Security Controls for Unattended RPA
To safeguard unattended RPA flows, the infrastructure they operate on, and the NHS as an organisation, robust security measures must be put in place. This is the responsibility of the local organisation that is setting up the automation flow.
Microsoft Native Controls
Unattended RPA is run using Power Automate Desktop, which is a native Microsoft product. Standard security features therefore come as part of the Microsoft offering, including encryption of data at rest and in transit as well as Azure Distributed Denial of Service (DDoS) attack prevention controls. For further details on Power Platform security and governance, refer to the official Microsoft documentation and FAQs.
Minimum Required Controls
Whilst Microsoft provides the above security controls as standard, protecting unattended RPA requires bolstering that security with the additional controls detailed below.
These recommendations represent the minimum level of security that should be implemented alongside RPA.
Managing Roles and Permissions
- Governance Process: There must be an established governance and approval process through which end-users request and obtain the correct authorisation for building flows and infrastructure. Access can then be granted with the correct level of control. Within the Power Automate platform, access has two layers of control:
  - Environment Access – Controls access to an environment within the tenant, allowing or denying users access to the entire environment.
  - Flow Access – Controls direct access to a specific desktop flow that has been created. The available roles are owner and runner; the runner role only allows the flow to be triggered.
For more information, please refer to Power Platform governance overview and strategy – Power Platform | Microsoft Learn.
- User Power Platform Permissions: For the developers or administrators who create the flows, their data permissions in Power Platform should be managed through security roles. Custom roles that meet the specific needs should be created by organisations and assigned to the users/teams/groups within the environments. For more information, please refer to security roles and privileges.
- Application Accounts: Every process must be owned by a dedicated application account. This is to support traceability and auditability of the unattended processes as well as ensure continuity if a developer moves or leaves their role.
- Securing Flow Credentials: As every new flow requires its own set of credentials, these need to be created and managed securely. A secure credential management solution, such as Azure Key Vault (or an alternative approved in your organisation, such as CyberArk), is required to protect sensitive data effectively and minimise the risk of unauthorised access. For Azure Key Vault, more information is available in Create an Azure Key Vault credential – Power Automate | Microsoft Learn.
- Principle of Least Privilege: The principle of least privilege must be applied both to the application account that will run the flow and to the developer’s user account that creates it. This ensures that only the minimum level of access required to carry out the task is given (e.g. access to specific Teams sites / SharePoint sites), reducing the risk of misuse or exploitation.
- Security Rules: Security rules should be enforced to manage users’ access to Cloud PCs, virtual machines or machine groups within your organisation. These rules should be based on conditions such as user identity, device compliance, location and risk level.
- Access Reviews: The application account’s access should be periodically reviewed and updated in line with its associated processes’ requirements.
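The Securing Flow Credentials and Principle of Least Privilege items above can be put into practice with a short Azure PowerShell (Az module) script. The script below is an added example, not the NHS page’s or Microsoft’s own code: it creates a Key Vault that uses RBAC rather than legacy access policies, stores a flow credential without the password ever appearing in the script, grants read-only secret access scoped to that single vault, and then lists the resulting role assignments for review. The resource group, location, vault name, process name and application account are placeholders; the service principal display name 'Dataverse' and the 'Key Vault Secrets User' role are assumptions taken from the Power Automate Key Vault credential feature and should be confirmed against the Microsoft Learn article referenced above for your tenant.

```powershell
# Added example (not from the NHS page or Microsoft): provision a Key Vault for
# unattended-flow credentials with RBAC authorisation and least-privilege scope.
# All names below are placeholders; the service principal name and role are
# assumptions to be confirmed against the Microsoft Learn article.

$ResourceGroup = 'rg-rpa-credentials'                 # placeholder
$Location      = 'uksouth'                            # placeholder
$VaultName     = 'kv-rpa-flows-example'               # placeholder, must be globally unique
$FlowName      = 'invoice-reconciliation'             # placeholder process name
$AppAccountUpn = 'svc-rpa-invoice@example.nhs.uk'     # placeholder application account

Connect-AzAccount | Out-Null

# 1. Vault with RBAC authorisation, plus purge protection so a deleted credential
#    can be recovered during the retention period but not silently destroyed.
$vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
    -EnableRbacAuthorization -EnablePurgeProtection

# 2. Store the flow's credential. Prompting for the password keeps it out of
#    scripts, pipeline logs and source control; tags record which process owns it.
$secret = Read-Host -Prompt "Password for $AppAccountUpn" -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name "rpa-$FlowName-password" -SecretValue $secret `
    -ContentType 'text/plain' -Tag @{ Process = $FlowName; Owner = $AppAccountUpn } | Out-Null

# 3. Least privilege: read-only secret access ('Key Vault Secrets User'), scoped to
#    this vault only, for the principal that resolves the credential at run time.
#    Assumption: Power Automate reads Key Vault credentials via the Dataverse
#    service principal; confirm the display name and role in your tenant.
$dataverseSp = Get-AzADServicePrincipal -DisplayName 'Dataverse'
New-AzRoleAssignment -ObjectId $dataverseSp.Id -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $vault.ResourceId | Out-Null

# 4. Evidence for the periodic access review: every assignment at vault scope.
#    Anything broader than 'Key Vault Secrets User' (Owner, Contributor,
#    Key Vault Secrets Officer) should be justified and recorded.
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Scoping the role assignment to the vault's resource ID, rather than to the resource group or subscription, is what makes this least privilege: a compromised or misconfigured consumer can read the secrets it was granted and nothing else. Re-running step 4 on a schedule gives a simple artefact for the access reviews the guidance asks for.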
Infrastructure Security
Security considerations for Unattended RPA infrastructure vary depending on whether organisations use the “Bring your own VM” or “W365 Cloud PC” option.
For organisations using W365 Cloud PCs, the support site provides more information on compliance and security, including the responsibilities of Local Administrators.
For organisations that “Bring your Own VM”, please review the NHS Cloud Security Good Practice Guide, which outlines the recommended approach for managing security. Whilst this guidance is focused on cloud security, its principles should also be considered for on-premises infrastructure.
| Last Reviewed Date | 03/10/2025 |