Author: Warren Jervis, Enterprise Architect, Kinetic IT
Automated workflows are at the heart of many of the latest cloud software services we’ve seen emerge over the past few years. Users are attracted to automation and workflow systems because they are easy to set up and take the drudgery out of repetitive tasks. However, automations can also become a support nightmare and have been disastrous to organisations’ information security posture. Let’s look at this issue in more detail and see what enterprises can do to mitigate the risks.
The Issue with Automation
IFTTT.com is a well-known task automation platform, aimed primarily at social media users. Users quickly build automatic social media account integrations, auto-posting their Facebook posts to Instagram, then sharing them as a Tweet. There are hundreds of service connectors that can combine a variety of actions from each individual platform into complex workflows, and for this reason, without too much trouble, automated workflows become so complex that their effect is impossible to predict.
As platforms mature, major industry players have taken notice. The breadth of services offered has grown exponentially and the number of integrations and interactions has rocketed. Last year’s launch of Microsoft Flow saw it incorporated into Office 365 with tight integration with SharePoint Online. Flow allows users to create fully automated workflows between Office 365 applications and services, with notification services and file synchronising. Flow is incredibly powerful and a wonderful tool to skill up end users and drive process efficiencies.
But with great power comes great responsibility. Now that the users can automatically intercept emails, move files to SharePoint, interface with databases and post documents on Yammer, there is a possibility that sensitive data could accidentally end up in the wrong place. Simple workflow automations provide limited functionality which restricts their use and limits the risk, but the ability to chain complicated automations together using several services needs to be considered as a potential security risk. Even simple automation processes become complicated very quickly: a flow designed to move sales contacts from a bespoke system to a SaaS marketing platform can involve four separate task automations chained through three different task platforms, using third-party mail providers and data extractors. Organisations considering workflow automation tools should heed the following:
- Identify where automations are being used. Talk to end-users and take note of what they are saying. Gain a better understanding of how users are interacting with their systems. For example, when you see a corporate communication appear as a LinkedIn post, a Tweet and a Facebook post, ask how this happened. If it’s unsanctioned and they have connected corporate accounts together using an automation tool, get your security team to check whether there are any risks.
- Don’t default to saying, “No” to automation. Automating tasks can significantly improve a user’s productivity. If the user has figured out how to automate something and save time, thus removing the need to perform the task manually, surely that is a good result. Just make sure to consult the security team and address any vulnerabilities or confidentiality issues before it goes live.
- Choose an appropriate task automation platform. IFTTT.com might well be a good platform for automating your social media postings, but Office 365 contains Flow which may be a better platform for automating your business tasks. If you need to choose a platform, again, make sure your security team has assessed it.
- Data identification and classification. Understand the data being transferred through these automation services and understand the security controls you have in place to audit and monitor what’s being sent where and by whom. Your security policies should stop sensitive documents or files being sent through automated workflows, as this carries higher risk.
Addressing Security Concerns
There are steps you can take to make sure you don’t lose control of your information when deploying task automation platforms for users. These may seem basic, but don’t underestimate how much control they will afford you:
- Have your security team assess new services prior to deployment. This might seem obvious, but you’d be surprised how many organisations roll out cloud platforms like Office 365 without this kind of screening.
- Provide user training for all new services you roll out to the workforce. Most security breaches can be avoided through simple user-awareness training so always build an adoption campaign into your change programmes.
- Retire old services if you no longer need them. Terminate services and close or suspend associated accounts so that legacy services or workflows outside of your direct control can no longer interact with your business services.
- Avoid using account credentials for integrations. Many automation and integration services support the generation of an authorisation token or API key. This affords granular control over the service. An authorisation token or API key is a better way to integrate with an external platform, and if you can take central control over this through your administration team, even better. Always make sure these are unique, so that revocation can be targeted at just one service rather than many.
- Review access permissions in the management platform. Err on the side of caution – if it is beyond your control and you are uncomfortable in allowing its use in your business, don’t enable it.
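The following is an added illustration, not code from the original article or from any of the platforms it names, of the token guidance above (one unique token per integration, targeted revocation) together with the earlier point about auditing what is sent where and by whom. The scope names, classification labels and integration names are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Assumed policy for this example: these classification labels must never
# leave the business through an automated workflow.
SENSITIVE = {"confidential", "restricted"}


@dataclass
class Integration:
    name: str          # which automation the token belongs to
    owner: str         # who set it up (for the audit trail)
    scopes: frozenset  # connector actions this token may perform
    revoked: bool = False


class TokenRegistry:
    """Issues one token per integration and records every authorisation decision."""

    def __init__(self):
        self._by_hash = {}   # only the SHA-256 of each token is stored
        self.audit = []      # (integration, owner, action, classification, decision)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, name, owner, scopes):
        token = secrets.token_urlsafe(32)  # unique per integration, never a shared login
        self._by_hash[self._hash(token)] = Integration(name, owner, frozenset(scopes))
        return token

    def revoke(self, name):
        """Revoke only the named integration; every other automation keeps working."""
        hits = [i for i in self._by_hash.values() if i.name == name and not i.revoked]
        for i in hits:
            i.revoked = True
        return len(hits)

    def authorise(self, token, action, classification):
        integ = self._by_hash.get(self._hash(token))
        if integ is None or integ.revoked:
            decision = "denied: unknown or revoked token"
        elif action not in integ.scopes:
            decision = f"denied: {action} outside token scope"
        elif classification in SENSITIVE:
            decision = f"denied: {classification} data blocked by policy"
        else:
            decision = "allowed"
        who = (integ.name, integ.owner) if integ else (None, None)
        self.audit.append((*who, action, classification, decision))
        return decision == "allowed"
```

Revoking the sales-contacts flow's token leaves the Yammer poster's token valid, and the audit list answers "what was sent where and by whom" for every attempt, including the denied ones.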
Task automation is here to stay and your end-users are already using it. Take time to understand the who, what, why and how of automation in your business, and make sure you keep your data safe while helping users streamline their daily activities.