Enterprises have for long been worried about establishing identities of people who access their critical resources, and never has there been more emphasis on managing this access than now. Another truism here is that some enterprises are more worried about who or what is touching their assets, mostly because of what they stand to lose if something is to go awry. Government, BFSI and healthcare are the obvious guesses here. However, there is another vertical that might not immediately come to mind in this regard: automobiles. Though it may not be investing as much as the others are in Identity and Access Management (IAM) technologies, transportation in general and automobiles in particular has been silently going about managing access for quite some time now.
The reasons behind automobile manufacturers’ IAM drive are multiple. The first factor is that unlike some traditional verticals, automobile firms have several networks of people to manage.
Then there are things like compliance, efficiency and system integration that makes identity management in automobiles a complex equation to crack. That is why Express Computer decided to talk to the IT heads of leading automobile companies and the vendors provisioning their systems to see how they are solving the identity management matrix.
Too many cooks
A factor that sets the automotive vertical apart is that not only are there multiple groups to manage but also the needs of all these groups are different. For employees, the drivers are related to efficiency and compliance needs. A new trend here is BYOD which is freeing managers from their fixed machines and giving them access to the shop floor. “Security threats also arise from open source operating systems such as Android or Linux systems that can be exploited by a hacker. BYOD compounds the problem as devices often can have inherent security implementation challenges,” explains Rahul Kamboj, IAM Architect, Infosys Engineering Services
On the supply chain front an automobile firm certainly wants to manage identities because of the mixture of vendors involved. However, identity federation in such a scenario becomes important for systems as well, because ERPs and other systems are also interacting with each other within this ecosystem.
Dealership identities is also a big concern precisely because they are outside the company’s network but must be connected to it. We are seeing some very sophisticated IDM management happening for this aspect because of the vast geographical spread of dealers that most automobile manufacturers face in India. Mobile apps are also very critical in this area.
The final part is customers. Here automobile firms are looking for easy solutions like self-registration and enrollments and databases which enable the company to see their customer’s history and details etc.
International automobile companies usually opt to have a single system to manage all these aspects, “However, in India, historically the demand has been stronger for employees and dealership identity management. Of late, though, the customer front is catching up. As a result, a lot of automobiles are also doing social media implementation and it gives them the ability to go beyond existing customers,” opines Goiporia.
Identity management applications
As we have seen above, there are several sets of people automobile manufacturers need to manage identities of. And we haven’t even begun talking about unique identities of vehicles. So, what are the common areas where automobile firms are applying IAM technologies? According to Kamboj, dealerships and online transactions and the whole dealer network in particular is a common focus area across the vertical when it comes to identity management. “Sales and dealer network should be securely integrated and also provided seamless and secure access to manufacturer’s internal assets. Most automobile manufacturers have dedicated IAM systems for managing dealer network across various geographies.”
Also, since dealerships is what connects any automobile company with their consumers, identity management gains paramount importance.”Car owners generally register on the manufacturer’s site and use services offered through websites or mobile applications. Identity access management plays a crucial role in all these scenarios. It is essential to maintain the data integrity and access control,” says Kamboj.
Other areas that are seeing IAM action within automobiles, according to Kamboj include advanced telematics and financing services that many automobile manufactures either provide themselves or through third party tie-ups. Telematics involves sending, receiving and storing information via telecommunication devices affecting remote vehicle control. All these transactions need to be secured and controlled. In most scenarios, multiple vendors being involved in providing a single telematics feature, moving between different partner systems is a common access management challenge. Such features also present the need for a powerful back-end IAM system.
Bumpy road for IAM
Although the potential of IAM in the automobile vertical may be great, the journey is not without potholes. And with macro technologies like mobility and cloud impacting every business, the challenges have only magnified. Cloud services, which a number of firms are now adopting, involve multiple content providers and aggregators to deliver a personalized experience. It is a huge IAM challenge to integrate services from multiple third party vendors while adhering to standards such as SAML, OAUTH and provide seamless access between cloud based hosting and enterprise hosting. Such hybrid hosting requires strong access and data integrity management policies across multiple vehicle environments and geographies- all from single, consolidated umbrella.
Kamboj believes that enhanced security will be required for features such as vehicle subscription for 4G connection, customized in-vehicle advertising, on-demand entertainment and secure communications between the vehicle and the service center or a dealership. “These services open up new challenges for IAM solutions in the form of consumer identity protection, single-sign-on between different services and ensuring secure and seamless data exchange across diverse systems from multiple service providers,” he says.
Goiporia of Oracle however, holds the view that the technical challenges of IAM are not as complicated because one platform can address all the needs of automobile firms. It is the business priorities that are a bigger hindrance. “The challenge is to build a system that prioritizes enterprises’ focus area and also brings stuff like compliance in its fold. Companies have to decide whether to focus on one or two key areas of IAM or to do a little work in all aspects. Another challenge for IAM vendors is in being able to integrate their solutions well with rapidly changing technologies and platforms like mobile and cloud.”
As Nambiar sums up, “The challenge in a developing market like India is twofold: one of the issues is evangelizing and promoting technology solutions in nascent marketplaces with channels which aren’t very well-developed. Secondly, there are no standards which govern security. This challenges the deployment of appropriate and relevant technology into the market place.”
The road ahead
Many believe that with cloud models gaining momentum, managed security will be the future of identity management solutions. Some action is already visible on this front. Automobile companies have already begun outsourcing their traditional badging projects to cloud-based service providers that have the scale and resources to handle large-volume orders with tight deadlines.
Also, the move toward managing identities of automobiles, though it is hardly happening as of now, is certain to gather momentum. As machine-to-machine communications catch up and percolate further in the vertical, identity and access management solutions for vehicles are expected to follow.
According to Nambiar, identity management is already one of the fastest growing industries in India today. “HID’s business in India has grown at a faster rate than the typical growth of the industry which is a CAGR of approximately 25% in the last 5 years.” Some new emerging segments for identity management include the government, defense, infrastructure, transport, and power and energy.
Market studies predict that every new car in the developed economies will be connected by 2025. With such a wide-spread exposure and increasing stringency in compliance standards, managing identities and related security challenges will take center-stage, propelling revenues for the whole ecosystem. There seems to be immense potential for IAM in the areas of driver identity, provisioning/de-provisioning driver entitlements and preferences, secure remote vehicle management and online auto insurance within the automobile industry.
Express Computer spoke to the IT heads of four leading Indian automobile manufactures to establish how they are managing their identity and access controls.
VP and CIO, Hero MotoCorp
According to Sethi, identity management in any firm has to start with an analysis of needs. “For us at Hero, information security was a key focus area. We covered three critical areas in our identity management solution- governance, compliance of processes and information security related to oncoming and offloading of employees and their access.”
IAM as a big thing started a couple of years back for Hero Motorcycles. There are three key things the company is managing through this system. The first is registration of employees as soon as they come on board. The HR first creates an employee record on ERP which is fully integrated with company’s identity system and helps them define access, archives and incidents as soon as an employee is registered.
“We are also doing segregation of duties (SoD) on this system. Since in an automobile organization, there are often conflicts about role definitions, it becomes very difficult to do this manually. So we have automated the process,” elaborates Sethi. The third aspect is offloading of employees in an automated manner. When an employee leaves, the company can block access in a holistic manner rather than deleting access from individual applications.
The company is also doing Enterprise Single-Sign-On (ESSO), which basically means there are no multiple user IDs and passwords for each application. “If there are several passwords to manage per user, the chances of breach are higher,” feels Sethi.
According to Sethi, most challenges in the IAM process were tech challenges since not many companies have done identity management in India. “There were also challenges related to integration of our IAM system with other systems like email, BI and PLM.” The biggest benefit of IAM for Hero is that the compliance factor has gone up significantly. “We can now see automated reports and graphics,” says Sethi.
Hero MotoCorp is also beginning to embark on identity management for vehicles though their Vehicle Identification Number (VIN) project. “VIN is a unique number assigned to each vehicle and through this we can access records, manufacturing details, make, customer details, dispatch dates etc. This is something that is definitely going to get further automated in the automobile segment,”says Sethi.
All dealers of the company in India are connected through a cloud system which is integrated with their ERP and other systems. The company is using Oracle ESSO and another software from a US based company- Alert Enterprise.
CIO, Tata Motors
Tata Motors is also using identity and access management solutions that are helping them to manage a single identity of employees and partners across multiple systems. The company is using separate systems for its internal employees and external partners like vendors and dealers. “We at Tata Motors use Microsoft solutions for employees and we have deployed Oracle solutions to manage our external users like dealer employees and customers,” details Belwal.
Though the implementation came with no major technological challenges, Belwal says that offloading employees from the company applications, when they leave the firm, still remains a major challenge. “Each system carries its own user credentials. When an employee joins or leaves, it is a cumbersome task to switch on, switch off and provision their individual accesses in each system, thus requiring significant administrative overheads.” Belwal believes that some of these challenges can be solved using technologies like single-sign-on and the company is working with Indian vendors like TCS and Sena Systems to solve some of these challenges and bring about more automation in their identity management solution.
Belwal also says that the company is gearing up to face the increased threat scenario and they do have a roadmap for managing identity and access within as well as beyond the company network. “We do have several advancements in mind that we intend to make to our IAM systems. The technology architecture is being conceptualized at present,” he says.
Group CIO, TVS Motor Company
According to Dhandapani, in the automobile industry, IT applications are implemented in vast areas from new product development, entire supply chain including shop floor, finance, HR and customer relations. “Hence, securing confidential data and processes is very important and identity and access management is one of the key factors in ensuring information security and thereby protecting organization’s IP,” he says.
In TVS Motor, IAM cuts across people, processes and products to manage identities and access to enterprise resources. IAM components are classified into four major categories: authentication, authorization, user management and repository (Enterprise KM). “The ultimate goal of IAM framework in TVS Motor is to provide the right people with the right access at the right time,” emphasizes Dhandapani.
Apart from employees, TVS’s IAM system encompasses contract workmen, suppliers and dealers. “We also manage identity of vehicles and major assembles going into the vehicles. IAM is also extended to some devices, equipment and machines,” details Dhandapani.
According to Dhandapani, enabling the IAM is not as big a hurdle as administering it is. “Frequent changes in business process, intra and inter-company employee transfers, philosophy of IT as enabler or driver rather than controller, enthusiastic HoDs looking to empower their staff with all rights, unable to simulate possible outcomes at the time of giving authorizations, are some examples of glitches we face.”
Despite the challenges Dhandapani believes that IAM solutions are indispensable for any automobile firm today. At present, IAM is managed across the TVS Group on a shared services model. “We also build IAM in IT products that are developed in-house by us like ERPs etc,” he concludes.
Parna Ghosh
Operating Head – Strategic Information System, Honda Motorcycle and Scooter India
Honda Motorcycle and Scooter India is in the process of getting a SOX certification and are implementing a sophisticated IAM system as a part of the qualifying process. According to Ghosh, there are three key aspects in phase I of the identity management system they deploying. The first is defining and mapping roles of employees and then analyzing what are they accessing. The second part is monitoring this access for inconsistencies and other instances. The third aspect involves privileged ID management and revolves around managing access of top-of-the-rung employees who often have defined privileges.
In phase II, the company is looking to go beyond the employees and extend IAM to their dealers and suppliers. “We are looking to complete phase I in three months. It is a time consuming process because it involves departments like HR, finance etc working together. The systems too need to be integrated,” explains Ghosh.
Ghosh feels that in India, IAM is still not very mature and that it why it is cumbersome to execute projects which are often high investment and low return. “However, identity management is maturing and will reach is a point where it prevents breaches without restricting the employees with respect to their devices and access.”
Honda Two Wheelers is working with CA Technologies for their IAM needs. “We have a QCDMS (Quality, cost, delivery, management, security) parameter on the basis of which we choose the vendor. CA Technologies fared well on all these parameters. HCLI is implementing the project for us,” explains Ghosh. As a part of the project, the company is defining access to over 20 crucial applications. “The profiles will be pre-defined, so all we will have to do is to assign profiles to employees.”
As a prelim to identity management, the company undertook a Segregation of Duties (SoD) project with Ernst & Young. “In an automobile firm it is difficult to define roles. However, this project laid the foundation for our IAM deployment.” A key challenge that company is facing with respect to IAM is provisioning enough resources to manage the system. Also, the lack of standardization in data formats of different systems and applications often poses integration challenges, adds Ghosh.
If you have an interesting article / experience / case study to share, please get in touch with us at editors@expresscomputeronline.com