Technical Overview
The only SAP®-certified fingerprint authentication, identity and risk management for SAP® systems
Bulletproof SAP® security at your fingertips!
© 2011 realtime North America Inc., Tampa, FL. All Rights Reserved.
Who is realtime?
• Founded in 1986 by former SAP® managers
• Certified software, services and special expertise partner
• Specializing in governance, risk and compliance (GRC)
• Serving many industry sectors including food, pharmaceutical, chemical, automotive, aerospace, defense, engineering, government and more
• Flagship software product, certified by SAP® since 2002, is bioLock: Bulletproof SAP® security at your fingertips!
Selected realtime clients • 3M, AIRBUS, Alcan, BASF IT Services B.V., Bayer, Bayer CropScience, Brevard County Government, California State University, Campbell's, GlaxoSmithKline, Harman Kardon Music Group, Krupp Bilstein, Linde, Loewe Opta, Marathon Oil, Océ Document Technologies, Polk County School District, Purdue Pharma, Siemens, ThyssenKrupp Michigan, Toyota, United States Army… • Over 200 global clients served!
What were these users looking for? bioLock was developed to provide the benefits users demanded:
• Dramatically increase SAP® security capabilities
• Manage user identities via indisputable biometrics
• Control access to functions down to the field level
• Enforce true Segregation of Duties (SoD)
• Ensure meaningful compliance with Sarbanes-Oxley, HIPAA, ITAR and more
Are you still relying on this?
• The traditional SAP® log-on process uses passwords (diagram: user → password → SAP® software)
• Passwords are written down, borrowed, stolen and misused
• A password provides "perimeter" security but no additional layers!
How to Bulletproof your system: (diagram: user's fingerprint → encrypted scan → SAP® software)
• SAP® log-on profiles are enhanced with a fingerprint interface
• The user is prompted by the bioLock software as shown above
• Various hardware devices can be used to securely scan fingerprints, while protecting users' privacy!
What devices can verify user identity? (diagram: a fingerprint sensor, plus optionally one of the devices shown; some marked as potential future development)
bioLock is hardware independent:
• Leading laptops: 23% have swipe sensors
• UPEK Eikon: low-cost device
• Cherry keyboard: Smart Card option
• Cherry ID Mouse: convenient touch sensor
• bioLock ID Mouse: powered by SecuGen
• SecuGen Hamster: FIPS 201 compliant
• Zvetco P5000: high-end device
bioLock is compatible with over 80 laptops (with built-in fingerprint sensor) and over 50 independent devices such as mice, keyboards and PCMCIA cards.
SAP® logon & system access with bioLock Logon (flow diagram):
1. bioLock prompts you for a fingerprint
2. The fingerprint is compared with the bioLock template table
3. bioLock checks the authentication rules (bioLock user/function table)
4. Result: logon authorized or logon blocked
Note: bioLock identifies unique points (minutiae) within a fingerprint and creates an encrypted, digital template. No images of fingerprints are ever stored!
5 Extra Levels of Security
• Existing SAP® security consists of password log-on
• "Bulletproofing" with bioLock adds:
• I) Authenticate user log-on based on fingerprint
• II) Lock down any transaction (e.g. SE38 or ME21N)
• III) Protect "infotypes", fields and buttons according to customizable profiles (e.g. HR infotype 167)
• IV) Require authentication if a field value exceeds a trigger amount (e.g. a transfer > $10,000)
• V) Require dual user authentication for critical SAP® functions, viewing sensitive data or intellectual property
Bulletproof bioLock Security - Seamless Integration • Unaffected by SAP® versions or upgrades • Existing SAP® passwords and authorizations are unchanged • Compatible with all SAP® versions from 4.x onward • Profiles are 100% customizable on a user-by-user basis You decide what aspect of your system needs to be protected and how stringently!
What is the impact on end-users?
• One-time user enrollment takes only a few minutes
• Use is very intuitive; no training required
• Ongoing use consists of occasionally responding to a prompt for the user's fingerprint; each profile can be unique
• Fingerprint images are never stored; privacy is protected
• A majority of end-users can be exempted, depending on their security risk profile and management's policies
What is the impact on IT?
• Installation is done in just a few hours, by downloading the program into its own /realtime namespace within SAP®
• Configuration is done in several days with the help of realtime consultants
• bioLock is compatible with SAP® 4.x and higher, and is unaffected by version upgrades
• Setting up user profiles can be done as quickly or as slowly as desired
• As users are activated, a fingerprint scanning device is installed at their workstation
• A robust audit trail is automatically generated within SAP®
Let’s get started with the demo: Select your SAP system in the SAP Logon. Let’s start the traditional way and use the SAP GUI to log on with User Name and Password…
A stolen password won't get you in! User "Smith" has found out the password of user "Jones" and logs on as SAP user "Jones", typing in Jones's user name and password.
Prevent Password Sharing! In addition to the password, the log-on is authenticated by verifying the user's fingerprint (Security Level I). Although "Smith" is an enrolled user (his fingerprint template exists in the SAP system), he cannot log on with the borrowed "Jones" profile: the presented fingerprint must match the template assigned to the SAP user being logged on. Only authorized users can log on with an SAP user profile, so password sharing no longer works.
Now the real user "Jones" enters the correct user name and password. After successful biometric identification, the actual user "Jones" can log on to the "Jones" SAP user profile.
User "Jones" selects transaction "ME21N" (create purchase order) and successfully authenticates with a fingerprint (biometric template). Please NOTE: this could be virtually any R/3 transaction, such as SE16 or SE38 (Security Level II).
User “Jones” successfully opens a Purchase Order after fingerprint authentication… For demo purposes, User “Jones” then exits the transaction and goes for coffee. Another user, “Smith”, sits down at the workstation which is logged in as “Jones” and tries to re-open the transaction.
Step Up Control: although the workstation is logged in with the fully authorized SAP user profile "Jones", the actual user, "Smith", fails the fingerprint authentication! Please NOTE: bioLock identifies "Smith" from the fingerprint but, for security purposes, does not display that identity on screen. The bioLock log file records that "Smith" tried to create a PO while logged in as "Jones", and the system can immediately alert security about the unauthorized access attempt.
Clear Log Files: password sharing is a thing of the past. "Smith" stole or borrowed a password but could not use it in SAP because of the biometric verification. The log shows that SAP user "Jones" was uniquely identified as "Jones" by fingerprint and logged on to the SAP system, and that "Smith" then tried to create a Purchase Order on a computer logged on as SAP user "Jones" and was rejected due to the bioLock credential violation.
“Jones” logs out of the SAP system… Another User, “Smith”, takes over the computer and uses the realtime SINGLE SIGN ON to log on to SAP. No Logon and Password information is requested! “Smith” opens the optional “Single Sign On” menu and selects the desired SAP system.
“Smith” selects the SAP Demo System… Please NOTE: The normal SAP log-on is skipped. There is no need to enter an SAP User or Password! The identity of user “Smith” is verified via fingerprint scan.
HR Protection for HIPAA Compliance: in this example we protect the Health Plan information down to the field level (Security Level III) by locking Infotype 167. Infotype 167 is protected with biometrics based on the value (input); all other Infotypes can be accessed as usual. If the field input requires biometric verification, the system asks for a fingerprint…
After successful authentication, the health plan information is displayed. Brevard County Government won the prestigious "InfoWorld 100 Award" for protecting its Health Plans with bioLock to comply with HIPAA! View the movie clip that SAP made about the bioLock installation at Brevard County at www.bioLock.us (click on Movies in the Info Center).
Smart Card Integration: any function (Level I, II and III) can be protected via fingerprints, Smart Cards or passwords using bioLock. Optional Smart Card use: as long as a user's Smart Card is inserted in the reader, protected functions can be accessed or executed… but once the Smart Card is removed, the functions are locked down. Access is denied and the system requests a "valid card".
Field Masking The red boxes point out the hidden data locations. A user with appropriate security clearance could view the data after successful authentication of their biometric fingerprint template. In this example “critical fields” in a screen normally accessible to many users may be hidden based on users’ SAP permissions and bioLock profiles. SAP authorized user “Williams”, who is not enrolled in the bioLock system, can access the general screen, but cannot see the hidden fields.
While any user can view this screen (based on SAP permission), only authorized users can view the hidden information in the red boxes after biometric verification. User “Smith” was assigned permission in bioLock to view the information based on a high-level security clearance.
Step up control: "Smith" views critical HR info. An unknown visitor is rejected when trying to view critical HR data on the same workstation. Independent of the SAP user who signed on to the SAP system, bioLock uniquely identifies the actual user and ONLY permits defined, invited users.
Fast User Switching • Sometimes multiple users share workstations, for example: Hospitals, Warehouses, Financial Institutions, etc. • Due to time constraints, logging on/off is impractical, but re-authentication via fingerprint scan is practical. • bioLock allows all users to authenticate on all workstations at the beginning of a work session, using only fingerprint authentication after the initial verification. bioLock will always identify and log the uniquely authenticated, actual users – independent of their SAP User profiles
Displaying the balance sheet is protected using the “Dual Confirmation Group” function. Two different users have to authorize this activity, just like requiring two signatures on a check! The first person will be asked to authenticate…
Dual Controls The message then prompts the 1st user for the secondary authorization. There is no “time-out” so the 1st user can await the 2nd user’s arrival. A “dual confirmation group” can be defined. This “group” could consist of more than two users any of whom are authorized to provide the needed secondary approval.
Only after two authorized users have authenticated will the balance sheet be displayed. The idea of the dual confirmation group can be compared to two signatures on a check… and is nearly a "must" for any financial and HR activity!
The log file shows that user “Smith” requested the balance sheet report. “Miller” confirmed the request. Both were uniquely identified, logged and accountable!
Ultimate financial and payment control: in this screen $5,000 has been posted to an account. As long as the amount is less than $50,000, no biometric verification is required! This requirement came from the oldest central bank in the world: all SAP authorized users can execute transfers below $50,000, but only defined users, as permitted by bioLock, can execute transfers exceeding $50,000.
Control Payments over certain amounts If the amount entered exceeds a predefined amount, in this example $50,000, the user needs to authenticate via fingerprint scan.
911 – what is your emergency? Imagine a user being forced to execute a $1 Million transfer under duress… The user could choose to put a different, predefined 911 emergency finger on the sensor. This finger scan could alert security personnel without executing the function, similar to pressing the “panic” button during a bank robbery but without the intruder knowing that the button was pressed.
For auditing purposes bioLock creates its own log file, which shows all biometric activities and relevant information. This information can be exported to different formats or emailed to the supervisor… For a function protected with a dual confirmation group, the log entry clearly confirms that "Smith" opened a bioLock transaction (this could be a high-value financial transaction) and "Miller" confirmed it! 911 Emergency: "Smith" has a different fingerprint assigned for 911 Emergency. If forced by a third party, "Smith" could use this fingerprint to alert security, just like activating a silent alarm.
You can sort on any column or filter by keyword such as user name or rejected transactions. You can also export and email different formats to supervisors… Auditors and management will love it!!!
Here is a quick overview of the bioLock administrative function: the enrollment of any Biometric Info System (BIS) user takes only seconds. Up to 10 fingers can be enrolled, so if one finger or a hand gets injured the user can switch! Add a Smart Card for the ultimate two-factor authentication: something the user has (the card) combined with something the user is (the fingerprint).
This menu controls the definition of protected system functions.
Define a new number for your protected function. Define the text that will be displayed. Select protection by finger scan, Smart Card, password or a combination! Other exceptions, terminations, log file entries and general protections can be defined in the remaining columns…
It is recommended to enroll the biometric template for the bioLock user under the same name as the SAP user, so that the biometric template is automatically assigned to the corresponding SAP user profile. This table defines exceptions: the biometric template for employee "Jones" could be assigned to a supervisor's SAP user profile ("Smith") so that "Jones" can also work under the supervisor's profile. In the same way, multiple users can be assigned to a general SAP user ID for controlled fast user switching (example: in a warehouse). Even if the computers are left unlocked in this warehouse scenario, only the 6 defined users can execute critical tasks; unauthorized users such as truck drivers don't have access.
Most functions should be protected globally and for all users by activating the “global check” in the protected system functions (2 slides back). In this table we can define exceptions and manually assign certain functions to certain users. You can also define if a function for a certain user should have extra protection via “Dual Confirmation Group”.
To create the dual confirmation group we define a number and give the group a name… Please note: if the dual authentication always requires the same people, one group can be used for multiple tasks!
Any number of users can be defined in the group, to ensure availability of a backup person. … now assign two or more biometric users to the group. Please note: The system’s flexibility could allow any member of the group to “request” and any other member to “confirm” a function – or there could be a MASTER to “request” and others who can only “confirm”.
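The rules walked through in the demo (the step-up control on ME21N, the $50,000 transfer threshold, the 911 duress finger, the exceptions table and the dual confirmation group defined above) can be modelled as one small decision function. The block below is an added example written for this page; it is not bioLock code and does not show how realtime implements these checks inside SAP. The user names, the finger templates (opaque digests standing in for encrypted minutiae templates), the threshold value and the transaction names TRANSFER and BALANCE_SHEET are assumptions made for the illustration; only SE38 and ME21N are transaction codes quoted on the page.

```python
"""Added example, not code from bioLock or realtime North America.

A model of the rules the deck describes: step-up control on a protected
transaction, an amount threshold, a dual confirmation group, the 911 duress
finger, and an audit trail that records the identified person rather than the
SAP logon.  All user names, thresholds, template values and the transaction
names TRANSFER and BALANCE_SHEET are assumptions made for this illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
import hashlib
import hmac


def _template(feature_string: str) -> bytes:
    # Stand-in for an encrypted minutiae template: only an opaque digest of an
    # (assumed) feature string is kept, never an image.
    return hashlib.sha256(feature_string.encode()).digest()


# bioLock template table: biometric user -> {finger label: template}.
# The label "911" marks the pre-assigned duress finger.
TEMPLATES = {
    "jones":  {"index": _template("jones-index"), "911": _template("jones-ring")},
    "smith":  {"index": _template("smith-index"), "911": _template("smith-ring")},
    "miller": {"index": _template("miller-index")},
}

# Exceptions table: which biometric users may act under which SAP user profile.
# Jones's template is also assigned to the supervisor's profile "SMITH".
PROFILE_ASSIGNMENTS = {"JONES": {"jones"}, "SMITH": {"smith", "jones"}, "MILLER": {"miller"}}

DUAL_GROUPS = {1: {"smith", "miller", "jones"}}   # group number -> members


@dataclass
class Rule:
    threshold: float | None = None         # level IV: auth only above this amount
    allowed_users: set[str] | None = None  # None: any user assigned to the profile
    dual_group: int | None = None          # level V: a second member must confirm


PROTECTED = {
    "ME21N": Rule(),                                           # level II
    "SE38": Rule(allowed_users={"jones"}),
    "TRANSFER": Rule(threshold=50_000, allowed_users={"smith"}),
    "BALANCE_SHEET": Rule(dual_group=1),
}

AUDIT: list[dict] = []   # bioLock's own log file


@dataclass
class Decision:
    status: str            # "executed", "denied" or "pending_confirmation"
    actor: str | None      # identified person, independent of the SAP logon
    reason: str            # what the screen shows
    alert: bool = False    # silent alarm to security, never shown on screen


def identify(scan: bytes) -> tuple[str | None, bool]:
    """1:N comparison of a scan against every enrolled template."""
    for user, fingers in TEMPLATES.items():
        for label, tmpl in fingers.items():
            if hmac.compare_digest(scan, tmpl):
                return user, label == "911"
    return None, False


def request(sap_user: str, tcode: str, scan: bytes | None = None,
            amount: float = 0.0, confirm_scan: bytes | None = None) -> Decision:
    rule = PROTECTED.get(tcode)
    entry = {"sap_user": sap_user, "tcode": tcode, "amount": amount, "actor": None}
    AUDIT.append(entry)

    def finish(status, reason, **extra):
        entry.update(status=status, reason=reason, **extra)
        return Decision(status, entry["actor"], reason, extra.get("alert", False))

    if rule is None or (rule.threshold is not None and amount <= rule.threshold):
        return finish("executed", "no biometric check required")
    if scan is None:
        return finish("denied", "fingerprint required")
    actor, duress = identify(scan)
    entry["actor"] = actor
    if actor is None:
        return finish("denied", "rejected")
    if duress:
        # Same on-screen message as an ordinary rejection; the alarm is out of band.
        return finish("denied", "rejected", alert=True, note="911 EMERGENCY")
    if actor not in PROFILE_ASSIGNMENTS.get(sap_user, set()) or \
            (rule.allowed_users is not None and actor not in rule.allowed_users):
        return finish("denied", "rejected", note="credential violation")
    if rule.dual_group is not None:
        members = DUAL_GROUPS[rule.dual_group]
        if actor not in members:
            return finish("denied", "rejected", note="not in dual confirmation group")
        if confirm_scan is None:   # no time-out: stays pending until a member confirms
            return finish("pending_confirmation", "second authorization required")
        confirmer, c_duress = identify(confirm_scan)
        if c_duress:
            return finish("denied", "rejected", alert=True, note="911 EMERGENCY (confirmer)")
        if confirmer is None or confirmer == actor or confirmer not in members:
            return finish("denied", "rejected", note="confirmation rejected")
        return finish("executed", "confirmed", confirmed_by=confirmer)
    return finish("executed", "authenticated")


if __name__ == "__main__":
    print(request("JONES", "ME21N", TEMPLATES["smith"]["index"]))            # Smith on Jones's session
    print(request("SMITH", "TRANSFER", TEMPLATES["smith"]["911"], amount=1_000_000))  # duress finger
    print(request("SMITH", "BALANCE_SHEET", TEMPLATES["smith"]["index"],
                  confirm_scan=TEMPLATES["miller"]["index"]))                  # dual confirmation
```

Two design points carry over from the deck: the duress path returns exactly the same on-screen reason as any other rejection, so only the `alert` flag (and the audit entry) distinguishes it, and the audit entry always records the identified person, so "Smith" is logged even when the session belongs to "Jones". The confirmer check also rejects the requester confirming their own request, which is what makes the group a two-person control.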
Protecting an HR Infotype is as easy as entering the transaction number, info type and the user into the table…
This security menu can protect one or more transactions automatically: Define or upload a file with all the transactions that you want to protect and bioLock will remove the original transaction from the SAP roles… A great time saver to protect dozens of transactions!!!
Now the SAP user no longer has permission for the original transaction and has to execute the desired transaction via the realtime Security Menu… which of course is protected with bioLock. bioLock is a very advanced protection system that has been installed in commercial and government organizations. SAP Public Sector is promoting bioLock worldwide through their team and has presented bioLock at their Homeland Security Pavilion at Sapphire shows.