Lessons from a leading fleet management company: Custom Fleet doubles B2B users overnight while saving $300,000 annually
- A greenfield opportunity: Custom Fleet leaders look for ways to satisfy customer demand for more data-focused fleet management services. After divesting from GE, Custom Fleet IT selects Okta to help build a new, modern IT infrastructure and phase out legacy, on-prem software.
- Starting with employee single sign-on: The team begins by implementing Okta Single Sign-On for employees. Soon, they’ve integrated 21 applications and 100 bookmarks. They also implement Okta Multi-Factor Authentication, adding security for mobile users and administrators.
- Pressing ‘Delete’ on on-prem customer authentication: After moving to its new environment, IT rebuilds Custom Fleet’s customer-facing application, Fleet Office, to integrate with Okta and move customer profiles to Okta Universal Directory. In the process, they eliminate expensive servers and software, saving the company $300,000 annually.
- Full-on customer identity and access management: After working with Okta and one of Custom Fleet’s largest customers, the team successfully federates with the customer, providing secure, automated user access, permissions, and account set-up. Overnight, Custom Fleet doubles the number of Fleet Office users.
- Up next: An open, connected ecosystem: Going forward, Custom Fleet IT plans to use Okta API Access Management to build out a connected ecosystem, automating processes end-to-end and making it easy for customers and suppliers to communicate with back-end systems.
Custom Fleet Leaves Legacy Infrastructure Behind. Okta Connects its Entire Ecosystem.
Partner for a modern IT infrastructure
After GE divests its fleet management business, Custom Fleet IT has the opportunity to build a greenfield environment, modernizing its infrastructure and setting itself up to provide the data-driven solutions that today’s customers demand. Okta proves to be an important partner in that project, starting with employee SSO, multi-factor authentication, and continuing on to customer authentication and federation. Today, Custom Fleet is putting the building blocks in place for a connected ecosystem that automates customer and supplier processes end-to-end. Okta continues to play a key role.
We removed 17 on-prem servers, along with some expensive legacy software, as a result of using Okta and Universal Directory. That saves us in the vicinity of $300,000 per year.
Mark Burns, IT Security, Architecture and Infrastructure Leader, Custom Fleet
- 400 employees using Okta Single Sign-On to access their work
- 21 internal applications integrated with Okta, along with 100 bookmarked apps
- $300,000 annual savings after moving to Okta for customer authentication
- 13,000 customer staff members onboarded in a single evening
- 17 on-prem servers decommissioned, eliminating 10% of Custom Fleet’s data center
Connected vehicles and the technology to manage them
Fleet management used to be about financing vehicles and providing services such as fuel cards and accident management. Today, Australia and New Zealand-based Custom Fleet, which employs 400 people and manages 100,000 vehicles in the region, is moving heavily into data and analytics.
“Our customers want more detailed data,” says Mark Burns, IT security, architecture & infrastructure leader at Custom Fleet. “If you have a few million dollars wrapped up in vehicles, you want to make sure you’re using them properly.”
With the help of technology, the company can offer data insights that help customers optimize their fleets, as well as driver safety. Custom Fleet leaders are also looking at emerging technologies that connect vehicles to smart grids, or that use blockchain to simplify and automate back-end processes.
A greenfield opportunity
Custom Fleet was founded in 1978 and has gone through a few different corporate owners. Most recently, General Electric sold the company to Element Fleet Management in 2015. “We had our fair share of legacy infrastructure and applications” as a result of working within a company of 300,000+ employees, says Burns.
The transition from GE to Element gave Custom Fleet IT the opportunity to build a greenfield environment and simplify its IT infrastructure by phasing out CA Siteminder and LDAP. To begin with, “we wanted to look at how we could simplify the login process,” says Burns. GE had multiple single sign-on solutions of varying complexity. “We wanted to avoid that when we went to our new environment,” he says.
“From the outset security was paramount,” says Burns, “but we also recognize that forcing people to remember lots of usernames and passwords actually degrades security because they’ll use simple passwords or reuse passwords across multiple applications.”
Starting with employee single sign-on
Single sign-on and multi-factor authentication were high on the list of Custom Fleet requirements. Burns had success with Okta in a previous position, so the choice was simple. “We already had a relationship with the local team,” he says. “When we were moving across from GE into our new network, we were able to fast-track the process by selecting Okta from the start.”
The Custom Fleet team began by implementing Okta Single Sign-On for employee access to Office 365. For security reasons, the new greenfield environment had to be completely segregated from the GE network, which created its own complications.
The Okta implementation was less complicated. “Okta came into place about eight weeks prior to go-live,” Burns says. “The initial single sign-on took about four weeks, but that was only an hour here and there because we were also building our entire environment.”
After the transition from GE, the Custom Fleet team expanded their employee SSO project to include 21 applications integrated into the Okta portal and an additional 100 bookmarked applications.
“It’s all linked back to Microsoft Active Directory (AD),” says Burns. “As a person logs on, based on their AD group membership, the Okta portal is customized specifically for them. It makes it easy, even for new employees, to access all their applications.”
Frederick Lee, infrastructure and security operations lead at Custom Fleet, says the most important configuration the team implemented was enabling Okta Multi-Factor Authentication. “Every one of our users who access Okta-connected apps externally must be MFA-registered,” he says. “They can only register for MFA when they’re on our network, and as administrators we are always prompted for MFA, regardless of where we are.”
Pressing ‘Delete’ on on-prem customer authentication
By November of 2016, Custom Fleet had migrated to a new IT environment, but the company had brought plenty of legacy infrastructure with it. Fleet Office, its in-house customer application, plays a central role in the company’s value proposition by helping customers manage and gain insight into their vehicles. In the transition, Custom Fleet had retained the 17 on-prem servers required to run that core application, along with expensive legacy software that required specialized skills to manage.
Fleet Office integrates with third-party applications, so customers had been dealing with multiple login processes. “Our customers complained about how hard it was to create an account within Fleet Office,” says Burns. “We wanted to streamline the login process, but our on-premises solution didn’t allow it.”
Two months after the transition from GE, the team began redeveloping the application with the goal of embedding Okta’s customer identity and access management (CIAM) solution as the digital identity layer. This included migrating user profiles to Okta Universal Directory. “It took around eight weeks from when we started the development to when we were syncing all of our customers back up into Okta,” says Burns. “That included the design work, the development work, the testing, and the final migration.”
The result was a more flexible authorization and authentication service that the company could build on, says Burns. Right away, customer account setup and daily login became a simple, unified process. “We were able to remove things such as secret questions,” he says, “and we could also look to expand the service later on.”
Custom Fleet was able to completely decommission the on-prem infrastructure behind Fleet Office, which comprised 10% of its data center. “We saved in the vicinity of $300,000 per year transitioning to Okta for external customer authentication,” says Burns.
Automating customer lifecycle management
Custom Fleet had simplified its customer login, but it was still managing customer identities manually. “With our internal employees, we know who they are,” says Burns. “They get onboarded through the HR process and we’re able to provision them automatically in Okta.
“With external customers, we don’t know when a person joins the organization. More importantly, we don’t know when they leave. We’re generally reliant on our customers to notify us when we need to remove their Fleet Office access.”
Customers were having a hard time keeping up, says Burns. “When you have a workforce of 13,000 staff, how do you manage that manually? It’s nearly impossible.”
Custom Fleet’s third Okta project begins to solve that problem. “Early in 2018, we went live with our first federated customer,” says Burns. “That involved working with Okta on how we could take that customer and onboard them in an automated fashion—managing user access, permissions, and account set-up in an ongoing, automated way.”
To accomplish that goal, Custom Fleet set up a dedicated tenant in Okta for the customer. Custom Fleet receives weekly automated feeds from the customer and uses the Okta APIs to extract current staff profiles and compare them to what’s already in UD. “Any staff that have left are automatically removed,” says Burns. “Any staff that have joined are added.”
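The weekly reconciliation described above, sketched as an added example (not Custom Fleet's or Okta's code): it diffs a constructed customer feed against a constructed directory snapshot and returns the joiners to add and the leavers to remove. The function names, the `login` key and the `max_removal_ratio` guard against a damaged feed are assumptions of this example, and the Okta API calls that would fetch and apply the changes are left out.

```python
from dataclasses import dataclass, field


@dataclass
class SyncPlan:
    to_add: list = field(default_factory=list)     # in feed, not in directory
    to_remove: list = field(default_factory=list)  # in directory, not in feed
    aborted: str = ""                              # non-empty if the plan was refused


def normalise(login: str) -> str:
    # Compare logins case-insensitively and without stray whitespace, so
    # "USER2@customer.example " and "user2@customer.example" are one person.
    return login.strip().lower()


def plan_sync(feed, directory, max_removal_ratio=0.2):
    """Compare the customer's staff feed with the directory snapshot.

    feed, directory: iterables of dicts with a "login" key (assumed shape).
    max_removal_ratio: hypothetical safety limit; a feed that would remove
    more than this share of existing users is treated as damaged.
    """
    feed_logins = {normalise(r["login"]) for r in feed if r.get("login")}
    dir_logins = {normalise(r["login"]) for r in directory if r.get("login")}

    # An empty or truncated feed must not deprovision the whole tenant.
    if not feed_logins:
        return SyncPlan(aborted="empty feed")
    to_remove = sorted(dir_logins - feed_logins)
    if dir_logins and len(to_remove) / len(dir_logins) > max_removal_ratio:
        return SyncPlan(
            aborted=f"would remove {len(to_remove)} of {len(dir_logins)} users"
        )
    return SyncPlan(to_add=sorted(feed_logins - dir_logins), to_remove=to_remove)


# Constructed sample data (not real users): one leaver, one joiner.
DIRECTORY = [{"login": f"user{i}@customer.example"} for i in range(1, 11)]
FEED = [{"login": f"USER{i}@customer.example "} for i in range(2, 11)] + [
    {"login": "newhire@customer.example"}
]

if __name__ == "__main__":
    print(plan_sync(FEED, DIRECTORY))      # normal weekly run
    print(plan_sync(FEED[:3], DIRECTORY))  # truncated feed is refused
```

A refused plan should be raised with the customer rather than applied, since a partial feed is indistinguishable from a mass departure.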
“As a result of that federation,” says Burns, “we were able to onboard 13,000 of the customer’s staff in one evening. To put that milestone into context—prior to that evening, we were running at around 12,500 predominantly B2B users in our system. Overnight, we went to 25,000.”
Now, employees within that customer organization can access Fleet Office simply by clicking a bookmarked icon. “They click on that link. They’re authenticated by their Azure AD and automatically logged back into Fleet Office,” says Burns. “When their account is disabled in their AD, even outside of that sync process, they lose access to Fleet Office, which is great from a security point of view.”
Rearchitecting Fleet Office has enabled Custom Fleet to change direction quickly, introduce new features at a quicker pace, and embrace modern agile and sprint methodologies to shorten the release cycle, says Burns. “Federation took some time because we had to coordinate with our external customer but still, the time to market was quite quick. And now it’s a reusable model that we will continue to use for other customers.”
Looking ahead, the Custom Fleet team hopes to expand the number of federated customers it works with and add new Sign In With Okta functionality to Fleet Office. “We don’t want to have to deal with that onboarding and offboarding process, and neither do our customers,” says Burns.
Up next: An open, connected ecosystem
The next Okta project for Custom Fleet involves a broad initiative to develop a connected ecosystem so the company can work with suppliers, as well as customers, more easily and bring advanced technologies on board.
To begin with, the team is splitting Fleet Office into modules. Using Okta API Products, they can extend it to third-party applications and externally hosted cloud applications. “We’re making it a requirement moving forward that if you want to do business with us you must support at least SAML, but ideally OAuth and OpenID Connect, as well,” he says.
“We’re using Okta to provide the authentication and authorization layer wrapped around that ecosystem,” says Burns. “We want to provide an API gateway to allow customers and suppliers to communicate with our back-end systems and automate that process end-to-end.”
To accomplish that goal, the team is using technologies such as OAuth 2.0 and OpenID Connect, along with Okta API Access Management. “When we have a new supplier or a new customer who wants to connect through to our back-end system,” says Burns, “we’ll use Okta’s API Access Management product to secure the generation and management of those keys, and also the ongoing authentication and authorization process.”
The Custom Fleet-Okta partnership is solid, says Burns, because the Okta team is willing to put skin in the game. “They’re there to build the relationship,” he says. That means weekly conversations and whiteboarding sessions, and an exchange of product roadmaps.
“We discuss what new features are coming out from Okta, along with our unique challenges,” he says. “We share our strategy with them and what we’re aiming toward. Then, they’re able to bring in their expertise and help us design the solution end-to-end.”
It helps that the Custom Fleet team has clear goals: Listen to customers. Be prepared to change direction. Follow a single organizational strategy. Automate, automate, automate.
As for the underlying Custom Fleet strategy—it’s simple: “We know what it costs to run a vehicle. We know what kinds of behaviors are normal. We want to see how we can use that data and tap into our customers and suppliers to share it,” says Burns.
About Custom Fleet
For 40 years, Custom Fleet has served customers in metropolitan and regional Australia and New Zealand. Today, the company has 2,400 customers and manages 100,000 vehicles across the region, along with supply chains that operate locally, nationally, and globally. In 2015, the company became part of Element Fleet Management, expanding its reach across more than 40 countries worldwide.