Topics like Least Privileged Access, True Compliance and Accountability are commonplace when it comes to SAP Security.

However, an additional layer of protection, that of biometrics, can be added to the existing set of standard security tools provided by SAP.

What does biometrics mean in SAP and why might it make sense to use it?

Biometrics, in the field of computing, allows physical or behavioral characteristics to be used to identify a person.

It can thus be used in many ways (iris reading, fingerprinting, way of walking, voice etcc) and in different contexts, to gain access to a system or to perform critical operations, within a system, as a dual control mechanism.

Using these techniques can be even more useful when you add practices (bad practices) of managing information and carrying out business processes that have very little to do with the word "security" for example:

• Sharing one's passwords before going on vacation (do you keep track of multiple logons? Learn more here)
• Saving credentials on sheets of paper or files in unsecured locations
• Leaving one's desk unattended and with the computer unlocked

In this article we introduce a solution, available on the market, called bioLock. The goal of which is precisely to protect the SAP system in its entirety, as well as, potentially, to reduce to zero any risks that these bad practices would bring. 

How does it work? What benefits could it bring to your SAP system? Let's go into more detail!

What technology does bioLock use?

bioLock is software that relies on biometric analysis technologies and integrates into SAP systems via the ABAP language to make it possible to define "ID Checks" that can be set as mandatory upon the performance of any action in SAP.

For example, it can be used through the following products for the acquisition and authentication of the user's biometric information:

• Mouse with fingerprint reader
• Fujitsu Palm Vein
• Nymi Band
• Windows 10/HELLO

In fact, biometric authentication is at the heart of bioLock technology, through which the software provides a wide range of security options.

This allows for the creation of an Allow List, which contains all users who will be accepted when they attempt to perform a certain action.

All users not included in this list, on the other hand, will be automatically rejected by the system when they try to perform the action.

What can you do with bioLock?

Some of the most important functions of the software are:

• Logon Protection: places a biometric checkpoint at the Logon stage, so as to
  prevent access to the SAP system even for those who have login credentials but are not really the user they say they are.
  • Allows reducing access risks in workplaces where users access from the same PC, or public places such as Kiosks
• Function Protection: Restricts access to sensitive transactions, tables, functions or buttons within the SAP GUI
  
  
• Field Masking mirato: as a result of "ID Checks" the buttons/buttons, fields and rows of an SAP object can be hidden at will, so as to accomplish further segregation to access sensitive information and functionality. Read here how the native data masking functionality works in SAP

How does bioLock work?

To better understand the mechanisms underlying the operation of bioLock let's take a closer look at Function Protection. Three quick and easy steps are required to protect a function within SAP using the software.

• Create a function, enter the number you want to assign to it, and choose the access restriction method (onlyfinger, PalmSecure, Nymi Band...)
   
  • Select the Global Check Mark, to tell the software that you want to restrict access to potentially all users in the SAP system
    
    
  • Finally, select "Invite Defined" so that you can later select the users who will be part of the Allow List
    
    

• From now on, the transaction will be protected with the selected function
  
  
• Restrict access to the function by placing the desired users within the Allow List. As of now, no one outside of these will have access to the defined function
  
  

If you wish not only to prevent access, but also to operate at a more detailed level of security and segregate the actual execution within the transaction, you can add a bioLock Checkpoint within the ABAP code just before the execution involved, and link this entry to the function defined above.

Each action performed in the system can eventually be tracked to have a log of the activities performed. When can you use it?

• To track who did what, so for detective or forensic control activities
• To track who tried to do what

Did you know that this information can also be integrated into a SIEM?

How can bioLock help your company?

We have seen the way bioLock operates and through what tools and logic it aims to improve SAP system security.

In summary, what are the ways in which bioLock can help your company?

• Check IDs in SAP for employees, suppliers and customers
• Protection on standard or custom transactions
• In-depth security level for Functions, Values, Buttons and more
• Compatibility with Fingerprint, Palm Vein, Nymi Band and Smart Cards
• Contribution to a clearer definition of Responsibilities
• Control of access attempts via Log Files
• Security options where Segregation of Duties cannot reach (read more about SoD here)

Interested in learning more? Do you have additional concerns? Contact us here!