ASUG Banking & Financial Service Providers SAPPHIRE Breakfast Session
May 6th, 2008
Gina Marchese, ASUG Coordinator, SAP
Falk Rieker, Vice President SAP Banking Solutions
Mike Ramsey, SAP Banking Field Services
Thomas Neudenberger, COO realtime North America Inc.
Agenda
• 7:00am – 7:15am - Breakfast Served & Opening Statements – Dan Drechsel & Thomas Balgheim (SAP)
• 7:15am – 7:20am - ASUG Community Overview – Mike Ramsey
• 7:20am – 7:25am - SAP’s Commitment to the Banking Community of Interest – Mike Ramsey & Falk Rieker
• 7:25am – 7:35am - Banking & Financial Services Key Discussion Topics – Mike Ramsey
• 7:35am – 7:50am - bioLock – Realtime Security & Fraud Mitigation – Thomas Neudenberger
• 7:50am – 7:55am - Upcoming Events & Next Steps – Mike Ramsey
• 7:55am – 8:00am - Questions & Customer Feedback
ASUG Overview
• ASUG is the largest independent, not-for-profit organization of SAP customer companies and eligible partner vendors in the world.
• ASUG’s mission is to continuously educate its members, facilitate networking among colleagues and SAP representatives, and influence future SAP product releases and direction.
• ASUG was formed in 1990, and is made up of more than 1,700 corporate and 45,000 individual members in North America.
ASUG Communities
• ASUG Special Interest Group (SIG) Communities are aligned to SAP products and industries.
• ASUG Chapters are regionally based throughout N. America.
• ASUG members have year-round direct access to:
  • Colleagues with similar interests and workplace challenges
  • SAP representatives and resources
  • Educational, networking and influencing opportunities
Year Round Education
Customer-run, customer-driven education in convenient and accessible formats, including:
• Face-to-Face educational events
• Forums
• Symposiums
• Chapter Meetings
• Annual Conference
• Webcasts and teleconferences
• On-Demand Education
ASUG Banking Community
Free educational activities about the newest product features and functions:
• Banking Focused Webcasts
• ASUG SIG Community educational content
• Focused Banking area on asug.com
Networking to share experiences and best practices:
• ASUG Banking Discussion Forum
• Networking sessions at ASUG events
• Industry specific Benchmarking Studies
• asug.com online community
Opportunities to influence and prioritize the development roadmap:
• ASUG Influence Councils
• ASUG Executive Exchanges
Volunteers are Key
ASUG is governed by its most valuable asset – its members.
SIG Chair:
• Drive and manage the SIG's year-round community
• Communicate Influence needs of SIG membership and represent the SIG during Influence activities (i.e. assist in moderating Webcasts, help craft promotional material)
• Build and maintain solid relationships with ASUG HQ and SAP Points of Contact
Membership Offer
• Membership dues reside at the corporate level, which allows an unlimited number of employees within an organization to utilize company membership benefits without incurring individual membership charges. Membership dues are paid on an annual basis, are not pro-rated, and are valid January 1st through December 31st of each year.
• Complimentary ASUG memberships are available. Please inquire with Mike.Ramsey@SAP.COM!
SAP’s Commitment to the Banking Community of Interest
SAP, working closely with ASUG, will drive the following initiatives to continue the growth of this COI:
• Secure participation & support from Banking & Financial Service Providers in our European regions.
• SAP Management & Solutions Expert participation in future Banking COI events.
• SAP will provide results of our surveys related to industry trends, business use cases, functional requirements, and customer priorities.
• SAP will provide continuous updates on topics of interest received from our customers’ feedback & questions.
Banking & Financial Services Key Discussion Topics
Banking Hot Topics (as determined by initial Customer Survey):
• Upgradeability to the most current release
• Roadmap to transform their existing implementation to our SOA BPP
• Ways to improve overall customer experience and improve customer centricity
• Cleaning up back office processes
• IT Spending
• Meeting and maintaining Compliance and Regulatory guidelines
• Security concerns in the banking industry
The bioLock Overview
• bioLock Protects Critical Data with Biometrics for Fraud Prevention and “True” Compliance
• bioLock “elevates” IT security from access control to fraud mitigation
Actual Financial Losses in 2006
• Average single loss was $159,000
• 25% caused $1 million in losses
• 9 cases of $1 billion in losses and more
• It takes 15+ months to detect fraud
So called “occupational fraud” (also known as internal theft) and abuse imposes enormous costs on organizations. The median loss caused by the occupational frauds in this 2006 ACFE study was $159,000. Nearly one-quarter of the cases caused at least $1 million in losses and nine cases caused losses of $1 billion or more. Participants in the study estimate U.S. organizations lose 5% of their annual revenues to fraud.
Read the full study at: http://www.acfe.com/documents/2006-rttn.pdf
(Source: 2006 Study - Association of Certified Fraud Examiners – www.acfe.com)
Largest fraud case in history
• French trader Jerome Kerviel stole computer passwords that allowed him to enter his phony deals into various trading systems and to bypass security measures
• He misappropriated IT access controls belonging to operators
• Kerviel overstepped his authority and bet 50 billion Euros ($73 billion) - more than the bank's market value
• This practice cost his employer, France's Societe Generale, $7.2 billion in losses
• Judges have filed charges against Jerome for forgery, breach of trust and unauthorized computer activity
• Investigators questioned Societe Generale's chief executive, who is ultimately responsible for his employees’ actions
• There are many rumors about the bank’s future / the industry is speculating that it could be bought out or broken up
• Poor IT Security is blamed for the losses, and a special committee has recommended immediately introducing stronger security systems, including biometric authentication, to prevent a recurrence.
Source SAP Info: http://www.sap.info/public/INT/int/index/Category-28813c6138d029be8-int/0/articlesVersions-30698479ee4768f8a0
Source SAP Info: http://www.sap.info/public/INT/int/index/Category-28813c6138d029be8-int/0/articlesVersions-3038947c29f746dbbe
20 Ways to get anybody's Password
• Look in desk drawers or on the “yellow sticky note”
• Look over shoulders of co-workers (shoulder surfing)
• Videotape it - watch for people with a cell phone around you
• Ask colleagues – 40% admit to sharing passwords
• Get emergency password (administrators / security guard)
• Call hotline to get password reset for any user
• Associate with owner (pet, family, hometown, birthday)
• Check unencrypted .ini files
• Try SAP default password for SAP* - 06071992
• Key Catcher, Password Cracker – Now: Recovery Tools
• Monitoring / Sniffers (transfer from GUI not encrypted)
Download the “Fishing for Passwords” document at www.showpasswordsthefinger.com
Would your security guard STOP this guy walking through the main entrance?
Very likely YES!!! Even this guy identifies himself as “SAP 1” on his space suit…
[Slide image: a figure in a space suit labelled “SAP 1”]
Without using biometrics we can only identify “Space Suits” with names on them (SAP User Profile Names) walking around in the most critical part of our organization – the SAP System. We have NO WAY of identifying who is using the suit (SAP user profile).
bioLock will uniquely identify the user behind the “Space Suit” (User Profile).
Why biometrics for your SAP System?
• Biometric security for system, transaction and field level data
• Biometric security for user logon with convenient single sign on to multiple systems
• Enhanced user/transaction audit trail
• Easy 4-eyes principle and supervisor approval functionality
• Secure and convenient “Fast User Switching”
• Proof of who did what and when in the SAP System with a biometric log file
bioLock “sits” on top of SAP Security
[Slide diagram: “Additional biometric Security” layered on top of “Existing SAP Security”]
bioLock will not “touch” or change your existing security roles or profiles! It adds an additional layer of security!
bioLock Independent Additional Protection
[Slide diagram: bioLock protection shown alongside, and independent of, the Finance, IT and HR SAP User Profiles]
bioLock invites users via biometric template – the protection is defined in bioLock and supersedes the SAP User Profile.
[Slide diagram: bioLock second-layer flow]
Existing Security Layer 1: Logon / Task
Additional Security Layer 2 (2nd layer protection with bioLock):
• bioLock “Door Lock” is detected
• bioLock prompts you for fingerprint
• Fingerprint comparison with table (bioLock templates)
• bioLock checks SAP authentication rules (bioLock user / function)
• Access authorized – or – Access blocked
Please Note: The biometric technology identifies unique points on your finger and creates an encrypted, digital template – it never stores an actual image of the finger!!!
Proof - in writing for the auditors
The log file proves:
• Who logged on
• Who executed the task
• Who confirmed a task
• Who was rejected TRYING to execute a task that they were not allowed to execute
[Slide diagram: “Actual User – uniquely identified with biometrics” mapped to the “Identified SAP User Profile (‘Space Suit’)”]
Case Study: Finance System
The Challenge:
• A bank had multiple critical tasks in their financial application including opening balance sheets, approving budgets and issuing wire transfers
• Groups of people had access to many parts of the finance system
• The client needed to uniquely identify the “actual user” and log activities
• Management requested that 2 individuals would authorize certain tasks
The Solution:
• bioLock with the dual confirmation group was installed
• 2 people have to authorize tasks
• Both will be uniquely identified…
• …and logged in the log file
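The three slides above (the second-layer flow, the auditor log, and the dual-confirmation case study) describe one mechanism: a check that sits on top of the existing profile-based authorization, decides on the verified person rather than the shared SAP user profile, can demand a second, different approver, and writes every outcome to a log. The following is an added toy model of that mechanism in Python; it is not bioLock's or SAP's code. The template table, person names, SAP profile name, function names and the "rules" dictionary are all constructed for the example, and the "templates" are arbitrary byte strings standing in for the encrypted biometric templates the slides mention.

```python
"""Toy second enforcement layer (added example, not bioLock's or SAP's code):
binds each protected action to a verified person, supports a two-person rule,
and records who logged on, executed, confirmed, or was rejected."""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional

# Constructed sample template table: opaque template bytes -> enrolled person.
# Stand-ins for encrypted biometric templates; no image is ever stored.
TEMPLATES = {
    b"tmpl-alice-7a3f": "alice",
    b"tmpl-bob-91c0": "bob",
}


def verify_template(presented: bytes, templates=TEMPLATES) -> Optional[str]:
    """Compare the presented template against the whole table and return the
    matched person or None. Every entry is compared (no early return) and
    compare_digest is used so lookup time does not leak table position."""
    match = None
    for enrolled, person in templates.items():
        if compare_digest(enrolled, presented):
            match = person
    return match


@dataclass(frozen=True)
class Identity:
    person: str   # who the second layer verified (from the template table)
    profile: str  # the SAP user profile ("space suit") the session is using


@dataclass(frozen=True)
class Rule:
    allowed: frozenset          # persons permitted to run the function
    dual_confirm: bool = False  # require a second, different, allowed person


@dataclass
class SecondLayer:
    """Rules are keyed by function name and evaluated against the verified
    person. The SAP profile is recorded for the auditors but never consulted,
    so this layer supersedes the existing roles without modifying them."""
    rules: dict
    audit: list = field(default_factory=list)

    def _log(self, event: str, who: Identity, function: str, outcome: str) -> dict:
        entry = {"event": event, "person": who.person, "profile": who.profile,
                 "function": function, "outcome": outcome}
        self.audit.append(entry)
        return entry

    def logon(self, presented: bytes, profile: str) -> Optional[Identity]:
        person = verify_template(presented)
        if person is None:
            self._log("logon", Identity("<unverified>", profile), "-", "rejected")
            return None
        ident = Identity(person, profile)
        self._log("logon", ident, "-", "authorized")
        return ident

    def execute(self, function: str, actor: Identity,
                confirmer: Optional[Identity] = None) -> bool:
        rule = self.rules.get(function)
        if rule is None:
            # Not a protected function: layer 1 (the SAP roles) decides alone.
            self._log("execute", actor, function, "unprotected")
            return True
        if actor.person not in rule.allowed:
            self._log("execute", actor, function, "rejected")
            return False
        if rule.dual_confirm:
            # Second approver must exist, be a different person, and be allowed.
            if (confirmer is None or confirmer.person == actor.person
                    or confirmer.person not in rule.allowed):
                self._log("execute", actor, function, "rejected: needs second approver")
                return False
            self._log("confirm", confirmer, function, "authorized")
        self._log("execute", actor, function, "authorized")
        return True


# Constructed rules mirroring the case study: budgets need one allowed person,
# wire transfers need two distinct allowed persons.
RULES = {
    "approve_budget": Rule(frozenset({"alice", "bob"})),
    "issue_wire_transfer": Rule(frozenset({"alice", "bob"}), dual_confirm=True),
}


def demo() -> list:
    """Walk the case-study scenario and return the audit trail."""
    layer = SecondLayer(RULES)
    # Both people share one generic SAP profile; the log still names the person.
    alice = layer.logon(b"tmpl-alice-7a3f", "FIN_CLERK")
    bob = layer.logon(b"tmpl-bob-91c0", "FIN_CLERK")
    layer.logon(b"tmpl-unknown", "FIN_CLERK")                       # not enrolled
    layer.execute("approve_budget", alice)                          # one approver
    layer.execute("issue_wire_transfer", alice)                     # no confirmer
    layer.execute("issue_wire_transfer", alice, confirmer=alice)    # self-confirm
    layer.execute("issue_wire_transfer", alice, confirmer=bob)      # two persons
    return layer.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the model is the separation of concerns the slides draw: `verify_template` answers "which person is here", the rule table answers "may this person do this", and `audit` keeps the answer to both questions for every attempt, including the rejected ones, which is what an auditor needs to trace an action to a person rather than to a shared profile.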
Conclusion
• SAP Security and ALL compliance efforts (SoDs) are solely based on password protected USER Profiles
• Passwords are not secure and offer very limited protection and no accountability at all
• Damages include severe financial losses, espionage, bad press, image loss, lawsuits, compliance violations, etc.
• Experts agree - Biometrics is the only solution approach to increase security and convenience and establish clear accountability
• A study confirms how a company can be compliant, but not secure
• bioLock is the only certified biometric technology available for SAP
• There is no comparable technology available for SAP’s competitors
Resources
• SAP WebEx recording – View a presentation and live demo of bioLock: http://www.sap.com/community/showdetail.epx?itemID=11423
• Thief misuses authorizations and costs French bank $7 billion: http://www.scmagazineus.com/Rogue-bank-trader-bypasses-computer-security-loses-7-billion/article/104519
• SAP TV Movies about biometrics at Brevard County Government and SOX Compliance: http://www.realtimenorthamerica.com/saptv.shtml
• Research study from the California State University that has established that without biometrics there is no true compliance: http://business.fullerton.edu/resources/biometrics/
• View a PPT Screenshot demonstration of the biometric technology at work in the SAP System: http://www.realtimenorthamerica.com/download/bioLock_demo.ppt
• SAP Info Article: Handling Accountability Issues with bioLock at the Polk County School District: www.sap.info/int/go/36553/
• A former DuPont research chemist stole $400 million in intellectual property from his employer: http://www.sap.info/public/INT/int/index/Category-28813c6138d029be8-int/0/articlesVersions-2278745d982e50690f
• View how easy it is to identify a password that was video taped with a cell phone: http://www.showpasswordsthefinger.com
Planning COI Focus & Future Topics
• Do we have agreement on the direction of current and future topics for this COI?
• Where can we add value to both our Banking & Financial Service Provider customers?
• Are there specific high priority areas of focus you would like to have added to the “Hot Topics” list?
Next Steps
• Determine Customer Topics of Interest for future event planning
• Secure customer volunteers to lead Banking Community
• Upcoming group Webcast sessions and topics
• On-site meetings planned for 2008
Questions & Customer Feedback
• Open session for customer comments, questions, and feedback.