General Motors uses cloud identity and open authentication standards to secure its customers at scale

Trustworthy, secure identity services are now the gold standard for customer satisfaction.

Token-based authentication and secure cloud APIs offer stronger, more simplified UX for all users: remote employees, on-site staff and customers. Streamlining processes related to identity and identity management makes things easier for everyone involved – and ultimately provides a better level of security that is more trusted by customers. 

Few companies are as familiar with these benefits as General Motors, which set its sights on building an identity platform that could marry zero-trust security with simplified user experience.

GM has been a cornerstone of the American auto-manufacturing industry since its founding in 1908. With its headquarters in Detroit, Michigan, GM’s workforce of 167,000 is responsible for manufacturing and delivering its portfolio of vehicle brands (such as Cadillac, GMC and Chevrolet) to an international customer base. Recently, GM has invested heavily in the production of electric vehicles (EVs) and aims to become completely carbon neutral in its global operations and products by 2040.

In its quest to realize an “all-electric future,” GM is revamping its digital experience to satisfy modern security requirements while providing the flexibility and convenience that customers expect from one of the world’s elite manufacturers. That’s where identity management comes in. 

Identity services for the enterprise versus the customer base

While there’s some overlap from a security perspective, it was important for GM’s identity management solution to distinguish the IAM needs of the workforce from the IAM policies of its broad customer base. Multifactor authentication, for example, needed to be enforced for GM employees and customers alike. But given that GM customers outnumber its enterprise users by tens of millions, GM deemed it unwise to apply the same blanket IAM strategy to both groups. That would not have addressed the disparity in scale. 

“In our case, we’re dealing with millions to tens of millions of users, whereas on the enterprise it’s really more tens of thousands to hundreds of thousands of users,” explained Andrew Cameron, IT Fellow of Identity and Access Management at GM, during a breakout session and one-on-one interview with SC Media at the 2023 Identiverse conference in Las Vegas. 

That difference in scale means that policies and protections on the workforce side where a company has greater control and visibility, won’t look the same for clients and populations on the customer side who are operating ‘in the wild’ by definition. 

“You need to have more awareness on the B2C side of trends and authentication activity where you could be subject to an attack if you’re not plugged into the analysis of those transactions,” says Cameron. 

Open authentication and cloud APIs

While GM wanted to make sure its customer transactions were secure and adherent to zero trust design, it also wanted to avoid corralling its customers into tedious, time-consuming verifications at every corner. 

“It is an incredible balancing act because our business is very sensitive to friction, very sensitive to being prompted many times to actually get access to a service,” says Cameron.

GM has addressed this dilemma by adopting token-based authentication and cloud identity standards for all its API services across the organization. Instead of a wholesale lift-and-shift of legacy applications into the cloud, however, GM wanted to think strategically about what to migrate and how to set the right standards. They turned to OAuth and OpenID Connect to set them on the right path. 

OAuth (short for open authentication) uses authorization tokens instead of passwords to prove an identity between consumers and service providers. With OAuth as a standard, users can effectively gain access to software of third-party applications in the cloud without needing to submit their password credentials to this third party. OAuth, for example, is what allows users to grant permission to access their Facebook profile or post updates to their timeline without actually giving ESPN their Facebook password. It’s faster because it eliminates some of the traditional hoops that APIs have called for, but it’s also more secure because now there’s less burden on third parties to manage passwords responsibly. 

“That allowed us to have a common language when we talk with our app teams, to say this is the minimum standard you have to meet in order to move your service into the cloud,” says Cameron. 

Bringing everyone along for the ride

When discussing GM’s identity journey, Cameron says that teams were encouraged to bring governance and transparency into the enterprise process. For example, they instituted a 5-star rating service so that dev teams could see for themselves what the migration priorities were. 

“Sometimes it’s the carrot, sometimes it’s the stick – where you have to bring security-based influence into the discussion to say ‘these services are really critical, and it’s important that we’re adhering to cloud authentication standards in order for you to migrate.”

The 5-star system (with backing from GM’s leadership) also means devs aren’t incentivized to migrate on short timelines or cut corners, since doing so could result in a lower rating. 

“We were fortunate that we have leadership at GM IT that is really supportive of security direction, very supportive of what our CISO was trying to implement, and so we were able to drive those standards as part of our migration in the cloud.”

The benefit of continuous telemetry

Once the identity management standards are configured properly, the work isn’t over. Ideally, those standards should be supported by IM tools that provide continuous telemetry of one’s threat environment. 

“When you see spikes in your authentication environment or spikes of failed attempts to log into your services, those are probably indicators of an attack,” says Cameron. “It’s really important to use a consistent stream of telemetry to get those insights and turn them into policies or actions you might need to take because those insights are going to let you know if you’re under some kind of attack.” 

Identity threat detection and response solutions are one way to achieve continuous telemetry. ITDR solutions focus on the identity infrastructure itself, rather than the users managed by that infrastructure, and include a range of protection capabilities such as AD environment security posture assessment, attack path management, risk scoring and prioritization, real-time monitoring of indicators of compromise (IOCs), machine learning (ML) to detect abnormal behaviors or events, as well automated remediation and incident response.

“It’s really critical to have an understanding of the end-to-end view of all the traffic that’s flowing through your architecture,” says Cameron.

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.