Security Risk with Blue Prism Credential Manager

GopalBhaire
Level 10
Hi, with a workaround all the passwords in Credential Manager can be viewed, putting the account at risk. I know that 'Roles' provide a medium to avoid this risk. But what if I don't want anyone (no matter the role) to use this workaround to view the passwords stored in CM? Regards, Gopal

TetsujiJunicho
Level 9
I think passwords stored in credential manager are editable, but their values are masked.

GopalBhaire
Level 10
Yes, but they can be figured out with a simple workaround. This is a risk when developers use their own credentials to test logins to an application or Login Agent.

Denis__Dennehy
Level 15
There will always be security risks if a proper access model has not been put in place for your Blue Prism environment. If anyone can access anywhere, then password security is the least of the problems (as anyone could access a running resource that is already logged into everything - there is no need to have the system passwords). In a Production environment no-one should have access to the production database; also, database encryption can be turned on in the BP database to provide a second layer of encryption. No-one except the IT dept should have access to the Application Server, and even then access should be audited via VM tools. A logical access model should be put in place to ensure no developers have access to the production Blue Prism environment, so no-one is accessing Studio in production. Processes can be created so that the robots change/reset their own system passwords periodically (this could even be daily, etc.). For Dev/UAT environments there is nothing stopping developers who are using their own passwords from removing their passwords when they have finished what they were doing, so they are only used temporarily.

TetsujiJunicho
Level 9
At least you can audit WHEN/by whom the credentials are modified by using Audit logs.

GopalBhaire
Level 10
I totally accept there should be a proper access model in place, and it is in place in most of the projects. But my only concern is why Blue Prism allows conversion of Password to Text. You can't expect a Dev/Tester to go and set up Credential Manager every time they want to perform an activity.

Denis__Dennehy
Level 15
Password data items are just there to mask sensitive data and to ensure it is not logged. The data stored in a password data item might not even be a password; it might be a sensitive customer data field that, as part of a business process, needs to be manipulated in some way in a calculation stage to be used. Also, I once came across an application where the new password had to contain certain characters from the old password - so the new password needed to be calculated based upon the old. For these reasons, and others, the ability to manipulate data stored in password data items in calculation stages is a requirement of the product that will not be removed. The expectation is that no one will have access to Studio in production, so casting passwords into text will not be something anyone can do in that environment. In a development environment where developers are using their own production credentials - because platform security is not in place in development to protect their passwords - a process (such as removing credentials each day) is the only option open to them. Entering a few credentials in Credential Manager would take a couple of minutes, so I do not see that as being a development overhead.

GopalBhaire
Level 10
OK, I get your points. In that case, don't you think that Blue Prism should make developers aware of this? If it is already documented, please provide me the link so I can at least make my colleagues aware :)