Biometric Security for Any Transaction or Function within SAP for Clear Accountability
Cyndi Wolf, Polk County Public Schools
Thomas Neudenberger, realtime North America Inc.
As a result of this workshop, you will be able to understand:
• Why the largest threats to your SAP security are passwords
• That the resulting damages go into the millions and billions
• Why you should protect data and not SAP users
• That you don’t have accountability in your system
• Why the Polk County School District is moving forward with innovative technology to “show passwords the finger”*
*using biometrics of course
Expert Statements – SAP Movie
http://realtimenorthamerica.com/download/Expert_statements.wmv
5 Facts about IT Security
1. Data theft and espionage is a rapidly growing crime*
2. Intruders target user profiles with extended authorizations
3. Profiles are protected with passwords that offer very limited protection
4. Long-term damages include financial damages, image loss, declined stock, lawsuits and compliance violations
5. Without biometrics, deterrence, prevention and conviction are impossible
*$400 million in damages in the DuPont espionage case
Statistics: Threat in Numbers…
• 82% of all passwords are written down (Source: SAP-Info Online)
• 40% say they share passwords frequently (Source: Rainbow)
• 71% would give up their password for a candy bar (Infosecurity conference study in Europe)
• 95% result in significant financial losses (Source: Gartner)
• 92% of corporations and government agencies detected computer security breaches in the last 12 months
• Last year 26.5 million records were stolen at the Department of Veterans Affairs – a $26.5 billion lawsuit followed!
Customers Demand Biometric Devices
• 23% of all laptops shipped in 2007 have a built-in fingerprint sensor!
• Laptops with fingerprint sensors: over 100 different laptop models have built-in fingerprint sensors
• Many USB devices like mice, keyboards or others are being sold under $50
• One of the leading sensor manufacturers, AuthenTec, sold 10 million sensors from 1999 to 2006
• AuthenTec sold an additional 10 million sensors from July 2006 to July 2007
Actual Financial Losses in 2006
The so-called “occupational fraud” (also known as internal theft) and abuse imposes enormous costs on organizations. The median loss caused by the occupational frauds in this 2006 ACFE study was $159,000. Nearly one-quarter of the cases caused at least $1 million in losses and nine cases caused losses of $1 billion or more. Participants in the study estimate U.S. organizations lose 5% of their annual revenues to fraud.
Read the full study at: http://www.acfe.com/documents/2006-rttn.pdf (Source: 2006 Study - Association of Certified Fraud Examiners – www.acfe.com)
• Average single loss was $159,000
• 25% caused $1 million in losses
• 9 cases of $1 billion or more in losses
• It takes 15+ months to detect fraud
Customer Pain Points
• SAP Logon: Unauthorized users use or share SAP User IDs, even at different locations at the same time
• HR: Protecting and securing HR information including health insurance info, salaries and social security numbers
• Finance: Prevent tampering with payment release, salaries, wire transfers, requesting or changing budgets
• Balance Sheets: Access to critical company information
• Research Data: Research data is stolen or changed
• Purchasing: Unauthorized users purchase unauthorized items
• Workflow Approval: People use supervisors’ passwords
• Fast User Switching: Users are supposed to log in and out for minimum tasks but never do (bank, hospital, warehouse etc.)
• Remembering multiple passwords that could require up to 15 characters
• True Identity Management / Compliance (Sarbanes-Oxley, Section 404, Internal Controls)
The 3 Ways to Protect
There are 3 ways to protect physical or data access:
1. What you know… Passwords / PIN / Codes
2. What you have… Smart Cards / Tokens / Keys
3. Who you are… Biometrics – Fingerprint etc.
Biometrics is the only true protection since the user will be UNIQUELY identified!!!
Smart Cards and Tokens can still be lost, stolen or passed on – and the user cannot be identified or held responsible…
Passwords are historically accepted to attempt protecting computer systems… They offer limited protection and no Accountability at all !!!
Lawyers love these 2 ways and call it: SODDI – SOME OTHER DUDE DID IT – not my client of course…*
*Like in the multi-million dollar case of UBS Paine Webber
20 Ways to get anybody's Password:
• Look in drawers or on the “yellow sticky note”
• Look over shoulders of co-workers (shoulder surfing)
• Ask colleagues – 40% admit to sharing passwords
• Get emergency password (at security guard)
• Call hotline to get password reset for any user
• Check unencrypted .ini files
• Try SAP default password for SAP* - 06071992
• Key Catcher, Password Cracker – Now: Recovery Tools
• Monitoring / Sniffers (transfer from GUI not encrypted)
• Videotape it - watch for people with a cell phone around you
• Or simply associate with owner (pet, family, hometown)
Download the “Fishing for Passwords” document at www.showpasswordsthefinger.com
Verification versus Identification
Old Verification: SAP User / Password, Smart card or Logon / Biometrics
Advanced Identification:
• Searches a database of 100’s or 1000’s of biometric templates
• Uniquely identifies Thomas and launches Thomas’s system
• Might identify and reject Thomas based on authorization
• Thomas’s tasks or attempts will be logged in an auditing log file
Independent Additional Protection
bioLock “sits” on top of SAP Security: Existing SAP Security + Additional bioLock Security
bioLock will not “touch” or change your existing security roles or profiles!
Protect selected – NOT all – Users
Until now you had to worry about protecting access for ALL SAP Users…
• bioLock will protect individual functions in the system
• You only need to protect the users that have access to those functions
• ALL OTHERS will not be able to access them anyway – even SAP_ALL
• Functions can either be protected Globally or on an Individual Basis
• You only have to worry about a few hundred Users
(Diagram: Protected users vs. NO NEED to protect!)
Security Level - Overview: Level I, Level II, Level III (SECURITY)
Protect The King - Not The Castle!*
*Quote from the keynote speech at RSA 2007 with Bill Gates
Why should any company invest in biometrics?
• Prevent critical lawsuits, image loss and bad press
• Protect themselves from monetary damages and espionage
• Comply with mandatory regulations such as: HIPAA, The California Act, Data Protection Act, FDA (Part 11 - Electronic Records), Sarbanes-Oxley Act – Section 404
Biometric technology will prevent most attacks, log uniquely identified users and their activities, and ‘scare off’ potential attackers !!!
A study from the California State University uncovers…
• Even if your company is compliant it is still exposed to fraud
• DuPont was 100% compliant and all auditors signed off
• They had a $400 million internal fraud case
• Companies blame and “sue” external auditors
• Insurers reject policies and payments
• More than the minimum requirements of mandatory regulations has to be done to protect assets and investors
• Without biometrics there is no true compliance
Download the complete research paper at: http://business.fullerton.edu/resources/biometrics/
Introduction: Polk County Public Schools
• The eighth-largest school district in Florida and among the largest 40 nationally
• Nearly 95,000 students at almost 160 school sites
• Largest employer in Polk County with more than 15,000 employees, more than half of whom are teachers
• Bartow High School is ranked 167th in Newsweek magazine’s 2007 list of the nation's top 1,257 high schools
Abdu Taguri, CIO
The School District’s Security Challenges
• User ID’s and passwords are written down and posted on or near workstations at an alarming rate
• SAP is used for most of the district’s business processes: HR, Payroll, Finance, Asset Management, Purchasing, Warehousing, Work Orders, Project Systems
• Security is role-based and assigned via position on the org chart; User IDs are maintained on HR Infotype 0105
• Concern for “Accountability” of the principal as the CEO of the individual school
• Delegation of responsibility to school secretary via User ID and password sharing
True Stories at the Polk School District
Years ago a school secretary paid many of her personal bills from the school district’s accounts. She would create fake requisitions and invoices for non-existent vendors using PO Box addresses she rented, and then forwarded the district’s checks to her debtors. Her setup was so perfect that she got away with it for several years.
Recently a school secretary used her legitimately provided access to approve herself overtime, which resulted in significant overpayment to herself and financial loss to the school district.
Biometric Approach: Polk County School District
• Logon to the principal’s SAP User ID is protected to prevent:
  • unauthorized access
  • well-intentioned “delegation”
• Transactions protected:
  • Requisition release
  • Payroll (time entry) approval
• Biometric segregation of duty
• Electronic signature in workflow (future)
How Is the Additional “lock” Implemented at Polk County?
1. SAP Logon - for individual users like the principal
2. Transactions
a) via Z_Transactions – like requisition release
b) via realtime’s automated security menu
3. Fields, Info Types, Values, Buttons, Mask Fields and more
a) via user exit
b) via field exit
c) via modification
bioLock can protect basically every mouse click in the SAP system!
Principal Log On – before and after bioLock
Before: The secretary has the password and therefore authorization to use the principal’s SAP User ID.
• In the event of an incident they can blame each other
• It could be a 3rd party as well
• There is no proof of which person did what and when
• Only a User ID is recognized, not the actual person on the system
• There is absolutely NO accountability
After: The secretary’s biometric template is assigned to the principal’s SAP User ID.
• Both have to put their finger on the sensor to log in to SAP using the principal’s User ID
• Only these two can log in
• In addition to the logon, critical tasks are protected
• A log file shows which person – uniquely identified with biometrics – logged on or executed a task
• CLEAR accountability
The proof is always in writing
The log file proves: who logged on, who executed a task, who confirmed a task, and who was rejected TRYING to execute a task that they were not allowed to execute.
The logon at the School District
Logon → bioLock checks authentication rules (bioLock user/function table) → bioLock prompts you for a fingerprint → fingerprint comparison with the bioLock templates table → Logon authorized / Logon blocked
Please Note: bioLock technology identifies unique points on your finger and creates an encrypted, digital template – it never takes an actual image of the finger!!!
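A small Python model of the logon flow above and of the principal/secretary example (added here as an illustration; it is not bioLock’s or realtime’s code, and the hashed-string template is a stand-in for real fingerprint matching): 1:N identification against a template table, separate logon and function rules, and an audit trail keyed to the identified person rather than the shared User ID.

```python
import hashlib
from dataclasses import dataclass, field

# Hypothetical stand-in for a fingerprint template: a SHA-256 of a constructed
# sample string. A real sensor derives the template from unique points on the
# finger; this model only needs an opaque, comparable value.
def make_template(sample: str) -> str:
    return hashlib.sha256(sample.encode()).hexdigest()

@dataclass
class BioLockModel:
    templates: dict        # person -> template: the 1:N identification table
    user_rules: dict       # SAP User ID -> persons allowed to log on with it
    function_rules: dict   # protected function -> persons allowed to execute it
    audit: list = field(default_factory=list)  # who did what, by person not User ID

    def identify(self, sample: str):
        """1:N identification: search the whole template table, not one record."""
        captured = make_template(sample)
        return next((p for p, t in self.templates.items() if t == captured), None)

    def logon(self, user_id: str, sample: str) -> bool:
        """Logon is allowed only for a person enrolled for that User ID."""
        person = self.identify(sample)
        ok = person is not None and person in self.user_rules.get(user_id, set())
        self.audit.append(("LOGON", user_id, person or "UNIDENTIFIED",
                           "authorized" if ok else "blocked"))
        return ok

    def execute(self, user_id: str, function: str, sample: str) -> bool:
        """Unprotected functions fall through to the existing SAP roles untouched;
        protected ones require a uniquely identified, permitted person."""
        if function not in self.function_rules:
            return True
        person = self.identify(sample)
        ok = person is not None and person in self.function_rules[function]
        self.audit.append(("FUNCTION", function, user_id, person or "UNIDENTIFIED",
                           "executed" if ok else "rejected"))
        return ok

def polk_scenario() -> BioLockModel:
    """Constructed Polk County setup: two enrolled persons share one User ID,
    but only the principal may release requisitions."""
    return BioLockModel(
        templates={"principal": make_template("finger-principal"),
                   "secretary": make_template("finger-secretary")},
        user_rules={"PRINCIPAL01": {"principal", "secretary"}},
        function_rules={"requisition_release": {"principal"}},
    )
```

A rejected attempt by the secretary lands in the audit list under her own name, which is the accountability the shared password could not provide.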
Summary
• SAP Security and ALL compliance efforts (SoDs) are solely based on password-protected USER Profiles
• Passwords are not secure and offer very limited protection and no accountability at all
• Damages include severe financial losses, espionage, bad press, image loss, lawsuits, compliance violations, etc.
• Experts agree… Biometrics is the only solution approach to increase security and convenience and establish clear accountability
• bioLock is the only certified biometric technology available for SAP
Do you need this “High Level Security”?
This is your “Security” now…
This is Security at the Polk County School District…
Contact realtime at [email protected] or 1877-bioLock to schedule a personalized online education for your team!
Questions before the demo?
Session Code: 0108
Email: [email protected]