Who is realtime?
Founded in 1986 by former SAP® managers. Certified software, services and special expertise partner, specializing in governance, risk and compliance (GRC). Serving many industry sectors including food, pharmaceutical, chemical, automotive, aerospace, defense, engineering, government and more. Flagship software product bioLock, certified by SAP® since 2002: bulletproof SAP® security at your fingertips!
Selected realtime clients
3M, AIRBUS, Alcan, BASF IT Services B.V., Bayer, Bayer CropScience, Brevard County Government, California State University, Campbell's, GlaxoSmithKline, Harman Kardon Music Group, Krupp Bilstein, Linde, Loewe Opta, Marathon Oil, Océ Document Technologies, Polk County School District, Purdue Pharma, Siemens, ThyssenKrupp Michigan, Toyota, United States Army… Over 200 global clients served!
What were these users looking for?
bioLock was developed to provide the benefits demanded by users:
- Dramatically increase SAP® security capabilities
- Manage user identities via indisputable biometrics
- Control access to functions down to the field level
- Enforce true Segregation of Duties (SoD)
- Ensure meaningful compliance with Sarbanes-Oxley, HIPAA, ITAR and more
Are you still relying on this?
The traditional SAP® log-on process uses passwords: user password → SAP® software. Passwords are written down, borrowed, stolen and misused. A password provides "perimeter" security but no additional layers!
How to bulletproof your system:
User's fingerprint → encrypted scan → SAP® software. SAP® log-on profiles are enhanced with a fingerprint interface; the user is prompted via the bioLock software as shown above. Various hardware devices can be used to securely scan fingerprints, while protecting users' privacy!
What devices can verify user identity?
A laptop with a built-in sensor, plus one of these devices (optional); potential future development is also shown.
- Cherry ID Mouse (convenient touch sensor)
- bioLock ID Mouse, powered by Secugen
- UPEK Eikon (low-cost device)
- Cherry Keyboard (Smart Card option)
- Secugen Hamster (FIPS 201 compliant)
- Zvetco P5000 (high-end device)
- Leading laptops: 23% have swipe sensors
bioLock is hardware independent: it is compatible with over 80 laptops (with built-in fingerprint sensor) and over 50 independent devices such as mice, keyboards or PCMCIA cards.
Logon and system access with bioLock
Logon → bioLock prompts you for a fingerprint → bioLock checks the authentication rules (bioLock user/function table) → fingerprint comparison with the bioLock templates table → logon authorized or logon blocked.
Note: bioLock identifies unique points (minutiae) within a fingerprint and creates an encrypted, digital template. No images of fingerprints are ever stored!
5 Extra Levels of Security
Existing SAP® security consists of password log-on. "Bulletproofing" with bioLock adds:
I) Authenticate user log-on based on fingerprint
II) Lock down any transaction (e.g. SE38 or ME21N)
III) Protect infotypes, fields and buttons according to customizable profiles (e.g. HR infotype 167)
IV) Require authentication if a field value exceeds a trigger amount (e.g. a transfer > $10,000)
V) Require dual user authentication for critical SAP® functions, viewing sensitive data or intellectual property
Bulletproof bioLock Security: Seamless Integration
- Unaffected by SAP® versions or upgrades
- Existing SAP® passwords and authorizations are unchanged
- Compatible with all SAP® versions from 4.x onward
- Profiles are 100% customizable on a user-by-user basis
You decide what aspect of your system needs to be protected and how stringently!
What is the impact on end-users?
- One-time user enrollment takes only a few minutes
- Use is very intuitive; no training required
- Ongoing use consists of occasionally responding to a prompt for the user's fingerprint; each profile can be unique
- Fingerprint images are never stored; privacy is protected
- A majority of end-users can be exempted, depending on their security risk profile and management's policies
What is the impact on IT?
- Installation is done in just a few hours, by downloading the program into its own /realtime namespace within SAP®
- Configuration is done in several days with the help of realtime consultants
- bioLock is compatible with SAP® 4.x and higher, and is unaffected by version upgrades
- Setting up user profiles can be done as quickly or as slowly as desired
- As users are activated, a fingerprint scanning device is installed at their workstation
- A robust audit trail is automatically generated within SAP®
Let's get started with the demo:
We start the traditional way and use the SAP GUI to log on with user name and password. Select your SAP system in the SAP Logon.
A stolen password won't get you in!
User "Smith" found out the password of user "Jones" and logs on as SAP user "Jones", typing in the user name and password.
Prevent password sharing!
In addition to the password, the log-on is authenticated by verifying the user's fingerprint (Security Level I). Although "Smith" is enrolled in bioLock, "Smith" cannot log in by borrowing the "Jones" profile. Only authorized users can log on with an SAP user profile; password sharing is no longer possible!
Now the real user "Jones" enters the correct user name and password. After successful biometric identification, the actual user "Jones" can log on to the "Jones" SAP user profile.
User "Jones" selects the transaction "ME21N" to display a purchase order and successfully authenticates with a fingerprint (biometric template). Please note: this could be virtually any R/3 transaction, such as SE16 or SE38 (Security Level II).
Step Up Control
User "Jones" successfully opens a purchase order after fingerprint authentication. For demo purposes, user "Jones" then exits the transaction and goes for coffee. Another user, "Smith", sits down at the workstation, which is still logged in as "Jones", and tries to re-open the transaction.
Although the workstation is logged in with the fully authorized SAP user profile "Jones", the actual user, "Smith", fails the fingerprint authentication! Please note: although the identity of user "Smith" is known to bioLock, for security purposes this information is not displayed on screen, but the bioLock log file will show that "Smith" tried to create a PO while logged in as "Jones". The system could immediately alert security about this unauthorized access attempt.
Clear Log Files
SAP user "Jones" is uniquely identified as "Jones" based on the fingerprint and logs on to the SAP system. "Smith" tries to create a purchase order on a computer logged on as SAP user "Jones" and is rejected due to the bioLock credential violation. Password sharing is a thing of the past: "Smith" stole or borrowed a password but could not use it in SAP because of the biometric verification!
Single Sign On
"Jones" logs out of the SAP system. Another user, "Smith", takes over the computer and uses the realtime Single Sign On to log on to SAP. No logon or password information is requested! "Smith" opens the optional "Single Sign On" menu, selects the SAP demo system, and is identified via fingerprint scan. Please note: the normal SAP log-on is skipped; there is no need to enter an SAP user or password.
HR Protection for HIPAA Compliance
In this example we protect the health plan information down to the field level (Security Level III) by locking infotype 167. Infotype 167 is protected with biometrics based on the value entered; all other infotypes can be accessed as usual. If the field input requires biometric verification, the system asks for a fingerprint. After successful authentication, the health plan info is displayed.
Brevard County Government won the "InfoWorld 100 Award" for protecting their health plans with bioLock to comply with HIPAA! View the movie clip that SAP made about the bioLock installation at Brevard County at www.bioLock.us (click on Movies in the Info Center).
Smart Card Integration
Any function (Level I, II and III) can be protected via fingerprints, Smart Cards or passwords using bioLock. Optional Smart Card use: as long as a user's Smart Card is inserted in the reader, protected functions can be accessed or executed, but once the Smart Card is removed the functions are locked down. Access is denied and the system requests a "valid card".
Field Masking
In this example, "critical fields" in a screen normally accessible to many users are hidden based on the users' SAP permissions and bioLock profiles. The red boxes point out the hidden data locations. SAP-authorized user "Williams", who is not enrolled in bioLock, can access the general screen but cannot see the hidden fields. While any user can view this screen (based on SAP permission), only authorized users can view the hidden information in the red boxes after biometric verification. User "Smith" was assigned permission in bioLock to view the information based on a high-level security clearance.
Step up control
Independent of the SAP user who signed on to the SAP system, bioLock uniquely identifies the actual user and ONLY permits defined, invited users. "Smith" views critical HR info; an unknown visitor trying to view critical HR data on the same workstation is rejected.
Fast User Switching
Sometimes multiple users share workstations, for example in hospitals, warehouses or financial institutions. Due to time constraints, logging on and off is impractical, but re-authentication via fingerprint scan is practical. bioLock allows all users to authenticate on all workstations at the beginning of a work session, using only fingerprint authentication after the initial verification. bioLock will always identify and log the uniquely authenticated, actual users, independent of their SAP user profiles.
Dual Controls
Displaying the balance sheet is protected using the "Dual Confirmation Group" function. Two different users have to authorize this activity, just like requiring two signatures on a check! The first person is asked to authenticate; the message then prompts the first user for the secondary authorization. There is no time-out, so the first user can await the second user's arrival. A "dual confirmation group" can be defined; this group could consist of more than two users, any of whom are authorized to provide the needed secondary approval.
Only after two authorized users have authenticated will the balance sheet be displayed. The dual confirmation group is comparable to two signatures on a check and is nearly a "must" for any financial and HR activity!
The log file shows that user "Smith" requested the balance sheet report and "Miller" confirmed the request. Both were uniquely identified, logged and accountable!
Control payments over certain amounts
Ultimate financial and payment control. This requirement came from the oldest central bank in the world: all SAP-authorized users can execute transfers below $50,000; only defined users, as permitted by bioLock, can execute transfers exceeding $50,000. In this screen $5,000 has been posted to an account; as long as the amount is less than $50,000 no biometric verification is required. If the amount entered exceeds the predefined amount, in this example $50,000, the user needs to authenticate via fingerprint scan.
911 Emergency
Imagine a user being forced to execute a $1 million transfer under duress. The user could choose to put a different, predefined "911 emergency" finger on the sensor. This finger scan could alert security personnel without executing the function, similar to pressing the "panic" button during a bank robbery, but without the intruder knowing that the button was pressed. "Smith" has a different fingerprint assigned for 911 Emergency; if forced by a third party, "Smith" could use this fingerprint to alert security, just like activating a silent alarm.
For auditing purposes bioLock creates its own log file, which shows all biometric activities and relevant information. This information can be exported to different formats or emailed to the supervisor. For a function protected with a dual confirmation group, the log entry clearly confirms that "Smith" opened a bioLock transaction (which could be a high-value financial transaction) and "Miller" confirmed it!
You can sort by color-coded status (risk level), sort on any column, or filter by keyword such as user name or rejected transactions. You can also export and email different formats to supervisors. Auditors and management will love it!
Here is a quick overview of the bioLock administrative functions. The enrollment of any Biometric Info System (BIS) user takes only seconds. Up to 10 fingers can be enrolled, so if one finger or a hand gets injured the user can switch! Add a Smart Card for the ultimate two-step authentication.
This menu controls the definition of protected system functions. Define a new number for your protected function and the text that will be displayed. Other exceptions, terminations, log file entries and general protections can be defined in these columns. Select protection by finger scan, Smart Card, password or a combination!
It is recommended to enroll the biometric template for the bioLock user under the same name as the SAP user, so that the biometric template is automatically assigned to the corresponding SAP user profile. This table defines exceptions: the biometric template for employee "Jones" could be assigned to a supervisor's SAP user profile ("Smith") so that "Jones" can also work under the supervisor's profile. Multiple users could be assigned to general SAP user IDs for controlled fast user switching (for example in a warehouse). Even if the computers are unlocked in this warehouse scenario, only the 6 defined users can execute critical tasks; unauthorized users such as truck drivers don't have access.
Most functions should be protected globally, for all users, by activating the "global check" in the protected system functions (two slides back). In this table we define exceptions and manually assign certain functions to certain users. You can also define whether a function for a certain user should have extra protection via a "Dual Confirmation Group".
To create the dual confirmation group we define a number and give the group a name, then assign two or more biometric users to the group. Any number of users can be defined in the group, to ensure availability of a backup person. Please note: if the dual authentication always requires the same people, one group can be used for multiple tasks. The system's flexibility allows any member of the group to "request" and any other member to "confirm" a function, or there can be a MASTER who "requests" and others who can only "confirm".
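The deck describes the same decision model on several slides: a protected function with a global check and per-user exceptions (Levels II and III), a trigger amount below which no scan is required (Level IV, the $50,000 example), a dual confirmation group whose second signature must come from a different member (Level V), the 911 duress finger that must look like an ordinary rejection on screen while raising an alarm in the log, and a log that always records the actual person rather than the SAP session user ("Smith" tried to create a PO while logged in as "Jones"). The following is an added illustration of that policy logic written for this page; it is not realtime's code, does not touch SAP, and every class, function and name in it (StepUpEngine, ProtectedFunction, the template ids, the users and transaction codes) is hypothetical. Fingerprint matching is replaced by opaque template ids; the point is the rule evaluation and what reaches the screen versus the log.

```python
"""Toy step-up authorization engine modelling the bioLock controls described
in this deck. Added example, not realtime's code. Every name is hypothetical;
fingerprint matching is stood in for by opaque template ids (the product
compares minutiae templates and never stores images)."""
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY, AWAIT_CONFIRM, ALARM = "ALLOW", "DENY", "AWAIT_CONFIRM", "ALARM"


@dataclass
class ProtectedFunction:
    tcode: str                              # SAP transaction, e.g. "ME21N"
    trigger_amount: Optional[float] = None  # step-up only above this value
    permitted: Optional[set] = None         # None = global check, else named users only
    dual_group: Optional[str] = None        # name of a dual confirmation group


@dataclass
class StepUpEngine:
    templates: dict                  # template id -> enrolled (actual) user
    duress_templates: dict           # template id -> user (the "911" finger)
    functions: dict                  # tcode -> ProtectedFunction
    invites: dict = field(default_factory=dict)      # sap_user -> users allowed on that profile
    dual_groups: dict = field(default_factory=dict)  # group name -> member users
    log: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)      # (sap_user, tcode) -> requester, no time-out

    def _record(self, sap_user, actual, tcode, amount, result):
        self.log.append(dict(sap_user=sap_user, actual_user=actual,
                             tcode=tcode, amount=amount, result=result))
        return result

    def execute(self, sap_user, tcode, template_id=None, amount=None):
        fn = self.functions.get(tcode)
        below_trigger = (fn is not None and fn.trigger_amount is not None
                         and amount is not None and amount <= fn.trigger_amount)
        if fn is None or below_trigger:
            # not protected, or under the trigger: plain SAP authorizations apply, no scan
            return self._record(sap_user, sap_user, tcode, amount, ALLOW)
        if template_id in self.duress_templates:
            # silent alarm: the screen sees an ordinary rejection, only the log sees ALARM
            self._record(sap_user, self.duress_templates[template_id], tcode, amount, ALARM)
            return DENY
        actual = self.templates.get(template_id)
        if actual is None:
            return self._record(sap_user, "unknown", tcode, amount, DENY)
        # the actual person must own the SAP profile or be explicitly invited to it
        if actual not in self.invites.get(sap_user, {sap_user}):
            return self._record(sap_user, actual, tcode, amount, DENY)
        if fn.permitted is not None and actual not in fn.permitted:
            return self._record(sap_user, actual, tcode, amount, DENY)
        if fn.dual_group:
            if actual not in self.dual_groups[fn.dual_group]:
                return self._record(sap_user, actual, tcode, amount, DENY)
            self.pending[(sap_user, tcode)] = actual
            return self._record(sap_user, actual, tcode, amount, AWAIT_CONFIRM)
        return self._record(sap_user, actual, tcode, amount, ALLOW)

    def confirm(self, sap_user, tcode, template_id):
        requester = self.pending.get((sap_user, tcode))
        fn = self.functions.get(tcode)
        confirmer = self.templates.get(template_id)
        if requester is None or fn is None or fn.dual_group is None:
            return self._record(sap_user, confirmer or "unknown", tcode, None, DENY)
        members = self.dual_groups[fn.dual_group]
        # the second signature must come from a different enrolled group member
        if confirmer is None or confirmer not in members or confirmer == requester:
            return self._record(sap_user, confirmer or "unknown", tcode, None, DENY)
        del self.pending[(sap_user, tcode)]
        return self._record(sap_user, f"{requester}+{confirmer}", tcode, None, ALLOW)


def demo():
    """Constructed walk-through of the deck's scenarios; returns the engine."""
    eng = StepUpEngine(
        templates={"tpl-jones": "jones", "tpl-smith": "smith", "tpl-miller": "miller"},
        duress_templates={"tpl-smith-911": "smith"},
        functions={
            "ME21N": ProtectedFunction("ME21N"),
            "F-53": ProtectedFunction("F-53", trigger_amount=50_000, permitted={"smith", "miller"}),
            "BALANCE": ProtectedFunction("BALANCE", dual_group="finance"),
        },
        dual_groups={"finance": {"smith", "miller"}},
    )
    eng.execute("jones", "ME21N", "tpl-jones")                        # ALLOW
    eng.execute("jones", "ME21N", "tpl-smith")                        # DENY: Smith on Jones's session
    eng.execute("jones", "F-53", amount=5_000)                        # ALLOW: below trigger, no scan
    eng.execute("jones", "F-53", "tpl-jones", amount=60_000)          # DENY: Jones not a permitted user
    eng.execute("smith", "F-53", "tpl-smith-911", amount=1_000_000)   # DENY on screen, ALARM in log
    eng.execute("smith", "BALANCE", "tpl-smith")                      # AWAIT_CONFIRM
    eng.confirm("smith", "BALANCE", "tpl-smith")                      # DENY: same person twice
    eng.confirm("smith", "BALANCE", "tpl-miller")                     # ALLOW
    return eng


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```

The two checks worth copying into any real step-up design are the ones the slides insist on: the log entry names the actual person from the template, never the session user, and the duress path returns exactly what an ordinary failure returns so an attacker standing behind the user learns nothing from the screen.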
Protecting an HR infotype is as easy as entering the transaction number, the infotype and the user into the table.
This security menu can protect one or more transactions automatically: define or upload a file with all the transactions that you want to protect and bioLock will remove the original transaction from the SAP roles. A great time saver when protecting dozens of transactions!
The SAP user then no longer has permission for the original transaction and has to execute the desired transaction via the realtime Security Menu, which of course is protected with bioLock.
bioLock is a very advanced protection system that has been installed in commercial and government organizations. SAP Public Sector is promoting bioLock worldwide through their team and has presented bioLock at their Homeland Security Pavilion at Sapphire shows.
Benefits of bioLock
The entire installation and configuration of bioLock can be done quite rapidly. Only minimal training is required, and the impact on both users and IT support staff is minimal, both during installation and in use. Since bioLock is certified by SAP®, ongoing compatibility with different versions is assured. In a very short time, you can start enjoying benefits such as:
1. Dramatically increased SAP® security capabilities
2. Manage users' identities via indisputable biometrics
3. Control access to functions down to the field level
4. Enforce true Segregation of Duties (SoD)
5. Attain meaningful compliance with SOX, HIPAA and ITAR
Statistically, a starter package could cost less than a single fraud incident.
bioLock is SAP® certified since 2002. Visit: www.bioLock.us
realtime North America, Inc.
World Trade Center, 1101 Channelside Drive, Tampa, FL 33602
T: 813-283-0070  F: 813-283-0071
Web: www.bioLock.us
Please contact us for a demonstration or pilot installation: 1-877-bioLock