Gina Marchese, ASUG Coordinator, SAP
Falk Rieker, Vice President SAP Banking Solutions
Mike Ramsey, SAP Banking Field Services
Thomas Neudenberger, COO realtime North America Inc.
May 6th, 2008
ASUG Banking & Financial Service Providers SAPPHIRE Breakfast Session
Agenda
• 7:00am – 7:15am - Breakfast Served & Opening Statements – Dan Drechsel & Thomas Balgheim (SAP)
• 7:15am – 7:20am - ASUG Community Overview- Mike Ramsey
• 7:20am – 7:25am - SAP’s Commitment to the Banking Community of Interest- Mike Ramsey & Falk Rieker
• 7:25am – 7:35am - Banking & Financial Services Key Discussion Topics- Mike Ramsey
• 7:35am – 7:50am - bioLock- Realtime Security & Fraud Mitigation- Thomas Neudenberger
• 7:50am – 7:55am - Upcoming Events & Next Steps – Mike Ramsey
• 7:55am – 8:00am - Questions & Customer Feedback
ASUG Overview
• ASUG is the largest independent, not-for-profit organization of SAP customer companies and eligible partner vendors in the world.
• ASUG’s mission is to continuously educate its members, facilitate networking among colleagues and SAP representatives, and influence future SAP product releases and direction.
• ASUG was formed in 1990, and is made up of more than 1,700 corporate and 45,000 individual members in North America.
ASUG Communities
• ASUG Special Interest Group (SIG) Communities are aligned to SAP products and industries.
• ASUG Chapters are regionally based throughout N. America
• ASUG members have year-round direct access to:
• Colleagues with similar interests and workplace challenges
• SAP representatives and resources
• Educational, networking and influencing opportunities
Year Round Education
Customer-run, customer-driven education
Convenient and accessible formats, including:
• Face-to-Face educational events
• Forums
• Symposiums
• Chapter Meetings
• Annual Conference
• Webcasts and teleconferences
• On-Demand Education
ASUG Banking Community
Free educational activities about newest product features-and-functions
• Banking Focused Webcasts
• ASUG SIG Community educational content
• Focused Banking area on asug.com
Networking to share experiences and best practices
• ASUG Banking Discussion Forum
• Networking sessions at ASUG events
• Industry specific Benchmarking Studies
• asug.com online community
Opportunities to influence and prioritize the development roadmap
• ASUG Influence Councils
• ASUG Executive Exchanges
Volunteers are Key
ASUG is governed by its most valuable asset – its members.
SIG Chair
• Drive and manage the SIG's year-round community
• Communicate Influence needs of SIG membership and represent the SIG during Influence activities (i.e. assist in moderating Webcasts, help craft promotional material)
• Build and maintain solid relationships with ASUG HQ and SAP Points of Contacts
Membership Offer
• Membership dues reside at the corporate level which allows an unlimited number of employees within an organization to utilize company membership benefits without incurring individual membership charges. Membership dues are paid on an annual basis, not pro-rated and valid January 1st through December 31st of each year.
• Complimentary ASUG memberships are available. Please inquire to [email protected]!
SAP’s Commitment to the Banking Community of Interest
• SAP, working closely with ASUG, will drive the following initiatives to continue the growth of this COI:
• Secure participation & support from Banking & Financial Service Providers in our European regions.
• SAP Management & Solutions Expert participation in future Banking COI events.
• SAP will provide results of our surveys related to industry trends, business use cases, functional requirements, and customer priorities.
• SAP will provide continuous updates on topics of interest received from our customers' feedback & questions.
Banking & Financial Services Key Discussion Topics
Banking Hot Topics (as determined by initial Customer Survey)
• Upgradeability to the most current release
• Roadmap to transform their existing implementation to our SOA BPP
• Ways to improve overall customer experience and improve customer centricity
• Cleaning up back office processes
• IT Spending
• Meeting and maintaining Compliance and Regulatory guidelines
• Security concerns in the banking industry
The bioLock Overview
bioLock Protects Critical Data with Biometrics for Fraud Prevention and “True” Compliance
bioLock “elevates” IT security from access control to fraud mitigation
Actual Financial Losses in 2006
So-called “occupational fraud” (also known as internal theft) and abuse imposes enormous costs on organizations. The median loss caused by the occupational frauds in this 2006 ACFE study was $159,000. Nearly one-quarter of the cases caused at least $1 million in losses and nine cases caused losses of $1 billion or more. Participants in the study estimate U.S. organizations lose 5% of their annual revenues to fraud.
Read the full study at: http://www.acfe.com/documents/2006-rttn.pdf (Source: 2006 Study - Association of Certified Fraud Examiners – www.acfe.com)
Average single loss was $159,000
25% caused $1 million in losses
9 cases of $1 billion in losses and more
It takes 15+ months to detect fraud
Largest fraud case in history
• French Trader Jerome Kerviel stole computer passwords that allowed him to enter his phony deals into various trading systems and to bypass security measures
• He misappropriated IT access controls belonging to operators
• Kerviel overstepped his authority and bet 50 billion Euros ($73 billion) - more than the bank's market value
• This practice cost his employer, France's Societe Generale, $7.2 billion in losses
• Judges have filed charges against Jerome for forgery, breach of trust and unauthorized computer activity
• Investigators questioned Societe Generale's chief executive, who is ultimately responsible for his employees' actions
• There are many rumors about the bank's future / the industry is speculating that it could be bought out or broken up
• Poor IT Security is blamed for the losses and a special committee has recommended to immediately introduce stronger security systems, including biometric authentication, to prevent a recurrence.
Source SAP Info: http://www.sap.info/public/INT/int/index/Category-28813c6138d029be8-int/0/articlesVersions-30698479ee4768f8a0
Source SAP Info: http://www.sap.info/public/INT/int/index/Category-28813c6138d029be8-int/0/articlesVersions-3038947c29f746dbbe
20 Ways to get anybody's Password
• Look in desk drawers or on the “yellow sticky note”
• Look over shoulders of co-workers (shoulder surfing)
• Videotape it - watch for people with a cell phone around you
• Ask colleagues – 40% admit to sharing passwords
• Get emergency password (administrators / security guard)
• Call hotline to get password reset for any user
• Associate with owner (pet, family, hometown, birthday)
• Check unencrypted .ini files
• Try SAP default password for SAP* - 06071992
• Key Catcher, Password Cracker – Now: Recovery Tools
• Monitoring / Sniffers (transfer from GUI not encrypted)
Download the “Fishing for Passwords” document at www.showpasswordsthefinger.com
Would your security guard STOP this guy walking through the main entrance?
Very Likely YES !!!
Even this guy identifies himself as “SAP 1” on his space suit…
bioLock will uniquely identify the user behind the “Space Suit” (User Profile)
Without using biometrics we can only identify “Space Suits” with names on them (SAP User Profile Names) walking around in the most critical part of our organization – the SAP System.
We have NO WAY of identifying who is using the suit (SAP user profile)
Why biometrics for your SAP System?
Biometric security for system, transaction and field level data
Biometric security for user logon with convenient single sign on to multiple systems
Enhanced user/transaction audit trail
Easy 4-eyes principle and supervisor approval functionality
Secure and convenient “Fast User Switching”
Proof of who did what and when in the SAP System with a biometric log file
bioLock “sits” on top of SAP Security
Existing SAP Security
Additional biometric Security
bioLock will not “touch” or change your existing security roles or profiles!
It adds an additional layer of security!
Diagram: Independent Additional Protection
• Existing Security Layer 1 – SAP User Profile: bioLock checks SAP authentication rules
• Additional Security Layer 2 – bioLock: bioLock prompts you for fingerprint; fingerprint comparison with table of bioLock templates; result is “Access authorized” or “Access blocked”
• Entry point: Logon / Task
bioLock invites users via biometric template – the protection is defined in bioLock and supersedes the SAP User Profile
2nd layer protection with bioLock
The biometric technology identifies unique points on your finger and creates an encrypted, digital template – it never stores an actual image of the finger!!!
Please Note: bioLock user/function – extra bioLock door lock is detected
Proof - in writing for the auditors
The log file proves:
• Who logged on
• Who executed the task
• Who confirmed a task
• Who was rejected TRYING to execute a task that they were not allowed to execute
Identified SAP User Profile (“Space Suit”) vs. actual user – uniquely identified with biometrics
Case Study: Finance System
The Challenge:
A bank had multiple critical tasks in their financial application including opening balance sheets, approving budgets and issuing wire transfers
• Groups of people had access to many parts of the finance system
• The client needed to uniquely identify the “actual user” and log activities
• Management requested that 2 individuals would authorize certain tasks
The Solution:
bioLock with the dual confirmation group was installed
2 people have to authorize tasks
Both will be uniquely identified…
…and logged in the log file
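The two-layer check from the diagram, the auditor log file and the dual-confirmation case study above can be shown in one small model. The code below is an added illustration written for this page; it is not bioLock's own code and does not model how bioLock stores or encrypts templates. Every name in it is a constructed assumption: the SAP users, roles and tasks, the three enrolled people, the fake minutiae templates, the Jaccard overlap rule with a 0.8 threshold, and the `live_scan` helper that stands in for a finger reader.

```python
"""Two-layer authorization: SAP user profile (layer 1) plus a biometric
identity layer (layer 2) with the 4-eyes principle and an audit trail.

Added illustration, not bioLock's own code. All users, roles, tasks,
templates and the matching rule are constructed assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Minutiae = FrozenSet[Tuple[int, int, int]]   # (x, y, ridge angle) points, constructed

# Layer 1 (existing SAP security, constructed): roles allowed per task and the
# roles carried by each SAP user profile (the "space suit").
TASK_ROLES: Dict[str, Set[str]] = {
    "WIRE_TRANSFER": {"FIN_CLERK", "FIN_MGR"},
    "APPROVE_BUDGET": {"FIN_MGR"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "FIN_SHARED": {"FIN_CLERK", "FIN_MGR"},   # one profile several people can log on with
    "J_DOE": {"FIN_CLERK"},
}

def _template(seed: int) -> Minutiae:
    """Deterministic fake minutiae; a real template comes from a finger scan."""
    return frozenset((seed * 7 + i, seed * 3 + 2 * i, (seed * 11 + i) % 360) for i in range(20))

# Layer 2 (constructed): templates are bound to actual people, not to SAP profiles.
TEMPLATES: Dict[str, Minutiae] = {"Alice": _template(1), "Bob": _template(2), "Carol": _template(3)}
MATCH_THRESHOLD = 0.8                       # overlap required to accept a match (assumed)
DUAL_CONFIRMATION_TASKS = {"WIRE_TRANSFER"} # tasks under the 4-eyes principle (assumed)

def live_scan(person: str, dropped: int = 2) -> Minutiae:
    """Constructed live scan: the enrolled template minus a few missed points."""
    return frozenset(sorted(TEMPLATES[person])[dropped:])

def match_score(sample: Minutiae, template: Minutiae) -> float:
    """Fraction of minutiae points shared between a live sample and a template (Jaccard)."""
    return len(sample & template) / len(sample | template)

@dataclass
class AuditEntry:
    event: str              # EXECUTED, CONFIRMED or REJECTED
    sap_user: str           # the SAP profile that was used
    person: Optional[str]   # biometrically identified person, None if unknown
    task: str
    detail: str = ""

@dataclass
class BioLock:
    templates: Dict[str, Minutiae]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def identify(self, sample: Minutiae) -> Optional[str]:
        """Return the best-matching enrolled person, or None if below the threshold."""
        best = max(self.templates, key=lambda p: match_score(sample, self.templates[p]))
        return best if match_score(sample, self.templates[best]) >= MATCH_THRESHOLD else None

    def execute(self, sap_user: str, task: str, sample: Minutiae,
                confirm_sample: Optional[Minutiae] = None) -> Tuple[bool, str]:
        """Run layer 1, then layer 2, then dual confirmation; log every outcome."""
        # Layer 1: the existing SAP authorization rule is checked first and left untouched.
        if not (USER_ROLES.get(sap_user, set()) & TASK_ROLES.get(task, set())):
            self.audit_log.append(AuditEntry("REJECTED", sap_user, None, task, "no SAP authorization"))
            return False, "blocked by SAP authorization"
        # Layer 2: who is actually inside the "space suit"?
        person = self.identify(sample)
        if person is None:
            self.audit_log.append(AuditEntry("REJECTED", sap_user, None, task, "fingerprint not enrolled"))
            return False, "blocked: unidentified person"
        # 4-eyes principle: a second, different identified person must confirm.
        if task in DUAL_CONFIRMATION_TASKS:
            confirmer = self.identify(confirm_sample) if confirm_sample is not None else None
            if confirmer is None or confirmer == person:
                self.audit_log.append(AuditEntry("REJECTED", sap_user, person, task, "dual confirmation failed"))
                return False, "blocked: needs a second identified approver"
            self.audit_log.append(AuditEntry("CONFIRMED", sap_user, confirmer, task))
        self.audit_log.append(AuditEntry("EXECUTED", sap_user, person, task))
        return True, f"executed by {person}"

if __name__ == "__main__":
    lock = BioLock(TEMPLATES)
    lock.execute("FIN_SHARED", "WIRE_TRANSFER", live_scan("Alice"), live_scan("Bob"))
    lock.execute("FIN_SHARED", "WIRE_TRANSFER", live_scan("Alice"), live_scan("Alice"))
    lock.execute("FIN_SHARED", "APPROVE_BUDGET", _template(9))   # stranger, not enrolled
    for e in lock.audit_log:
        print(f"{e.event:9} profile={e.sap_user:10} person={e.person} task={e.task} {e.detail}")
```

The point the log makes is the one the slides make: even when several people share the `FIN_SHARED` profile, each entry names the person whose finger was scanned, a rejected attempt is recorded with that person's name, and a wire transfer confirmed twice by the same person is refused rather than counted as two approvals.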
Conclusion
• SAP Security and ALL compliance efforts (SoD’s) are solely based on password protected USER Profiles
• Passwords are not secure and offer very limited protection and no accountability at all
• Damages include severe financial losses, espionage, bad press, image loss, lawsuits, compliance violations, etc.
• Experts agree - Biometrics is the only solution approach to increase security, convenience and establish clear accountability
• A study confirms how a company can be compliant, but not secure
• bioLock is the only certified biometric technology available for SAP
• There is no comparable technology available for SAP’s competitors
Resources
SAP WebEx recording – View a presentation and live demo of bioLock: http://www.sap.com/community/showdetail.epx?itemID=11423
Thief misuses authorizations and costs French bank $7 billion:
http://www.scmagazineus.com/Rogue-bank-trader-bypasses-computer-security-loses-7-billion/article/104519
SAP TV Movies about biometrics at Brevard County Government and SOX Compliance:
http://www.realtimenorthamerica.com/saptv.shtml
Research study from the California State University that has established - without biometrics there is no true compliance:
http://business.fullerton.edu/resources/biometrics/
View a PPT Screenshot demonstration of the biometric technology at work in the SAP System: http://www.realtimenorthamerica.com/download/bioLock_demo.ppt
SAP Info Article: Handling Accountability Issues with bioLock at the Polk County School District: www.sap.info/int/go/36553/
A former DuPont research chemist stole $400 million in intellectual property from his employer:
http://www.sap.info/public/INT/int/index/Category-28813c6138d029be8-int/0/articlesVersions-2278745d982e50690f
View how easy it is to identify a password that was video taped with a cell phone:
http://www.showpasswordsthefinger.com
Planning COI Focus & Future Topics
• Do we have an agreement on the direction of current and future topics for this COI?
• Where can we add value to both our Banking & Financial Service Provider customers?
• Are there specific high priority areas of focus you would like to have added to the “Hot Topics” list?
Next Steps
Determine Customer Topics of Interest for future event planning
Secure customer volunteers to lead Banking Community
Upcoming group Webcast sessions and topics
On-site meetings planned for 2008
Questions & Customer Feedback
• Open session for customer comments, questions, and feedback.