Hello, everyone. Welcome to our exclusive virtual event series, ID:30. Today we have 30 minutes of blazing insights to help you successfully navigate the unique challenges of managing identities.
In this digital age, many organizations are turning to Robotic Process Automation or RPA, which uses robots, often called digital workers, to automate repetitive tasks. While this automation can bring new levels of efficiency to many aspects of business, the robots that perform those tasks also invite a certain level of risk, especially when that work involves privileged access. So the robots are coming. And let me ask you, are you secure? Are you sure?
Today's speaker, Rudy de Sousa, Director of Sales Engineering at One Identity, will talk about RPA and how to ensure the security of your RPA environment. Rudy comes to us with a background in information security, artificial intelligence, machine learning, RPA software.
Thank you, [? Lorene, ?] for that introduction. Hello, everyone, and welcome to this ID:30 event. The robots are coming. Are you secure? In the next 30 minutes, we'll be considering Robotic Process Automation, or RPA. We will look at what it is, its usage, and why organizations are piling into it. And most importantly, we will look at considerations around security and risk. We aim to leave you with food for thought. There is an opportunity at the end of the presentation to ask questions or share your opinions and experiences in this space.
I'm very happy to say that I have with me for this event Kelly Hardy, who is product marketing manager for our One Identity's privileged access management solutions. Kelly has been working in the IAM space for over 14 years and is standing by to answer and share with the group any of your questions around today's material. So type any questions you have at any time into the chat. She will answer some of those directly to you, and some of those we will pass on to the end of the session. So please at any time enter those questions into chat.
We will also give you a further chance to have your say, listen out for an interactive poll that we have during the presentations. We will ask you to participate. And we will have a fun and relevant video towards the end as we introduce our Q&A section. Altogether, we trust this will be an interesting and a great use of 30 minutes of your time.
So with that, let's consider the fast paced world that we live in today. Technology evolves at great speed. New capabilities give rise to new possibilities, to different and potentially completely new ways of working and even of living. It introduces great opportunities for those that are able to take advantage of it. It also introduces risk that must be understood, that must be mitigated, managed, and governed.
Alongside this fast paced nature of the world today, we also see great competition in nearly every sector and around the globe that's ready to take advantage, as a competitor that is looking for a fellow organization that hasn't taken advantage of the opportunity presented by all this change and goes in there. Or where a competitor was tripped up by the risks introduced by this fast pace of change and the new capabilities.
We see organizations pile into RPA as the opportunities represented is substantial, and it's unfolding at pace. We know that there are risks. There are new attack surfaces that are very attractive to those that want to gain unauthorized access or harm your organization. Yet the pressures on organizations means that we have to engage with this at speed. And there are many of these challenges. I'll highlight a couple of those.
Organizations worldwide across industries experience a constant pressure and need to realize ever increasing productivity gains. They face the same kind of pressure around cost. For further cost saving, you gather one round of cost saving, and you're onto the next one. There's a constant pressure around this. This pressure to always improve and driving towards improved accuracy, fewer errors for the user experience, for cost, for efficiency.
And organizations certainly face continuous pressure to drive more and more effective use of that organization's resources. And above all, they are continuously pushed to make more effective use of the employee's time, shining a particularly bright light, an uncomfortable spotlight, on repetitive work that must be completed by any employee.
In this fast paced, competitive world, as you can imagine, there is a big appetite for automation, which brings us very nicely to our topic of robotic process automation. So let's start the discussion around RPA by considering briefly what exactly RPA, Robotic Process Automation, is.
Now, Gartner issued their latest Magic Quadrant for RPA just last month in July 2020, and they have a pretty good definition, I think, of what RPA is. Let's say it's a licensed software tool to integrate any application via the user interface to automate routine, predictable tasks using structured digital data. So that's a pretty decent explanation and definition of RPA.
Now, most of us on this call have worked in IT and in computing for a long time, and we would rightly say automation isn't exactly new in computing. It's been around for a while. And of course, this is correct. IT automation and Business Process Automation or BPA has been around for decades. There are some very key differences between that automation and robotic process automation, however. Key differences. And I'll highlight just a couple of those differences, because this means that with RPA, organizations can automate much more of their processes, profitably increase in speed, and increase in accuracy, much more than with previous attempts at automation.
And in the traditional process automation tools, you would typically find a software developer, a tech savvy person focused on tech that produce a list of actions to automate a task, and they then interface to the back end of that application or system using an API or some dedicated scripting language to effect, to actually put that automation in place and over the long term to maintain that as well. By contrast, RPA systems, robotic process automation systems, developed that action list of what needs to be done for this process to automate the process, watching the user perform that task, that process, in the applications, graphical user interface, from the front end. Key difference there.
So when you look at RPA, it then executes, it performs the automation by repeating those tasks directly in the GUI, in the Graphical User Interface, the front door of the application. That one aspect significantly already lowers the hurdle to automation, the cost of automation in applications and products and systems that might not otherwise have a decent API, a decent interface a way of integrating to the back end of that application or that system.
And even where an application or system has an API or a decent application programming interface available, it might simply be much faster and easier to automate the process via this route rather than going by the traditional route of integrating with the back end. And also, of course, to maintain that automation over time. Another key cost to consider.
So when you think about that for a minute, doing the automation this way around enables many things. One of the things it does is it enables the business to be much more at the center, much more involved with automating of processes. That's a good thing. It's much more possible to do that today than in the past. A business team, theoretically, could buy their own RPA tool out of their own budget and program a robot. It can be done. It's not that difficult to do.
So with RPA, Robotic Process Automation, professional level experience, dedicated software development, and technical skills are not necessarily needed to get those robots up and running. So this puts the business in the position that's very empowering, makes it easier to get automation right for the business, and reduce the cost of automating that process and maintaining it.
But also, as I'm sure many other security professionals on the call had a cold shiver run down their spine, because it also opens up some potential challenges in that the shadow IT type scenario now has the potential to reach all the way into automation. Any part of the organization can theoretically deploy RPA on their own tactically fast, not involving the security team, for example. And those robots would be interacting directly with production systems and data. So a real concern there. Something to absolutely keep an eye out for.
So while the objective of automating a process is shared between robotic process automation and earlier forms of automation, with BPA, for example, Business Process Automation, generally you find it's being built and maintained by a small, technically focused, highly experienced, centralized team. Whereas RPA inversely places much of the control of automation into the hands of users, of business, and less technical people. Presents both opportunity for wide open automation as well as a potential challenge that we need to be very aware of.
So with RPA, in other words, we have this substantial increase in how many processes can be automated. The creation and maintenance of the robots and automation is easier. It is easier to include the business properly in this automation. So the question is, does that mean everybody loves RPA? Well, certainly if you look at the market, it is growing. It's already substantially sized, and it is growing at a pace.
Again, look at Gartner's Magic Quadrant report from last month if you will. Hot off the press, so to speak. But more generally, the compound annual growth rate forecast by analysts for this already sizable market is really massive. And analysts estimate approximately 30%, give or take a reduction in operational costs for organizations within a four year period of pushing out an RPA deployment, a 30% saving on operational costs in most industries is absolutely massive.
So there is widespread traction. It is accelerating as well. And I can tell you when we had One Identity speak to organizations day to day, we increasingly find that they are either using RPA or they are using it and they are pushing quite substantially to expand the use of RPA, with some exceptions here and there. So certainly wildly popular and expanding.
And this brings us to the short poll. We would like your opinion. We have only one question for you to answer, please. And this is around your organization's usage of RPA. The organization you work for or if you're a contractor, where you spend the majority of your time. You have the questions available there. Please pick one of those. It will take a couple of seconds. I'll quickly read through those for you.
Option one, my organization uses RPA today. Option two, my organization uses RPA today and plans to increase RPA usage. Option three is not using RPA today, but they plan to use RPA in the future. Probably and possibly why many of you are on this call or looking at this replay. Option four is we don't use RPA and we specifically do not plan to use RPA. Now, this doesn't happen a lot. There may be some. So an option there. Please try to choose one of those four.
We put option five there. We know most people work for large organizations. You might not be aware of the company's full plans. But if you have any idea of that, please choose accordingly. So that'll take a minute or two to go through. Greg will be tallying that up for us. I'll have a preview of the answers here. We certainly with 33%, 1/3 of people using RPA today and planning to increase that. Another 18% not using RPA today but planning to use it in the future. 6% using it. There's 43% that I'm not sure. That happens, large organizations. And 0.
Again, the same, this is the second session we're running, same as this morning. 0 people choosing number four. That is definitely accelerating. And also for the rest. So 43 is 57, 31 or 57. So more than half are using it today, planning to expand, and various situations. So pretty standard for what we see in the market when we talk to people. It is used widely, and it is accelerating. So absolutely something to keep our eyes on, especially for security.
So next I want to spend just a minute to consider RPA is gaining this widespread traction. What does it mean for risk and for opportunity? RPA is typically lumped together with machine learning and other areas under the AI, the Artificial Intelligence umbrella. Like nearly anything from finding a big stick in caveman times to understanding the use of fire to splitting the atom all the way through to advanced machine learning, artificial intelligence, RPA, new technology, new capabilities can be used for good, and it can be useful bad. And this is certainly the case for the whole of this area, including RPA.
So just to touch on two examples of that, we'll start with an example of using AI in related areas for bad. Deep fakes is ranked by many as the most serious or at least one of the most serious threats from the AI side of technology. Briefly, with deep fakes, hackers use machine learning to clone someone's voice and then combine that voice with social engineering techniques to convince people to do things like move money where it shouldn't be.
An example of that was last year, 2019, a CEO was tricked into transferring money, $240,000 in fact, by what sounded to him over the phone exactly like the CEO of the company's parent firm. So this kind of thing happens not just with audio, but video as well. It's a serious threat. With the ability now to kind of outsource some of the highly technical and more advanced hacking techniques, this is becoming a real issue. So there are some mitigation, but many other examples, unfortunately, of using AI and related technology for bad.
Happy to say, of course, it can be used for good as well. And this is a great example where a humanitarian organization used AI and its related technology to feed a lot more people with the same amount of budget. They had hundreds of thousands of refugees that are fixed by just $6.7 million. Everybody needed three meals a day. The organizers had a very difficult choice. Five foods to order out of 30 choices. How much do you order? Where do you store it? Which routes do you take?
Endless permutations. Not endless, 900 million permutations to consider. One of those would be able to feed the largest number of people. They used AI to do this and rather than 28 years, which is what it would take you to consider each option for one second, within a couple of days, they could ascertain the exact best permutation. They estimate that around about 80,000 people were fed that wouldn't otherwise have received food. So it is possible to use AI and related technologies for good certainly.
And when you consider the options to mitigate that risk of RPA being used for negative against your company or your organization and to enable your organization to take advantage of the opportunities presented by RPA, this is where we in security come in, of course. RPA introduces new aspects of risk and security that we need to consider, we need secure, manage, and govern. It introduces a new attack surface that is surely very enticing if you are a hacker. Get control of all those robots, all the access rights to production systems, and to production data. So absolutely key one to look at.
I like this quote. We don't want to make things more complex than what they are. And the temptation with RPA for someone on the technology side is to say, this new technology or somewhat new technology is [INAUDIBLE] deployed. So I need something fancy from security. But much of what is needed from security and identity for robotic process automation is not necessarily new to security. Much of it involves essentially extending existing capability and principles and measures to include an account for robotic process automation for the robots or the digital workers, as they are sometimes called.
Unfortunately, many organizations implement weaker security for robots, for digital workers, including weak identity and access controls for these robots, for the robotic process automation, than what they do for humans. It makes no sense. And to an extent, you can understand it, because people think, well, this is technology. To an extent, it does what you tell it to do. There's less variable than you have with a human.
So I can kind of get the train of thought. But if you look into this in any depth, you will quickly realize that it is extremely important to secure digital workers appropriately. That robot might not be human, but they do need an identity. They need privileges. They need access rights. They need governance.
To automate the process, as we discussed, the robots are essentially replicating what the user would have done via the user interface. Key point. So automation through the front end, through the GUI. Those robots need to really behave like a user in order for RPA to deliver what it promises.
How do you do that? Well, the robot starts by logging in through the GUI, by authenticating. So the robot, in other words, has credentials. Then they go through the application, and they start performing the actions necessary for automating their process. In order to do that, their account, of course, will have privileges. So they need access rights to applications, to production data. Some process being automated require highly privileged access as well. The robot or the digital worker driving that automation, just like a human privileged user, will need to use highly privileged account and access rights in order to do that.
So the humans of-- the robots of RPA are not human, but they need those identities. They need to be covered by your identity management system. It is critical that they are covered by a Privileged Access Management system, your PAM system. Privileged access management is a crucial part of an organization's efforts to secure its systems and data. Robust, capable integration between your RPA capability and your privileged access management is essential to mitigate risk represented.
And robots, of course, need to be governed. And things like separation of duties, it applies there as well. You still don't want a toxic combination of access right. And the other aspects of governance applies here as well. These are not unique to robots, but weak privileged access management and identity and access management controls are frequently applied to robots and will lead to increased risk in an area where there is already enough risk, I think.
So happily, there's with every disruption or a new technology, of course, opportunity too. For us as security and identity professionals, this is true with RPA. Of course, we need to think carefully about how to secure RPA, how to mitigate risk, how to enable our organizations to realize securely the opportunities represented by RPA for our organizations.
But with RPA, Robotic Process Organization is not just about the security of RPA. RPA can also help us in security, in identity and access. We can look at using RPA to automate intelligently the right processes suitable for automation in our security systems, in our identity systems. We can improve the responsiveness to our users to reduce errors, improve the user experience, in essence.
And I know no security or identity team that do not wish that they had more time for strategic work, for proactive work. Robotic process automation used against your identity systems, your security systems, can free up time for us to move from repetitive, low value processes that we have to execute as security and identity professionals and spend our time better to secure organizations. So great opportunity for us together with the responsibility of securing this.
Now, for those of you that have attended other ID:30 events previously will know that we always leave you with a ninja tip. So in essence, our ninja tip is remember to look at using RPA for our own systems, for our users, and to free up our own time. So for the ninja tip, I leave you with a couple of points to consider when you look at the process.
Like any automation, with RPA, when you look at a process, you're trying to figure out whether it is suitable for automation, using the technology RPA. You want to look at a couple of things. There's more factors, of course, that you can consider. But if you look at these factors, they are the key ones. If you look at those for a process, you will have a pretty decent idea whether this process is ripe to be automated and makes sense for you for your organization or not.
I'm not going to go through all of them. Pretty sensible if you think about the premise of RPA. You're trying to automate repetitive things. Not that much decision making. Known stable process as much as possible but frequently enough to actually be worthwhile automating.
There is one aspect I want to highlight. We haven't talked about it. And that is ideally for RPA, you're looking for a process where there isn't a lot of decision making. You don't need a human to look at and make a judgment call or even complex decision making. And that's absolutely true for robotic process automation on its own. What we see increasingly, in fact, I'll go so far as to say in the majority of instances, is that people combine this technology with machine learning algorithms with AI, essentially, to help with decision making.
So this is one of the reasons why these areas live so close together. You implement RPA, you look at a process that you desperately want to automate. It would bring a lot of benefit. It makes a lot of sense. This is one drawback. There's one or two decisions that need to be made in the run of this process.
You can deploy machine learning algorithms to use the data to train that algorithm, to develop its own rules and understanding of how to make decisions based on millions of decisions potentially before that. And then include that process in RPA. It greatly extends the reach, both the breadth and the depth of processes that can be automated. So absolutely consider that.
So next up, we get to the section where you share your opinions, your thoughts, your questions. Please type to them in. Kelly is indeed monitoring those and answering some of those already. To introduce this question section, we're going to have, shall we say, a documentary video to do so. And I'm going to ask Greg to run this video for us please.
[VIDEO PLAYBACK]
- And Diane's husband passed away.
- The insurance company said his policy didn't cover them.
- They had no money to pay for a funeral.
- It's so hard nowadays with all the gangs and rap music.
- What about robots?
- Oh, they're everywhere.
- I don't even know why the scientists make them.
- [? Baron ?] and I have a policy with a Old Glory Insurance that covers us in case we are attacked by robots.
- An insurance policy with a robot plan? Certainly I'm too old.
- Old Glory coverage anywhere over the age of 50 against robot attack, regardless of current health.
- I'm Sam Waterston of the popular TV series Law & Order. As a senior citizen, you're probably aware of the threat robots pose. Robots are everywhere, and they eat old people's medicine for fuel. Well, now there's a company that offers coverage against the unfortunate event of a robot attack. Old Glory Insurance.
Old Glory will cover you with no health checkup or age consideration. You need to feel safe, and that's harder and harder to do nowadays, because robots may strike at anytime. And when they grab you with those metal claws, you can't break free, because they're made of metal, and robots are strong. Now for only $4 a month, you can achieve peace of mind in a world full of crime and robots with Old Glory Insurance.
- Robots, they're coming. Robots.
- Oh, it's a friendly robot. This time.
[END PLAYBACK]
Thank you Greg. Well, actually as scary as that is, in real life, if RPA goes wrong, it potentially is even scarier than that. So we've got a couple of minutes for questions, about three or four minutes left. Just before we get to that, we've got a couple of questions. I want to draw your attention to a special gift we have for you for attending. It's a TP Link. It's a Kasa Smart Wi-Fi plug. I've got one of those here as well. Fantastic. All you need to do is you will receive a thank you from us for attending. Just respond to that and you will receive your thank you gift.
So with that, I'm going to go and look at the questions we've got here and see how many we can get through before our time is up. So one of the questions that we have, is it really possible to 100% secure RPA, Robotic Process Automation? Well, in as much as it is possible to secure anything 100%. There is always something that can be attacked. Only depends on how much resources, effort, time you're prepared to spend.
It certainly is possible, and it's being done today, to secure your RPA implementation to an extent that allows your company, your organization, to take advantage of robotic process automation. Apply many of the same principles. Look at the risk posed. Look at your risk posture, your risk appetite. What do you do to mitigate? Look at the controls and systems around it. Keep in mind that this needs to be treated like a user, like an individual. It happens to be a digital worker. It's still a worker with access rights. Start from that point, and you will find that many of the challenges will be addressed and many of the risks will be mitigated.
And on that topic as well, I'm going to take the next question, which is somewhat related. How easy is the integration between RPA and privileged access management? Now, this is particularly important, because if I'm securing an organization, then PAM is probably one of the first things I'm going to-- it's something I'm going to prioritize. I've worked in security from the threat side with antivirus tooling, firewalls, [? seam ?] solutions, and everything, the last 10 plus years focused very much on identity.
And if I had to start anywhere, if I had to start one place, I could think of many options, but I would certainly take a hard look at PAM. You are controlling, you're introducing controls around your highly privileged users. Those accounts that are targeted. Those accounts that have the highest access as well. And it needs to be used. Controlling that is crucial for risk mitigation. So integrating that into RPA absolutely essential.
Now, it is a tough ask. When you say how easy is integration, well, we are asking a piece of software, we're asking a solution that has been [INAUDIBLE] to be highly secure, because it's taking care of the most prized and highly privileged accounts in the organization. So it's highly secure. And we are asking this at the same time to be integrated with in a way that makes all those features available. And it needs to be easy and maintainable as well. So that's a tough ask. It can be done though.
Look at your RPA vendor. If you're in the process of choosing an RPA solution, there 16 listed in the Gartner Magic Quadrant. So these choices, even more than that that's not in the report. There's certain criteria they use. So there's a lot of choice in the RPA world. We've worked with a couple of the key top vendors, and they are always keen to understand how can we do this to help the customers, to work with security vendors like us in doing that. And look at your security vendors. Look at your PAM vendor. How open are you? How easy is your API to use? What's the integration capabilities, the systems, the standards that you support in this space?
So it can be done, absolutely. It can be relatively easy as well. We did an integration for one of our clients that was done within a week. So it can be done. It can be relatively easy. The key thing is do your homework in the space, like with any enterprise integration. Do the homework there. Make sure that you see that integration capabilities from your vendors, that you have support in that space.
So I'm being nudged here that we are exactly one minute and 50 seconds over our time. So we've got two more questions. We'll get back directly to the people that asked that question. Thank you very much for that. Thank you for attending. Respond to that note that we send you, and you will find your gift to say thank you for attending coming your way.
So with that, I hope you found it indeed very interesting. There's a lot to consider in this space, a lot of opportunity as well. Absolutely can be done to secure an RPA to mitigate the risk to the point where you can take advantage of it. The key message here is your robots need identity. Push those robots under the control of your identity management system under the privileged access management system. And remember to consider RPA to automate your own processes in security, in identity, potential great benefit.
So with that, reach out to us if you want to discuss this further. We've got a lot of experience in this space. Thank you very much for your time, and have a good day further.
[MUSIC PLAYING]
31:23