Rise of the Machines: A New World of Identity Governance

Nov 28, 2018 | by Tim Norris

Back in 1984, when The Terminator and its iconic indestructible android were unleashed on the sci-fi movie landscape, it seemed like pure fantasy to think our lives and our businesses could one day be run by machines.

Fast-forward to the present, and the explosion of the internet of things (IoT) has revolutionized our daily lives, from morning conversations with Alexa about the weather and sports scores to smart-everything connected to your mobile device: lights, door locks, refrigerators, toothbrushes and so much more. The rise of the ”machines” in the form of robots, Robotic Process Automation (RPA) and IoT devices also extends to the corporate infrastructure, impacting day-to-day operations, processes and controls in our connected work environments. And as artificial intelligence (AI) continues to evolve, machines, processes and ”things” are getting smarter with each and every interaction, learning behaviors, identifying anomalies and adjusting to evolving norms for improved efficiency.

Now, don’t get me wrong; we don’t need to lose sleep worrying about the future robots coming back to wreak havoc on our networks and loved ones. We do need to figure out how to protect today’s robots from cyber attacks. While not quite the sentient beings of sci-fi, they are still at risk for cyber attacks, making governing access—both to them and by them—critical to securing our data, processes and applications today. Here are three areas of focus to consider when thinking of how to manage access associated with these non-humans:

1. Governing Access to the Machines
Knowing who has access to today’s bots and processes is critical to ensure only appropriate users are executing rules and policies and setting tasks for them. Otherwise, security vulnerabilities, such as insufficient security controls on data processing and access management, could be easily exploited by bad actors (internal or external). Not applying appropriate access governance to the humans that can manipulate the machines can lead to compromise, inappropriate access and unwarranted lateral movement on a network.

2. Governing and Managing Machines’ Access Lifecycle
Knowing what the machines can do and what they can access, at a fine-grained level, provides control, visibility and additional business context to governance practices. A bot that can do a simple single task, such as pass order information to another system, may seem harmless—and may in fact be harmless, at least in a standalone scenario. But when combined with a user’s access entitlements it can create a toxic combination of access in which the user violates company policy or regulatory statutes. Fine-grained visibility into entitlements of what the machines can do further enriches the context and visibility for the humans in the organization while enabling secure access and continuous compliance.

3. Governing Access to the Users that Teach the Machines
Inappropriate or compromised access to the accounts and users that influence AI and machine learning can lead to corrupted AI and may impact performance or open security gaps in processes. Knowing and governing access at a fine-grained level for the users that are influencing the machine can, over time, help ensure only appropriate users are completing those tasks, as well as detect any anomalous access activity to spot potential bad actors and mitigate a potential risk.

Robots and robotic processes provide immense value to business and process automation, but they also represent new digital risk challenges to consider. Ensuring proper access governance for these machines is one way to begin to ensure we don’t see them turned on us through cyber attack.

# # #

Learn how RSA® Identity Governance and Lifecycle can provide visibility and control over all identities—human and machine.

Author: Tim Norris

Category: RSA Fundamentals, Blog Post

Keywords: Identity Governance and Access, Identity Lifecycle Management, IGA, IGL, IMG, Robotic Process Automation, RPA