The Growing Bot Army Creates Identity Management Challenges


If you think about it, humans spend a lot of time each day proving they’re not bots. We have to decipher the letters and numbers in a Captcha, choose the pictures that contain a bicycle, or simply check a box that says, “I am not a robot.”

How did we get to this point? According to Oracle Dyn, bot activity now makes up more than half of all Internet traffic and continues to grow. As bots become more sophisticated, it’s getting increasingly difficult to distinguish between them and humans, as well as between the beneficial and malicious activities they perform.

Many bots execute malicious activities that range from annoying to fraudulent to damaging. Oracle Dyn sorts them into five broad categories:

  • Impersonator bots mimic humans to get past security measures, then spread misinformation or attack e-commerce sites by jamming shopping carts.
  • Scraper bots steal text, images, email addresses, and other information from websites, then sell the content or use it without permission.
  • Click / ad fraud bots locate paid ads and click on them millions of times, running up huge charges for advertisers and skewing ad engagement data.
  • Spam / email bots engage with blogs and social media to spread malware and trick users into disclosing sensitive information. They can also execute phishing attacks.
  • Botnets are large numbers of compromised devices used to launch digital denial of service (DDoS) attacks and send spam.

Good bots also exist, however, and perform beneficial services. For example, search engines use spider bots to crawl websites and gather data on content, images, and hyperlinks for indexing and search ranking. Media and data bots deliver news, weather, and other real-time updates. Copyright bots search the web for plagiarism and other copyright violations. In addition, organizations are increasingly using robotic process automation (RPA) bots to perform business tasks by interacting directly with business applications.

Growing numbers of RPA bots create identity management challenges and security risks. Bots may be assigned generic IDs, making it difficult to track bot activity. Simpler passwords and authentication requirements can lead to unauthorized use of bot credentials, while weak access controls increase the risk of hackers using or changing bot processes.

The same kinds of identity and access management controls are required for bots as for other users and applications, including the following:

  • One unique identity per bot, with business roles for managing access privileges.
  • The ability to secure bot passwords in a vault.
  • Robust monitoring of bot activity with a complete audit trail.
  • Access policies based on least-privilege access and separation-of-duties principles.
  • Periodic risk assessment and regulatory reporting.
  • Full life cycle management of bot accounts, particularly those requiring privileged access.

CyberArk has partnered with leading RPA platform providers to create a simple, cost-effective solution to the bot identity challenge. This solution creates a unique account for each system a bot must access, eliminating the need to give bots domain-level credentials. If an account is compromised, it will only impact one system. In addition, bot credentials are stored in CyberArk’s Enterprise Password Vault, where they are protected by strong encryption and checked out when needed instead of being stored in the application.

If humans constantly have to prove they’re not bots, bots must be able to prove they have legitimate access to applications and services. Clango’s team of CyberArk Certified Delivery Engineers can help you leverage the CyberArk platform to protect bot credentials and control access.


For more information about eliminating bot identity threats, please send us an email at (

Comments Closed.