Good managers are always striving to improve business processes. Optimizing processes can cut down manual steps, increase efficiency, reduce expenses, and even create new revenue opportunities. But identifying roadblocks in a process, let alone introducing new processes entirely, can be cumbersome without the benefits of automation.
Sometimes, it’s beneficial to do a process review: analyze what’s already working to gather insights on what could be replicated across an organization. However, traditional process reviews typically rely on word of mouth, incomplete documentation, and tribal knowledge, making it challenging to quantify benefits.
Enter process mining, which is designed for the analysis of business functions within complex enterprise software ecosystems. By analyzing data and interactions between systems such as Oracle, SAP, Salesforce, and ServiceNow, process mining produces insights into how processes are actually functioning. By plugging into these and other vendor systems, process mining can track complex processes and identify areas where they are breaking down or where unnecessary manual interventions are occurring outside the system. It can also recommend corrective actions.
Process mining improves upon process refinement techniques including the Lean Six Sigma method by leveraging data to deliver insights that reflect how the processes behind those systems are functioning.
Some widely used process mining providers, according to the Everest Group Peak Matrix Process Mining ranking for 2022, include Celonis, UiPath, Software AG, and Minit. Celonis and UiPath are both on the Acceleration Economy AI/Hyperautomation Top 10 shortlist.
In this analysis, I’ll identify critical security factors to consider so that process mining apps are properly governed and create business opportunities without leaving gaps that would allow data to be misused. A proactive security approach positions your company to derive the most benefit from process mining while minimizing the risk of data loss or breaches.
Security Considerations
To understand why process mining governance matters, consider the data that flows between systems through software integrations. Protecting it is becoming a high priority as API attacks increase across the board: 95% of companies have had an API security incident in the past 12 months, which has made APIs a top threat vector. Since process mining applications use APIs to pull data from multiple software systems, enterprises must proactively guard against unauthorized access to sensitive data. Any public exposure of that data presents privacy, security, or compliance risks.
Furthermore, a common flaw in web-based integrations is broken object-level authorization (BOLA): an API that authenticates the caller but never checks whether that caller is entitled to the specific record it asks for, so changing an identifier in the request returns someone else’s data. Ensuring that application users can reach only the objects and fields they require is the principle of least privilege applied to the API. Administrative transparency into who can read which data, and who can change it, is also necessary to track roles and detect access control abuse.
Other risks arise from poorly configured underlying platforms such as cloud services. If a cloud-based technology isn’t secure by default, administrators must raise the data protection controls manually, and any setting they miss stays weak. Similarly, if data isn’t automatically encrypted in transit, it is exposed to man-in-the-middle attacks that could read or alter it, including the trade secrets a process often reveals. Beyond misconfigurations and insecure settings, other cloud-native security risks apply to process mining as well, including leaked secrets and software supply chain threats.
Security Measures for Process Mining
As with any new technology, IT professionals should ensure their process mining software has the proper degree of security. One fundamental control is multi-factor authentication (MFA). Requiring a second factor such as a hardware key, a biometric, or a one-time password (OTP), or moving to a fully passwordless login built on those factors, hardens any environment. Implementing MFA ensures, right off the bat, that only authorized personnel with a proven identity can access the platform.
In Celonis’ case, the company enables customers to apply their existing single sign-on systems for authentication and offers its own identity management service for any customers that need it. “Customers usually run an identity solution for their employees and then we integrate with that,” says Stephan Micklitz, senior vice president of engineering at Celonis. “So there’s no separate login for people. We integrate with all the major services.”
Customers also have the option to use Celonis’ own identity service, Micklitz said, which includes multi-factor authentication. “Multifactor authentication is certainly something I’d encourage everybody to use, especially in an enterprise context.”
Celonis supports the key identity standards: Security Assertion Markup Language (SAML) and OpenID Connect for federated authentication, and System for Cross-domain Identity Management (SCIM) for user provisioning and de-provisioning, so accounts are created and revoked from the customer’s own directory.
After addressing authentication, the next key process mining security consideration is hardened data governance. Process mining solutions should delineate secure data access and manipulation: who can access what type of data, who can change it, and who can read the event logs. Establishing these privileges upfront makes unauthorized access far harder and gives administrators a record to audit against. Secondly, adding protection to the data transmission protocols themselves ensures the connections cannot be tampered with.
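The object-level authorization flaw described under Security Considerations, and the “who can access what type of data” governance rule above, are easiest to see side by side in code. The following is an added example written for this article, not Celonis code or any vendor’s API: a minimal in-process HTTP API that serves event logs per data pool. The pool IDs, users, roles and event rows are constructed sample data, and the `X-User` header stands in for an SSO session that has already been verified upstream. The vulnerable handler authenticates the caller but never checks which pools that caller was granted; the hardened handler adds the object-level check and then a field-level allowlist per role.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Event is one row of an extracted event log (constructed sample schema).
// Amount and Vendor are the fields an analyst role should not see.
type Event struct {
	Case     string `json:"case"`
	Activity string `json:"activity"`
	Amount   int    `json:"amount"`
	Vendor   string `json:"vendor"`
}

// Constructed sample data: event logs keyed by a hypothetical data-pool ID.
var pools = map[string][]Event{
	"pool-1": {{Case: "PO-1", Activity: "Create PO", Amount: 12000, Vendor: "ACME"}},
	"pool-2": {{Case: "INV-9", Activity: "Post Invoice", Amount: 800, Vendor: "Globex"}},
}

// The governance decisions from the text written down as data: which pools
// each user may read, and which fields each role may see.
var (
	roles       = map[string]string{"alice": "analyst", "bob": "auditor"}
	poolGrants  = map[string][]string{"alice": {"pool-1"}, "bob": {"pool-2"}}
	fieldGrants = map[string]map[string]bool{
		"analyst": {"case": true, "activity": true},
		"auditor": {"case": true, "activity": true, "amount": true, "vendor": true},
	}
)

// poolID extracts the object identifier from /pools/{id}.
func poolID(r *http.Request) string { return strings.TrimPrefix(r.URL.Path, "/pools/") }

// vulnerableHandler authenticates the caller but never asks whether that
// caller may read the pool named in the URL: broken object-level authorization.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := roles[r.Header.Get("X-User")]; !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	events, ok := pools[poolID(r)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	_ = json.NewEncoder(w).Encode(events)
}

// hardenedHandler adds the object-level check (is this pool granted to this
// user?) and then a field-level allowlist for the caller's role.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	user := r.Header.Get("X-User")
	role, ok := roles[user]
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	id := poolID(r)
	events, exists := pools[id]
	// Answer 404 for both "no such pool" and "not yours" so that callers
	// cannot enumerate pool IDs by telling the two cases apart.
	if !exists || !contains(poolGrants[user], id) {
		http.NotFound(w, r)
		return
	}
	out := make([]map[string]any, 0, len(events))
	for _, e := range events {
		full := map[string]any{"case": e.Case, "activity": e.Activity, "amount": e.Amount, "vendor": e.Vendor}
		row := map[string]any{}
		for k, v := range full {
			if fieldGrants[role][k] {
				row[k] = v
			}
		}
		out = append(out, row)
	}
	_ = json.NewEncoder(w).Encode(out)
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// get issues an in-process GET as user and returns the status and body.
func get(h http.HandlerFunc, user, path string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-User", user)
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	code, body := get(vulnerableHandler, "alice", "/pools/pool-2")
	fmt.Println("vulnerable:", code, body) // alice reads bob's pool, amounts and vendors included
	code, body = get(hardenedHandler, "alice", "/pools/pool-2")
	fmt.Println("hardened:  ", code, body) // 404
	code, body = get(hardenedHandler, "alice", "/pools/pool-1")
	fmt.Println("hardened:  ", code, body) // an analyst sees only case and activity
}
```

The point of keeping grants as data rather than scattering `if` statements through handlers is the administrative transparency the text asks for: the same tables that the handler enforces can be dumped for review, so an auditor can answer “who can read pool-2?” without reading code.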
API security requires a holistic set of strategies that go beyond the traditional firewall. An organization opening access to its databases, event-driven architectures, or internal microservices should approach these connections from a zero-trust mindset, even when transmitting data to an internal tool or system.
In Celonis’ case, the company’s approach is to secure data in transit (between systems) and at rest. Data at rest is protected by the underlying encryption services of the cloud providers, such as AWS and Microsoft Azure. When it’s moving between systems or services, data is encrypted using mutual Transport Layer Security (mTLS), in which both “parties” present a certificate and each verifies the other’s before any data flows, so a connection from an unauthenticated client is refused rather than merely encrypted, Micklitz explained.
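To make the mTLS exchange concrete, here is an added example, written for this article and not Celonis’ own code: a Go HTTPS server configured to require and verify a client certificate, queried once by a client that presents a certificate and once by a client that does not. The certificates are self-signed and minted in memory purely as test material (assumed names such as `extractor-pipeline` are illustrative); in production both sides would hold certificates issued by a CA that the other side trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned mints a throwaway self-signed certificate in memory. Real
// deployments issue these from a CA; this is only test material.
func selfSigned(cn string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{usage},
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert act as its own trust anchor
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// fetch connects as a client that trusts only serverLeaf and, if clientCert
// is non-nil, presents it when the server asks for one.
func fetch(url string, serverLeaf *x509.Certificate, clientCert *tls.Certificate) (int, string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(serverLeaf)
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// runDemo stands up an mTLS endpoint (think: the API that hands event logs
// to the extractor) and calls it with and without a client certificate.
func runDemo() (status int, body string, noCertErr error) {
	serverCert, serverLeaf := selfSigned("127.0.0.1", x509.ExtKeyUsageServerAuth)
	clientCert, clientLeaf := selfSigned("extractor-pipeline", x509.ExtKeyUsageClientAuth)

	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientLeaf)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// With RequireAndVerifyClientCert the handler only ever runs for a
		// caller whose certificate chained to clientCAs.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mTLS
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()

	status, body, err := fetch(srv.URL, serverLeaf, &clientCert)
	if err != nil {
		panic(err)
	}
	_, _, noCertErr = fetch(srv.URL, serverLeaf, nil)
	return status, body, noCertErr
}

func main() {
	status, body, noCertErr := runDemo()
	fmt.Println("with client cert:   ", status, body)
	fmt.Println("without client cert:", noCertErr)
}
```

The setting that does the work is `ClientAuth: tls.RequireAndVerifyClientCert` together with a `ClientCAs` pool that holds only the issuers you expect; `RequestClientCert` or `VerifyClientCertIfGiven` would still let an anonymous client through, which is exactly the gap mTLS is meant to close.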
Lastly, it’s a good idea to develop data protection policies and establish healthy data hygiene practices. For example, backup and data recovery techniques can distribute copies of your records to protect against data loss. Furthermore, continually monitoring access to sensitive data is important, as is encrypting data at rest. But, since process mining solutions are intended to highlight areas to improve, they needn’t create persistent data records for long periods. Therefore, consider establishing a data lifecycle and deletion process upfront. Maintaining data hygiene will not only aid security but decrease storage costs over time.
Process mining is data-intensive work and “it’s clear that you would like to have as much data as possible on the one hand and, on the other hand, it’s always important to think about ‘What is the subset of data that is actually required? And how long do we need to keep that?'” Micklitz says.
Benefits of Tight Governance
Process mining presents robust functionality that can turn otherwise opaque data into actionable insights that can inform and optimize enterprise processes. Discovering bottlenecks and automating away manual toil is becoming essential to truly reap the benefits of digital transformation — doing so could reduce operational costs and create new efficiencies. Ultimately, this could free workers to focus on delivering new features and enhancing user experience.
Of course, any new technology, especially one that connects to multiple software ecosystems, poses some degree of risk. To keep these systems safe from malicious actors, organizations should apply a governance model that considers MFA, access control, and encryption and deploys each as appropriate. Enhancing data security and maintaining proper data hygiene will increase user trust and ensure these new platforms don’t infringe on any compliance requirements.
Editor’s note: Tom Smith contributed to this analysis.