© Morey J. Haber, Darran Rolls 2020
Morey J. Haber and Darran Rolls, Identity Attack Vectors, https://doi.org/10.1007/978-1-4842-5165-2_5

5. Bots

Morey J. Haber (1) and Darran Rolls (2)
(1) Orlando, FL, USA
(2) Austin, TX, USA
 
Have you ever asked your home smart device what the weather will be like today or the score of last night’s football game? You’re not alone. The explosion of virtual assistants in home environments underscores the reality that software and interactive, self-service, autonomous consumer applications are now an intricate and interwoven part of our lives.
This explosion in the consumer space is being mirrored in enterprise computing too. Virtual assistants and other autonomous software “bots” are nearing the zenith of their hype-cycle. From customer service chat bots to travel booking assistants, organizations are using bot technology to speed internal processes and enhance the user’s experience.
For any organization focused on identity and access management controls, this explosion in the use of bots presents both a potential security challenge and a powerful new controls and management opportunity.

Security Challenges

With the huge increase in the usage of bots come new security and business risks. It is critically important that any organization adopting bots for automation consider the implications for security and governance. As these bot-based initiatives gain in deployment numbers, businesses can pave the way to success by employing existing proven models for identity, privilege, and access governance. In practice, this means treating bots in the same way that we treat any identity or account that requires access. This often requires building out an inventory and catalog of their presence, purpose, and access requirements. This catalog of bots can then be integrated with the discovery and management capabilities of your identity and access management solution.
Addressing the security challenges introduced by bots also requires the careful and diligent management of their entitlement needs and assignment lifecycle. Any access to privileged information by a bot must be controlled and audited in the same way that we manage any other access. This management must include full visibility, policy management, and lifecycle controls. Bots must be evaluated against the same governance and privileged account access controls as any other account.

Management Opportunities

The wave of bot adoption also provides an opportunity for identity to become more intuitive and pervasive within the business. Not only can bots provide efficiency gains and enhance customer service, but they can also be used by the IAM infrastructure itself to facilitate enhanced interaction with the business. This can take the form of chat bots and other more human-like interactions, allowing business users better access to reporting and analytics data.
Users may also become more involved with the actual process of Identity Governance itself. An example of this might be using a bot-facilitated process for access request. This would allow for the process to be further customized to the needs of the end business user. A bot could direct the user to the correct request choice through context and other information at its disposal and thus guide the user to a better result for them and the business.

Governing Bots

The rapid rise in the use of bots throughout most organizations means we all need to take action to prevent this new “aid” requiring a retrospective “Band-Aid.” Governing bots from an identity and access management perspective is simple: when the bot is persistent (i.e., a permanent part of the infrastructure), treat it like an identity; when the bot has systems access via accounts and entitlements, manage it just like any other account or entitlement. Cataloging them, understanding their context, and most importantly controlling their lifecycle are now a critical part of the overall Identity Governance process.
Most organizations are only now taking their first steps into the world of bots. This affords the identity program staff and planning a chance to get things right from the start. By being proactive, asking the right questions, and using proven governance best practices, we can retain governance and oversight while still allowing for the rapid adoption of this new and interesting technology.