Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, "Connected Car: Putting Digital Identity Behind the Wheel". How do you ensure security and privacy for customers and manufacturers of the connected car? This webinar is supported by ForgeRock. The speakers today are Ashley Stevenson, who's Identity Technology Director at ForgeRock, and me, Martin Kuppinger, founder and principal analyst at KuppingerCole. Before we start with our topic, I wanna give a quick introduction to KuppingerCole and some housekeeping information, and then we will dive into the topic. KuppingerCole is an analyst company.
We are international, independent, and provide neutral advice, expertise, and thought leadership on topics around information security and other areas concerning the digital transformation, with sort of our home base around identity and access management and access governance. We do that through three pillars of services, which are our research, so for instance our leadership documents, where we compare the vendors and the products in certain market segments, or our executive view reports. We do it through our events, like the webinars, the conferences, et cetera.
And we do it through our advisory, where we support organizations in finding the right vendor and making up their strategies, roadmaps and blueprints. We have a couple of upcoming conferences. So next year in May, we don't have it on the slide here yet, is our next edition of our European Identity and Cloud Conference, which is our lead conference, mid-May in Munich.
Next year, thought of that. We are approaching our next stops of the Consumer Identity World in Paris and Singapore, both soon. And then we have our Digital Finance World, which is around the changes, the transformation of the finance business, end of February next year to 1st of March. Regarding the webinar, some guidelines: you are muted centrally, so you don't have to mute or unmute yourself. We're controlling these features. We will record the webinar and we will make the recording available, usually latest by tomorrow, as well as we will make the slide deck available.
And there will be a Q&A session at the end. However, you can add the questions at any time using the questions feature in the GoToWebinar control panel.
That said, let's look at the agenda, which is split into three parts, as usual for our webinars. So in the first part, I'll present the security challenges for connected vehicles, have a look at a little ity and risk of various components and interactions, things like that.
So how, how does this look like? And then Ashley Stevenson will go more into detail about the complexity of IAM infrastructures designed for connected vehicles, and also about the challenges of consent management and patch management in the context of connected vehicles. The third part, as I've said, will be our Q&A session. As I've said, you can enter questions at any time. The more questions we have, the more lively the Q&A session will be.
So let's start. When I look at challenges of the connected vehicle, and, you know, I'm based on so hometown of ENT, hometown of person.
So I'm thinking about automotive-related topics for, for a long time. It's sort of a little bit in my DNA, so to speak. And I think that there are challenges for, for each and every one. When I look at this, I think there are four main ones: safety, then there's security, and safety is not security. So if you go to the German language, there's the term which is used for safety and for security; it's easier in the English language, where you have safety versus security. Aside from that,
we have privacy and we have identity. Safety means we need to ensure that neither a fault or failure nor attacks cause damage to the vehicles, to their drivers and the other people in the vehicle, or to other people. So revert to fail-safe mode and continue working is, for instance, a very essential element in the safety piece. Then we have security, which means we need to ensure that no one can attack the connected vehicle. We have seen a couple of incidents over the past years, some more, some less severe, some more theoretical, some more practical; it's obviously a threat. We have privacy.
So we have the upcoming EU GDPR becoming effective end of May next year.
Overall, it's about ensuring compliance with these regulations, avoiding the leakage of personally identifiable information. Another very important area we have to look at. And then there's the identity thing. And when we start looking at level, touch will touch it. When we look at the vehicle, it's not that the car has one single identity.
It's, it's a set of systems which interact with many, many different identities around it. So managing all the identities of organizations, people, devices, and things, and their access to systems, components and data obviously is another highly important challenge. So when looking at the vehicle and just try to sort of reduce the complexity to some extent, but look at the, the thoughts below that there are always more of these entities. So there are sensors. These sensors work with controllers, the controllers communicate. They might communicate with each other.
Then we have systems which we use to control various entities can access these systems and then people within these entities.
So entities would mean, for instance, different organizations, such as the manufacturer, the garage, as the insurance company, as the police, and then they are, or the owner, and then they already identity. So we have a, an, a system with a lot of parties, a lot of elements in, and also a lot of variance in there. So some of the components are not directly addressable. So sensors, in fact, usually communicate through another type of device.
The controller, these controllers might be unidirectional, bidirectional. They might interact with other controllers or not. So their system, system and system, very feral system communication.
So some entities might have access to read. Some others might only have access to write, to control. So we have another area here. So we have really a lot of different aspects to cover here. So multiple entities also might access these systems. So this is basically the bigger play here. And so just to give you a short idea of what we are talking about, so these systems are complex.
And so we need to understand at the end, we need to ensure that nothing can go wrong here and that what could be, should be accessed or should be controlled, can be done, but what shouldn't be, or must not be done, must not be done. So that's, that's one part. The other part of it is, but frequently sort of underestimated or ignored, or not known to people who come from an outer world, sort of, from the automotive industry.
We should not underestimate that there's a lot of built-in, also hardware, safety and security.
So the built-in safety, in fact, being that, that many systems in the vehicle are restricted, technically restricted to operate only under specific conditions. So in fact, fixed, non-configurable settings, which prohibit malfunction, attack. So to give you just some, some samples. So the adjustment of the driver wheel not always works in each scenario. So sometimes, I think that makes a lot of sense, you can only do it when the car, the vehicle's powered off, or the driver's seat might be blocked.
The adjustment of the driver's seat might be blocked above a certain speed level, because at some point it gets, it becomes too dangerous. What we already have for a long time is, when you look at opening and closing of a convertible folding top, this is restricted commonly to some low speed level.
So there are various samples for that. And it means it's not everything we can manage. So there's another layer of security and safety here, but we must understand this and we must understand what could be done and how we can avoid that things go wrong.
So systems must ensure secure operations or moving back to fail-safe mode in a non-configurable way. I think we even believe that the more we make configurable, the more important such modes will become. So what happens if some part of the electronics doesn't work as expected, then there must be a fail-safe mode. If there's an obvious misconfiguration, if things are going fundamentally wrong, there must be sort of a fail-safe mode. They must be well understood when designing these vehicles.
And there are people who can understand far more of that than, than, than me and the other IT people do.
But I think it's important, when we look at it more from an identity and access and privacy perspective, that there are things in which, or that there are several things, which are already solved well. So let me bring in some thoughts regarding security by design for the connected vehicle. So security by design is doing things in a way that they are designed around security. So security first, and security in a standardized way and in a consistent way.
So this is basically security by design. From my perspective, it's essential, it's essential at various levels. So there's a fail safe mode, but there's also code security. So what are the ways to code and how it's, how it is tested.
And, but it starts on with testing. It starts just really saying, okay, this is the way to code restricted communication. So not only encrypt communication, but also restricted communication.
So where do you have unidirectional communication, et cetera. These are things clearly, when we look at this, it's not a single system, it's a set of different components, things, whatever you'd like to call them, which interact with each other, sometimes with external devices, et cetera. We need to understand the complexity of the system connected.
And so from at the end, so if you can use your multimedia system or hack the multimedia system to hack the brakes, then we have an issue and we need to look at this and think about how can we overcome this? How can we avoid such scenarios? Sometimes this, this means we also need potentially over the years to get rid of some of the more established concepts here. Separate reading and writing channels, or introducing even separate controllers for reading and writing, might be one of the elements, and we find it in various areas.
So if you look at some of the more critical infrastructure components in other areas, then having this is already a, sometimes a common approach, saying, okay, we have really hard segregation between the write channel to avoid that someone who has only access to read, through some bugs or, or hacks, can get to the write, write channel. We need to understand the criticality of the components and the data and define appropriate protection levels. So we need to have a required level of classification, wide level of security here. So which means who's allowed to access these, read, write, et cetera.
And I think this is very, very important to understand this and to, to make the, make it work. So ensuring that we don't have too many different levels, but understand, okay, the high, highest critical system or high they interactions with the highest level of critical need to be protected differently, but there are certain predefined sort of ways at various levels, how we can do that.
We also need to think about how can active controls changes happen. Obviously the more critical, the better restricted.
So, and going for instance, through a well protected system, which is the only path to change certain settings is one of these approaches, which means that we don't allow sort of a mesh of communication where every external device can communicate potentially with every internal one. So there might be the way and had it on the previous figure a little, the one where you need to pass through certain systems. And clearly we need to understand how we protect the secret use. So for instance, the private keys for digital signatures, how do we, we update them, how do we handle all that?
And we need patch management, and we need an approach that allows for secure, controlled, rapid deployment of patches to all the connected vehicles, and that can't be done by just sending out a USB key.
On the other hand, the more we do it, it can't just be done in the garage at certain points in time. But on the other hand, if you do it online, we have to be very much aware that there's a higher risk. And so we need to understand how we can handle that.
So it's a, it's a big challenge. There's not a simple answer that I think for virtual, every single around security of such complex entities, such as the connected vehicle, we have complex challenges. And for complex challenges, we rarely have simple answers. So we need to understand at the end, really the complexity of the access. So we have the systems event, data recorder, motor engine control, whatever else we have certain types of data. We have organizations which are interested or for good or bad reason in that information.
So the manufacturer, retailer, garage, police, whatever we have the individuals, again, you know, you might have to driver, you have to pass.
The driver is not necessarily the owner, et cetera. So it's a very complex framework. We have various events, so the standard use, violation of the speed limit, et cetera. For instance, if you take as an organization the police, the, the Rios of the police access, certain data of certain systems, obviously it's restricted to certain events.
However, legal aspects in certain countries might lead to the police from country's allowed to see other data in certain cases, system police from other countries. So understanding this first: who's allowed to access which data under which event. I think this is a very important thing. On the other hand, we need also standard ways to ensure how can we manage the access and how can we control it?
It's, it's uneasy. It's a challenge and it results in an IAM challenge. So if we take this picture I brought up before, we, we are at who's allowed to access which data under which event. We obviously have multiple IAM systems already. So there's the employee of the car manufacturer, there are the customers, partners, there are people's people who are usually not part of these systems. So if you would have to onboard a driver first in an IAM system before he can drive the vehicle, it wouldn't work.
So we have various types of data exchange: manufacturer to reseller, to insurance company, to governmental organizations, data across multiple control systems. I already touched this point.
And so, so how, how do we really handle that? And I think this, this dark blue block of systems usually is the point where IAM can really, can have the touchpoint, so where you can control who is allowed to access what, and due to the massive segregation.
So consumer versus technical control, for instance, you might end up in a scenario where you identify, okay, it's not that you can use one single IAM for everything. It might be that you need, realistically, you need more than one.
So it's, it's, it's not easy. And one of the big challenges remaining is clearly, if you share, start sharing data, it's hard to enforce that the data is only used in the way it should be used. So there's a good logic saying, okay, hold data in only one system and allow access when it's required, and only then. Otherwise you easily will get out of control of the data.
I already touched it at another level of complexity. So we need this consent, which can be done by a contract, but not in, not in each and every case, because it's not only one person giving the consent.
So if I buy a new vehicle, I can have a contract giving consent, but starting with my wife, when she uses the vehicle, she might not have signed that contract. So how do we deal with that? Very interesting question. I think not an easy one to answer. So going back to what I had before, safety, security, privacy, identity, all these areas are closely related to each other, and there's not a simple answer saying, okay, we treat everything with one specific type of identity and we have one identity. So that will not work.
We need to, I think really start with understanding the various use cases and understanding the various types of security and safety controls, so to speak we can use.
And then we need to understand the, the level of security we need to then build our architecture around well managing systems and moving from we share data to, we provide access to data at these systems is one of the most important steps from my perspective, because it helps us getting a better control.
So moving away from data exchange to access and purpose, supported by federated IAM, obviously one of the most important elements in such an equation. But yes, and I admit it, there's still a lot of open questions. It's more about looking at what are the, the ideas, what are the concepts, and from here right now, Ashley will go far more into detail. So I'll make him the moderator. And Ashley will, as I've said, look far more into detail right now regarding all the various aspects we have here. Okay. Ashley's
Thank you.
Thank you, Martin. And hello everyone. I wanna talk to you today a little bit more to extend what Martin was talking about, about what we at ForgeRock are seeing as sort of the touchpoint or the intersections between the connected car ecosystem and the automotive industry at large and digital identity, and what it, and what it can enable and, and what it can help from a security and, and safety and privacy perspective. So I will talk today about, of course, security and about privacy.
We'll also talk a little bit about the, the importance of connected identity information across these different boundaries and across these different areas and the importance that that has on these use cases. And then we'll also talk about personalization and how that is impacting how identity is, is going to be impacting the automotive industry from that perspective as well.
But I wanna start in the very beginning, I talk about identity almost every day to lots of different folks, but I don't wanna assume that all of you out there listening in necessarily are, are, are identity experts or speak about that every day. So in just about a minute or a minute and a half, let's cover the four basic building blocks of digital identity or identity and access management. And then we'll see how those interact with everything else that we're gonna talk about.
So first off is digital identity itself, and that's the ability to take attributes or pieces of information that are true about some sort of entity and digitize them, as you see in the middle bubble there, and then store them and manage their life cycle as some of those attributes change, not all of them, but some of them change over their life cycle.
And the important thing to note here is that managing digital identities is no longer just about doing that for, for people. It's also about organizations, various different types of devices, services, and so forth.
Now, once we've got those identities, we need to be able to use them to secure transactions. So the second piece outta the four is about credentials and credentials are a wide variety of, of things that allow us to connect to an identity record and claim it. And so that we can prove that we are the authentic entity on the other end, that's trying to do a transaction. So a credential could be anything from an ID and a password to a fingerprint, to a smart card, depending on different levels of security.
But we use that second piece, those credentials to do the third piece, which is authentication. And this is how a person or a device or a service basically lays claim to an identity record that the, the relying party understands and trusts and says, this is me.
This is my identity record so that they can be proved authentic. And then the fourth main major piece is authorization.
Of course, now that we know who the user is or the device is, or the service is, what is that entity allowed to do? Are they allowed to write certain bits of data to another API? Is that person allowed to see everyone's data or to delete someone else's data? So these are, are the main factors of digital identity. There's many others that are in peripheral, but these are sort of the four cornerstones that we'll talk about today as we go through the rest of the webinar.
Now, the first thing I wanna talk to you about is personalization, but I wanna take 30 seconds here and talk about identity management at large and how it kind of covers across industries. So traditionally identity and access management was for the enterprise, as you see on the left box here.
And that was more about employees and contractors and provisioning, Active Directory accounts and email and, and, and reporting and compliance, right? So that's where identity really got its start.
But where identity has really been taking off is the middle box and the right box, which is helping this thing we call digital transformation, where every interaction that a business has with its customers is meant to use identity to understand who the customer is, give them a low-friction experience while keeping security high, but sort of behind the scenes and, and not, not causing the transaction to be problematic for the user.
And of course, all these business processes now, including in the connected car environment, are integrating connected things and devices to either make that a better experience for the user or to implement cost savings, or what have you. So the important thing to note here is that those four things that we talked about in identity, they apply across all three of these different areas.
And there is a need to be able to bring them together to understand how it all fits together.
And we'll talk about that as we move forward, but personalization is one of those things that we'll talk about today first, and how that intersects with the automotive industry. We're very familiar with personalization in terms of providing an ID to your phone or, or logging in and having a personalized experience. And those are what we call, I would call traditional sort of systems of engagement.
So whether it's a web browser or a mobile device or chat, that's the way that we usually engage our customers today, the traditional way, and where we try to implement things like security and privacy and trust, user experience and so forth. But there's a new system of engagement, if you will, that are devices. And these are things that have human-machine interfaces, or HMI.
So think of the screen inside of a car, think of the screen in a, in an airplane seat-back infotainment, or an exercise bike, or a medical device.
These are new ways, ways to actually engage the customer outside of a mobile phone or a web browser. And this is exactly what the automotive industry is facing today as an opportunity, both and a challenge to be able to basically offer new services to their customers through the vehicles because let's face it. The automotive industry is facing a challenge in that it's no longer just about selling vehicles for their business model. Now it's about selling services through those vehicles as well.
And in order to sell services through the vehicle where now you're engaging with the customer through that infotainment system, you need identity inside of the vehicle so that you can provide a good personalized experience for the user, but also so that you can provide security and privacy for what's happening inside of the car.
So traditionally, we'll talk about this, this concept of new or smart mobility includes things like connectivity, sharing, autonomous driving, but in, in a large case, it's about monetizing services through the vehicle.
And often the smartphone is compared to the vehicle where the modern vehicles are a big rolling smartphone, and there's a lot of similarities there. That's true, but there's one difference in that the smartphone is a very personal device that you typically don't see folks sharing. Whereas the connected vehicles also transitioning to not only have services in the vehicle, but also to be part of the sharing economy where you've got car sharing and ride sharing and so forth. So it needs to be personalized, but it also needs to be able to be personalized for more than one person.
So a multi-user type of environment. If we do look at one parallel, though, with the smartphone industry, let's look at Apple. We see that Apple, for example, as recently as this past quarter is earning more revenue, more money with the services that they sell through their device than through the devices that they're selling, such as the iPhones and the iPads and so forth.
And one of the things that they have done to make that an easy experience for their users is Apple ID.
So being able to use an identity to sign in to your iPhone, to the iCloud, through your browser, through a smart device, through a tablet, and have that common experience across those, those different devices is exactly what the automotive industry is looking to do in terms of personalization. So we can see here, whether it's payments, usage-based insurance, in-vehicle advertising, features as a service inside of the vehicle, being able to bring identity into the vehicle there will enable all of these different types of services.
And so this is, this is why the automotive industry needs digital identity for personalization. Now let's talk about identity and security. Obviously Martin touched on, on, on many great points of these, but a security, again, as we said in the beginning is really about there's a balance identity sits right in the middle and essentially provides that balance between the user experience and the security.
And if the security's too high, the user experience can be too cumbersome and the user will, will leave or not want to adopt that service.
But of course, if it's too low, it's very easy for accounts to be hacked and for data to be stolen and privacy to be compromised. And so identity sits right in the middle and helps provide that balance. Now for the automotive, for the car specifically, each car really is a rolling IOT ecosystem.
As Martin talked about earlier, each car on its own can represent sort of a, a macro or a meta identity, if you will, where the car could be known as its, as its VIN code, what have you, but also inside of the car, there's many different systems that could be equated to IOT gateways, for example, what we would call constrained or not communicate or protect themselves on their own.
And so the identities of all of those subsystems and the macro identities of the vehicle and its, and its ECU systems, whether it's automated driving assistance or engine control or body control need to have identities and they need to be related to each other. So we understand how they fit together so that the car as a whole can then be trusted within the Greystone to authenticate itself to other devices in a smart city, to the cloud and so forth.
So when it comes to identity for devices in this case for a connected car and all its sub components and any other devices, it's really about establishing an important level of trust.
And it's not just so that the devices can be trusted when they authenticate to each other or when they authenticate to the cloud it's so that we can understand the, the provenance and, and protect the data that is coming out of all these devices and vehicles and being stored in the cloud so that we can protect the privacy of that data and also allow companies to monetize the right pieces of it that are anonymized and also protect their intellectual property.
So we need to trust where that data's coming from and be able to protect that data itself.
So with that, ForgeRock is, is expanding its software out to the edge. So our traditional platform that you see here in the middle, where it says IOT services, that's our backend services of our platform, our identity management, our runtime access management, identity gateway, directory services, storing all of the identities and so forth.
But now on the left, we've developed software that can actually run on the edge in an edge device, a smart device, if you will, that can establish what we call a root of trust for that device and onboard that device to have its own unique ID in our back end and create relationships between that device and other identities, such as person, identities, organization, identities, and so forth. And then this, this edge security that we have, this identity edge controller that we call it also.
Then if it, let's say, installs on the infotainment system of a vehicle, it can then act as a proxy to onboard smaller constrained devices. If you consider the infotainment system or other systems as an IOT gateway, it can onboard the identities of those downstream devices that, that are able to connect and already have protocols bridged through different systems in the car, let's say to the infotainment systems.
So now we've got that full scope of identities from the subsystem, the small devices in the vehicle, the vehicle itself, and they've got their identities and they have relationships between the users and the dealerships and, and the organizations that own the vehicle, if that's the case and so forth. And so now we're able to establish these identities of devices and then authenticate them and authorize them for what they're actually allowed to do. Now it's a little bit different to establish trust in people versus establishing trust in devices.
If you're a person and you wanna get a very high security credential like a passport, then you go in person and you present your birth certificate and other documents. And then you get a passport that's trusted at a broad, the broadest sort of level of trust. If you will, in the broadest context, you can move down the line in a driver's license.
You have to do similar things to get that, but not quite as secure, and all the way down to, let's say, a conference badge or a business card, which are convenient, they're lower assurance, but they're, they're, they're much easier to get and they, they have their, they have their common use. So the way that we're approaching device security within ForgeRock with our edge security is to support these three different levels of, of security.
But to, to make sure that we support the highest level, passport security, which actually means getting a secure credential and asymmetric key pair, if you will, that's generated and stored on the secure part of a chip in a device and never leaves, and is able to have that strong attestation that that device is who we think it is, essentially like its birth certificate, so it can have the highest level of trust.
So we actually support those different levels of trust depending on the use case and the level of security required and what needs to be onboarded.
Now, some of the other use cases for actually having that right level of deep trust, if you will, in the vehicle or in these devices, is that then with the ForgeRock software at the edge, things that we're working on is being able to, let's say, tag the data as it rolls out of the cloud and heads to the cloud so that you can implement fine-grained authorization. And you can say these parts of the data are privacy sensitive, and they're not allowed to be shared.
It's been talked, you know, that's, that's been put in place by the user. Here's intellectual property data, and this data can be shared and monetized across organizations. So being able to do that and then be able to pre-process data at the edge, because not all data is gonna be able to be backhauled to the cloud in order to make real-time decisions for autonomous driving scenarios and other things that are similar. Same thing applies to patch management and secure software over-the-air
updates, if you're familiar with that term. The ability of a cloud API, let's say, that is sending down updates to the car, and the car itself: you need to be able to establish a, a mutual trust between the identity of the car and the identity of the cloud service that wants to send that update or that patch over the air. You also need a secure identity and trust in that data package, that software package itself, that its signature is valid and that it has not been tampered with or updated since the time that it was sent.
So all of these different pieces and parts require identity and, and, and trust of course, privacy is a big part of this, especially from the user perspective about who gets access to my data. And I wanna be able to opt in instead of having to opt out. I wanna delegate who I can share my information with and from an auto manufacturer, there's government legislation, as Martin mentioned, especially in Europe, the GDPR is, is, is there's strong rules and penalties around that where companies need to be able to comply.
And if we go back to our personalization, once you have a user authenticated inside of the vehicle and the vehicle itself actually knows who's in the driver's seat, or who's in the backseat, watching Netflix, then it's really becomes important to make sure that you separate that data. That's attributable to a person versus just anonymized troubleshooting data for things like predictive maintenance and so forth.
Now, one of the protocols that ForgeRock supports in our platform is User-Managed Access. And this is a privacy enhancing specific protocol that rides on top of OAuth 2, if you're familiar with that, that actually allows the user to say, I want to share this bit of information with this person or this organization for a certain amount of time. I want to go to my dashboard and see everything that I've shared and be able to unshare that information or take it all back if I want to at some point.
So in the ForgeRock platform, we provide in our access management and in our identity management suite of capabilities, the ability to share certain pieces of information and take that back and manage who you're shared with, from a privacy and consent perspective. Another very important piece of how identity intersects with everything that's happening in the connected vehicle and the automotive industry.
Now, what is something that ties all of this together?
This is where I wanna talk about identity and relationship management. And so you've heard me talk about some of these different classes of identity so far. Obviously there's different people. There's the drivers of cars, owners, dealers, renters, maintainers, there's the car itself, there's cloud service like patch management or, or datas like Spotify or others. There's all the different sensors in the vehicle that are connected to the, what is effectively IoT gateways inside of the vehicle.
That's ultimately connected to a cellular radio so that that data can come in and go out. Those need identities. We talked about the software and the updates itself, but also what about all of the different infrastructure that, that vehicle is going to need to connect with? What about connected smart cities and parking and traffic lights and autonomous driving and all these different pieces.
There needs to be that trust in those identities between the identity of the car and all of its sub components and trusting the identities of another car and a vehicle to vehicle of a traffic light or a traffic warning signal, or a parking meter, or a, a toll tag meter.
If you're, if you're paying for tolls driving down the road and all of these things need to be that they need to be implemented in such a way where this, this personalized piece can be changed depending on who's in the vehicle because of the sharing economy and because not everyone is owning vehicles anymore.
So the vehicle needs to be a shared platform where someone's identity can come in and go out, and then someone else's identity can come in. But the way that these things all relate together is not an LDAP directory necessarily. It's not a SQL database, the ability and how the connections look between these things looks more like this, this major graph diagram here, we've got a web of continuous connections between these different people in cars and software and locations and organizations and all these different things.
So we need to be able to represent these things in a relationship sort of management engine that is able to understand how they fit together and answer questions about how these things fit together and sort of instantaneously to manage fine-grained authorization, and to provide insights and to determine from a privacy perspective, what's allowed to be shared and what's not allowed to be shared.
So in our platform, in the, in our CTO team and ForgeRock labs, we're building on graph databases to put together scenarios and, and demonstrations and, and, and tools of how graph relationships can tie together scenarios.
So when you have one driver with access to many cars, or if you have one car that has many different drivers, depending on your scenario, you've got all these lines of relationships that you can follow almost instantaneously to understand things about what entitlement someone has in that vehicle when they authenticate to it from, from the, from the OEM or what subscriptions that they have, have made connections to with their identity in the backend, so that when they log into the vehicle their Spotify account, or other accounts automatically light up and it's effectively single sign on inside of the vehicle, we don't want users to have to try to type in usernames and passwords into the infotainment system.
Right? So one of the things that we have built in ForgeRock is a demonstration around this, and we have been working with Automotive Grade Linux, and Automotive Grade Linux is an organization under the Linux Foundation, which is building sort of a, it's a code first organization building an infotainment system, grade Linux software that other auto manufacturers can take as a secure baseline and then build their custom apps and their custom look and feel on top of that.
And that's where we've been learning and developing our own identity layer for AGL that actually allows the user to authenticate themselves to the vehicle. And also, as you see here in the lower right, our identity edge controller, where we can secure the identity of the vehicle itself and connect those things up to our ForgeRock backend. Here's just some, some pictures of the AGL home screen, which is sort of a generic Tesla sized screen with our identity personalization.
So on the left, you can see that there's no authenticated user; things are, are generic, if you will. In the middle pane, Barbara has authenticated to the vehicle. You can see in the upper right, that her payment information is now in the vehicle. She can see that she's the owner so that she has the ability to not only open the trunk remotely, but also install applications and update software and so forth. We see on the right for Sam, that he, Barbara has actually shared the car with Sam in this case. And he has selected his language of French. So you see that that's been implemented, she's also imposed a 90 kilometer speed limit for him.
And that shows up and he is just a driver. So old down in the left here, he's only able to open the trunk and view online. He's not able to install new software or new applications.
So you get the idea at least here of the in vehicle personalization, storing that user's profile and settings in the cloud, managing the identity life cycle and being able to actually authenticate to the vehicle itself.
So in closing, in the last couple minutes here, I just wanna bring it all together and kind of show how those intersections of identity will, will change the automotive business across many different verticals. And, and one of the key points here is, is that every organization, whether it's an automotive manufacturer or an online retailer or an insurance company has many different silos of, of, of information and systems. And most of those either consume or produce bits and pieces of identity information.
The key here is to be able to have a platform that can connect across all those, and sort of be the, the system of record for identity in an organization and build relationships between all of them to be able to get the most value and provide the best user experience and the best security context in this landscape.
So remember we talked about this in the beginning. What we're really gonna show here is how we cover all three, whether it's enterprise identity, customer identity and the identity of things.
So if we start with an auto manufacturer in this case, we're using GM, just as an example, they need to have their, their enterprise management, right? Enterprise identity management, things for Lisa as an employee of GM, whether it's provisioning her Active Directory account, as I said earlier, workflow, single sign on, federation and so forth. So that's of course, something that the ForgeRock platform is able to do, but it gets more interesting once we get into customers and devices.
So when Lisa is a customer of General Motors, how do we give her the best experience from a customer identity management perspective of being able to look on the website, maybe start building a car ahead of time, maybe use a social authentication to initially get her identity built up so that by the time she goes into the dealership for the first time, she has a great experience and she's already partially known, right?
So getting, getting that started off on the right foot from the very beginning, again, part of what ForgeRock thrives at today with our platform, what about managing her profile and rough show? I see us in, so every company wants to offer different services or as a service and be able to get subscription dollars. So in GM's case, they have Maven, which is a car sharing service, they're investors in Lyft, as an example for ride sharing.
And so providing Lisa a single user experience so that she doesn't have to remember a separate ID and password, her preferences that she managed back here at the dealer experience could flow all the way into her, her preferences, her address, her payment information, her log on into how she consumes these services that GM is wanting to offer.
And then finally, once she's actually in the vehicle, whether it's the vehicle that she owns and drives every day, the Cadillac shown there, whether it's the Corvette that she drives on the weekend or the Suburban that she uses for Maven to go on a camping trip, each of those vehicles can take all of the data and the knowledge for all the way from this part and drive that into the best user experience inside of the vehicle from predictive maintenance to destinations, to calendar, to her Spotify, to payment information, you name it, all of those things can come forward.
She can have an experience inside of the vehicle and the things that she does inside of the vehicle. Let's say like changing a privacy setting can flow back into the cloud profile and can flow back all the way to the dealer, for example. So connecting all of these things together into an identity platform, that's able to build relationships between all these different parts of identity that exists now across all different areas and lines of business is very important. And that's the pieces that we have built and are continuing to build and work on inside of ForgeRock.
So that concludes my part of the presentation today. I, I believe that that leaves us time for questions. So I'll turn it back over to the moderator and thank you very much for your time folks.
Thank you very much, Ashley. So let's continue with the key part of Q and a. So I should be able to see my screen again, and we already have a couple of questions, and if you have more questions, please enter these questions now so that we can go through this.
So, so one of the interesting questions, obviously, how can I keep my personal information private in the car sharing environment?
Absolutely. And so that's one of the things that we, we kind of touched on, you know, car sharing and all the different things as a service where ownership is, is going down, you know, or is lessening. That means that different identities are flowing through a single device, many, many different times potentially throughout the day.
So being able to have an identity layer, if you will, or an identity agent, you know, the edge software that I talked about inside of the vehicle, so that it can manage your authentication to that vehicle while you're in it and to then log you out, if you will, when, when you leave and to ensure that that information is encrypted while, while, and if it's stored in the vehicle, and that there's a secure connection to the cloud when you authenticate. And of course, when you authenticate your privacy settings for your account should be able to follow you around from vehicle to vehicle.
So the, the trick there is to being able to tell the car who you are and its ability to in a federated way, access your profile, which will include your privacy preferences and your consents. So that while you're in the vehicle, any association between where the vehicle's taking you and what you're doing still complies with what your, what your privacy preferences are, regardless of the car that you're in.
So, so you already just touched the secure communication. Maybe you could dive a little deeper into, so we have a question here around how do you secure the, the connections between the vehicle and other connected infrastructure?
Yes. So that goes a little bit deeper into what we're doing with ForgeRock edge security.
And so that is a, it is a cryptographic, you know, I say asymmetric key pair, that's, you know, a higher level description would be PKI, although we're not using just traditional PKI out of the box, we have some, some, some special sauce, if you will, that we've developed around that to make it more secure and we believe more scalable.
But the idea is when we develop that cryptographic root of trust at the chip level, in the vehicle, we can then use those keys and that information to not only have encryption at the transport layer, but we can also encrypt the data as it comes off of the vehicle and sign the data so that it actually lives encrypted in the cloud as it goes there. And you would actually have to have the, the user's key in some cases to, to be able to decrypt that data.
So, you know, having, having a cryptographic root of trust, if you will, at the, at the very source allows you to extend that into using that same crypto, to be able to secure data both through, both through encryption and signature.
Okay.
Here, here's another question. So having OAuth and, and OpenID Connect in mind, the car system is like a resource owner, whereas the car entertainment system would be a user agent. So could you comment on this view, does it reflect ForgeRock's in-car software?
Yes. So what we are, what we're currently working on is the ability to actually implement, you know, OAuth 2, OpenID Connect inside of the vehicle.
So that when in difference here is, is that the, the user is actually authenticating themselves in our vision to the vehicle and the, and, and some of those authentication pieces and the flows that take place traditionally between a user and a browser and a back end would actually be, could be handled by the software in the vehicle.
So that even if the car is offline for a few minutes on the parking garage or in the middle of the desert or something, whatever is at least cached and secured within the vehicle after the first authentication, of course, just like many other things, the very first time you would need to be connected to, you know, exchange tokens and to get your initial profile down.
But after that, the ability to actually cache and do authentication with ForgeRock software locally in the car, and then have that be sort of delegated or trusted by the backend, so that there's, there's parity there between what's happening in between the user and the car and the car and the cloud.
Okay. So we're looking at this and all these different drivers and different vehicles and so on. So what do you know of, or can you say about the automotive industry sort of standardizing on, on user identity protocols, so different vendors and their suppliers.
So we all know that the vehicle is not built by one company, but in fact, consists of a lot of OEM components, which are in that vehicle. So, so is there any trend to observe, any concrete action you see in the automotive industry adopting these protocols?
Yeah. I think it's early stages in some, and there's so many different protocols that we could discuss.
So, you know, from a peer identity perspective, I think there's definitely interest in, in, in carrying forward things like, you know, not, not necessarily PKI, but the X.509 and asymmetric key pair as one, you know, OAuth 2 open tokenization as another. And then you see different types of protocols that may use some of those to ride on top of, like DSRC for vehicle to vehicle communication. Then you see some emerging standards. Like I believe the, the VWE standard that Volkswagen is working on for actually the standard of how the vehicles would communicate and structure the data.
So there's many different layers of protocols and standardization. Some of them not specific to identity, some of them yes.
But the, the, the trick will be, you know, as, as how early we are in some of these stages is seeing what will bring different automotive manufacturers together from around the world to have sort of a federated way to exchange this information at, at various different levels, including if you think about it, the user identity.
So most companies find it beneficial and have a desire to sort of own a user's identity record and their preferences within their brand. And to use that as a way to differentiate their brand experience.
But if you're a user and you want to be able to have a profile that will work in a BMW or a Toyota or a Ford or Lexus, you know, that's, now you're talking about federation and going across different automotive OEMs. So it's, I think it's also interesting to see, will we see some sort of cooperation at that level with some sort of, you know, neutral group that would ride above most of those that would allow for user's data to be exchanged between auto manufacturers, at least some of it for the sake of the user's experience in this new shared economy. Yeah.
Which, which also then raises the question of how will the automotive industry react on the data portability requirement of GDPR.
Absolutely.
And then there's so much data that comes off of a car, the bulk of data that I think that you'll see a trend towards some of the data that keeping it completely separated from any attribution to a user so that it doesn't have, you know, it doesn't have the same privacy implications, but again, as I said earlier, once we do have attribution to a user for the sake of the other side of the, the equation, which is convenience and personalization in the vehicle.
Now there's gonna have to be the standards and controls put into place to ensure that any of that data, that, that can be associated to the user of how they're driving and where they're driving and when they're driving and even with the new cameras, what kind of mood they're in when they're driving right. Needs to be able to be protected and, and, and maintained in compliance with GDPR.
Okay. I think we had a couple of very interesting questions, so very lively conversation here. So I think we are through all the questions. Thank you very much, Ashley.
And thank you very much to all the attendees of this KuppingerCole webinar. I hope to have you soon at one of our other upcoming webinars. Thank you and have a nice day.
Thank you so much.