Gina Marchese, ASUG Coordinator, SAP - PowerPoint PPT Presentation

About This Presentation
Title:

Gina Marchese, ASUG Coordinator, SAP

Description:

Title: Insert Presentation Title Author: user Last modified by: I811391 Created Date: 3/2/2006 8:08:16 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Slides: 27
Provided by: realti

Transcript and Presenter's Notes

Title: Gina Marchese, ASUG Coordinator, SAP


1
ASUG Banking & Financial Service Providers
SAPPHIRE Breakfast Session
  • Gina Marchese, ASUG Coordinator, SAP
  • Falk Rieker, Vice President SAP Banking Solutions
  • Mike Ramsey, SAP Banking Field Services
  • Thomas Neudenberger, COO realtime North America
    Inc.
  • May 6th, 2008

2
Agenda
  • 7:00am to 7:15am - Breakfast Served & Opening
    Statements - Dan Drechsel & Thomas Balgheim (SAP)
  • 7:15am to 7:20am - ASUG Community Overview - Mike
    Ramsey
  • 7:20am to 7:25am - SAP's Commitment to the Banking
    Community of Interest - Mike Ramsey & Falk Rieker
  • 7:25am to 7:35am - Banking & Financial Services
    Key Discussion Topics - Mike Ramsey
  • 7:35am to 7:50am - bioLock - Realtime Security &
    Fraud Mitigation - Thomas Neudenberger
  • 7:50am to 7:55am - Upcoming Events & Next Steps -
    Mike Ramsey
  • 7:55am to 8:00am - Questions & Customer Feedback

3
ASUG Overview
  • ASUG is the largest independent, not-for-profit
    organization of SAP customer companies and
    eligible partner vendors in the world.
  • ASUG's mission is to continuously educate its
    members, facilitate networking among colleagues
    and SAP representatives, and influence future SAP
    product releases and direction.
  • ASUG was formed in 1990, and is made up of more
    than 1,700 corporate and 45,000 individual
    members in North America.

4
ASUG Communities
  • ASUG Special Interest Group (SIG) Communities are
    aligned to SAP products and industries.
  • ASUG Chapters are regionally based throughout N.
    America
  • ASUG members have year-round direct access to
  • Colleagues with similar interests and workplace
    challenges
  • SAP representatives and resources
  • Educational, networking and influencing
    opportunities

5
Year Round Education
  • Customer-run, customer-driven education
  • Convenient and accessible formats, including
  • Face-to-Face educational events
  • Forums
  • Symposiums
  • Chapter Meetings
  • Annual Conference
  • Webcasts and teleconferences
  • On-Demand Education

6
ASUG Banking Community
  • Free educational activities about newest product
    features-and-functions
  • Banking Focused Webcasts
  • ASUG SIG Community educational content
  • Focused Banking area on asug.com
  • Networking to share experiences and best
    practices
  • ASUG Banking Discussion Forum
  • Networking sessions at ASUG events
  • Industry specific Benchmarking Studies
  • asug.com online community
  • Opportunities to influence and prioritize the
    development roadmap
  • ASUG Influence Councils
  • ASUG Executive Exchanges

7
Volunteers are Key
  • ASUG is governed by its most valuable asset: its
    members.
  • SIG Chair
  • Drive and manage the SIG's year-round community
  • Communicate Influence needs of SIG membership and
    represent the SIG during Influence activities
    (i.e. assist in moderating Webcasts, help craft
    promotional material)
  • Build and maintain solid relationships with ASUG
    HQ and SAP Points of Contacts

8
Membership Offer
  • Membership dues reside at the corporate level
    which allows an unlimited number of employees
    within an organization to utilize company
    membership benefits without incurring individual
    membership charges. Membership dues are paid on
    an annual basis, not pro-rated and valid January
    1st through December 31st of each year.
  • Complimentary ASUG memberships are available.
    Please inquire to Mike.Ramsey_at_SAP.COM!

9
SAP's Commitment to the Banking Community of
Interest
  • SAP, working closely with ASUG, will drive the
    following initiatives to continue the growth of
    this COI
  • Secure participation & support from Banking &
    Financial Service Providers in our European
    regions.
  • SAP Management & Solutions Expert participation
    in future Banking COI events.
  • SAP will provide results of our surveys related
    to industry trends, business use cases,
    functional requirements, and customer priorities.
  • SAP will provide continuous updates on topics of
    interest received from our customers' feedback &
    questions.

10
Banking & Financial Services Key Discussion Topics
  • Banking Hot Topics (as determined by initial
    Customer Survey)
  • Upgradeability to the most current release
  • Roadmap to transform their existing
    implementation to our SOA BPP
  • Ways to improve overall customer experience and
    improve customer centricity
  • Cleaning up back office processes
  • IT Spending
  • Meeting and maintaining Compliance and Regulatory
    guidelines
  • Security concerns in the banking industry

11
The bioLock Overview
bioLock Protects Critical Data with Biometrics
for Fraud Prevention and True
Compliance
bioLock elevates IT security from access
control to fraud mitigation
12
Actual Financial Losses in 2006
  • Average single loss was $159,000
  • 25% caused $1 million in losses
  • 9 cases of $1 billion in losses and more
  • It takes 15 months to detect fraud

So-called occupational fraud (also known as
internal theft) and abuse imposes enormous costs
on organizations. The median loss caused by the
occupational frauds in this 2006 ACFE study was
$159,000. Nearly one-quarter of the cases caused
at least $1 million in losses and nine cases
caused losses of $1 billion or more. Participants
in the study estimate U.S. organizations lose 5%
of their annual revenues to fraud. Read the full
study at http://www.acfe.com/documents/2006-rttn.pdf
(Source: 2006 Study - Association of
Certified Fraud Examiners, www.acfe.com)
13
Largest fraud case in history
  • French Trader Jerome Kerviel stole computer
    passwords that allowed him to enter his phony
    deals into various trading systems and to bypass
    security measures
  • He misappropriated IT access controls belonging
    to operators
  • Kerviel overstepped his authority and bet 50
    billion Euros ($73 billion) - more than the
    bank's market value
  • This practice cost his employer, France's
    Societe Generale, $7.2 billion in losses
  • Judges have filed charges against Jerome for
    forgery, breach of trust and unauthorized
    computer activity
  • Investigators questioned Societe Generale's chief
    executive, who is ultimately responsible for his
    employees' actions
  • There are many rumors about the bank's future;
    the industry is speculating that it could be
    bought out or broken up
  • Poor IT Security is blamed for the losses and a
    special committee has recommended immediately
    introducing stronger security systems, including
    biometric authentication, to prevent a
    recurrence.

Source: SAP Info
http://www.sap.info/public/INT/int/index/Category-28813c6138d029be8-int/0/articlesVersions-30698479ee4768f8a0
Source: SAP Info
http://www.sap.info/public/INT/int/index/Category-28813c6138d029be8-int/0/articlesVersions-3038947c29f746dbbe
14
20 Ways to get anybody's Password
  • Look in desk drawers or on the yellow sticky
    note
  • Look over shoulders of co-workers (shoulder
    surfing)
  • Videotape it - watch for people with a cell phone
    around you
  • Ask colleagues - 40% admit to sharing passwords
  • Get emergency password ( administrators /
    security guard)
  • Call hotline to get password reset for any user
  • Associate with owner (pet, family, hometown,
    birthday)
  • Check unencrypted .ini files
  • Try SAP default password for SAP - 06071992
  • Key Catcher, Password Cracker Now Recovery
    Tools
  • Monitoring / Sniffers (transfer from GUI not
    encrypted)

Download the Fishing for Passwords document at
www.showpasswordsthefinger.com
15
Would your security guard STOP this guy walking
through the main entrance?
Very likely YES!!! Even though this guy identifies
himself as "SAP 1" on his space suit.
Without using biometrics we can only identify
"Space Suits" with names on them (SAP User
Profile Names) walking around in the most
critical part of our organization: the SAP
System.
We have NO WAY of identifying who is using the
suit (SAP user profile).
bioLock will uniquely identify the user behind
the Space Suit (User Profile).
16
Why biometrics for your SAP System?
  • Biometric security for system, transaction and
    field level data
  • Biometric security for user logon with
    convenient single sign on to multiple systems
  • Enhanced user/transaction audit trail
  • Easy 4-eyes principle and
    supervisor approval functionality
  • Secure and convenient Fast User Switching
  • Proof, who did what and when in the SAP System
    with a biometric log file

17
bioLock sits on top of SAP Security
bioLock will not touch or change your existing
security roles or profiles! It adds an additional
layer of security!
18
Independent Additional Protection
Finance
IT
HR
19
2nd layer protection with bioLock
bioLock
Logon / Task
20
Proof - in writing for the auditors
  • The log file proves
  • Who logged on
  • Who executed the task
  • Who confirmed a task
  • Who was rejected TRYING to execute a task that
    they were not allowed to execute

21
Case Study Finance System
The Challenge
A bank had multiple critical tasks in their
financial application including opening balance
sheets, approving budgets and issuing wire
transfers
  • Groups of people had access to many parts of the
    finance system
  • The client needed to uniquely identify the
    actual user and log activities
  • Management requested that 2 individuals would
    authorize certain tasks

22
Conclusion
  • SAP Security and ALL compliance efforts (SoDs)
    are solely based on password protected USER
    Profiles
  • Passwords are not secure and offer very limited
    protection and no accountability at all
  • Damages include severe financial losses,
    espionage, bad press, image loss, lawsuits,
    compliance violations, etc.
  • Experts agree - Biometrics is the only solution
    approach to increase security, convenience and
    establish clear accountability
  • A study confirms how a company can be compliant,
    but not secure
  • bioLock is the only certified biometric
    technology available for SAP
  • There is no comparable technology available for
    SAP's competitors

23
Resources
  • SAP WebEx recording: View a presentation and
    live demo of bioLock
    http://www.sap.com/community/showdetail.epx?itemID=11423
  • Thief misuses authorizations and costs French
    bank $7 billion
    http://www.scmagazineus.com/Rogue-bank-trader-bypasses-computer-security-loses-7-billion/article/104519
  • SAP TV: Movies about biometrics at Brevard
    County Government and SOX Compliance
    http://www.realtimenorthamerica.com/saptv.shtml
  • Research study from the California State
    University that has established - without
    biometrics there is no true compliance
    http://business.fullerton.edu/resources/biometrics/
  • View a PPT screenshot demonstration of the
    biometric technology at work in the SAP System
    http://www.realtimenorthamerica.com/download/bioLock_demo.ppt
  • SAP Info Article: Handling Accountability Issues
    with bioLock at the Polk County School District
    www.sap.info/int/go/36553/
  • A former DuPont research chemist stole $400
    million in intellectual property from his employer
    http://www.sap.info/public/INT/int/index/Category-28813c6138d029be8-int/0/articlesVersions-2278745d982e50690f
  • View how easy it is to identify a password
    that was videotaped with a cell phone
    http://www.showpasswordsthefinger.com
24
Planning COI Focus & Future Topics
  • Do we have an agreement on the direction of
    current and future topics for this COI?
  • Where can we add value to both our Banking &
    Financial Service Provider customers?
  • Are there specific high priority areas of focus
    you would like to have added to the Hot Topics
    list?

25
Next Steps
  • Determine Customer Topics of Interest for future
    event planning
  • Secure customer volunteers to lead Banking
    Community
  • Upcoming group Webcast sessions and topics
  • On-site meetings planned for 2008

26
Questions & Customer Feedback
  • Open session for customer comments, questions,
    and feedback.