Touching SAP Data: User Access and Biometrics
Enterprises can record when users access data in an SAP system, but biometrics makes it possible to add physical evidence to the log.
Biometrics: the word alone conjures the enormous post-9/11 hype over facial recognition. The promise was the technology would catch all terrorists as they moved through airports. While the hyperbole sold, the technology didn’t deliver. The Boston Globe reported in September 2003 that Boston's Logan Airport face-recognition trials were halted when error rates exceeded 50 percent.
While biometrics isn’t a cure-all, it does have more realistic enterprise application. In an era of Sarbanes-Oxley holding CEOs accountable for their company’s financial statements, it helps to know exactly who touched the financial database, and when they touched it. Smart cards, passwords, and key fobs will record when each of those devices was used—but who was on the other end? Presumably it was the person to whom the device was issued. Without corroborating evidence, however, it’s still in question.
Biometrics seeks to remove the doubt. A fingerprint, for example, adds a relatively unique personal identifier to the record, beyond the password used, so auditors can cross-reference whether the intended user accessed a system, and when. Research firm Frost & Sullivan predicts fingerprint-scanning technology revenues will grow from $75 million in 2003 to $1.5 billion by 2009.
One company offering biometric access software is realtime, formed by former SAP consultants. So far it’s the only company to offer biometric access control for anything from individual database fields to whole applications in SAP; it works on R/3 versions 4.x and later.
“The bioLocks software can protect anything inside the SAP software,” notes Thomas Neudenberger, chief operating officer of realtime North America.
Using bioLocks, users press their finger onto a fingerprint sensor three times to access protected applications or parts of them—such as individual fields, processes, or reports. The bioLocks software compares the readings with the data on file, saved as 128-bit encrypted templates stored in an SAP table. Cryptographic service-provider technology watches the templates to sound alarms if someone tries to alter stored fingerprint data surreptitiously.
Neudenberger says rollout is on the order of “hours,” plus the time security managers need to gather employees’ digital fingerprints, typically done department-by-department, before enabling the software. Companies can also use the software for single sign-on in conjunction with Siemens’ ID Center software, which stores biometric data on a secure server.
While fingerprints aren’t the only biometric possibility today, he notes, “it’s the one that is most accepted at the moment, plus the hardware costs are the cheapest at the moment.” Two popular fingerprint-reading devices, he says, are the Siemens ID mouse and keyboards from the German manufacturer Cherry.
One successful attack against fingerprint-reading technology in the past has been to literally breathe on the mouse; the previous fingerprint shows up again, the software sees it, and access is granted. Many manufacturers have since added algorithms to deny subsequent access attempts where the finger is in the exact position as before. “If the position of the finger is identical, they will not log you on because they treat it as trying to trick the system, and they ask you to reposition your finger,” notes Neudenberger.
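The two defensive ideas in the preceding paragraphs, tamper detection over stored templates and refusal of a reading placed in exactly the same position as the last accepted one, sketched in Python as an added example that is not realtime’s bioLocks code. The HMAC key, the bit-distance threshold, the three-reading rule’s representation and every name below are assumptions, and the templates are constructed sample bytes.

```python
import hmac
import hashlib
import json

# Hypothetical integrity key; a real deployment would hold it in the server's key store.
INTEGRITY_KEY = b"constructed-demo-key"
MAX_MISMATCH_BITS = 6      # tolerated distance between a live reading and the stored template
READINGS_REQUIRED = 3      # the article's three presses of the finger


def _tag(body: bytes) -> str:
    return hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()


def seal_template(user: str, template: bytes) -> dict:
    """Build the stored row: template plus an HMAC tag so surreptitious edits are detectable."""
    body = json.dumps({"user": user, "template": template.hex()}, sort_keys=True).encode()
    return {"body": body, "tag": _tag(body)}


def template_intact(row: dict) -> bool:
    """Recompute the tag in constant time; False means the stored row was altered."""
    return hmac.compare_digest(_tag(row["body"]), row["tag"])


def _mismatch_bits(a: bytes, b: bytes) -> int:
    # Hamming distance over the common prefix, plus a penalty for any length difference.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) + 8 * abs(len(a) - len(b))


class FingerprintGate:
    def __init__(self):
        self.rows = {}            # user -> sealed row (stands in for the SAP table)
        self.last_position = {}   # user -> (x, y) placement of the last accepted reading

    def enroll(self, user: str, template: bytes) -> None:
        self.rows[user] = seal_template(user, template)

    def authenticate(self, user: str, readings: list) -> str:
        """readings: list of (position, feature_bytes) tuples, one per press."""
        row = self.rows.get(user)
        if row is None:
            return "denied"
        if not template_intact(row):
            return "tamper_alarm"       # stored data changed: raise the alarm, never grant
        if len(readings) < READINGS_REQUIRED:
            return "denied"
        template = bytes.fromhex(json.loads(row["body"])["template"])
        for position, features in readings:
            if position == self.last_position.get(user):
                return "reposition"     # identical placement looks like a re-read latent print
            if _mismatch_bits(features, template) > MAX_MISMATCH_BITS:
                return "denied"
        self.last_position[user] = readings[-1][0]
        return "granted"
```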
No security technology is perfect, of course, but making life more difficult for attackers improves security. As Neudenberger says, “If I want to get into your computer to, let’s say, change salary information, would I go through your drawers to try and find a password and use a password cracker? Yes, probably. But would I cut off your finger to log in?”
Outside the realm of B-movies, the answer is, hopefully not.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.