SIM 102: Biometric Security for Any Transaction or Function within SAP for Clear Accountability
SAP AG 2007, SAP TechEd ’07 / Session ID / SIM 102
Contributing Speakers
Cyndi Wolf, Director, Systems Applications, Polk County School District. Email: [email protected]
Thomas Neudenberger, Chief Operating Officer, realtime North America Inc. Email: [email protected]
Learning Objectives
As a result of this workshop, you will be able to understand:
Why the largest threats to your SAP security are passwords
That the resulting damages run into the millions and billions
Why you currently have no accountability in your system
Why the Polk County School District moved forward with innovative technology and decided to “show passwords the finger”*
*using biometrics of course
In use at The Polk County School District
Demo in the SAP System
Security / Accountability review
Biometric Technology Advantages
Expert Statements – SAP Movie
http://realtimenorthamerica.com/download/Expert_statements.wmv
5 Facts about IT Security
1. Data theft and espionage are rapidly growing crimes*
2. Intruders target user profiles with extended authorizations
3. Profiles are protected with passwords that offer very limited protection
4. Long-term damages include financial losses, image loss, declining stock price, lawsuits and compliance violations
5. Without biometrics, deterrence, prevention and conviction are impossible
*$400 million in damages in the DuPont espionage case
Statistics: Threat in Numbers…
82% of all passwords are written down (Source: SAP-Info Online)
40% say they share passwords frequently (Source: Rainbow)
71% would give up their password for a candy bar (Source: Infosecurity conference study in Europe)
95% result in significant financial losses (Source: Gartner)
92% of corporations and government agencies detected computer security breaches in the last 12 months
In 2006, 26.5 million records were stolen at the Department of Veterans Affairs; a $26.5 billion lawsuit followed!
Customers Demand Biometric Devices
23% of all laptops shipped in 2007 have a built-in fingerprint sensor!
Over 100 different laptop models have built-in fingerprint sensors
Many USB devices such as mice and keyboards are sold with sensors as well
One of the leading sensor manufacturers, AuthenTec, sold 10 million sensors from 1999 to 2006
AuthenTec sold a further 10 million sensors from July 2006 to July 2007
Actual Financial Losses in 2006
So-called "occupational fraud" (also known as internal theft) and abuse impose enormous costs on organizations. The median loss caused by the occupational frauds in the 2006 ACFE study was $159,000. Nearly one quarter of the cases caused at least $1 million in losses, and nine cases caused losses of $1 billion or more. Participants in the study estimate that U.S. organizations lose 5% of their annual revenues to fraud. Applied to the estimated 2006 United States Gross Domestic Product, this 5% figure translates to approximately $652 billion in fraud losses.
Read the full study at: http://www.acfe.com/documents/2006-rttn.pdf (Source: 2006 Report to the Nation on Occupational Fraud and Abuse, Association of Certified Fraud Examiners, www.acfe.com)
Median single loss was $159,000
Nearly 25% of cases caused at least $1 million in losses
9 cases caused losses of $1 billion or more
Customer Pain Points
SAP Logon: Unauthorized users use or share SAP user IDs, even from different locations at the same time
HR: Protecting and securing HR information, including health insurance information, salaries and social security numbers
Finance: Preventing tampering with payment release, salaries, wire transfers, and the requesting or changing of budgets
Balance Sheets: Access to critical company information
Research Data: Research data is stolen or changed
Purchasing: Unauthorized users purchase unauthorized items
Workflow Approval: People use their supervisors' passwords
Fast User Switching: Users are supposed to log in and out for even the smallest tasks but never do (bank, hospital, warehouse etc.)
Passwords: Users have to remember multiple passwords, each of which may require up to 15 characters
True Identity Management / Compliance (Sarbanes-Oxley Section 404, Internal Controls)
The 3 Ways to Protect I
There are 3 ways to protect physical or data access:
1. What you know…
2. What you have…
3. Who you are…
The 3 Ways to Protect II
What you know…
Passwords / PIN / Codes
What you have…
Smart Cards / Tokens / Keys
Who you are…
Biometrics – Fingerprint etc.
The 3 Ways to Protect III
Biometrics is the only true protection, since the user is UNIQUELY identified!
Smart cards and tokens can still be lost, stolen or passed on, and then the user cannot be identified or held responsible…
Passwords are historically accepted as an attempt at protecting computer systems…
They offer limited protection and no accountability at all!
Lawyers love these two ways and call it:
SODDI
SOME OTHER DUDE DID IT – not my client, of course…
20 Ways to Get Anybody's Password at Any Time
Look in drawers or on the "yellow sticky note"
Look over the shoulders of co-workers (shoulder surfing)
Ask colleagues – 40% admit to sharing passwords
Get an emergency password (from the security guard)
Call the hotline and get a password reset for any user
Check unencrypted .ini files
Try the SAP default password for SAP* – 06071992
Key catchers and password crackers, now marketed as "recovery tools"
Monitoring / sniffers (SAP GUI traffic is compressed but not encrypted unless SNC is enabled)
Or simply associate with the owner (pet, family, hometown)
Download the "Fishing for Passwords" document at www.bioLock.us
Verification versus Identification
Old verification (1:1): the user first claims an identity, then proves it with
SAP user / password
Smart card, or logon / biometrics tied to that one claimed user
Advanced identification (1:N):
Searches a database of hundreds or thousands of biometric templates
Uniquely identifies Thomas and launches Thomas's system
Might identify Thomas and still reject him based on authorization
Thomas's tasks or attempts are logged in an auditing log file
bioLock “sits” on top of SAP Security
Existing SAP Security
Additional bioLock Security
bioLock will not “touch” or change your existing security roles or profiles!
Independent Additional Protection
Protect selected – NOT ALL USERS
Until now you had to worry about protecting access for ALL SAP users…
bioLock protects individual functions in the system
You only need to protect the users that have access to those functions
ALL OTHERS will not be able to access them anyway – even SAP_ALL
Functions can be protected either globally or on an individual basis
You only have to worry about a few hundred users
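The two slides above draw a distinction that is easy to get wrong in practice: 1:1 verification checks a sample against the one template belonging to a claimed identity, while 1:N identification searches every enrolled template and only afterwards asks whether the person found is allowed to act under this user ID and for this function. The following is an added illustration of that flow, not code from bioLock or from the original presentation. The matcher is a toy Jaccard score over constructed integer "minutia" sets standing in for a real fingerprint algorithm; the threshold, the user ID PRINCIPAL01, the function names LOGON and REQ_RELEASE, and the enrolment data are all assumptions.

```python
"""
Toy model of 1:1 verification versus 1:N identification, followed by the
per-user-ID / per-function authorization check. Templates are constructed
sets of integer minutia IDs compared with a Jaccard score; this is a stand-in
for a real matcher, not bioLock's algorithm. Every name and number is assumed.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

MATCH_THRESHOLD = 0.6  # assumed; a real deployment tunes this against measured FAR/FRR

# Constructed enrolment data: physical person -> biometric template.
ENROLLED: Dict[str, FrozenSet[int]] = {
    "thomas": frozenset(range(1, 21)),   # principal
    "cyndi": frozenset(range(15, 35)),   # assistant
    "alice": frozenset(range(40, 60)),   # another employee
}

# Which physical persons may act under which SAP user ID and protected function.
# Modelled on the Polk County setup in the deck: the assistant's template is
# assigned to the principal's user ID for logon only; requisition release stays
# with the principal. Functions not listed are left to SAP's own authorizations.
RULES: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("PRINCIPAL01", "LOGON"): frozenset({"thomas", "cyndi"}),
    ("PRINCIPAL01", "REQ_RELEASE"): frozenset({"thomas"}),
}

LogEntry = Tuple[str, str, Optional[str], str]  # sap_user, function, person, outcome


def match_score(sample: FrozenSet[int], template: FrozenSet[int]) -> float:
    """Jaccard similarity of two minutia sets: a toy stand-in for minutiae matching."""
    union = sample | template
    return len(sample & template) / len(union) if union else 0.0


def verify(claimed_person: str, sample: FrozenSet[int]) -> bool:
    """1:1 verification: the caller claims an identity and only that template is checked."""
    template = ENROLLED.get(claimed_person)
    return template is not None and match_score(sample, template) >= MATCH_THRESHOLD


def identify(sample: FrozenSet[int]) -> Optional[str]:
    """1:N identification: search every enrolled template, return the best match above threshold."""
    best_person, best_score = None, 0.0
    for person, template in ENROLLED.items():
        score = match_score(sample, template)
        if score > best_score:
            best_person, best_score = person, score
    return best_person if best_score >= MATCH_THRESHOLD else None


def gate(sap_user: str, function: str, sample: FrozenSet[int], log: List[LogEntry]) -> bool:
    """Decide one protected action and log the identified person, not just the user ID."""
    allowed = RULES.get((sap_user, function))
    if allowed is None:
        log.append((sap_user, function, None, "unprotected"))
        return True  # not covered by the add-on; SAP roles and profiles still apply
    person = identify(sample)
    if person is None:
        log.append((sap_user, function, None, "rejected: no matching template"))
        return False
    if person not in allowed:
        # Identified, but not permitted for this user ID / function pair.
        log.append((sap_user, function, person, "rejected: not authorized for this function"))
        return False
    log.append((sap_user, function, person, "authorized"))
    return True


# Constructed live samples: a few minutiae lost to sensor noise, spurious ones added.
THOMAS_SAMPLE = frozenset(range(1, 18)) | {99, 100}
CYNDI_SAMPLE = frozenset(range(16, 35))
UNKNOWN_SAMPLE = frozenset(range(70, 90))

if __name__ == "__main__":
    audit: List[LogEntry] = []
    print(verify("thomas", THOMAS_SAMPLE))                            # True
    print(verify("thomas", CYNDI_SAMPLE), identify(CYNDI_SAMPLE))     # False cyndi
    print(gate("PRINCIPAL01", "LOGON", CYNDI_SAMPLE, audit))          # True
    print(gate("PRINCIPAL01", "REQ_RELEASE", CYNDI_SAMPLE, audit))    # False
    print(gate("PRINCIPAL01", "REQ_RELEASE", UNKNOWN_SAMPLE, audit))  # False
    for entry in audit:
        print(entry)
```

Two points a practitioner should take from this. First, the log records the person `identify()` found, so the assistant using the principal's user ID appears as herself, which is the accountability the deck is after. Second, with 1:N search the chance of a false accept grows with the number of enrolled templates, so a threshold that is adequate for 1:1 verification is not automatically adequate for identification across a whole district; the threshold has to be tuned against the enrolled population, and the templates themselves remain sensitive data because, unlike a password, a finger cannot be rotated after a leak.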
Security Level - Overview
Level I – Security
Level II
Level III
"Protect the King – Not the Castle!"*
*Quote from the RSA 2007 keynote with Bill Gates
Why Should any Company Invest in Biometrics?
Prevent critical lawsuits, image loss and bad press
Protect themselves from monetary damages and espionage
Comply with mandatory regulations such as:
HIPAA
The California Act
Data Protection Act
FDA 21 CFR Part 11 (Electronic Records)
Sarbanes-Oxley Act – Section 404
Biometric technology will prevent most attacks, log uniquely identified users and their activities, and 'scare off' potential attackers!
Introduction: Polk County Public Schools
The eighth-largest school district in Florida and among the largest 40 nationally
Nearly 93,000 students at almost 160 school sites
Largest employer in Polk County, with more than 11,500 employees, half of whom are teachers
Bartow High's International Baccalaureate School was ranked by Newsweek magazine in 2006 as #169 of the nation's top 1,000 public high schools
Abdu Taguri, CIO
The School District's Security Challenges
User IDs and passwords are written down and posted on or near workstations at an alarming rate
SAP is used for most of the district's business processes: HR, Payroll, Finance, Asset Management, Purchasing, Warehousing, Work Orders, Project Systems
Security is role-based and assigned via position on the org chart; user IDs are maintained on HR Infotype 0105
Concern for "accountability" of the principal as the CEO of the individual school
"Delegation" of responsibility to the school secretary via user ID and password sharing
The True Story at the Polk School District
What happened at the school:
At the school district a lady in the finance department paid most of her personal bills from the school district's accounts. She would create fake invoices from non-existent vendors for the exact amounts and then pay her personal bills with school funds. Her setup was so perfect that she got away with it for a long time.
Unfortunately, "as a joke" one of her personal vendors called the school district and asked about a job opening. When asked for a reason, he answered that he was looking for an employer that would pay his personal bills.
It was fortunate for the school that this person tried to make a joke and ended up stopping a financial fraud on a large scale.
This story was presented by Cyndi Wolf, Director of Systems Applications, who was in the school's finance department when it happened.
Biometric Approach: Polk County School District
Logon to the principal's SAP user ID is protected to prevent:
unauthorized access
well-intentioned "delegation"
Transactions protected:
Requisition release
Payroll (time entry) approval
Biometric segregation of duties
Electronic signature in workflow (future)
How Is the Additional “lock” Implemented at Polk County?
1. SAP Logon - for individual users like the principal
2. Transactions
a) via Z_Transactions – like requisition release
b) via realtime’s automated security menu
3. Fields, Infotypes, Values, Buttons, Mask Fields and more
a) via user exit
b) via field exit
c) via modification
bioLock can protect basically every mouse click in the SAP system!
Principal Logon – before and after bioLock
Before:
The assistant has the password and therefore authorization to use the principal's SAP user ID
In the event of an incident they can blame each other; it could be a 3rd party as well
There is no proof of which person did what and when
Only a user ID is recognized, not the actual person on the system
There is absolutely NO accountability
After:
The assistant's biometric template is assigned to the principal's SAP user ID
Both have to put a finger on the sensor to log in to SAP using the principal's user ID
Only these two can log in
In addition to the logon, critical tasks are protected
A log file shows which person – uniquely identified with biometrics – logged on or executed a task
CLEAR accountability
The Proof Is Always in Writing
The log file proves: who logged on, who executed a task, who confirmed a task, and who was rejected while TRYING to execute a task they were not allowed to execute
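A log file is only proof if nobody with write access to the SAP host can quietly edit or drop a record after the fact, which is exactly the kind of insider the Polk County story describes. The following is an added example of how such a log can be made tamper-evident, not bioLock's log format: each record stores the biometrically identified person next to the SAP user ID and is chained to its predecessor with an HMAC over the record content and the previous MAC. The key handling, field names and sample entries (modelled on the principal / assistant scenario above) are constructed assumptions.

```python
"""
Tamper-evident audit trail for biometric decisions. Each entry carries the
identified person (not only the SAP user ID) and an HMAC over its own content
plus the previous entry's MAC, so editing, reordering or deleting an entry
breaks the chain. Added illustration; key handling and field names are assumed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64
FIELDS = ("ts", "sap_user", "function", "person", "outcome")


class AuditLog:
    def __init__(self, key: bytes) -> None:
        # Assumption: the key is provisioned from outside the SAP host, so an
        # administrator who can edit the log file cannot also re-sign it.
        self._key = key
        self.entries: List[Dict[str, Optional[str]]] = []
        self._last_mac = GENESIS

    def _mac(self, payload: Dict[str, Optional[str]], prev_mac: str) -> str:
        msg = json.dumps(payload, sort_keys=True).encode() + prev_mac.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, ts: str, sap_user: str, function: str,
               person: Optional[str], outcome: str) -> Dict[str, Optional[str]]:
        """Append one decision; `person` is the identified individual, None if nobody matched."""
        payload = dict(zip(FIELDS, (ts, sap_user, function, person, outcome)))
        entry = dict(payload, prev=self._last_mac, mac=self._mac(payload, self._last_mac))
        self.entries.append(entry)
        self._last_mac = entry["mac"]
        return entry

    def first_broken(self) -> Optional[int]:
        """Index of the first entry whose chain link fails, or None if the log is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            payload = {k: entry[k] for k in FIELDS}
            expected = self._mac(payload, prev)
            if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
                return i
            prev = entry["mac"]
        return None

    def who(self, function: str) -> List[str]:
        """The question the deck asks: which persons touched this function, and with what result."""
        return [f'{e["person"] or "<no match>"}: {e["outcome"]}'
                for e in self.entries if e["function"] == function]


def build_sample_log() -> AuditLog:
    """Constructed entries modelled on the Polk County scenario in the deck."""
    log = AuditLog(key=b"demo-key-replace-me")  # placeholder key
    log.record("2007-10-01T08:02:11", "PRINCIPAL01", "LOGON", "cyndi", "authorized")
    log.record("2007-10-01T08:05:40", "PRINCIPAL01", "REQ_RELEASE", "cyndi", "rejected: not authorized")
    log.record("2007-10-01T09:14:03", "PRINCIPAL01", "REQ_RELEASE", "thomas", "authorized")
    log.record("2007-10-01T09:20:55", "PRINCIPAL01", "REQ_RELEASE", None, "rejected: no matching template")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.first_broken())        # None: chain intact
    print(log.who("REQ_RELEASE"))
    log.entries[1]["person"] = "thomas"   # someone rewrites history
    print(log.first_broken())        # 1: the edited entry no longer verifies
```

Note the limit of this technique: removing entries from the tail of the log leaves the remaining chain valid, so the latest MAC must also be anchored outside the host (forwarded to a SIEM, printed to write-once media, or countersigned periodically) for the "who was rejected" claim to survive a determined insider.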
SAP Logon with bioLock at the Polk School District
Logon: bioLock checks the authentication rules (bioLock user/function table)
bioLock prompts you for a fingerprint
Fingerprint comparison with the bioLock template table
Result: logon authorized or logon blocked
Please note: bioLock technology identifies unique points on your finger and creates an encrypted, digital template – it never takes an actual image of the finger!
Summary
SAP security and ALL compliance efforts (SoD) are based solely on password-protected USER profiles
Passwords are not secure; they offer very limited protection and no accountability at all
Damages include severe financial losses, espionage, bad press, image loss, lawsuits, compliance violations, etc.
Experts agree… Biometrics is the only solution approach that increases security and convenience and establishes clear accountability
bioLock is the only certified biometric technology available for SAP
Do you need this “High Level Security”?
This is your “Security” now…
This is Security at the Polk County School District…
Contact realtime at [email protected] or 1-877-bioLock to schedule a personalized online education for your team!
DEMO – Questions before the demo?
Further Information
SAP Public Web:
SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
Related Workshops/Lectures at SAP TechEd '07:
Session SIM 210, Marathon Oil: Using Risk-Based Role Design and APM to Achieve SOX Compliance
Security in Practice
Americas' SAP Users' Group (ASUG): www.asug.com
Related SAP Education and Certification Opportunities: http://www.sap.com/education/
ASUG and SAP: Partners in Education
ASUG, the Americas’ SAP Users’ Group, is the world’s largest, customer-run community of SAP professionals and partners, with 45,000 individual members and 1,800 companies represented. ASUG delivers the highest value to member companies, allowing them to maximize their SAP investments.
Some highlighted benefits include:
– Access to a year-round community for SAP customers and partners
– Diverse mix of educational topics and events through a variety of formats
– Exclusive opportunity to influence SAP future product direction
– Unparalleled networking opportunities with a dynamic professional network
– Unprecedented partnership with SAP
– Access to ASUG Groups and Chapters
To learn more about ASUG, visit the ASUG booth in the SDN Clubhouse, or visit our Web site at www.asug.com.
THANK YOU FOR YOUR
ATTENTION !
QUESTIONS – SUGGESTIONS – DISCUSSION
Q & A
Please complete your session evaluation.
Be courteous — deposit your trash, and do not take the handouts for the following session.
Feedback
Thank You !