Robot typing on laptop keyboard

Perspectives

Strategies for digital labor identity management

Implementation considerations for RPA credentialing

After spending almost 15 years implementing Homeland Security Presidential Directive 12 (HSPD-12) solutions to identify and provision human users in Federal information systems, how do organizations design secure identity solutions for the emerging Digital Labor? Given the on-going adoption of robotic process automation (RPA), securing bots and paying close attention to how they are accessing data is critical. What identity considerations need to be in place as part of a digital implementation strategy?

Digital labor identity management

Both industry and government organizations are realizing the potential for increased productivity gained through the adoption of RPA. RPA uses software robots—also known as bots—which are software applications designed to automate transactional, rule-based tasks by mimicking user interactions. While many out-of-the-box RPA solutions may have organic credential managers allowing bots to log in to applications, these credentials generally include a standard ‘knowledge-based’ replay feature that leverage user names and passwords. These credentials may not be strong enough to access federal applications or information that require higher authentication assurance and contain sensitive data.

Defining a BOT credentialing strategy

When the use of a higher assurance credential is necessary, due to the National Institute of Standards and Technology (NIST) Federal Information Processing Standards 199 (FIPS 199) system categorization or associated data sensitivity rating, existing Public Key Infrastructure (PKI)-based mechanisms can enable bot credentialing, authentication, and access. PKI-based solutions such as smartcards or software-based certificates and keys are acceptable for facilitating bot authentication. Most federal organizations either manage or have acquired PKI services, and can be well-positioned to begin issuing and using certificates aimed at identifying bots within their information systems.

Robot

Three BOT-credentialing strategic considerations

  • Governance considerations: While changes may be required to facilitate the registration, issuance, and use of bot certificates, other significant high-level decisions are also needed to drive custom oversight and guidance for bot workers. Establishing a governing body that oversees identity and access policy during the nascent stage of bot usage can provide many benefits that translate to potential cost savings.
  • Technical considerations: There are high-level policies developed and maintained by the Federal PKI Policy Authority (FPKIPA) that precipitate technical considerations to assist in driving compliance. Digital workforce strategies need to identify custom technical changes that need to be addressed to facilitate proper authentication and access to data and servers.
  • Procedural considerations: Organizations need to identify procedural planning factors to address registration of bots, so certs are validated when issued and used in a compliant manner that supports organizational security goals.
Robot sphere

Next steps in identity management

Although PKI is a well-established mechanism for identity in the federal space, new use cases such as RPA will precipitate additional planning factors for issuance and management of resulting credentials. Addressing governance, technical, and procedural considerations early in the strategy can help enhance existing IT investments and reduce significant process redesign which could impact an organization’s ability to leverage RPA’s productivity benefits while still supporting security requirements.

Robot using touchpad
Did you find this useful?