
Biometric Security for Any Transaction or Function within SAP for Clear Accountability Cyndi Wolf, Polk County Public Schools Thomas Neudenberger, realtime.


1 Biometric Security for Any Transaction or Function within SAP for Clear Accountability
Cyndi Wolf, Polk County Public Schools
Thomas Neudenberger, realtime North America Inc.

2 As a result of this workshop, you will be able to understand:
- Why the largest threats to your SAP security are passwords
- That the resulting damages run into the millions and billions
- Why you should protect data and not SAP users
- That you don't have accountability in your system
- Why the Polk County School District is moving forward with innovative technology to "show passwords the finger"* (*using biometrics, of course)

3 Expert Statements – SAP Movie http://realtimenorthamerica.com/download/Expert_statements.wmv

4 5 Facts about IT Security
1. Data theft and espionage is a rapidly growing crime*
2. Intruders target user profiles with extended authorizations
3. Profiles are protected with passwords that offer very limited protection
4. Long-term damages include financial losses, image loss, declining stock price, lawsuits and compliance violations
5. Without biometrics, deterrence, prevention and conviction are impossible
*$400 million in damages in the DuPont espionage case

5 Statistics: Threat in Numbers…
- 82% of all passwords are written down (SAP-Info Online)
- 40% say they share passwords frequently (Source: Rainbow)
- 71% would give up their password for a candy bar (Infosecurity conference study in Europe)
- 95% result in significant financial losses (Source: Gartner)
- 92% of corporations and government agencies detected computer security breaches in the last 12 months
- Last year 26.5 million records were stolen at the Department of Veterans Affairs; a $26.5 billion lawsuit followed!

6 Customers Demand Biometric Devices
- 23% of all laptops shipped in 2007 have a built-in fingerprint sensor!
- Over 100 different laptop models have built-in fingerprint sensors
- Many USB devices such as mice, keyboards and others are sold for under $50
- One of the leading sensor manufacturers, AuthenTec, sold 10 million sensors from 1999 to 2006
- AuthenTec sold an additional 10 million sensors from July 2006 to July 2007

7 Actual Financial Losses in 2006
So-called "occupational fraud" (also known as internal theft) and abuse imposes enormous costs on organizations. The median loss caused by the occupational frauds in this 2006 ACFE study was $159,000. Nearly one-quarter of the cases caused at least $1 million in losses and nine cases caused losses of $1 billion or more. Participants in the study estimate U.S. organizations lose 5% of their annual revenues to fraud. Read the full study at: http://www.acfe.com/documents/2006-rttn.pdf (Source: 2006 Study, Association of Certified Fraud Examiners, www.acfe.com)
- Median single loss was $159,000
- 25% of cases caused $1 million or more in losses
- 9 cases caused losses of $1 billion or more
- It takes 15+ months to detect fraud

8 Customer Pain Points
- SAP Logon: Unauthorized users use or share SAP User IDs, even at different locations at the same time
- HR: Protecting and securing HR information, including health insurance info, salaries and social security numbers
- Finance: Prevent tampering with payment release, salaries, wire transfers, requesting or changing budgets
- Balance Sheets: Access to critical company information
- Research Data: Research data is stolen or changed
- Purchasing: Unauthorized users purchase unauthorized items
- Workflow Approval: People use their supervisors' passwords
- Fast User Switching: Users are supposed to log in and out for minimal tasks but never do (bank, hospital, warehouse etc.)
- Remembering multiple passwords that could require up to 15 characters
- True Identity Management / Compliance (Sarbanes-Oxley, Section 404, Internal Controls)

9 The 3 Ways to Protect -- I
There are 3 ways to protect physical or data access:
1. What you know…
2. What you have…
3. Who you are…

10 The 3 Ways to Protect -- II
1. What you know… Passwords / PIN / Codes
2. What you have… Smart Cards / Tokens / Keys
3. Who you are… Biometrics – Fingerprint etc.

11 The 3 Ways to Protect -- III
Biometrics is the only true protection, since the user will be UNIQUELY identified!!!
Smart cards and tokens can still be lost, stolen or passed on, and the user cannot be identified or held responsible…
Passwords are historically accepted as an attempt at protecting computer systems… They offer limited protection and no accountability at all!!!
Lawyers love these 2 ways and call it SODDI: SOME OTHER DUDE DID IT (not my client, of course)…*
*As in the multi-million-dollar UBS PaineWebber case

12 20 Ways to get anybody's Password:
- Look in drawers or on the "yellow sticky note"
- Look over the shoulders of co-workers (shoulder surfing)
- Ask colleagues: 40% admit to sharing passwords
- Get the emergency password (at the security guard)
- Call the hotline to get the password reset for any user
- Check unencrypted .ini files
- Try the SAP default password for SAP*: 06071992
- Key catcher, password cracker (now marketed as "recovery tools")
- Monitoring / sniffers (the transfer from the GUI is not encrypted)
- Videotape it; watch for people with a cell phone around you
- Or simply associate with the owner (pet, family, hometown)
Download the "Fishing for Passwords" document at www.showpasswordsthefinger.com

13 Verification versus Identification
Old verification: SAP user/password, smart card, or logon/biometrics.
Advanced identification:
- Searches a database of hundreds or thousands of biometric templates
- Uniquely identifies Thomas and launches Thomas's system
- Might identify Thomas and still reject him based on authorization
- Thomas's tasks or attempts will be logged in an auditing log file

14 bioLock "sits" on top of SAP Security
Existing SAP Security + Additional bioLock Security
bioLock will not "touch" or change your existing security roles or profiles!

15 Independent Additional Protection

16 Protect selected – NOT all – Users
Until now you had to worry about protecting access for ALL SAP users…
bioLock protects individual functions in the system. You only need to protect the users that have access to those functions; ALL OTHERS will not be able to access them anyway, even with SAP_ALL.
Functions can be protected either globally or on an individual basis.
You only have to worry about a few hundred users. Protected: NO NEED to protect the rest!

17 Security Level - Overview
Level I / Level II / Level III Security
Protect the King, not the Castle!* (*Quote from the RSA 2007 keynote speech with Bill Gates)

18 Why should any company invest in biometrics?
- Prevent critical lawsuits, image loss and bad press
- Protect themselves from monetary damages and espionage
- Comply with mandatory regulations such as:
  - HIPAA
  - The California Act
  - Data Protection Act
  - FDA (21 CFR Part 11, Electronic Records)
  - Sarbanes-Oxley Act, Section 404
Biometric technology will prevent most attacks, log uniquely identified users and their activities, and 'scare off' potential attackers!!!

19 A study from the California State University uncovers…
- Even if your company is compliant, it is still exposed to fraud
- DuPont was 100% compliant and all auditors signed off; they had a $400 million internal fraud case
- Companies blame and "sue" external auditors
- Insurers reject policies and payments
- More than the minimum requirements of mandatory regulations has to be done to protect assets and investors
- Without biometrics there is no true compliance
Download the complete research paper at: http://business.fullerton.edu/resources/biometrics/

20 Introduction: Polk County Public Schools
- The eighth-largest school district in Florida and among the largest 40 nationally
- Nearly 95,000 students at almost 160 school sites
- Largest employer in Polk County with more than 15,000 employees, more than half of whom are teachers
- Bartow High School is ranked 167th in Newsweek magazine's 2007 list of the nation's top 1,257 high schools
Abdu Taguri, CIO

21 The School District's Security Challenges
- User IDs and passwords are written down and posted on or near workstations at an alarming rate
- SAP is used for most of the district's business processes: HR, Payroll, Finance, Asset Management, Purchasing, Warehousing, Work Orders, Project Systems
- Security is role-based and assigned via position on the org chart; User IDs are maintained on HR Infotype 0105
- Concern for "accountability" of the principal as the CEO of the individual school
- Delegation of responsibility to the school secretary via User ID and password sharing

22 True Stories at the Polk School District
Years ago a school secretary paid many of her personal bills from the school district's accounts. She would create fake requisitions and invoices for non-existent vendors using PO Box addresses she rented, and then forwarded the district's checks to her debtors. Her setup was so perfect that she got away with it for several years.
Recently a school secretary used her legitimately provided access to approve herself overtime, which resulted in significant overpayment to herself and financial loss to the school district.

23 Biometric Approach: Polk County School District
Logon to the principal's SAP User ID is protected to prevent:
- unauthorized access
- well-intentioned "delegation"
Transactions protected:
- Requisition release
- Payroll (time entry) approval
- Biometric segregation of duty
- Electronic signature in workflow (future)

24 How Is the Additional "lock" Implemented at Polk County?
1. SAP Logon, for individual users like the principal
2. Transactions
   a) via Z transactions, like requisition release
   b) via realtime's automated security menu
3. Fields, infotypes, values, buttons, mask fields and more
   a) via user exit
   b) via field exit
   c) via modification
bioLock can protect basically every mouse click in the SAP system!

25 Principal Log On – before and after bioLock
Before:
- The secretary has the password and therefore authorization to use the principal's SAP User ID
- In the event of an incident they can blame each other; it could be a 3rd party as well
- There is no proof of which person did what and when
- Only a User ID is recognized, not the actual person on the system
- There is absolutely NO accountability
After:
- The secretary's biometric template is assigned to the principal's SAP User ID
- Both have to put their finger on the sensor to log in to SAP using the principal's User ID; only these two can log in
- In addition to the logon, critical tasks are protected
- A log file shows which person, uniquely identified with biometrics, logged on or executed a task
- CLEAR accountability

26 The proof is always in writing
The log file proves:
- Who logged on
- Who executed the task
- Who confirmed a task
- Who was rejected TRYING to execute a task that they were not allowed to execute

27 The logon at the School District
Logon → bioLock checks the authentication rules (bioLock user/function table) → bioLock prompts you for a fingerprint → the fingerprint is compared with the bioLock templates table → logon authorized, or logon blocked.
Please note: bioLock technology identifies unique points on your finger and creates an encrypted digital template; it never stores an actual image of the finger!!!
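The flow on the last three slides (the secretary's finger assigned to the principal's User ID, biometric segregation of duty on payroll approval, the existing SAP role check that stops everyone else before any prompt, and an audit log naming who was authorized or rejected) as an added toy model. This is illustrative code written for this page, not bioLock's implementation or Polk County's configuration: the "templates" are sets of integer points, the matcher is set overlap against an assumed 0.8 threshold, and the user IDs, function names and rule table are made up. It also contrasts 1:1 verification with the 1:N identification of slide 13.

```python
"""Toy model of function-level biometric gating layered on existing SAP roles.

Constructed illustration (not bioLock's code): a template is a frozenset of
integer "minutiae" points and matching is set overlap. Names, tables and the
threshold are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

MATCH_THRESHOLD = 0.8  # fraction of enrolled points a live sample must reproduce (assumed)

# Enrolled persons -> template (constructed data; a real template is an
# encrypted feature set, never an image of the finger)
TEMPLATES = {
    "principal": frozenset({11, 23, 37, 42, 58, 61, 79, 88, 90, 97}),
    "secretary": frozenset({5, 14, 26, 33, 47, 52, 66, 71, 84, 93}),
}

# Existing SAP layer: SAP user ID -> functions its roles permit (hypothetical)
SAP_ROLES = {
    "PRINCIPAL01": {"SAP_LOGON", "REQ_RELEASE", "PAYROLL_APPROVE"},
    "CLERK07": {"SAP_LOGON", "PR_CREATE"},
}

# Added layer: (function, SAP user or "*" for a global rule) -> persons whose
# finger may perform it. Functions without a rule are not protected at all.
RULES = {
    ("SAP_LOGON", "PRINCIPAL01"): {"principal", "secretary"},
    ("REQ_RELEASE", "PRINCIPAL01"): {"principal", "secretary"},
    ("PAYROLL_APPROVE", "*"): {"principal"},  # biometric segregation of duty
}


@dataclass(frozen=True)
class AuditEntry:
    sap_user: str
    function: str
    person: Optional[str]  # None: nobody was prompted, so nobody was identified
    decision: str


def similarity(template, sample):
    """Share of enrolled points present in the live sample (toy matcher)."""
    return len(template & sample) / len(template)


def verify(person, sample):
    """1:1 check: does the sample match the claimed person's template?"""
    return similarity(TEMPLATES[person], sample) >= MATCH_THRESHOLD


def identify(sample):
    """1:N search over all enrolled templates; returns the person or None."""
    best_person, best_score = None, 0.0
    for person, template in TEMPLATES.items():
        score = similarity(template, sample)
        if score > best_score:
            best_person, best_score = person, score
    return best_person if best_score >= MATCH_THRESHOLD else None


def rule_for(function, sap_user):
    """Per-user rule wins over a global rule; None means unprotected."""
    return RULES.get((function, sap_user)) or RULES.get((function, "*"))


def authorize(sap_user, function, sample, log):
    """Decide whether `function` may run under `sap_user`; log who tried."""
    # 1. Existing SAP authorization: users without the role stop here and
    #    never reach the biometric prompt (the roles are left untouched).
    if function not in SAP_ROLES.get(sap_user, set()):
        decision, person = "denied_by_sap", None
    else:
        allowed = rule_for(function, sap_user)
        if allowed is None:
            # 2. Function not protected for this user: plain SAP behaviour.
            decision, person = "allowed_without_biometrics", None
        else:
            # 3. Protected: identify the actual person behind the finger.
            person = identify(sample)
            if person is None:
                decision = "blocked_unidentified"
            elif person in allowed:
                decision = "authorized"
            else:
                decision = "blocked"  # identified, but not permitted this function
    log.append(AuditEntry(sap_user, function, person, decision))
    return decision


# Constructed live samples: a slightly noisy read of each enrolled finger
# (9 of 10 points) and an unenrolled intruder.
SECRETARY_SAMPLE = frozenset({5, 14, 26, 33, 47, 52, 66, 71, 84, 99})
PRINCIPAL_SAMPLE = frozenset({11, 23, 37, 42, 58, 61, 79, 88, 90, 100})
INTRUDER_SAMPLE = frozenset({1, 2, 3, 4, 5, 6, 7, 8, 9, 10})


if __name__ == "__main__":
    log = []
    authorize("PRINCIPAL01", "REQ_RELEASE", SECRETARY_SAMPLE, log)     # secretary, allowed
    authorize("PRINCIPAL01", "PAYROLL_APPROVE", SECRETARY_SAMPLE, log) # secretary, rejected
    authorize("PRINCIPAL01", "SAP_LOGON", INTRUDER_SAMPLE, log)        # password thief, blocked
    authorize("CLERK07", "REQ_RELEASE", SECRETARY_SAMPLE, log)         # stopped by SAP roles
    for entry in log:
        print(entry)
```

The audit entry records the identified person, not the SAP User ID that was typed, which is the accountability point of slides 25 and 26; the intruder with the principal's password is logged as blocked and unidentified, and the secretary's rejected payroll attempt is logged under her own name.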

28 Summary
- SAP security and ALL compliance efforts (SoDs) are based solely on password-protected USER profiles
- Passwords are not secure; they offer very limited protection and no accountability at all
- Damages include severe financial losses, espionage, bad press, image loss, lawsuits, compliance violations, etc.
- Experts agree… Biometrics is the only solution approach to increase security and convenience and establish clear accountability
- bioLock is the only certified biometric technology available for SAP

29 Do you need this "High Level Security"?
This is your "Security" now… This is Security at the Polk County School District…
Contact realtime at info@bioLock.us or 1-877-bioLock to schedule a personalized online education for your team!
Questions before the demo?

30 Session Code: 0108
Email: cyndi.wolf@polk-fl.net or thomas@realtimenorthamerica.com

