The only SAP®-certified fingerprint authentication,
identity and risk management for SAP® systems
Bulletproof SAP® security at
your fingertips!
© 2011 realtime North America Inc., Tampa, FL. All Rights Reserved.
Who is realtime?
Founded in 1986 by former SAP® managers
Certified software, services & special expertise partner
Specializing in governance, risk and compliance (GRC)
Serving many industry sectors including food,
pharmaceutical, chemical, automotive, aerospace,
defense, engineering, government and more
Flagship software product, certified by SAP® since 2002
Bulletproof SAP® security at your fingertips!
Selected realtime clients
3M, AIRBUS, Alcan, BASF IT Services B.V., Bayer,
Bayer CropScience, Brevard County Government,
California State University, Campbell's,
GlaxoSmithKline, Harman Kardon Music Group,
Krupp Bilstein, Linde, Loewe Opta, Marathon Oil, Océ
Document Technologies, Polk County School District,
Purdue Pharma, Siemens, ThyssenKrupp Michigan,
Toyota, United States Army…
Over 200 global clients served!
What were these users looking for?
was developed to provide these
benefits demanded by users:
Dramatically increase SAP® security capabilities
Manage user identities via indisputable biometrics
Control access to functions down to the field level
Enforce true Segregation of Duties (SoD)
Ensure meaningful compliance with:
Sarbanes-Oxley, HIPAA, ITAR and more
Is your system bulletproof?
Standard Version
Bulletproof Version
Standard Protection
Bulletproof Protection
#1 Risk: Fraud is a growth industry
According to the ACFE’s
2010 Report to the Nations on
Occupational Fraud and Abuse ,
based on global data, organizations lose
about 5% of annual revenue to fraud.
Schemes can go undetected for years and
frequently involve first-time offenders.
Association of Certified Fraud Examiners
Are you concerned about…
Risk of Financial
HIPAA Compliance?
(Section 404)?
Industrial Espionage?
Other regulations?
How would an incident affect you?
Financial loss?
Negative publicity?
Loss of intellectual property?
Decline in stock price?
Are you still relying on this?
Traditional SAP® log-on process uses passwords
User password
SAP® Software
Passwords are written down, borrowed, stolen, misused
Provides “perimeter” security but no additional layers!
Fingerprint Scan = Maximum Security
Biometric technology
offers the highest
How to Bulletproof your system:
Encrypted scan
SAP® Software
SAP® log-on profiles are enhanced with fingerprint interface
User is prompted via bioLock software as shown above
Various hardware devices can be used to securely scan
fingerprints - while protecting users’ privacy!
What devices can verify user identity?
Plus one of these… (optional)
Potential Future Development
is hardware independent
Cherry ID Mouse
Leading Laptops
UPEK Eikon
23% have Swipe Sensors
Low-cost Device
Smart Card Option
Convenient Touch Sensor
bioLock ID Mouse
Zvetco P5000
High End Device
Cherry Keyboard
Powered by Secugen
Secugen Hamster
FIPS 201 Compliant
bioLock is compatible with over 80 laptops (with builtin fingerprint sensor) and over 50 independent devices
like mice, keyboards, or PCMCIA Cards.
SAP® log-on & system access with
bioLock checks
authentication rules
bioLock prompts you for fingerprint
Fingerprint comparison with table
Logon blocked
Logon authorized
bioLock identifies unique points (minutiae) within a
fingerprint and creates an encrypted, digital template
– no images of fingerprints are ever stored!
5 Extra Levels of Security
Existing SAP® Security
Consists of Password Log-On
“Bulletproofing” with
Authenticate user log-on based on fingerprint
II) Lock down any transaction (e.g. SE38 or ME21N)
III) Protect “infotypes”, fields, buttons according to
customizable profiles (e.g. HR infotype 167)
IV) Require authentication if a field value exceeds a
trigger amount (e.g. a transfer > $10,000)
Require dual user authentication for critical SAP®
functions, viewing sensitive data or intellectual
Bulletproof Security requires 5 Levels
Perimeter Security - Level I
Transactions – Level II
Fields - Level III
Financial Limits – Level IV
Dual Approval – Level V
All levels can be
controlled using
fingerprint scan!
Multiple Control Points per User
Log-on to a Profile (e.g. Admin)
Transactions (e.g. HR / PO / Finance)
Infotypes (e.g. 008/167 etc.)
Buttons (e.g. Print / Export / Execute)
Display (e.g. Balance Sheet)
Execute (e.g. prevent execution of anything…)
Tables within SE16/SE16N
Programs within SE38
Values (e.g. wire transfer of a certain amount)
Screens (e.g. export control / ITAR )
Dual Authentication
Mask Fields (e.g. make data invisible)
Example –
Masking Field Data:
Fast User Switching
Sometimes multiple users share workstations, for
example: Hospitals, Warehouses, Financial Institutions, etc.
Due to time constraints, logging on/off is impractical, but
re-authentication via fingerprint scan is practical.
bioLock allows all users to authenticate on all
workstations at the beginning of a work session, using only
fingerprint authentication after the initial verification.
bioLock will always identify and
log the uniquely authenticated,
actual users – independent of
their SAP User profiles
Example: Who Has Access?
6,000 Named SAP Users
Fraud is mostly committed
by stealing or cracking a
password to access profiles with
critical, extended authorizations
2,000 Users with potential
access to critical data
1,000 Users with restricted
roles to critical functions
VIP Only:
500 Permitted
Users for most
Bulletproof Data Protection
The threat comes from the
inside and outside!
- Seamless Integration
Unaffected by SAP® versions or upgrades
Existing SAP® passwords and authorizations are unchanged
Compatible with all SAP® versions from 4.x onward
Profiles are 100% customizable on a user-by-user basis
You decide what aspect of your system needs to be protected
and how stringently!
Bulletproof bioLock Security
What is the impact on users?
Only a minority of users are enrolled, depending on their
security risk profile and management’s policies
One-time user enrollment takes only a few minutes
Use is very intuitive, no training required
Ongoing use consists of occasionally providing a fingerprint
scan – each user profile can be unique
Fingerprint images are never stored – privacy is protected
Example – what a user sees…
User logs on using their SAP
User Profile and password
User is prompted for a fingerprint scan to
complete log-on (Security Level I)
Example – what a user sees…
User selects the transaction “ME21N”
to create a purchase order
User is prompted for a
fingerprint scan to
complete the activity
(Security Level II)
NOTE: This could be virtually any R/3
transaction such as SE16 or SE38
Example – what a user sees…
User attempts to look up Health Plan
information under Infotype 167
Infotype 167 (field level) is protected for HIPAA
compliance, so user is prompted for fingerprint
scan (Security Level III)
- What is the impact on IT?
Installation is done by simply downloading bioLock
transports into its own /realtime namespace within SAP®.
bioLock is compatible with SAP® 4.x and higher, and is
unaffected by version upgrades.
Configuration and training is done in several days with the
support of realtime consultants or partners.
Roll-out to selected users can be done quickly, slowly or in
phases as desired, or even by automated installation.
As users are activated, a fingerprint scanning device is
installed at their work station. A robust audit trail is
automatically generated within SAP®.
Log File
Enhanced activity logging
…and the REAL USER as
identified by fingerprint
Sorted by error / threat category
Audit trail is greatly enhanced
Unauthorized attempt to log on
with another user’s Password
Sample Success Stories Achieve compliance with HIPAA by protecting
private employee / HR information
Ensure proper approvals for purchasing by
automating workflow with external browser
access for senior executives
International bank prevents fraud with dual
authentication and strong financial controls,
masking data from unauthorized viewing
School Board prevents payroll and personal
expense fraud which went undetected for years
European power plant protects all purchase
orders and workflow for several thousand users
Benefits of
The entire installation and configuration of bioLock can be
done quite rapidly. Only minimal training is required, and the
impact on both users and IT support staff is minimal, both
during installation and in use.
Since bioLock is certified by SAP®, ongoing compatibility with
different versions is assured.
In a very short time, you can start enjoying benefits such as:
1. Dramatically increased SAP® security capabilities
2. Manage users’ identities via indisputable biometrics
3. Control access to functions down to the field level
4. Enforce true Segregation of Duties (SoD)
5. Attain meaningful compliance with SOX, HIPAA & ITAR
Statistically, a starter package could cost less than a single
fraud incident.
- SAP® certified since 2002
bioLock is SAP
Please contact us for a demonstration
or pilot installation:
[email protected]
realtime North America, Inc.
1101 Channelside Drive, Tampa, FL 33602
T: 813-283-0070 F: 813-283-0071 Email: [email protected]
Martin Lum
Director of Business Development, Northeast