Three years into its work with robotic process automation, the NASA Shared Services Center scored some “quick wins” fielding bots to streamline tasks for the agency’s chief information officer and chief financial officer.
Pam Wolfe, the chief of NASA’s Enterprise Services Division, said automation has played a key role in an agency-wide mission realignment to rethink all of its major lines of business.
Now the agency’s shared service center has taken the next step, working through extra layers of security and credentialing to field unattended bots.
So far, NASA has six unattended bots in production and another six going through testing and development.
But to build momentum on this effort, Wolfe said the agency is working on an agency-wide RPA security plan. That plan, she said, will give internal systems administrators all the details they need on an unattended bot’s security vetting, how the bot will access certain systems and what the bot will do with the information it gathers.
Wolfe said last Thursday in a webinar hosted by UiPath that the strategy looks to streamline many of the conversations her office has had with systems administrators when fielding bots.
“There are many systems used across the agency, and when you began an automation using a system for the first time, there’s a lot of a lot of information and dialogue with that system owner to get them confident in the technology, and what the technology will be doing when it accesses their system,” Wolfe said. “It’s been a lot of convincing to let system owners realize that these bots are only doing a user interface just like a human, that you’re not changing the system, they’re not doing anything to the code in the system. And yet, every time we introduce a new system into an automation, we’ve had to go through this again.”
Unattended bots only make up a small portion of NASA’s bot portfolio. Wolfe said her office has 55 total automations in production, 16 in development and another 47 in its pipeline.
The RPA security strategy will also reflect some of the back-and-forth between the officials who field bots, the financial auditors who rely on the bots and security personnel who need insight into what the bots are accessing.
“Auditors really like the thought of unattended bots because they can see that there’s a bot in the environment that’s performing that function. An attended bot uses the credentials of the individual, and therefore you don’t really necessarily realize that there is an automation being performed as those transactions are occurring,” Wolfe said.
However, she said security personnel prefer attended bots because of some of the security issues around unattended bots. And from this back-and-forth with personnel working with the bots, Wolfe said her team has gained new insights.
Auditors, she said, had asked some “valid questions” about how they can validate whether someone has the right credentials to send an email that triggers a bot to begin work. As a result, Wolfe said the bots’ control logs now capture who initiated a process and validates whether that individual had the credential to perform that function.
“A lot of times when we get into it, the system owners like to be part of that testing as well. They can look on their side of the system [and see] any performance issues as we run the bot, and that kind of gives them further assurance that the bot isn’t really doing anything more than what a human’s doing in there, and there really isn’t that much additional system strain on their platform,” Cavallo said.