, Blue Prism, Automation Anywhere) have native integrations. This allows the bot to fetch the password at the exact moment of login without any human ever seeing the plain text.

0
MI
Answered on 26-05-2024

Are you concerned about the "Hardcoded" credentials inside the XAML files during the development phase? 

WI 27-05-2024

Michael, yes, that’s exactly the worry. How do we stop that? Use a "Code Review" process and run "Static Code Analysis" with specific rules to flag any hardcoded strings. Additionally, the developers should only be using Get Secure Credential activities that point to an Asset Name. If the Asset Name exists in Dev but not in Prod, the code won't run, forcing them to use the proper credential management system you've set up in Orchestrator. Posted by: William Young Date: 27-05-2024

0
SU
Answered on 28-05-2024

We use CyberArk integration. It’s a bit of work to set up, but for a banking environment, it’s basically mandatory for compliance audits.

RI 29-05-2024

I agree with Susan. Our auditors wouldn't even sign off on our RPA program until we moved our credentials into a dedicated security vault.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session