realtime North America, Inc.

Technical Overview
The only SAP®-certified fingerprint authentication, identity and risk management for SAP® systems
Bulletproof SAP® security at your fingertips!
© 2011 realtime North America Inc., Tampa, FL. All Rights Reserved.
Who is realtime?
Founded in 1986 by former SAP® managers
Certified software, services & special expertise partner
Specializing in governance, risk and compliance (GRC)
Serving many industry sectors including food, pharmaceutical, chemical, automotive, aerospace, defense, engineering, government and more
Flagship software product, certified by SAP® since 2002, is bioLock
Bulletproof SAP® security at your fingertips!
Selected realtime clients
3M, AIRBUS, Alcan, BASF IT Services B.V., Bayer,
Bayer CropScience, Brevard County Government,
California State University, Campbell's,
GlaxoSmithKline, Harman Kardon Music Group,
Krupp Bilstein, Linde, Loewe Opta, Marathon Oil, Océ
Document Technologies, Polk County School District,
Purdue Pharma, Siemens, ThyssenKrupp Michigan,
Toyota, United States Army…
Over 200 global clients served!
What were these users looking for?
bioLock was developed to provide these benefits demanded by users:
Dramatically increase SAP® security capabilities
Manage user identities via indisputable biometrics
Control access to functions down to the field level
Enforce true Segregation of Duties (SoD)
Ensure meaningful compliance with: Sarbanes-Oxley, HIPAA, ITAR and more
Are you still relying on this?
Traditional SAP® log-on process uses passwords
[Diagram: user password → SAP® software]
Passwords are written down, borrowed, stolen, misused
Provides “perimeter” security but no additional layers!
How to Bulletproof your system:
[Diagram: user’s fingerprint → encrypted scan → SAP® software]
SAP® log-on profiles are enhanced with fingerprint interface
User is prompted via bioLock software as shown above
Various hardware devices can be used to securely scan fingerprints - while protecting users’ privacy!
What devices can verify user identity?
[Slide graphic: a fingerprint-enabled laptop plus one of the optional devices listed below; one device is marked as potential future development]
bioLock is hardware independent
Device captions on the slide (the pairing of names and descriptions was lost in extraction): Cherry ID Mouse; Leading Laptops; 23% have Swipe Sensors; UPEK Eikon; Low-cost Device; Smart Card Option; Convenient Touch Sensor; bioLock ID Mouse; Zvetco P5000; High End Device; Cherry Keyboard; Powered by Secugen; Secugen Hamster; FIPS 201 Compliant
bioLock is compatible with over 80 laptops (with built-in fingerprint sensor) and over 50 independent devices like mice, keyboards, or PCMCIA cards.
SAP® logon & system access with bioLock
[Flow diagram: Logon → bioLock checks user/function against authentication rules → bioLock prompts you for fingerprint → fingerprint comparison with the bioLock templates table → logon authorized, or logon blocked]
Note:
bioLock identifies unique points (minutiae) within a fingerprint and creates an encrypted, digital template – no images of fingerprints are ever stored!
5 Extra Levels of Security
Existing SAP® Security consists of password log-on
“Bulletproofing” with bioLock:
I) Authenticate user log-on based on fingerprint
II) Lock down any transaction (e.g. SE38 or ME21N)
III) Protect “infotypes”, fields, buttons according to customizable profiles (e.g. HR infotype 167)
IV) Require authentication if a field value exceeds a trigger amount (e.g. a transfer > $10,000)
V) Require dual user authentication for critical SAP® functions, viewing sensitive data or intellectual property
bioLock - Seamless Integration
Unaffected by SAP® versions or upgrades
Existing SAP® passwords and authorizations are unchanged
Compatible with all SAP® versions from 4.x onward
Profiles are 100% customizable on a user-by-user basis
You decide what aspect of your system needs to be protected and how stringently!
Bulletproof bioLock Security - What is the impact on end-users?
One-time user enrollment takes only a few minutes
Use is very intuitive, no training required
Ongoing use consists of occasionally responding to a prompt for the user’s fingerprint – each profile can be unique
Fingerprint images are never stored – privacy is protected
A majority of end-users can be exempted, depending on their security risk profile and management’s policies
bioLock - What is the impact on IT?
Installation is done in just a few hours, by downloading the program into its own /realtime namespace within SAP®
Configuration is done in several days with the help of realtime consultants.
bioLock is compatible with SAP® 4.x and higher, and is unaffected by version upgrades.
Setting up user profiles can be done as quickly or as slowly as desired.
As users are activated, a fingerprint scanning device is installed at their workstation. A robust audit trail is automatically generated within SAP®.
Let’s get started with the demo:
Select your SAP system in the SAP Logon.
Let’s start the traditional way and use the SAP GUI to log on with User Name and Password…
A stolen password won’t get you in!
Type in User Name and Password
User “Smith” found out the password of user “Jones” and logs on as SAP User “Jones”
Prevent Password Sharing!
In addition to the password, the logon is authenticated by verifying the user’s fingerprint (Security Level I)
Although the “Smith” fingerprint template exists in the SAP system, another user cannot log in by borrowing this profile
Only Authorized Users can log on with an SAP User Profile.
Password sharing will not be possible anymore!
Now the real user “Jones” enters the correct user name and password
After successful biometric identification the actual user “Jones” can log on to the “Jones” SAP User Profile.
User “Jones” selects the transaction “ME21N” to display a purchase order
…and successfully authenticates with a fingerprint (biometric template)
Please NOTE: This could be virtually any R/3 transaction such as SE16 or SE38 (Security Level II)
User “Jones” successfully opens a Purchase Order after fingerprint authentication…
For demo purposes, User “Jones” then exits the transaction and goes for coffee.
Another user, “Smith”, sits down at the workstation which is logged in as “Jones” and tries to re-open the transaction.
Step Up Control
Although the workstation is logged in with the fully authorized SAP User Profile “Jones”, the actual user, “Smith”, fails the fingerprint authentication!
Please NOTE: Although the identity of the user “Smith” is known to bioLock, for security purposes this information is not displayed, but the bioLock log file will show that “Smith” tried to create a PO while being logged in as “Jones”.
The system could immediately alert security about this unauthorized access attempt.
Clear Log Files
Password sharing is a thing of the past:
“Smith” stole or borrowed a password but could not use it in SAP due to the biometric verification!
SAP User “Jones” is uniquely identified as “Jones” based on the fingerprint and logs on to the SAP system.
“Smith” tries to create a Purchase Order – on a computer logged on as SAP User “Jones” – and is rejected due to the bioLock credential violation.
“Jones” logs out of the SAP system…
Another User, “Smith”, takes over the computer and uses the realtime SINGLE SIGN ON to log on to SAP.
No Logon and Password information is requested!
“Smith” opens the optional “Single Sign On” menu and selects the desired SAP system.
“Smith” selects the SAP Demo System…
Please NOTE: The normal SAP log-on is skipped. There is no need to enter an SAP User or Password!
The identity of user “Smith” is verified via fingerprint scan.
HR Protection for HIPAA Compliance
In this example we protect the Health Plan Information down to the field level (Security Level III) by locking Infotype 167.
If the field input requires biometric verification the system will ask for a fingerprint…
Infotype 167 is protected with biometrics based on the value (input) – all other Infotypes can be accessed as usual.
Brevard County Government won the prestigious “InfoWorld 100 Award” protecting their Health Plans with bioLock to comply with HIPAA!
View the movie clip that SAP made about the bioLock installation at Brevard County: www.bioLock.us (click on movies in the Info Center)
After successful authentication, the health plan info is displayed.
Smart Card Integration
Any functions (Level I, II and III) can be protected via fingerprints, Smart Cards or passwords using bioLock
Optional Smart Card Use:
As long as a user’s Smart Card is inserted in the reader, protected functions can be accessed or executed…
…but once the Smart Card is removed the functions are locked down…
Access will be denied and the system will request a “valid card”.
Field Masking
In this example “critical fields” in a screen normally accessible to many users may be hidden based on users’ SAP permissions and bioLock profiles.
The red boxes point out the hidden data locations. A user with appropriate security clearance could view the data after successful authentication of their biometric fingerprint template.
SAP authorized user “Williams”, who is not enrolled in the bioLock system, can access the general screen, but cannot see the hidden fields.
While any user can view this screen (based on SAP permission), only authorized users can view the hidden information in the red boxes after biometric verification.
User “Smith” was assigned permission in bioLock to view the information based on a high-level security clearance.
Step up control
“Smith” views critical HR info
An unknown visitor is rejected trying to view critical HR data on the same workstation
Independent of the SAP User who signed on to the SAP system, bioLock uniquely identifies the actual user and ONLY permits defined, invited users.
Fast User Switching
Sometimes multiple users share workstations, for example: hospitals, warehouses, financial institutions, etc.
Due to time constraints, logging on/off is impractical, but re-authentication via fingerprint scan is practical.
bioLock allows all users to authenticate on all workstations at the beginning of a work session, using only fingerprint authentication after the initial verification.
bioLock will always identify and log the uniquely authenticated, actual users – independent of their SAP User profiles
Dual Controls
Displaying the balance sheet is protected using the “Dual Confirmation Group” function.
Two different users have to authorize this activity, just like requiring two signatures on a check!
The first person will be asked to authenticate…
The message then prompts the 1st user for the secondary authorization. There is no “time-out”, so the 1st user can await the 2nd user’s arrival.
A “dual confirmation group” can be defined. This “group” could consist of more than two users, any of whom are authorized to provide the needed secondary approval.
Only after two authorized users have authenticated will the balance sheet be displayed:
The idea of the dual confirmation group could be compared to two signatures on a check…
… and is nearly a “must” for any financial and HR activity!
The log file shows that user “Smith” requested the balance sheet report. “Miller” confirmed the request.
Both were uniquely identified, logged and accountable!
Ultimate financial and payment control
In this screen $5,000 has been posted to an account
As long as the amount is less than $50,000 no biometric verification is required!
This requirement came from the oldest Central Bank in the world:
All SAP authorized users can execute transfers below $50,000
Only defined users – as permitted by bioLock – can execute transfers exceeding $50,000
Control Payments over certain amounts
If the amount entered exceeds a predefined amount, in this example $50,000, the user needs to authenticate via fingerprint scan.
911 – what is your emergency?
Imagine a user being forced to execute a $1 Million transfer under duress…
The user could choose to put a different, predefined 911 emergency finger on the sensor.
This finger scan could alert security personnel without executing the function, similar to pressing the “panic” button during a bank robbery but without the intruder knowing that the button was pressed.
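The five protection levels, the step-up control in the demo, the $50,000 transfer trigger, the dual confirmation group and the 911 finger all come down to one decision: who is actually at the keyboard, as identified by the template match, and what the protection tables say that person may do on that function. The Python model below is an added example written for this page, not realtime's code or bioLock's ABAP. The enrollment, protection and exception tables are plain dictionaries standing in for bioLock's customizing tables; the template ids, user names, function keys and the $50,000 trigger are constructed for the example. It also shows the two cases the slides stress: a rejection is logged against the identified person together with the SAP session user, and a duress scan alerts without executing anything.

```python
# Added example for this page (not realtime's code). All tables are constructed
# stand-ins for bioLock's customizing; template ids replace encrypted minutiae templates.
from dataclasses import dataclass, field
from typing import Optional

# Enrollment table: template id -> (enrolled person, is this the 911 emergency finger?)
TEMPLATES = {
    "tpl-jones-1": ("JONES", False),
    "tpl-smith-1": ("SMITH", False),
    "tpl-smith-9": ("SMITH", True),    # Smith's predefined 911 finger (silent alarm)
    "tpl-miller-1": ("MILLER", False),
}
PROTECTED_TX = {"ME21N", "SE38", "SE16"}              # level II: locked-down transactions
PROTECTED_INFOTYPES = {("PA30", "0167")}               # level III: HR infotype 167 only
AMOUNT_TRIGGER = 50_000                                # level IV: transfers above this need a scan
DUAL_GROUPS = {"BALANCE_SHEET": {"SMITH", "MILLER"}}   # level V: two distinct group members
ALLOWED = {                                            # exceptions table: who may run what
    "ME21N": {"JONES"},
    "PA30/0167": {"SMITH"},
    "TRANSFER": {"SMITH"},
    "BALANCE_SHEET": {"SMITH", "MILLER"},
}

@dataclass
class Session:
    sap_user: str                                  # user the SAP GUI is logged on as
    log: list = field(default_factory=list)        # bioLock's own audit trail
    pending: dict = field(default_factory=dict)    # dual-confirmation requests (no time-out)

def protection_key(function: str, infotype: Optional[str] = None,
                   amount: Optional[int] = None) -> Optional[str]:
    """Return the rule key if the action is protected, or None if it runs as usual."""
    if infotype is not None:
        return f"{function}/{infotype}" if (function, infotype) in PROTECTED_INFOTYPES else None
    if function == "TRANSFER":
        return "TRANSFER" if amount is not None and amount > AMOUNT_TRIGGER else None
    if function in PROTECTED_TX or function in DUAL_GROUPS:
        return function
    return None

def request(s: Session, function: str, scan: Optional[str] = None,
            infotype: Optional[str] = None, amount: Optional[int] = None) -> str:
    """Decide on an action using the identified person, never the SAP session user."""
    key = protection_key(function, infotype, amount)
    if key is None:
        return "ALLOW"                             # no biometric check configured
    match = TEMPLATES.get(scan)                    # scan=None or unknown finger -> no match
    if match is None:
        s.log.append(("REJECT", key, "UNKNOWN", s.sap_user))
        return "REJECT"
    person, duress = match
    if duress:                                     # silent alarm: the function is NOT executed
        s.log.append(("ALERT_911", key, person, s.sap_user))
        return "ALERT_911"
    if person not in ALLOWED.get(key, set()):
        # the real identity is logged next to the session user, but not shown on screen
        s.log.append(("REJECT", key, person, s.sap_user))
        return "REJECT"
    if key in DUAL_GROUPS:
        s.pending[key] = person                    # wait for a second group member
        s.log.append(("REQUEST", key, person, s.sap_user))
        return "AWAIT_CONFIRM"
    s.log.append(("ALLOW", key, person, s.sap_user))
    return "ALLOW"

def confirm(s: Session, function: str, scan: str) -> str:
    """Second authorization: must come from a different member of the dual group."""
    requester = s.pending.get(function)
    match = TEMPLATES.get(scan)
    person = match[0] if match else "UNKNOWN"
    if match and match[1]:
        s.log.append(("ALERT_911", function, person, s.sap_user))
        return "ALERT_911"
    if requester is None or person == requester or person not in DUAL_GROUPS.get(function, set()):
        s.log.append(("REJECT", function, person, s.sap_user))
        return "REJECT"
    del s.pending[function]
    s.log.append(("CONFIRM", function, person, s.sap_user))
    return "ALLOW"

def replay_demo() -> list:
    """Replay the slide scenario on a workstation logged on as Jones; returns the audit log."""
    s = Session("JONES")
    request(s, "ME21N", "tpl-jones-1")                       # Jones opens the PO: allowed
    request(s, "ME21N", "tpl-smith-1")                       # Smith on Jones' session: rejected
    request(s, "TRANSFER", amount=5_000)                     # below trigger: no scan, nothing logged
    request(s, "TRANSFER", "tpl-smith-9", amount=1_000_000)  # duress finger: alert, not executed
    request(s, "BALANCE_SHEET", "tpl-smith-1")               # Smith requests, awaits 2nd user
    confirm(s, "BALANCE_SHEET", "tpl-miller-1")              # Miller confirms
    return s.log

if __name__ == "__main__":
    for entry in replay_demo():
        print(*entry)
```

The design point worth carrying over to any real deployment is that `ALLOWED` is keyed by the identified person, so the SAP session user never enters the authorization decision; it is only recorded, next to the real identity, for the audit trail.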
For Auditing purposes bioLock creates its own log file, which shows all biometric activities and relevant information. This information can be exported to different formats or emailed to the supervisor…
Protected with a dual confirmation group, this log entry clearly confirms that “Smith” opened a bioLock transaction (could be a high value financial transaction) and “Miller” confirmed it!
911 Emergency !!!
“Smith” has a different fingerprint assigned for 911 Emergency. If forced by a 3rd party “Smith” could use this fingerprint to alert security – just like activating a silent alarm.
You can sort by color coded status (risk level).
You can sort on any column or filter by keyword such as user name or rejected transactions. You can also export and email different formats to supervisors…
Auditors and management will love it!!!
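A reviewer's first use of such an export is to filter and sort it the way the slides describe and then pull out the entries that matter: a person rejected on a workstation logged on as someone else, a 911 alert, an unenrolled visitor, repeated rejections, and a dual confirmation where the confirmer turns out to be the requester. The Python below is an added example written for this page, not realtime's tool. The pipe-separated layout and the 2011 sample lines are constructed for the example and are not bioLock's real export format; the status values mirror the events named on the slides.

```python
# Added example for this page (not realtime's code): parse, filter and review a
# constructed bioLock-style log export. Layout is assumed, not bioLock's real format:
# timestamp|risk colour|status|function|actual=<person identified by fingerprint>|session=<SAP user>
import re
from collections import Counter

SAMPLE_LOG = """\
2011-03-14 09:12:05|GREEN|ALLOW|ME21N|actual=JONES|session=JONES
2011-03-14 09:20:41|RED|REJECT|ME21N|actual=SMITH|session=JONES
2011-03-14 09:21:03|RED|REJECT|ME21N|actual=SMITH|session=JONES
2011-03-14 09:21:30|RED|REJECT|ME21N|actual=SMITH|session=JONES
2011-03-14 10:02:17|YELLOW|REQUEST|BALANCE_SHEET|actual=SMITH|session=SMITH
2011-03-14 10:05:44|GREEN|CONFIRM|BALANCE_SHEET|actual=MILLER|session=SMITH
2011-03-14 11:40:09|RED|ALERT_911|TRANSFER|actual=SMITH|session=SMITH
2011-03-14 12:00:00|GREEN|ALLOW|PA30/0167|actual=SMITH|session=SMITH
2011-03-14 13:00:00|RED|REJECT|PA30/0167|actual=UNKNOWN|session=WILLIAMS
2011-03-14 14:10:00|YELLOW|REQUEST|BALANCE_SHEET|actual=MILLER|session=MILLER
2011-03-14 14:10:30|GREEN|CONFIRM|BALANCE_SHEET|actual=MILLER|session=MILLER
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+)\|(?P<risk>\w+)\|(?P<status>\w+)\|(?P<function>[^|]+)"
                  r"\|actual=(?P<actual>\w+)\|session=(?P<session>\w+)$")
RISK_ORDER = {"RED": 0, "YELLOW": 1, "GREEN": 2}   # colour-coded status, most urgent first

def parse_log(text: str) -> list:
    """Turn export lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def filter_entries(entries: list, status: str = None, user: str = None) -> list:
    """Keyword filter as on the slide: by status (e.g. REJECT) and/or by user name."""
    return [e for e in entries
            if (status is None or e["status"] == status)
            and (user is None or user in (e["actual"], e["session"]))]

def sort_by_risk(entries: list) -> list:
    """Sort by risk colour, then by time, so RED entries come first."""
    return sorted(entries, key=lambda e: (RISK_ORDER.get(e["risk"], 9), e["ts"]))

def review_findings(entries: list, repeat_threshold: int = 3) -> list:
    """Return (severity, message) pairs an auditor would want to see first."""
    findings = []
    for e in entries:
        if e["status"] == "ALERT_911":
            findings.append(("RED", f"duress alarm from {e['actual']} on {e['function']}; function not executed"))
        elif e["status"] == "REJECT" and e["actual"] == "UNKNOWN":
            findings.append(("RED", f"unenrolled person rejected on {e['function']} at session {e['session']}"))
        elif e["status"] == "REJECT" and e["actual"] != e["session"]:
            findings.append(("RED", f"{e['actual']} rejected on {e['function']} while workstation logged on as {e['session']}"))
    # repeated rejections by the same identified person on the same function
    repeats = Counter((e["actual"], e["function"]) for e in entries if e["status"] == "REJECT")
    for (actual, function), n in repeats.items():
        if n >= repeat_threshold:
            findings.append(("RED", f"{n} rejected attempts by {actual} on {function}"))
    # dual confirmation: the confirmer must be a different person than the requester
    open_requests = {}
    for e in entries:
        if e["status"] == "REQUEST":
            open_requests[e["function"]] = e["actual"]
        elif e["status"] == "CONFIRM":
            requester = open_requests.pop(e["function"], None)
            if requester is None:
                findings.append(("YELLOW", f"confirmation on {e['function']} by {e['actual']} without a logged request"))
            elif requester == e["actual"]:
                findings.append(("RED", f"{requester} both requested and confirmed {e['function']}"))
    return sorted(findings, key=lambda f: RISK_ORDER[f[0]])

if __name__ == "__main__":
    for severity, message in review_findings(parse_log(SAMPLE_LOG)):
        print(severity, message)
```

The repeated-rejection and self-confirmation checks are deliberately independent of whatever bioLock enforces at run time: an audit review should be able to confirm from the log alone that the two-person rule held, rather than trusting the enforcement it is auditing.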
Here is a quick overview of the bioLock administrative function:
The enrollment of any Biometric Info System (BIS) User takes only seconds. Up to 10 fingers can be enrolled - so if one finger or a hand gets injured the user can switch!
Add a Smart Card for the ultimate “Two-Step Authentication”!
This menu controls the definition of protected system functions.
Define a new number for your protected function.
Define the text that will be displayed.
Select protection by finger scan, Smart-Card, password or a combination!
Other exceptions, terminations, log file entries and general protections can be defined in these columns…
It is recommended to enroll the biometric template for the bioLock User under the same name as the SAP User, so that the biometric template is automatically assigned to the corresponding SAP User Profile.
This table defines exceptions. The biometric template for employee “Jones” could be assigned to a supervisor’s SAP User profile (“Smith”) so that “Jones” can also work under the supervisor’s profile.
Multiple users could be assigned to general SAP User IDs for controlled fast user switching (example: in a Warehouse)
Even if the computers are unlocked in this warehouse scenario, only the 6 defined users can execute critical tasks.
Unauthorized users such as truck drivers don’t have access.
Most functions should be protected globally and for all users by activating the “global check” in the protected system functions (2 slides back).
In this table we can define exceptions and manually assign certain functions to certain users.
You can also define if a function for a certain user should have extra protection via “Dual Confirmation Group”.
To create the dual confirmation group we define a number and give the group a name…
Please note: If the dual authentication always requires the same people, one group could be used for multiple tasks!
… now assign two or more biometric users to the group.
Any number of users can be defined in the group, to ensure availability of a backup person.
Please note: The system’s flexibility could allow any member of the group to “request” and any other member to “confirm” a function – or there could be a MASTER to “request” and others who can only “confirm”.
Protecting an HR Infotype is as easy as entering the transaction number, infotype and the user into the table…
This security menu can protect one or more transactions automatically:
Define or upload a file with all the transactions that you want to protect and bioLock will remove the original transaction from the SAP roles…
A great time saver to protect dozens of transactions!!!
Now the SAP User no longer has permission for the original transaction and has to execute the desired transaction via the realtime Security Menu.
bioLock is a very advanced protection system that has been installed in commercial and government organizations.
SAP Public Sector is promoting bioLock worldwide through their team and has presented bioLock at their Homeland Security Pavilion at Sapphire Shows.
…which of course is protected with bioLock
Benefits of bioLock
The entire installation and configuration of bioLock can be done quite rapidly. Only minimal training is required, and the impact on both users and IT support staff is minimal, both during installation and in use.
Since bioLock is certified by SAP®, ongoing compatibility with different versions is assured.
In a very short time, you can start enjoying benefits such as:
1. Dramatically increased SAP® security capabilities
2. Manage users’ identities via indisputable biometrics
3. Control access to functions down to the field level
4. Enforce true Segregation of Duties (SoD)
5. Attain meaningful compliance with SOX, HIPAA & ITAR
Statistically, a starter package could cost less than a single fraud incident.
bioLock is SAP® certified since 2002
Visit: www.bioLock.us
Please contact us for a demonstration or pilot installation:
1-877-bioLock
info@biolock.us
realtime North America, Inc.
WORLD TRADE CENTER
1101 Channelside Drive, Tampa, FL 33602
T: 813-283-0070 F: 813-283-0071 Email: info@biolock.us Web: www.bioLock.us