Oracle IAM in Telematics: A case study in the Automotive Sector (Deloitte)
By Greg Jensen on Aug 07, 2013
In this edition of the Oracle Identity Management (IDM) blog, we’ll look at a case study of IDM/IAM in the Automobile Industry and where it plays a significant role in enabling security to support the telematics initiative. In a broad sense, telematics is the integrated use of telecommunications with information and communications technology. This technology involves sending, receiving and storing information relating to remote objects, such as vehicles, via telecommunication devices.
Using telematics, organizations can monitor the location, movements, status and behavior of a vehicle or fleet. This is achieved through a combination of a Global Positioning System (GPS) receiver and an electronic Global System for Mobile Communications (GSM) device installed in each vehicle, which then communicates with the user and web-based software. In addition to location data, a telematics system can provide a list of your vehicles with the status of each. You can see when a vehicle is started up and shut down, as well as its idling status, location and speed. This information gives organizations a complete, up-to-the-minute knowledge of vehicle activities in one centralized, web-based interface. All of this information can help:
• Increase productivity
• Improve communications
• Reduce labor costs
• Control fuel costs
• Improve customer service
• Increase fleet safety and security
• Reduce operating expenses
• Reduce environmental impact
• Reduce unauthorized vehicle use
In addition to these benefits, various legislative resolutions and mandates, such as the resolution passed by the European parliament stipulating that all new cars must be fitted with a GPS system and GSM communication links, are driving the implementation of telematics to a large scale.
While telematics gives organizations all the above mentioned flexibility and benefits, it is prone to the same security challenges as usage of services on the web. Think about a situation where someone gets hold of a mobile device that is connected to several vehicles. A nefarious user can wreak havoc with a vehicle’s systems as well as the personal data which the vehicle has access to.
Some of the notable challenges around telematics security include:
• Password and user management – Management of multiple passwords and user identities for each vehicle.
• Device management – Management of authentication and authorization of devices allowing users to access the vehicle. High mobile device turnover by the user populations calls for new devices to be re-registered and at the same time blacklisting/wiping-out of the personal and vehicle information must be done on the older devices.
• Service management – Management of various telematics and key-off functionalities on a vehicle in a secure environment.
• Data and privacy concerns- As part of telematics services automobile manufacturers need to access personal data to customize the user experience thereby bringing in the challenge of data privacy both in-transit and when it is being processed.
The following section describes how the above-mentioned aspects are managed and how challenges and issues related to managing your telematics services are addressed by using Oracle Access Manager Mobile and Social (OAMMS) and Oracle API Gateway (OAG).
Fig 1: Oracle IAM integration with Mobile Device
User and device registration: Typically telematics applications send service registration requests through mobile applications which would validate pre-requisites (like validating vehicle identification – Vehicle Identification Number (VIN), payment information, etc.) with the telematics service provider. Once validation is complete against the telematics service provider, identification of the customer identity along with a vehicle and device identity will be created by calling the Mobile and Social Representational state transfer (REST) interface for registration. During this registration process OAG can be made to act as the front end to the OAMMS REST interface to confirm that requests come from legitimate sources and to protect the infrastructure against any intrusion.
Authentication and telematics operations: The above diagram explains how a user request gets authenticated and passed over to a telematics service provider to perform the requested activity. Before accessing the telematics service, the user provides his credentials in the form of a user id and password, which is used to authenticate the user against the enterprise identity store and also create an Oracle Access Manager token (or JSON Web Token – JWT) on the user’s device. The token is then passed to the telematics service provider with the vehicle information (i.e., VIN) available on the mobile device and the command (requested operation).
Once the token is available to the telematics service provider, it passes the same token over to the OAMMS to validate the authenticity of the request. Once the token is validated, the user’s credentials are authenticated and the requested command is executed on the vehicle.
The token information can be saved for a longer duration in the user’s mobile device for improved user experience and reduced operational time and effort. For example, a user sends a request to find a vehicle from his mobile device. The assumption is that the user is already authenticated against the enterprise identity store and the token exists on the mobile device. As soon as the user submits the request, a request object is sent to the telematics service provider along with the identity token. The telematics service provider passes the token to OAMMS to validate the account status. OAMMS in conjunction with OAG validates the received token for the user’s account status, session timeout, etc. Once authenticated a command is sent to the telematics service provider to perform a wakeup call to find the vehicle. The response returned from the vehicle back to the telematics service provider is passed over to the mobile device to locate the vehicle.
The built-in reporting and auditing capability of OAMMS captures each of the transactions. This can be leveraged to define controls for the telematics service. Apart from OAMMS and OAG, Oracle Access Manager and Oracle Adaptive Access Manager can also be deployed to provide a robust solution hence including device marking, wiping out the contents in the device in case the device is lost and also providing two-factor authentication upon accessing a sensitive operation on the vehicle.
In all, telematics services have evolved to better suit the needs of consumers but at the same time have a tradeoff on security to confirm end user usability. These trade-offs increasingly contribute to security risks for the user, organization and their vehicles including theft of vehicle, loss of personal data, malfunction with the vehicle, etc… Security should be addressed in an effective manner with increasingly strict regulations to protect against these risks. The Mobile Access management solution using Oracle API Gateway technology unifies telematics requests across network boundaries to mobile devices. It can provide enhanced security, regulatory compliance and increased usability.
About the Author
Debi Mohanty is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with a focus on Identity and Access management and Information Security. He advises several Fortune 100 clients globally on cloud and mobile security, privacy and identity & access management across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.