Our team is growing, and I’m worried about developers having access to production passwords for our banking portals. We are currently using a shared Excel sheet for config, which is a security nightmare. What is the standard for credential management? Is an external vault like CyberArk necessary, or is the built-in Orchestrator asset enough?
3 answers
Stop using Excel immediately! The minimum standard should be using "Credential Assets" within your RPA Orchestrator. These are encrypted (AES-256) and can only be accessed by the robot during runtime. For developers, you should use "Folder-based Permissions." Give developers access to a "Dev" folder where they can use dummy credentials, and restrict the "Production" folder to the Robot accounts only. If your organization already uses an Enterprise Vault like CyberArk or Azure Key Vault, most major RPA platforms (UiPath, Blue Prism, Automation Anywhere) have native integrations. This allows the bot to fetch the password at the exact moment of login without any human ever seeing the plain text.
Are you concerned about the "Hardcoded" credentials inside the XAML files during the development phase?
We use CyberArk integration. It’s a bit of work to set up, but for a banking environment, it’s basically mandatory for compliance audits.
I agree with Susan. Our auditors wouldn't even sign off on our RPA program until we moved our credentials into a dedicated security vault.
Michael, yes, that’s exactly the worry. How do we stop that? Use a "Code Review" process and run "Static Code Analysis" with specific rules to flag any hardcoded strings. Additionally, the developers should only be using Get Secure Credential activities that point to an Asset Name. If the Asset Name exists in Dev but not in Prod, the code won't run, forcing them to use the proper credential management system you've set up in Orchestrator. Posted by: William Young Date: 27-05-2024