Reviewing 20 years of Biometric Granular Controls in SAP with bioLock

⇨ Even as the regulations and technologies have evolved, the underlying challenges of digital security have remained the same.

⇨ One of the most effective strategies organizations should employ is taking role provisioning seriously.

⇨ Biometric security like fingerprint scanners or palm vein reading devices are especially secure, as it cannot be duplicated or written down.

The technology in the SAP world is constantly changing. AI, automation, SAP S/4HANA – all buzzwords that SAP practitioners are very familiar with. Yet when it comes to GRC practices, even as technologies like biometric security evolve, the guiding principles for securing and protecting SAP environments stay the same. Unfortunately, the reasoning behind fraud, theft, and other malfeasance has stayed the same as well – greed.

“The first fraud that people knew of actually happened 200 BC when two merchants decided to insure a ship with the purpose of sinking it to collect the insurance money. Going on from there, there have been Ponzi schemes, and anything from Société Générale, you know it, you know it has been around for 2000 years, it will be around for the next 2000 years,” said Thomas Neudenberger, COO at realtime North America.

SAP Security in 2004 vs. 2024

Nearly 20 years ago, Neudenberger wrote an article for SAPinsider examining “security requirements and legislative mandates such as Sarbanes-Oxley, HIPAA, and the California Act.” In the article, he shared the story of an early adopter of realtime’s bioLock MFA4SAP security solution.

“Brevard County, home to Cape Canaveral and NASA facilities, is one of realtime North America’s first government organizations to implement the bioLock solution to provide enhanced system security. With large quantities of emergency stockpiles and secure space launch areas, Brevard required robust security access capabilities; with that in mind, Brevard selected bioLock to assist the county with a secure single sign-on solution for multiple systems, to provide enhanced security authorization for access to sensitive human resources information systems, and to assist in compliance with the federal HIPAA standards.”

• SAPinsider, April 2004

Even as the regulations and technologies have evolved, the underlying challenges of digital security have remained the same. Neudenberger highlighted the need for companies to be proactive in their security posture. Companies cannot afford to wait until after they have been breached to secure their SAP systems.

“Going back 20 years, every customer had some kind of breach before implementing bioLock. They had an issue, and they lost money which led them to engage with us. Some of them even lost credibility and they had to react. Over the last 10 years, companies became more proactive as they gained a greater understanding of the threats to their systems” said Neudenberger.

With fraud and other malfeasance increasing, companies now need to look for more solutions to keep their secure information safe. In 2004, realtime started assisting governments who needed high-tech solutions to keep important state secrets and government assets safe, but quickly moved on to other industries including banking, pharma, oil industry, energy, manufacturing and even school districts.

As fraud has gotten more advanced, companies have realized that they also need to add advanced levels of protection. Unfortunately, more and more enterprises have realized too late that their security standards were not high enough.

“Fraud has increased dramatically over the years and the fact that all systems are online has made systems more vulnerable as we can see in an explosion in “phishing” attacks. Back then, there were single isolated fraud cases, now it has exploded, especially during COVID – not because of COVID, but because procedures and responsibilities changed. People started working from home and with that a ton of fraud that was previously covered up was discovered during COVID. Before COVID we had seen fraudsters get away with fraud until they retired,” said Neudenberger.

Threats – Internal and External

It is important to remember that not all threats are external. There are numerous examples of business users exploiting their knowledge of a system to steal from their employer – sometimes millions of dollars. In fact, most of the well-known fraud cases from the largest NSA Data Breach to the multi-billion-dollar fraud case at Société Générale were all caused by employees – not hackers.

Organizations have had disgruntled employees leak sensitive information that they obtained by walking up to a colleague’s unlocked computer and downloading information they should not have had access to. Others have passwords written down on sticky notes, available for anyone to see. Or they simply share passwords, look over a colleague’s shoulder or ask colleagues, like Edward Snowden did.

With the boom of work-from-home and hybrid models, the physical locations where breaches can take place have multiplied. Companies should ensure that employees that are able to work from home are still adhering to their security protocols.

“Now everything is in the cloud, so physical security is nonexistent. People use their own devices to log on to the corporate network and even if they have a company issued laptop, they’re still using their own routers from home. Normal network traffic doesn’t encrypt the logon and password. In the past, you had to be an advanced hacker to get into these systems to see your logon and your password credentials being typed in. Today anybody can purchase AI hacking tools that can easily do the job for them. But why bother if you can buy SAP logon credentials on the dark web without any hacking efforts? The threat is always the same – ATO’s or account takeovers,” said Neudenberger.

Biometrics

The biometric security industry is growing rapidly as more companies seek to protect themselves as they want to know who they are really dealing with. Yet many organizations are still behind the times in terms of security capabilities. This can leave them exposed to millions of dollars’ worth of risk in the form of theft and reputational damage.

Biometric security like fingerprint scanners or palm vein reading devices are especially secure, as it cannot be duplicated or written down. This makes them especially potent weapons in the fight against fraud and theft. realtime North America provides its bioLock solutions to users around the world who want to fight off these threats.

SAP users can avoid these issues without suffering a hack or leak first. Unfortunately, many organizations do not have enterprise-wide buy-in. This can leave them exposed to unnecessary risk, simply because business leaders would rather use their budget on aspects of the business that can make money, rather than preventing losses. However, they should consider GRC controls as an essential part of the SAP landscape as not losing money increases the bottom line as well.

“When I talk with SAP users, I’ll normally ask them if they put a seat belt on when they drive and mostly they say ‘yes, because if you get in a car accident you don’t want to go through the windshield.’ It’s common sense. Not only does everybody know you wear a seat belt because if you get hit there will be a lot of damages, but also most states mandate that you wear your seat belt. We need to engage with SAP users and keep educating them about seizing the moment and going forward with biometric technology, that’s all we can do,” said Neudenberger.

Avoid Overpermitting with Granular Function Controls

Beyond biometric security, one of the most effective strategies organizations should employ is taking role provisioning seriously. As SAP organizations expand, different employees receive different permissions based on their position within the organization but there is still no guarantee that the authorized user, Joe, is actually executing the function unless it is reinforced by biometrics. Most organizations have too many SAP access roles and high employee turnover. This results in many users being overpermitted and as companies allow users to access information beyond what is absolutely necessary, they put themselves at risk.

“When the threat comes from inside the organization the damages are generally much bigger because they know everything about the system. But it doesn’t matter if the threat is inside or outside of the organizations, it’s the same threat because all a hacker does is takes over some credentials. bioLock protects systems the same way, not only on the logon, but more importantly on the function level. SAP Transactions, Tables, HR Infotypes, data and even a save or enter button. That’s where SAP landscapes should be protected because that’s where the damages come from,” said Neudenberger.

The task of assigning and managing these roles is extremely cumbersome, especially at larger organizations. Organizations often turn to field masking solutions in conjunction with biometric solutions to ensure that only those with high-level clearance can see personal identifiable information (PII). These solutions block out any important information from being shown on a screen unless an approved user signs in via biometric identification. In the pharmaceutical and healthcare industries, biometric bands have been added to biometrically enable glove users. Dual confirmation scenarios are used to require two biometric sign offs to further prevent corruption and collusion.

Looking to the future

For 20 years, realtime has sought to warn the SAPinsider community about some of the threats that could cause severe financial and reputational damage to their organizations. As the threats evolve, so do solutions like facial recognition, smart ID cards integrated with biometrics, and fingerprint scanners built-in to company-issued laptops, which can all be used today with bioLock to protect any mouse-click in SAP.

Biometrics may have seemed like science fiction back in 2004, but in 2024 it is a common part of daily operations for many organizations and a vital tool in the arsenal of GRC and cybersecurity practitioners at SAP organizations. It is also the only way to truly enforce a Zero Trust strategy.

“Biometrics is not going away. The biometric market is exploding. This technology is out there, at the airport, at the gym, and everywhere else these days. SAP practitioners need to know who the people accessing their most sensitive SAP functions are. You want to know who is at the keyboard when they hit the enter button to send a million-dollar wire transfer to the other side of the world. The bioLock control center inside SAP has allowed SAP customers to protect their most sensitive functions for 22 years. Back then realtime started with a Siemens ID Mouse with an Infineon fingerprint sensor. Since then, many Biometrics and other MFA Technologies have been implemented with bioLock making the technology very future proof. You just need to try it in your own SAP system and with your own data. Do a pilot, test bioLock out – You will quickly recognize the value for your organization,” said Neudenberger.