One example of Volkswagen AG's success is its ever-expanding
workforce. But for Hans-Ottmar Beckmann, chief information security
officer (CISO) of the auto maker, it also illustrates the company's
increased risk.
Beckmann's department now manages 1.5 million user IDs. In the
coming year, that number will grow by about 200,000.
The user community is increasingly complex, with engineering
partners, dealers and suppliers needing access to network data
along with the internal staff. More users on the network mean more
opportunity for data leakage, Beckmann said.
"Our big concern is that data might leak out to competitors,"
said Beckmann, who helped develop a federated identity management
protocol for the European Automotive Society in addition to his
work at Volkswagen. "Our information -- forecasts, market
strategies, engineering details -- is very valuable."
To protect that information, Beckmann is relying more than ever
on strong ID and access management techniques.
He said that starts with the basics -- making sure people who
access the network have one user ID and that their level of access
is nothing more than what their jobs require.
For a company the size of Volkswagen, Beckmann said it's
difficult keeping track of people who enter and leave the company,
or change positions. If a person changes jobs, he said, it's
critical that their network access rights are adjusted so they can
no longer access systems they no longer need to do their jobs.
One of Beckmann's top priorities in the past couple of years has
been to develop a standard, consistent approach to ID and access
management across Volkswagen's network.
Beckmann's work on this front has included the implementation of
more advanced user administration, provisioning, password
management and business process workflow controls to regulate and
monitor access to critical systems and processes. The task is
difficult, since Volkswagen has more than 250 companies around the
world and the 1.5 million user IDs include those assigned to more
than 300,000 employees, 80,000 suppliers and 200,000 dealers and
repair personnel.
Meanwhile, with its cars increasingly computerized, Volkswagen
has been developing the capability to conduct remote diagnostic
work on its vehicles. Strong ID and access management is a critical
part of that as well, Beckmann said.
"ID management based on authentication, authorization and audit
is not just about the user," he said in an earlier interview with
Information Security magazine.
"It's about the systems -- the car." He noted that Volkswagen cars
have about 50 computers inside with 100 megabytes of program code.
"It has its own network, so we have to make sure the right networks
are in place, and you need authentication as part of that," he
said. "There must be a concept to send encrypted data to the car so
it can verify that the signature is actually coming from
Volkswagen."
To achieve the level of ID and access management it needed,
Volkswagen purchased tools and services from Houston-based BMC
Software Inc.
Somesh Singh, vice president and general manager of BMC's
identity management business unit, said Beckmann's concerns are
similar to those of other BMC customers.
"When we look at the top five or 10 areas where companies find
themselves weaker, all have something to do with change
management," he said. "There's the challenge where people have old
passwords and there's a lack of segmentation on the network. Some
of the companies that come to us express the concern that they
don't have a good handle on adjusting who gets access to what."
Singh said ID and access management is also of great importance
to companies grappling with regulatory compliance. "If you look at
the last two years, dozens of new regulations have come about in the
U.S., Canada, Europe and other countries," he said. "Companies have
treated each regulation as a product and the goal has been to get
through each one quickly without stumbling. They are finding it's
difficult to deal with so many at once."