Page 1

SIM 102 Biometric Security for Any Transaction or Function within SAP for Clear Accountability

Page 2

SAP AG 2007, SAP TechEd ’07 / Session ID / SIM 102

Contributing Speakers

Cyndi Wolf, Director/Systems Applications, Polk County School District. Email: [email protected]

Thomas Neudenberger, Chief Operating Officer, realtime North America Inc. Email: [email protected]

Page 3

Learning Objectives

As a result of this workshop, you will be able to understand:

Why the largest threats to your SAP security are passwords

That the resulting damages run into the millions and billions

That you don’t have accountability in your system

Why the Polk County School District moved forward with innovative technology and decided to “show passwords the finger”*

*using biometrics of course

Page 4

In use at The Polk County School District

Demo in the SAP System

Security / Accountability review

Biometric Technology Advantages

Page 5

Expert Statements – SAP Movie

http://realtimenorthamerica.com/download/Expert_statements.wmv

Page 6

5 Facts about IT Security

1. Data theft and espionage are rapidly growing crimes*

2. Intruders target user profiles with extended authorizations

3. Profiles are protected with passwords that offer very limited protection

4. Long-term damages include financial losses, image loss, declining stock prices, lawsuits and compliance violations

5. Without biometrics, deterrence, prevention and conviction are impossible

*$400 million in damages in the DuPont espionage case

Page 7

Statistics: Threat in Numbers…

82% of all passwords are written down (SAP-Info Online)

40% say they share passwords frequently (Source: Rainbow)

71% would give up password for a candy bar (Infosecurity conference study in Europe)

95% result in significant financial losses (Source: Gartner)

92% of corporations and government agencies detected computer security breaches in the last 12 months

Last year 26.5 million records were stolen at the Department of Veterans Affairs – a $26.5 billion lawsuit followed!

Page 8

Customers Demand Biometric Devices

23% of all laptops shipped in 2007 have a built-in fingerprint sensor!

Laptops with fingerprint sensors: over 100 different laptop models have built-in fingerprint sensors

Many USB devices with fingerprint sensors, such as mice, keyboards and others, are being sold

One of the leading sensor manufacturers, AuthenTec, sold 10 million sensors from 1999 to 2006

Authentec sold an additional 10 million sensors from July 2006 to July 2007

Page 9

Actual Financial Losses in 2006

The so-called “occupational fraud” (also known as internal theft) and abuse imposes enormous costs on organizations. The median loss caused by the occupational frauds in this 2006 ACFE study was $159,000. Nearly one-quarter of the cases caused at least $1 million in losses and nine cases caused losses of $1 billion or more. Participants in the study estimate U.S. organizations lose 5% of their annual revenues to fraud. Applied to the estimated 2006 United States Gross Domestic Product, this 5% figure would translate to approximately $652 billion in fraud losses.

Read the full study at: http://www.acfe.com/documents/2006-rttn.pdf (Source: 2006 Study - Association of Certified Fraud Examiners – www.acfe.com)

Average single loss was $159,000

25% caused $1 million in losses

9 cases caused $1 billion or more in losses

Page 10

Customer Pain Points

SAP Logon: Unauthorized users use or share SAP User IDs, even at different locations at the same time

HR: Protecting and securing HR information including health insurance info, salaries and social security numbers

Finance: Prevent tampering with payment release, salaries, wire transfers, requesting or changing budgets

Balance Sheets: Access to critical company information

Research Data: Research data is stolen or changed

Purchasing: Unauthorized users purchase unauthorized items

Workflow Approval: People use supervisors’ passwords

Fast User Switching: Users are supposed to log in and out for minimum tasks but never do (bank, hospital, warehouse etc.)

Having to remember multiple passwords that could require up to 15 characters

True Identity Management / Compliance (Sarbanes-Oxley, Section 404, Internal Controls)

Page 11

The 3 Ways to Protect I

There are 3 ways to protect physical or data access:

1. What you know…

2. What you have…

3. Who you are…

Page 12

The 3 Ways to Protect II

What you know…

Passwords / PIN / Codes

What you have…

Smart Cards / Tokens / Keys

Who you are…

Biometrics – Fingerprint etc.

Page 13

The 3 Ways to Protect III

Biometrics is the only true protection since the user will be UNIQUELY identified!!!

Smart Cards and Tokens can still be lost, stolen or passed on – and the user cannot be identified or held responsible…

Passwords are historically accepted to attempt protecting computer systems…

They offer limited protection and no accountability at all!!!

Lawyers love these 2 ways and call it:

SODDI

SOME OTHER DUDE DID IT – not my client of course…

Page 14

20 Ways to Get Anybody’s Password at any Time

Look in drawers or on the “yellow sticky note”

Look over shoulders of co-workers (shoulder surfing)

Ask colleagues – 40% admit to sharing passwords

Get emergency password (at security guard)

Call hotline to get password reset for any user

Check unencrypted .ini files

Try SAP default password for SAP* - 06071992

Key Catcher, Password Cracker – Now: Recovery Tools

Monitoring / Sniffers (transfer from GUI not encrypted)

Or simply associate with owner (pet, family, hometown)

Download the “Fishing for Passwords” document at www.bioLock.us

Page 15

Verification versus Identification

Old Verification:

SAP User / Password

Smart card or Logon / Biometrics

Advanced Identification:

Searches a database of hundreds or thousands of biometric templates

Uniquely identifies Thomas and launches Thomas System

Might identify and reject Thomas based on authorization

Thomas’s tasks or attempts will be logged in an audit log file

Page 16

bioLock “sits” on top of SAP Security

Existing SAP Security

Additional bioLock Security

bioLock will not “touch” or change your existing security roles or profiles!

Page 17

Independent Additional Protection

Page 18

Protect selected – NOT ALL USERS

Until now you had to worry about protecting access for ALL SAP Users…

bioLock will protect individual functions in the system

You only need to protect the users that have access to those functions

ALL OTHERS will not be able to access them anyway – even SAP ALL

Functions can be protected either globally or on an individual basis

You only have to worry about a few hundred Users

Protected: the users with access to the protected functions. All others: NO NEED to protect!

Page 19

Security Level - Overview

SECURITY: Level I, Level II, Level III

Protect The King - Not The Castle!*

*Quote from the RSA 2007 keynote speech with Bill Gates

Page 20

Why Should any Company Invest in Biometrics?

Prevent critical lawsuits, image loss and bad press

Protect themselves from monetary damages and espionage

Comply with mandatory regulations such as:

HIPAA

The California Act

Data Protection Act

FDA (Part 11 - Electronic Records)

Sarbanes-Oxley Act – Section 404

Biometric technology will prevent most attacks, log uniquely identified users and their activities, and ‘scare off’ potential attackers!!!

Page 21

Introduction: Polk County Public Schools

The eighth-largest school district in Florida and among the largest 40 nationally

Nearly 93,000 students at almost 160 school sites

Largest employer in Polk County with more than 11,500 employees, half of whom are teachers

Bartow High’s International Baccalaureate School was ranked by Newsweek magazine in 2006 as #169 of the nation's top 1,000 public high schools

Abdu Taguri, CIO

Page 22

The School District’s Security Challenges

User IDs and passwords are written down and posted on or near workstations at an alarming rate

SAP is used for most of the district’s business processes: HR, Payroll, Finance, Asset Management, Purchasing, Warehousing, Work Orders, Project Systems

Security is role-based and assigned via position on the org chart; User IDs are maintained on HR Infotype 0105

Concern for “Accountability” of the principal as the CEO of the individual school

Delegation of responsibility to the school secretary via User ID and password sharing

Page 23

The True Story at the Polk School District

What happened at the school:

At the school district a lady in the finance department paid most of her personal bills from the school district’s accounts. She would create fake invoices from non-existent vendors for the exact amounts and then paid her personal bills with school funds. Her setup was so perfect that she got away with it for a long time.

Unfortunately “as a joke” one of her personal vendors called the school district and asked for a job opening. When asked for a reason he answered that he was looking for an employer that would pay his personal bills.

It was fortunate for the school that this person tried to make a joke and ended up stopping a financial fraud on a large scale.

This story was presented by Cyndi Wolf, Director of Systems Applications, who was in the school’s finance department when it happened.

Page 24

Biometric Approach: Polk County School District

Logon to the principal’s SAP User ID is protected to prevent: unauthorized access

well-intentioned “delegation”

Transactions protected: Requisition release

Payroll (time entry) approval

Biometric segregation of duty

Electronic signature in workflow (future)

Page 25

How Is the Additional “lock” Implemented at Polk County?

1. SAP Logon - for individual users like the principal

2. Transactions

a) via Z_Transactions – like requisition release

b) via realtime’s automated security menu

3. Fields, Infotypes, Values, Buttons, Mask Fields and more

a) via user exit

b) via field exit

c) via modification

bioLock can protect basically every mouse click in the SAP system!

Page 26

Principal Log On - before and after bioLock

Before:

Assistant has the password and therefore authorization to use the principal’s SAP User ID

In the event of an incident they can blame each other

It could be a 3rd party as well

There is no proof of which person did what and when

Only a User ID is recognized, not the actual person on the system

There is absolutely NO accountability

After:

Assistant’s biometric template is assigned to the principal’s SAP User ID

Both have to put the finger on the sensor to log in to SAP using the principal’s user ID

Only these two can log in

In addition to the log on, critical tasks are protected

A log file shows which person - uniquely identified with biometrics - logged on or executed a task

CLEAR accountability

Page 27

The Proof Is Always in Writing

The log file proves:

Who logged on

Who executed the task

Who confirmed a task

Who was rejected TRYING to execute a task that they were not allowed to execute

Page 28

SAP Logon with bioLock at the Polk School District

1. Logon: bioLock checks the authentication rules (bioLock user/function table)

2. bioLock prompts you for a fingerprint

3. Fingerprint comparison with the bioLock templates table

4. Result: logon authorized or logon blocked

Please Note: bioLock technology identifies unique points on your finger and creates an encrypted, digital template – it never takes an actual image of the finger!!!
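The logon flow above, together with the verification-versus-identification slide, as an added illustration that is not bioLock’s code and not part of the original deck: a constructed Python model in which fingerprint matching is simulated as overlap between sets of point ids, and the names PRINC01, Pat and Alex, the rule table and the threshold are all invented for the example. It shows 1:N identification against an enrolled template table, an individual or global function rule checked on top of untouched SAP roles, and an audit entry that records the identified person, including rejected and unidentified attempts.

```python
from dataclasses import dataclass, field

# A template is modelled as a frozenset of "unique point" ids extracted from a finger,
# a constructed stand-in for an encrypted minutiae template (no image is ever stored).
Template = frozenset

def match_score(probe: Template, enrolled: Template) -> float:
    """Jaccard similarity of two point sets: 1.0 identical, 0.0 no overlap."""
    union = probe | enrolled
    return len(probe & enrolled) / len(union) if union else 0.0

@dataclass
class BioLock:
    """Protection layer on top of existing SAP roles; it never edits those roles."""
    templates: dict                      # person -> enrolled Template
    rules: dict                          # (sap_user or "*", function) -> set of persons allowed
    threshold: float = 0.8               # minimum score to accept an identification
    audit_log: list = field(default_factory=list)

    def identify(self, probe: Template):
        """1:N identification: search every enrolled template, return best match or None."""
        scored = [(match_score(probe, t), person) for person, t in self.templates.items()]
        score, person = max(scored, default=(0.0, None))
        return person if score >= self.threshold else None

    def rule_for(self, sap_user: str, function: str):
        """An individual rule (user, function) wins over a global rule ("*", function)."""
        return self.rules.get((sap_user, function), self.rules.get(("*", function)))

    def authorize(self, sap_user: str, function: str, probe: Template) -> bool:
        """Gate one function call; the log names the physical person, not the shared user ID."""
        allowed = self.rule_for(sap_user, function)
        if allowed is None:              # not protected by bioLock: SAP roles alone decide
            return True
        person = self.identify(probe)
        ok = person is not None and person in allowed
        outcome = "UNIDENTIFIED" if person is None else ("AUTHORIZED" if ok else "REJECTED")
        self.audit_log.append((sap_user, function, person, outcome))
        return ok

def demo():
    """Constructed scenario: the principal's SAP user ID PRINC01 is shared with an assistant."""
    lock = BioLock(
        templates={"Pat": Template(range(100, 110)), "Alex": Template(range(200, 210))},
        rules={("PRINC01", "LOGON"): {"Pat", "Alex"},   # both may log on as PRINC01
               ("*", "REQ_RELEASE"): {"Pat"}},          # only the principal releases requisitions
    )
    alex_live = Template(list(range(200, 209)) + [999])  # same finger, one noisy point: 9/11 = 0.82
    stranger = Template(range(300, 310))                 # a finger that was never enrolled
    results = (lock.authorize("PRINC01", "LOGON", alex_live),        # True, logged AUTHORIZED
               lock.authorize("PRINC01", "REQ_RELEASE", alex_live),  # False, logged REJECTED
               lock.authorize("PRINC01", "LOGON", stranger),         # False, logged UNIDENTIFIED
               lock.authorize("PRINC01", "ZDISPLAY", stranger))      # True, unprotected function
    return results, lock.audit_log
```

The unprotected ZDISPLAY call produces no audit entry, mirroring the deck's point that bioLock only adds a check where a function has been protected.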

Page 29

Summary

SAP Security and ALL compliance efforts (SoDs) are solely based on password-protected USER Profiles

Passwords are not secure and offer very limited protection and no accountability at all

Damages include severe financial losses, espionage, bad press, image loss, lawsuits, compliance violations, etc.

Experts agree… Biometrics is the only solution approach to increase security and convenience and establish clear accountability

bioLock is the only certified biometric technology available for SAP

Page 30

Do you need this “High Level Security”?

This is your “Security” now…

This is Security at the Polk County School District…

Contact realtime at [email protected] or 1-877-bioLock to schedule a personalized online education for your team!

Page 31

DEMO

Questions before the demo?

Page 32

Further Information

SAP Public Web: SAP Developer Network (SDN): www.sdn.sap.com

Business Process Expert (BPX) Community: www.bpx.sap.com

Related Workshops/Lectures at SAP TechEd ’07: Session SIM 210, Marathon Oil, Using Risk-Based Role Design and APM to Achieve SOX Compliance

Security in Practice

Americas’ SAP Users’ Group (ASUG): www.asug.com

Related SAP Education and Certification Opportunities: http://www.sap.com/education/

Page 33

ASUG and SAP: Partners in Education

ASUG, the Americas’ SAP Users’ Group, is the world’s largest, customer-run community of SAP professionals and partners, with 45,000 individual members and 1,800 companies represented. ASUG delivers the highest value to member companies, allowing them to maximize their SAP investments.

Some highlighted benefits include:

– Access to a year-round community for SAP customers and partners

– Diverse mix of educational topics and events through a variety of formats

– Exclusive opportunity to influence SAP future product direction

– Unparalleled networking opportunities with a dynamic professional network

– Unprecedented partnership with SAP

– Access to ASUG Groups and Chapters

To learn more about ASUG, visit the ASUG booth in the SDN Clubhouse, or visit our Web site at www.asug.com.

Page 34

THANK YOU FOR YOUR

ATTENTION !

QUESTIONS – SUGGESTIONS – DISCUSSION

Q & A

Page 35

Please complete your session evaluation.

Be courteous — deposit your trash, and do not take the handouts for the following session.

Feedback

Thank You !