Page 1: Biometric Security for Any Transaction or Function within SAP for Clear Accountability

Cyndi Wolf, Polk County Public Schools

Thomas Neudenberger, realtime North America Inc.

Page 2:

As a result of this workshop, you will be able to understand:

• Why the largest threats to your SAP security are passwords
• That the resulting damages run into the millions and billions
• Why you should protect data and not SAP users
• That you don't have accountability in your system
• Why the Polk County School District is moving forward with innovative technology to "show passwords the finger"*

*using biometrics of course

Page 3:

Expert Statements – SAP Movie

http://realtimenorthamerica.com/download/Expert_statements.wmv

Page 4: 5 Facts about IT Security

1. Data theft and espionage is a rapidly growing crime*

2. Intruders target user profiles with extended authorizations

3. Profiles are protected with passwords that offer very limited protection

4. Long-term damages include financial losses, image loss, declined stock, lawsuits and compliance violations

5. Without biometrics, deterrence, prevention and conviction are impossible

*$400 million in damages in the DuPont espionage case

Page 5: Statistics: Threat in Numbers…

82% of all passwords are written down (Source: SAP-Info Online)

40% say they share passwords frequently (Source: Rainbow)

71% would give up their password for a candy bar (Infosecurity conference study in Europe)

95% result in significant financial losses (Source: Gartner)

92% of corporations and government agencies detected computer security breaches in the last 12 months

Last year 26.5 million records were stolen at the Department of Veterans Affairs – a $26.5 billion lawsuit followed!

Page 6: Customers Demand Biometric Devices

23% of all laptops shipped in 2007 have a built-in fingerprint sensor!

Over 100 different laptop models have built-in fingerprint sensors

Many USB devices like mice, keyboards and others are being sold for under $50

One of the leading sensor manufacturers, AuthenTec, sold 10 million sensors from 1999 to 2006

AuthenTec sold an additional 10 million sensors from July 2006 to July 2007

Page 7: Actual Financial Losses in 2006

So-called "occupational fraud" (also known as internal theft) and abuse impose enormous costs on organizations. The median loss caused by the occupational frauds in this 2006 ACFE study was $159,000. Nearly one-quarter of the cases caused at least $1 million in losses and nine cases caused losses of $1 billion or more. Participants in the study estimate U.S. organizations lose 5% of their annual revenues to fraud.

Read the full study at: http://www.acfe.com/documents/2006-rttn.pdf (Source: 2006 Study - Association of Certified Fraud Examiners – www.acfe.com)

Median single loss was $159,000

Nearly 25% of cases caused at least $1 million in losses

9 cases caused losses of $1 billion or more

It takes 15+ months to detect fraud

Page 8: Customer Pain Points

• SAP Logon: Unauthorized users use or share SAP User IDs, even at different locations at the same time
• HR: Protecting and securing HR information including health insurance info, salaries and social security numbers
• Finance: Prevent tampering with payment release, salary wire transfers, requesting or changing budgets
• Balance Sheets: Access to critical company information
• Research Data: Research data is stolen or changed
• Purchasing: Unauthorized users purchase unauthorized items
• Workflow Approval: People use supervisors' passwords
• Fast User Switching: Users are supposed to log in and out for minimal tasks but never do (bank, hospital, warehouse etc.)
• Remembering multiple passwords that could require up to 15 characters
• True Identity Management / Compliance (Sarbanes-Oxley, Section 404, Internal Controls)

Page 9: The 3 Ways to Protect -- I

There are 3 ways to protect physical or data access:

1. What you know…

2. What you have…

3. Who you are…

Page 10: The 3 Ways to Protect -- II

What you know… Passwords / PIN / Codes

What you have… Smart Cards / Tokens / Keys

Who you are… Biometrics – Fingerprint etc.

Page 11: The 3 Ways to Protect -- III

Biometrics is the only true protection since the user will be UNIQUELY identified!!!

Smart Cards and Tokens can still be lost, stolen or passed on – and the user cannot be identified or held responsible…

Passwords are historically accepted as an attempt at protecting computer systems… They offer limited protection and no Accountability at all!!!

Lawyers love these 2 ways and call it SODDI: "Some Other Dude Did It" – not my client of course…*

*Like in the multi-million dollar case of UBS PaineWebber

Page 12: 20 Ways to get anybody's Password:

• Look in drawers or on the "yellow sticky note"
• Look over shoulders of co-workers (shoulder surfing)
• Ask colleagues – 40% admit to sharing passwords
• Get emergency password (at security guard)
• Call hotline to get password reset for any user
• Check unencrypted .ini files
• Try SAP default password for SAP* - 06071992
• Key catcher, password cracker – now sold as "recovery tools"
• Monitoring / sniffers (SAP GUI traffic is transferred unencrypted unless SNC is enabled)
• Videotape it - watch for people with a cell phone around you
• Or simply associate with the owner (pet, family, hometown)

Download the "Fishing for Passwords" document at www.showpasswordsthefinger.com

Page 13: Verification versus Identification

Old Verification (1:1 – the claimed user is checked): SAP User / Password; Smart card; or Logon / Biometrics

Advanced Identification (1:N – the person is found):
• Searches a database of hundreds or thousands of biometric templates
• Uniquely identifies Thomas and launches Thomas's system
• Might identify and reject Thomas based on authorization
• Thomas's tasks or attempts will be logged in an auditing log file
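The 1:1 versus 1:N distinction above, as an added Python model that is not part of the original slides or of bioLock. Templates are simplified to lists of minutiae (x, y, angle); the persons "thomas" and "cyndi" and all enrolment and probe coordinates are constructed; the threshold and the minutiae tolerances are assumptions chosen for the example. The last function shows the practitioner's caveat: a false-accept rate that is acceptable for one verification compounds across a 1:N search.

```python
"""Verification (1:1) versus identification (1:N) over fingerprint templates.

Added example, not bioLock's code: templates are modelled as lists of
minutiae (x, y, angle) and a probe matches a template when enough minutiae
coincide within a tolerance. All enrolment and probe data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Minutia = Tuple[int, int, int]  # (x, y, ridge angle in degrees)


def _close(a: Minutia, b: Minutia, pos_tol: int = 3, ang_tol: int = 10) -> bool:
    """Two minutiae coincide if within pos_tol pixels and ang_tol degrees."""
    dx, dy = a[0] - b[0], a[1] - b[1]
    dang = abs((a[2] - b[2] + 180) % 360 - 180)   # wrap-around angle difference
    return dx * dx + dy * dy <= pos_tol * pos_tol and dang <= ang_tol


def similarity(probe: List[Minutia], template: List[Minutia]) -> float:
    """Fraction of template minutiae with a counterpart in the probe; each
    probe minutia can be paired at most once (greedy one-to-one pairing)."""
    if not template:
        return 0.0
    unused = list(probe)
    matched = 0
    for m in template:
        for i, p in enumerate(unused):
            if _close(m, p):
                matched += 1
                del unused[i]
                break
    return matched / len(template)


@dataclass
class TemplateStore:
    """Enrolled templates keyed by person, with one decision threshold."""
    threshold: float = 0.8
    templates: Dict[str, List[Minutia]] = field(default_factory=dict)

    def enroll(self, person: str, template: List[Minutia]) -> None:
        self.templates[person] = template

    def verify(self, claimed_person: str, probe: List[Minutia]) -> bool:
        """1:1 verification: the probe is compared only with the claimed
        person's template, so an impostor must beat one comparison."""
        template = self.templates.get(claimed_person)
        return template is not None and similarity(probe, template) >= self.threshold

    def identify(self, probe: List[Minutia]) -> Optional[str]:
        """1:N identification: search every template; return the best person
        above the threshold, or None when nobody (or two people) qualifies."""
        scored = sorted(((similarity(probe, t), p) for p, t in self.templates.items()),
                        reverse=True)
        if not scored or scored[0][0] < self.threshold:
            return None
        if len(scored) > 1 and scored[1][0] == scored[0][0]:
            return None   # ambiguous hit: refuse rather than guess
        return scored[0][1]


def search_false_accept_rate(per_comparison_far: float, population: int) -> float:
    """Chance that a stranger matches *somebody* in a 1:N search. It grows
    with the population, which is why identification needs a tighter
    threshold (lower per-comparison FAR) than verification."""
    return 1.0 - (1.0 - per_comparison_far) ** population


# Constructed enrolment data (not real fingerprints).
THOMAS_TEMPLATE: List[Minutia] = [(10, 10, 30), (20, 15, 45), (35, 40, 90), (50, 22, 120),
                                  (60, 60, 200), (12, 70, 10), (80, 30, 300), (44, 44, 180),
                                  (70, 75, 250), (25, 90, 60)]
CYNDI_TEMPLATE: List[Minutia] = [(15, 80, 100), (90, 10, 20), (5, 50, 270), (66, 33, 140),
                                 (40, 70, 0), (85, 85, 330), (30, 5, 200), (55, 55, 80),
                                 (77, 20, 160), (22, 40, 240)]
# A fresh scan of Thomas's finger: slight shifts, one minutia not captured.
THOMAS_PROBE: List[Minutia] = [(11, 10, 32), (20, 16, 45), (35, 40, 90), (50, 22, 120),
                               (60, 60, 200), (12, 70, 10), (80, 30, 300), (44, 44, 180),
                               (70, 75, 250)]
STRANGER_PROBE: List[Minutia] = [(3, 3, 0), (97, 97, 90), (50, 3, 45), (3, 97, 135), (97, 50, 225)]


def build_store() -> TemplateStore:
    store = TemplateStore()
    store.enroll("thomas", THOMAS_TEMPLATE)
    store.enroll("cyndi", CYNDI_TEMPLATE)
    return store


if __name__ == "__main__":
    store = build_store()
    print("verify thomas:", store.verify("thomas", THOMAS_PROBE))      # True
    print("verify cyndi :", store.verify("cyndi", THOMAS_PROBE))       # False
    print("identify     :", store.identify(THOMAS_PROBE))              # thomas
    print("stranger     :", store.identify(STRANGER_PROBE))            # None
    print("1:N FAR, N=1000, FAR=1e-4:", round(search_false_accept_rate(1e-4, 1000), 4))  # 0.0952
```

The verify path answers "is this Thomas?" with one comparison; the identify path answers "who is this?" and must beat every template in the store. With a per-comparison false-accept rate of 1 in 10,000 and 1,000 enrolled templates, roughly one stranger in ten would be identified as somebody, so an identification deployment has to run at a much stricter threshold than a verification one, and the audit log should record which path produced the match.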

Page 14:

bioLock “sits” on top of SAP Security

Existing SAP Security

Additional bioLock Security

bioLock will not “touch” or change your existing security roles or profiles!

Page 15: Independent Additional Protection

Page 16: Protect selected – NOT all – Users

Until now you had to worry about protecting access for ALL SAP Users…

• bioLock will protect individual functions in the system
• You only need to protect the users that have access to those functions
• ALL OTHERS will not be able to access them anyway – even users with SAP_ALL
• Functions can be protected either globally or on an individual basis
• You only have to worry about a few hundred users

(Figure: the protected users versus the remaining users – "NO NEED to protect!")

Page 17: Security Level - Overview

Level I SECURITY / Level II / Level III

Protect The King - Not The Castle!*

*Quote from the RSA 2007 keynote speech with Bill Gates

Page 18: Why should any company invest in biometrics?

• Prevent critical lawsuits, image loss and bad press
• Protect themselves from monetary damages and espionage
• Comply with mandatory regulations such as:
  HIPAA
  The California Act
  Data Protection Act
  FDA (Part 11 - Electronic Records)
  Sarbanes-Oxley Act – Section 404

Biometric technology will prevent most attacks, log uniquely identified users and their activities, and 'scare off' potential attackers!!!

Page 19: A study from the California State University uncovers…

• Even if your company is compliant, it is still exposed to fraud
• DuPont was 100% compliant and all auditors signed off
• They had a $400 million internal fraud case
• Companies blame and "sue" external auditors
• Insurers reject policies and payments
• More than the minimum requirements of mandatory regulations has to be done to protect assets and investors
• Without biometrics there is no true compliance

Download the complete research paper at: http://business.fullerton.edu/resources/biometrics/

Page 20: Introduction: Polk County Public Schools

The eighth-largest school district in Florida and among the largest 40 nationally

Nearly 95,000 students at almost 160 school sites

Largest employer in Polk County with more than 15,000 employees, more than half of whom are teachers

Bartow High School is ranked 167th in Newsweek magazine's 2007 list of the nation's top 1,257 high schools

Abdu Taguri, CIO

Page 21: The School District's Security Challenges

• User IDs and passwords are written down and posted on or near workstations at an alarming rate
• SAP is used for most of the district's business processes: HR, Payroll, Finance, Asset Management, Purchasing, Warehousing, Work Orders, Project Systems
• Security is role-based and assigned via position on the org chart; User IDs are maintained on HR Infotype 0105
• Concern for "Accountability" of the principal as the CEO of the individual school
• Delegation of responsibility to the school secretary via User ID and password sharing

Page 22: True Stories at the Polk School District

Years ago a school secretary paid many of her personal bills from the school district's accounts. She would create fake requisitions and invoices for non-existent vendors using PO Box addresses she rented, and then forwarded the district's checks to her debtors. Her setup was so perfect that she got away with it for several years.

Recently a school secretary used her legitimately provided access to approve overtime for herself, which resulted in a significant overpayment to herself and a financial loss to the school district.

Page 23: Biometric Approach: Polk County School District

• Logon to the principal's SAP User ID is protected to prevent:
  • unauthorized access
  • well-intentioned "delegation"
• Transactions protected:
  • Requisition release
  • Payroll (time entry) approval
• Biometric segregation of duty
• Electronic signature in workflow (future)

Page 24: How Is the Additional "lock" Implemented at Polk County?

1. SAP Logon - for individual users like the principal

2. Transactions
   a) via Z_Transactions – like requisition release
   b) via realtime's automated security menu

3. Fields, Infotypes, Values, Buttons, Mask Fields and more
   a) via user exit
   b) via field exit
   c) via modification

bioLock can protect basically every mouse click in the SAP system!

Page 25: Principal Log On – before and after bioLock

Before: The secretary has the password and therefore authorization to use the principal's SAP User ID
• In the event of an incident they can blame each other
• It could be a 3rd party as well
• There is no proof of which person did what and when
• Only a User ID is recognized, not the actual person on the system
• There is absolutely NO accountability

After: The secretary's biometric template is assigned to the principal's SAP User ID
• Each of them has to put their finger on the sensor to log in to SAP using the principal's User ID
• Only these two can log in
• In addition to the logon, critical tasks are protected
• A log file shows which person – uniquely identified with biometrics – logged on or executed a task
• CLEAR accountability

Page 26: The proof Is always in Writing

The log file proves:
• Who logged on
• Who executed the task
• Who confirmed a task
• Who was rejected TRYING to execute a task that they were not allowed to execute

Page 27: The logon at the School District

bioLock logon flow:
1. Logon: bioLock checks the authentication rules (bioLock user/function table)
2. bioLock prompts you for a fingerprint
3. Fingerprint comparison with the template table (bioLock templates)
4. Logon authorized, or logon blocked

Please Note: bioLock technology identifies unique points on your finger and creates an encrypted, digital template – it never stores an actual image of the finger!!! Treat the template table as sensitive all the same: unlike a password, a finger cannot be reissued if its template is compromised.
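The rule check, fingerprint prompt, template comparison and authorized/blocked outcome on this slide, together with the protected-function idea of slides 16 and 24 and the per-person log of slides 25 and 26, as an added Python model. This is not bioLock's code or configuration: the rules table, the User IDs PRINCIPAL01 and CLERK02, the person names, the function names Z_REQ_RELEASE and PAYROLL_APPROVAL and the template bytes are all constructed, and an exact-equality comparison stands in for the fuzzy fingerprint matcher. The point it shows is that one SAP User ID can have several enrolled persons, yet every outcome, including a rejected attempt, is logged against the person, not the User ID.

```python
"""Function-level biometric gating with a per-person audit trail.

Added example (not bioLock's code or configuration): a request names an SAP
User ID and a function (LOGON or a transaction); a rules table decides
whether a fingerprint is required; the probe is compared with the templates
assigned to that User ID; the outcome is logged against the person
identified, not only the User ID. Rules, users and templates are constructed.
"""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Dict, List, Optional, Set


@dataclass
class Rules:
    """Which functions need a fingerprint: globally, per User ID, or only for
    named persons (biometric segregation of duty)."""
    global_functions: Set[str] = field(default_factory=set)
    user_functions: Dict[str, Set[str]] = field(default_factory=dict)
    protected_logons: Set[str] = field(default_factory=set)
    function_persons: Dict[str, Set[str]] = field(default_factory=dict)

    def requires_biometric(self, user_id: str, function: str) -> bool:
        if function == "LOGON":
            return user_id in self.protected_logons
        return (function in self.global_functions
                or function in self.user_functions.get(user_id, set()))

    def person_allowed(self, person: str, function: str) -> bool:
        allowed = self.function_persons.get(function)
        return allowed is None or person in allowed


@dataclass
class AuditEntry:
    user_id: str
    function: str
    person: Optional[str]  # who put a finger on the sensor, if identifiable
    outcome: str           # NOT_REQUIRED, AUTHORIZED or BLOCKED
    reason: str


@dataclass
class Gate:
    rules: Rules
    # SAP User ID -> {person: template}. Several persons may share one User ID
    # (the principal and the secretary on the slide).
    assignments: Dict[str, Dict[str, bytes]] = field(default_factory=dict)
    log: List[AuditEntry] = field(default_factory=list)

    def assign(self, user_id: str, person: str, template: bytes) -> None:
        self.assignments.setdefault(user_id, {})[person] = template

    def _identify(self, probe: bytes, user_id: Optional[str] = None) -> Optional[str]:
        """Exact-equality stand-in for fingerprint matching (a real matcher
        scores similarity against a threshold). With user_id only that ID's
        templates are searched; without it, every enrolled template is."""
        ids = [user_id] if user_id else list(self.assignments)
        for uid in ids:
            for person, template in self.assignments.get(uid, {}).items():
                if compare_digest(template, probe):
                    return person
        return None

    def check(self, user_id: str, function: str, probe: Optional[bytes]) -> AuditEntry:
        if not self.rules.requires_biometric(user_id, function):
            entry = AuditEntry(user_id, function, None, "NOT_REQUIRED", "no rule")
        elif probe is None:
            entry = AuditEntry(user_id, function, None, "BLOCKED", "no fingerprint")
        else:
            person = self._identify(probe, user_id)
            if person is None:
                # Name the rejected person when the finger is enrolled elsewhere.
                anyone = self._identify(probe)
                entry = AuditEntry(user_id, function, anyone, "BLOCKED",
                                   "finger not assigned to this User ID")
            elif not self.rules.person_allowed(person, function):
                entry = AuditEntry(user_id, function, person, "BLOCKED",
                                   "person not permitted for this function")
            else:
                entry = AuditEntry(user_id, function, person, "AUTHORIZED", "match")
        self.log.append(entry)
        return entry


# Constructed configuration mirroring the slides (not bioLock's format).
RULES = Rules(
    global_functions={"Z_REQ_RELEASE"},
    user_functions={"PRINCIPAL01": {"PAYROLL_APPROVAL"}},
    protected_logons={"PRINCIPAL01"},
    function_persons={"Z_REQ_RELEASE": {"principal"}},  # secretary may log on, not release
)
PRINCIPAL_TMPL = b"tmpl:principal:0001"  # constructed stand-ins for encrypted templates
SECRETARY_TMPL = b"tmpl:secretary:0002"
CLERK_TMPL = b"tmpl:clerk:0003"


def build_gate() -> Gate:
    gate = Gate(RULES)
    gate.assign("PRINCIPAL01", "principal", PRINCIPAL_TMPL)
    gate.assign("PRINCIPAL01", "secretary", SECRETARY_TMPL)
    gate.assign("CLERK02", "clerk", CLERK_TMPL)
    return gate


def run_scenario() -> List[AuditEntry]:
    """The slide's story: a shared User ID, but every action tied to a person."""
    gate = build_gate()
    gate.check("CLERK02", "LOGON", None)                           # NOT_REQUIRED
    gate.check("PRINCIPAL01", "LOGON", SECRETARY_TMPL)             # AUTHORIZED, secretary
    gate.check("PRINCIPAL01", "Z_REQ_RELEASE", SECRETARY_TMPL)     # BLOCKED, secretary named
    gate.check("PRINCIPAL01", "PAYROLL_APPROVAL", PRINCIPAL_TMPL)  # AUTHORIZED, principal
    gate.check("PRINCIPAL01", "PAYROLL_APPROVAL", CLERK_TMPL)      # BLOCKED, clerk named
    gate.check("CLERK02", "Z_REQ_RELEASE", b"tmpl:unknown")        # BLOCKED, nobody identified
    return gate.log


if __name__ == "__main__":
    for e in run_scenario():
        print(f"{e.user_id:12} {e.function:16} {e.outcome:12} {e.person or '-':10} {e.reason}")
```

The third scenario is the accountability case the slides describe: the secretary is enrolled on the principal's User ID and can log on, but the release rule names only the principal, so the attempt is blocked and the log records "secretary", not "PRINCIPAL01". In a real deployment the log entries should be written to a store the logged persons cannot alter, otherwise the "proof in writing" is only as strong as the ABAP table it sits in.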

Page 28: Summary

• SAP Security and ALL compliance efforts (SoD) are solely based on password-protected USER profiles
• Passwords are not secure; they offer very limited protection and no accountability at all
• Damages include severe financial losses, espionage, bad press, image loss, lawsuits, compliance violations, etc.
• Experts agree… Biometrics is the only solution approach to increase security and convenience and establish clear accountability
• bioLock is the only certified biometric technology available for SAP

Page 29: Do you need this "High Level Security"?

This is your "Security" now…

This is Security at the Polk County School District…

Contact realtime at [email protected] or 1-877-bioLock to schedule a personalized online education for your team!

Questions before the demo?