If you had the choice, what superpower would you have? It’s a fun question, always good to get the conversation flowing at a party. Perhaps, going forward, the answer will be less about being able to fly or seeing through walls to being able to securely automate IT or business processes (I know, that’s a bit of a stretch, but bear with me).
Privileged Process Automation (PPA) is an emerging category of automation for IT and business processes that interact with multiple systems using privileged accounts. It’s the key to reducing risk and costs within IT and across the business. There are important differences to “Robotic Process Automation (RPA)” which is designed to emulate or replicate human interactions in a process. While that may be very valuable in some scenarios, it’s not fit for purpose in high-value, security-conscious environments that need more flexibility and some human interaction. In PPA, there are two important aspects to consider: “privileged accounts” and “automation.”
Privileged Accounts are those that have some special abilities compared to regular users. They may be called “administrator” or “supervisor” accounts. Just about every application, service, cloud app or physical device, will have one or more administrator accounts. These accounts are extremely important as they have the power to create or delete other user accounts, to change critical configuration settings, such as IP addresses, bank account interest rates or update personal data. I recently wrote about “tiers of privilege” that considers the different levels of privilege and the relative “blast radius” of damage that could be caused by each.
It’s no wonder these accounts are valuable and need to be carefully managed and controlled. Or that they are the targets of those trying to breach an organisation’s cyber defences. It now looks like the infamous customer data breach at Marriott hotels involved compromised administrator credentials.
It’s worth noting that PAM is not “Identity Access and Management (IAM)”. IAM focusses on proving “who” the user is, PAM then controls what they can do, to which systems, and when. A modern PAM solution like Osirium’s PXM Platform goes further and adds analytics and advanced auditing tools, including session recording.
Many discussions of Automation start with references to car production lines. Although the origins are murky, it’s widely accepted that one of the earliest successful production line operations was by the Ford Motor Company. By standardising on parts and processes, car assembly was transformed from a bespoke business to mass production of identical products. As technology advanced, in many cases, it was relatively easy (from an operational point of view) to replace the human operatives with robots that replicated their movements. Car production is now a mostly automated process from steel sheets to leaving the factory. Interestingly, most production lines still involve a number of human beings for highly specialised operations or where decisions and judgements have to be made. I’ll come back to that later.
IT Administrators have always been very creative in avoiding repetitive, manual tasks and built powerful automation systems using a variety of scripting tools like bash, python etc. The downside is that visibility into what scripts are available is near impossible. And, as it’s each expert building scripts for their domain, you can’t build automation that spans multiple systems. The worst aspect though is that those scripts may end up with embedded credentials. A major security risk.
In the last five years or so, a transformation similar to that of the car production line, has begun in many businesses with the introduction of “Robotic Process Automation (RPA).” These systems have impressive abilities to replicate humans, including reading documents (optical character recognition “OCR”) and simulating human inputs to applications. When processes are highly repetitive and standardised, such as processing invoices or payments, then there are huge potentials for cost-saving.
But these automation tools are limited in their flexibility to deal with processes that need human interaction to validate results or make choices. They’re also limited in their ability to protect those valuable administrator credentials.
Privileged Process Automation solves those problems and goes further. Osirium’s PPA solution builds on the company’s extensive history and experience in managing privileged accounts. Importantly, substantial benefits come from its lightweight and scalable automation framework. Osirium CTO, Andy Harris, discusses some of the advanced topics regarding privilege management in an automation framework in this video.
The isolation of credentials along with a flexible interface architecture makes it ideal for IT processes like server health checks, resetting Active Directory accounts, driving Ansible tasks or thousand-and-one other IT tasks.
Finally, the big difference with Osirium’s PPA is the interactivity with a user. The framework can be used to create beautiful user experiences around command-line tools. It also presents a conversational interface to collect inputs or offer choices rather than highly-complex administrator consoles.
For business users, complex processes that normally need multiple administrators to be available can now be automated and delegated to more junior staff or line of business teams. For example, a new joiner process that would need multiple administrators to create accounts in each of their systems can be run by HR, or the Finance team can pull usage reports from AWS without needing administrator credentials or certificates.
Once these tasks take minutes rather than hours, use fewer or more junior staff, delegate powers to line-of-business teams, then IT can focus on high-value business initiatives, security improves while costs are lowered, and end-users can be empowered and more productive.
Privileged Process Automation is something you’re going to hear a lot more about in the coming months and years. It’s the missing link in automating complex tasks that need tight control but with a friendly interface. It could be the secret to accelerating your digital transformation projects.
It may not turn up as an answer to the superpowers question at many parties, though, unfortunately.
If you’d like to know more, please get in touch.