

									SIM 102
Biometric Security for Any
Transaction or Function Within
SAP for Clear Accountability
Contributing Speaker(s)

     Cyndi Wolf
     Director/Systems Applications

     Polk County School District


     Thomas Neudenberger
     Chief Operating Officer

     realtime North America Inc.


                     SAP AG 2007, SAP TechEd ’07 / Session ID / SIM 102
Learning Objectives

As a result of this workshop,
you will be able to understand:

  • Why the largest threats to your SAP security are passwords

  • That the resulting damages go in the millions and billions

  • You don’t have accountability in your system

  • Why the Polk County School District moved forward with innovative
    technology and decided to “show passwords the finger”*

               *using biometrics of course

Security / Accountability review

Biometric Technology Advantages

In use at The Polk County School District

Demo in the SAP System
Expert Statements – SAP Movie

5 Facts about IT Security

1. Data theft and espionage is a rapidly growing crime*
2. Intruders target user profiles with extended authorizations
3. Profiles are protected with passwords that offer very limited
4. Long-term damages include financial damages, image loss,
   declined stock, lawsuits and compliance violations
5. Without biometrics deterring, prevention and conviction is

   *$400 million in damages in the DuPont espionage case

Statistics: Threat in numbers…

   • 82% of all passwords are written down (SAP-Info Online)
   • 40% say they share passwords frequently (Source: Rainbow)
   • 71% would give up password for a candy bar (Infosecurity conference study in Europe)
   • 92% of corporations and government agencies detected computer security breaches in the last 12 months
   • 95% result in significant financial losses (Source Gartner)
   • Last year 26.5 million records were stolen at the Department for Veterans Affairs – a $26.5 billion lawsuit followed!

   Laptops with finger print sensors: As a result 23% of all laptops shipped in 2007 have a built-in fingerprint sensor!

Actual financial losses in 2006

                 • Average single loss was $159,000
                 • 25% caused $1 million in losses
                 • 9 cases of a $1 billion in losses and more

The so-called “occupational fraud” (also known as internal theft) and abuse
imposes enormous costs on organizations. The median loss caused by the
occupational frauds in this 2006 ACFE study was $159,000. Nearly one-quarter
of the cases caused at least $1 million in losses and nine cases
caused losses of $1 billion or more. Participants in the study estimate U.S.
organizations lose 5% of their annual revenues to fraud. Applied to the
estimated 2006 United States Gross Domestic Product, this 5% figure would
translate to approximately $652 billion in fraud losses.
Read the full study at:
(Source: 2006 Study - Association of Certified Fraud Examiners –

Customer Pain Points

    • SAP Logon: Unauthorized users use or share SAP User IDs even at
       different locations at the same time
    • HR: Protecting and securing HR information including health insurance info,
       salaries and social security numbers
    • Finance: Prevent tampering with payment release, salaries, wire transfers,
       requesting or changing budgets
    • Balance Sheets: Access to critical company information
    • Research Data: Research data is stolen or changed
    • Purchasing: Unauthorized users purchase unauthorized items
    • Workflow Approval: People use supervisors’ passwords
    • Fast User Switching: Users are supposed to log in and out for minimum tasks
       but never do (bank, hospital, warehouse etc.)
    • Remember multiple passwords that could require up to 15 characters
    • True Identity Management / Compliance (Sarbanes-Oxley, Section 404, Internal Controls)

The 3 Ways to Protect I

            There are 3 ways to protect
             physical or data access:

             1. What you know…

           2. What you have…

       3. Who you are…

The 3 Ways to Protect II

             What you know…

             Passwords / PIN / Codes

          What you have…

          Smart Cards / Tokens / Keys

       Who you are…

       Biometrics – Fingerprint etc.

The 3 Ways to Protect III

    Biometrics is the only true protection since
    the user will be UNIQUELY identified!!!

    Smart Cards and Tokens can still be lost,
    stolen or passed on – and the user can
    not be identified or held responsible…

    Passwords are historically accepted to
    attempt protecting computer systems…
    They offer limited protection and
    no Accountability at all !!!

    Lawyers love these 2 ways and call it:
    SOME OTHER DUDE DID IT – not my client of course…

20 Ways to get anybody’s password at any time

 •   Look in drawers or on the “yellow sticky note”
 •   Look over shoulders of co-workers (shoulder Surfing)
 •   Ask colleagues – 40% admit to sharing passwords
 •   Get emergency password (at security guard)
 •   Call hotline to get password reset for any user
 •   Check unencrypted .ini files
 •   Try SAP default password for SAP* - 06071992
 •   Key Catcher, Password Cracker – Now: Recovery Tools
 •   Monitoring / Sniffers (transfer from GUI not encrypted)
 •   Or simply associate with owner (pet, family, hometown)

Download the “Fishing for Passwords” document at

Verification versus Identification

 Old Verification:
   SAP User/
   Smart card or Logon /

 Advanced Identification:
   • Searches Database of 100’s or 1000’s of biometric templates
   • Uniquely identifies Thomas and launches Thomas System
   • Might identify and reject Thomas based on authorization
   • Thomas Tasks or Attempts will be logged in an auditing log file

bioLock “sits” on top of SAP Security

  Additional bioLock Security

            Existing SAP Security

   bioLock will not “touch” or change
 your existing security roles or profiles!

Independent Additional Protection

Protect selected – NOT ALL USERS

          Until now you had to worry about
          protecting access for ALL SAP Users…

   • bioLock will protect individual functions in the system
   • You only need to protect the users that have access to those functions
   • ALL OTHERS will not be able to access them anyway – even SAP ALL
   • Functions can either be protected Globally or on Individual Basis
   • You only have to worry about a few hundred Users


                               NO NEED
                            to protect!

Security Level - Overview

                                                                           Level I
                                                                             Level II
                                                                               Level III

    Protect The King - Not The Castle!*
        *Quote Keynote Speech RSA 2007 with Bill Gates

Why should any company invest in biometrics?

  •   Prevent critical lawsuits, image loss and bad press
  •   Protect themselves from monetary damages and espionage
  •   Comply with mandatory regulations such as:

                 HIPAA
                 The California Act
                 Data Protection Act
                 FDA (Part 11-Electronic Records)
                 Sarbanes-Oxley Act – Section 404

          Biometric technology will prevent most attacks,
          log uniquely identified users and their activities,
                and ‘scare off’ potential attackers !!!

Introduction: Polk County Public Schools

• The eighth-largest school district
  in Florida and among the largest
  40 nationally
• Nearly 93,000 students at almost
  160 school sites
• Largest employer in Polk County
  with more than 11,500 employees,        Abdu Taguri, CIO
  half of whom are teachers
• Bartow High’s International Baccalaureate School was
  ranked by Newsweek magazine in 2006 as #169 of the
  nation's top 1,000 public high schools

The School District’s Security Challenges

• User IDs and passwords are written down and posted on
  or near workstations at an alarming rate
• SAP is used for most of the district’s business processes:
  HR, Payroll, Finance, Asset Management, Purchasing,
  Warehousing, Work Orders, Project Systems
• Security is role-based and assigned via position on the org
  chart; User IDs are maintained on HR Infotype 0105
• Concern for “Accountability” of the principal as the CEO of
  the individual school
   • “Delegation” of responsibility to school secretary via
      User ID and password sharing
   • “True Story”

True Story explained:
     At the school district a lady in the finance department paid
     most of her personal bills from the school district’s accounts.
     She would create fake invoices from non-existing vendors over
     the exact amounts and then paid her personal bills with school
     funds. Her setup was so perfect that she got away with it for a
     long time.
     Unfortunately “as a joke” one of her personal vendors called
     the school district and asked for a job opening. When asked
     for a reason he answered that he was looking for an employer
     that would pay his personal bills.
     It was fortunate for the school that this person tried to make a
     joke and ended up stopping a financial fraud on a large scale.
     This story was presented by Cindy Wolf, Director of Systems Integration,
     who was in the school’s finance department when it happened

Biometric Approach: Polk County School District

  • Logon to the principal’s SAP User ID is protected
     to prevent:
      • unauthorized access
      • well-intentioned “delegation”
  • Transactions protected:
      • Requisition release
      • Payroll (time entry) approval
  • Biometric segregation of duty
  • Electronic signature in workflow (future)

How is the additional “lock” implemented at Polk County?

    1. SAP Logon - for individual users like the principal

    2. Transactions
    a) via Z_Transactions – like requisition release
    b) via realtime’s automated security menu

    3. Fields, Info Types, Values, Buttons, Mask Fields and more
    a) via user exit
    b) via field exit
    c) via modification

    bioLock can protect basically every mouse click in the SAP system!

 Principal Log On - before and after bioLock

Before:
• Assistant has the password and therefore authorization to
  use principal’s SAP User ID
• In the event of an incident they can blame each other
• It could be a 3rd party as well
• There is no proof of which person did what and when
• Only a User ID is recognized, not the actual person on the system
• There is absolutely NO accountability

After:
• Assistant’s biometric template is assigned to principal’s SAP User ID
• Both have to put the finger on the sensor to log in SAP
  using the principal’s user ID
• Only these two can log in
• In addition to the log on, critical tasks are protected
• A log file shows which person – uniquely identified
  with biometrics - logged on or executed a task
• CLEAR accountability

      The proof is in writing

The log file proves:

•   Who did log on
•   Who executed the task
•   Who confirmed a task
•   Who was rejected TRYING to
    execute a task that they were not
    allowed to execute

 SAP Logon with bioLock at the Polk School District

   • Logon
   • bioLock checks authentication rules
   • bioLock user/
   • bioLock prompts you for fingerprint
   • Fingerprint comparison with table
   • Logon blocked / Logon authorized

Please Note: bioLock technology identifies unique points on your finger and creates an
encrypted, digital template – it never takes an actual image of the finger!!!
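
A minimal model of the gate described on this slide and the two before it, as an added example (not bioLock's or realtime's code): rules are checked first, the fingerprint sample is searched 1:N against the enrolled templates, and the log records the identified person next to the SAP user ID. The template vectors, distance matcher, threshold, user ID and function names are all constructed assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed enrollment table: person -> template. Real templates are
# vendor-specific encodings of finger features; short vectors stand in here.
TEMPLATES = {
    "principal": (0.91, 0.12, 0.40, 0.77),
    "assistant": (0.15, 0.88, 0.63, 0.05),
    "teacher":   (0.52, 0.49, 0.11, 0.95),
}
# Hypothetical rules: which identified persons may act under which
# SAP user ID for which protected function.
RULES = {
    ("PRINCIPAL01", "LOGON"): {"principal", "assistant"},
    ("PRINCIPAL01", "REQ_RELEASE"): {"principal"},
}
MATCH_THRESHOLD = 0.05  # assumed value; looser accepts more impostors
AUDIT_LOG = []


def identify(sample):
    """1:N search: return the closest enrolled person, or None if no match."""
    best, best_dist = None, math.inf
    for person, template in TEMPLATES.items():
        dist = math.dist(sample, template)
        if dist < best_dist:
            best, best_dist = person, dist
    return best if best_dist <= MATCH_THRESHOLD else None


def gate(user_id, function, sample):
    """Decide one protected action and log the person, not only the user ID."""
    allowed = RULES.get((user_id, function))
    person = None
    if allowed is None:
        result = "NOT_PROTECTED"          # no rule: no fingerprint prompt
    else:
        person = identify(sample)
        if person is None:
            result = "REJECTED_UNKNOWN"   # finger matches no enrolled template
        elif person not in allowed:
            result = "REJECTED_NOT_ASSIGNED"  # identified, but not assigned
        else:
            result = "AUTHORIZED"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id, "function": function,
        "person": person, "result": result,
    })
    return result


if __name__ == "__main__":
    assistant_finger = (0.16, 0.87, 0.63, 0.06)  # constructed sample
    gate("PRINCIPAL01", "LOGON", assistant_finger)
    gate("PRINCIPAL01", "REQ_RELEASE", assistant_finger)
    for entry in AUDIT_LOG:
        print(entry["user_id"], entry["function"], entry["person"], entry["result"])
```

Both log entries carry the same SAP user ID, but the `person` field shows that it was the assistant who logged on and who was rejected at requisition release.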


• SAP Security and ALL compliance efforts (SoD’s) are solely based
  on password protected USER Profiles

• Passwords are not secure and offer very limited protection
  and no accountability at all

• Damages include severe financial losses, espionage,
  bad press, image loss, lawsuits, compliance violations, etc.

• Experts agree…
  Biometrics is the only solution approach to increase security,
  convenience and establish clear accountability

• bioLock is the only certified biometric technology available for SAP

Do you need this “High Level Security”?

                       This is your “Security” now…

  This is Security at the Polk
  County School District…

 Contact realtime at or 1877-bioLock to
 schedule a personalized online education for your team!

Questions before the demo?

Further Information

   • SAP Public Web:
      SAP Developer Network (SDN):
      Business Process Expert (BPX) Community:
   • Americas’ SAP Users’ Group (ASUG)

   • Related SAP Education and Certification Opportunities

   • Related Workshops/Lectures at SAP TechEd ’07
      Session SIM 210, Marathon Oil
      Using Risk-Based Role Design and APM to Achieve SOX Compliance
      Security in Practice
    Security in Practice

   ASUG and SAP: Partners in Education

ASUG, the Americas’ SAP Users’ Group, is the world’s largest, customer-run community of SAP
professionals and partners, with 45,000 individual members and 1,800 companies represented. ASUG
delivers the highest value to member companies, allowing them to maximize their SAP investments.

Some highlighted benefits include:
    – Access to a year-round community for SAP customers and partners
    – Diverse mix of educational topics and events through a variety of formats
    – Exclusive opportunity to influence SAP future product direction
    – Unparalleled networking opportunities with a dynamic professional network
    – Unprecedented partnership with SAP
    – Access to ASUG Groups and Chapters

To learn more about ASUG, visit the ASUG booth in the SDN Clubhouse, or visit our Web site at


                THANK YOU FOR YOUR
                ATTENTION !

QUESTIONS   –      SUGGESTIONS                                         –   DISCUSSION
