Information Security FAQs
InfoSec is essential to get right in any new platform deployment. Here we answer some of the most commonly asked questions.
Blue Prism has a full Logical Access Model which allows the configuration of granular levels of access to user roles.
Not natively. This is possible with 3rd party tools\firewalls.
An administrative account is created by default upon install. It is recommended that this account is deleted once the Logical Access Model has been configured to the customers requirements.
The digital worker runs in the user context of the Windows User that is logged on. This is typically a digital worker AD account which has the required levels of access to do the necessary application automation. This may need to be administrative in some cases, but is not a requirement, or strictly necessary.
It is possible to use Multi Factor Authentication (MFA) within Blue Prism Processes if configured appropriately.
Check out the knowledgebase article on 2FA/MFA here.
Session logs, which are configurable in detail and content are produced by each Runtime Resource when a Process is run. Confidential data can be excluded or obfuscated. Session logs are transmitted securely to the database, and never held on the Runtime Resource themselves, even transiently
Communication between components is most commonly configured to use secure, encrypted WCF communications. Everything happens within memory and no files are copied between components.
Yes, we encourage customers to perform their own 3rd-party Penetration Testing. Our Professional Services team can also work with customers who's penetration tests may have identified potential vulnerabilities in how they have set up their environment.
All data is stored within the Blue Prism database. With appropriate configuration the data can be encrypted at rest and communication to the Application Server can be encrypted.
Blue Prism can be configured to store any data in the Session Logs. Potentially sensitive data, can be encrypted, and/or obfuscated if required.
Version 6 uses TLS 1.2, but it can be customised to use 1.0 if required. There are numerous encryption options in Blue Prism and full end-to-end encryption is possible.
Blue Prism Credentials have to be encrypted using either Triple DES or (the recommended) AES encryption. Credentials can also be limited to only be available to certain user 'roles' (logical groups of users), Processes and\or Runtime Resources.
Find out more about Access Controls
Some data in the database is encrypted where appropriately configured. Transparent Data Encryption can also be implement to encrypt all data at rest in the Database. Communication between the SQL Server and the Application Server(s) can be secured using certificates (SSL). Certificates can also be used to encrypt the Instructional Communication between Application Server(s) and Runtime Resources. The application front end is a GUI, and does not require SSL/TLS.
The encryption key is held on the Application Server and therefore should be secured by Windows\Domain permissions. Blue Prism advises that encryption key should be held within a separate file, and in a secure location.
Logs will remain in the Blue Prism database until deleted or archived into another location. It is recommended only to keep logs as long as your data retention policies require.
Logs can be reviewed at any time from the Blue Prism GUI. They can also be restored after being archived and viewed.
Session Logs are transmitted from the Runtime Resource securely to the Blue Prism Database. Database access is required to view the unformatted view of the logs. Transparent Data Encryption can be used to encrypt the data at rest.
All audit events are logged within the Blue Prism Database. These can be viewed from the GUI with the appropriate level of access. They will stay in the database until house kept.
If using SSO passwords are managed through the AD domain.
If using Blue Prism Native authentication, users are prompted to reset their passwords at configurable intervals when logging on.
The password is secured with Blue Prism "Safestring". It ensures that when sensitive information is being processed in memory (e.g. passwords) it is held in a secure container that can’t be compromised if an attacker was able to inspect a memory snapshot of the application at that time.
The password is kept in the database, and is encrypted. The password is sent to the Application Server. The database connection to the Application Server can also be configured to be encrypted. The Application Server has the encryption key to decrypt the password. From there the password is sent through secure communication, when appropriately configured, to the Runtime Resource
Single Sign On is a commonly used option with Blue Prism. Alternatively Blue Prism has a native authentication system which can use "implement strong password" policy
Using Blue Prism Native authentication the user is authenticated against the (encrypted) credentials held in the Blue Prism database.
Using SSO the user is authenticated against the domain, checking for domain and group membership.
Accounts can be deleted through the Blue Prism GUI by a user with the appropriate level of access.
Blue Prism has audit logging which logs numerous aspects including user logons, Process and Object changes, session invocation, and other similar user activity.
Blue Prism source code is Veracode Verified Continuous. Blue Prism itself is formally a registered business against the ISO standard for Information Security (commonly referred to as ISO27k)
Find out about Blue Prism Architecture by visiting our Technology section.
Blue Prism uses ‘git’, the industry-standard source code repository. Individual development team members are provided access to development/test systems according to their role. Role based access control is realised with a combination of systems, including ‘GitLab’ HTTPS and SSH authentication. Specific access to Blue Prism source code is further secured through 2048-bit RSA-based SSH key pairs.
Blue Prism’s Success Accelerator program combines various levels of mentorship and access to our Expert Services, Technology Ecosystem and Certified Partners based on the size and maturity of your digital workforce operations.