
Public

ASUG Webinar
SAP HANA Security Overview
Andrea Kristen, Holger Mack, SAP SE
April 2016

secure information access

secure system setup

secure software

Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.

2016 SAP SE or an SAP affiliate company. All rights reserved.

Agenda
SAP HANA scenarios
Secure information access
Secure system setup, administration and operation
Secure software and patching

Manage secure data access and keep your systems protected


SAP HANA provides a comprehensive security framework
Securely run SAP HANA in a variety of environments
Meet increasing regulatory and compliance requirements
Easily configure, manage and monitor security
Keep up to date with relevant security updates

SAP HANA's unified security architecture

[Diagram labels: Client (Browser, Application Server, SAP HANA Tools: Studio, Cockpit); JDBC/ODBC, HTTP(S); SAP HANA (Database, XS Classic, Application, Design Time Repository); Authentication/SSO, Authorization, Users/Roles, Encryption, Audit Logging]

SAP HANA scenarios

Traditional security architecture

[Diagram: Client, Application Server and Database tiers, labelled with application end users, application server administrators, a technical account, and database administrators]

Typical SAP HANA scenarios

Traditional 3-tier application
Data mart (3-tier or 2-tier)
Native 2-tier application

[Diagram labels: Client; Application Server (ABAP application permissions); BI Server (BI application permissions); SAP HANA (database permissions); XS (XS application and database permissions); Source, Replication]

Traditional 3-tier application: Database migration to SAP HANA

Database migration to SAP HANA: no change to the security model
End users in the application server layer
  Security functions of the application server apply
  No change to authentication/authorization management
Application server connects with technical account to SAP HANA
SAP HANA security functions are used to manage administrative access to SAP HANA
Examples: Business Warehouse on SAP HANA, Business Suite on SAP HANA

[Diagram labels: Client; Application Server (ERP, BW); SAP HANA]

S/4HANA On Premise

Same security model as traditional ABAP applications
  End users in S/4HANA AppServer (NetWeaver)
  NetWeaver security functions apply, e.g. for authentication and authorization
Frontend/client security
  Input validation, encrypted communication
Application server connects with technical account to SAP HANA
SAP HANA security functions are used to manage administrative access to SAP HANA

[Diagram labels: Clients (Fiori, Web UI, SAPGUI); S/4HANA Application Server; SAP HANA]

S/4HANA OnPremise: Fiori Launchpad

Fiori delivers state-of-the-art UX with security benefits
  Fiori delivers state-of-the-art HTML5 technology
  SAP adheres to a safe and proven HTML5 subset only
  Standard ODATA protocol used for data transport
Fiori role/authorization handling
  Fiori Launchpad provides a role-specific and individualized subset of the available apps
  Privileges are assigned to the end user via PFCG roles

Integrated scenario: Reporting on ERP data in SAP HANA

Direct user access to SAP HANA: modified security model
  SAP HANA Live for SAP Business Suite supports direct access to ERP data in SAP HANA
  ERP data is exposed via SAP HANA views
  Read only
  Authorization checks using SAP HANA privileges
End users both in application server layer and in SAP HANA
  Tool support for generation of SAP HANA privileges from ABAP PFCG roles
SAP HANA security functions are used to manage administrative access to SAP HANA

[Diagram labels: Client (BI Client, Browser); ERP Application Server; SAP HANA (SAP HANA Live, XS)]

Integrated scenario: Reporting on BW data in SAP HANA

Direct user access to SAP HANA: modified security model
  SAP Business Warehouse supports direct access to BW data in SAP HANA
  BW data is exposed via SAP HANA views
  Read only
  Authorization checks using SAP HANA privileges
End users both in application server layer and in SAP HANA
  Automatic generation of SAP HANA views, privileges and roles based on BW privileges, automatic role assignment
SAP HANA security functions are used to manage administrative access to SAP HANA

[Diagram labels: Client (BI Client, Browser); BW Application Server (Info provider); SAP HANA]

Integrated scenarios: user generation from ABAP

SAP HANA users can be generated from ABAP users
Since NW 7.40 SPS 3
  User management transaction SU01
Since NW 7.40 SPS 6
  Report for mass synchronization: RSUSR_DBMS_USERS
  User copy supported in SU01

[Diagram labels: Application Server; SAP HANA]

Data mart: Customer-specific analytic reporting on SAP HANA

Direct user access to SAP HANA: based on SAP HANA native security model
  Custom reports and dashboards support direct access to data in SAP HANA using BI tools
  Data is exposed via SAP HANA analytic views
  Read only
  Often on replicated/aggregated data
  Authorization checks using SAP HANA privileges
End users in SAP HANA
  SAP HANA privileges need to be modelled for the individual project
SAP HANA security functions are used to manage administrative access to SAP HANA

[Diagram labels: Client; SAP BusinessObjects Business Intelligence; SAP HANA; Replication; Source]

Applications built on SAP HANA XS classic model

Direct user access to SAP HANA: integrated security model
  SAP HANA supports direct access to data via web-based native applications based on XS classic
  End users in SAP HANA
  Security functions of SAP HANA apply: Authorization, authentication/SSO, encryption, audit logging
  Additional security functions for XS classic applications:
    Application-specific authorization checks need to be modelled for the individual XS classic application
    Protection against XSRF, SQL injection, XSS
    For outgoing connections: OAuth client support
SAP HANA security functions are used to manage administrative access to SAP HANA

[Diagram labels: Client; HTTP(S); XS (Presentation Logic, Control Flow Logic); DB (Calculation Logic); SAP HANA]

Applications built on SAP HANA XS advanced model

New scalable, flexible application runtime option (introduced with SAP HANA SPS11)
Security aspects
  Support for decoupling application layer and data layer
    Separate deployment (e.g. network zones) and scaling of application layer
  Isolation for applications
    data layer: separate containers per application
    application layer: separate OS users per application configurable
  New user and role management for business users
    business users managed via identity provider (external SAML2 compliant identity provider or HANA as native identity provider)
    business user authorized based on scopes for functional authorizations (e.g. view cost center data) and attributes for instance based authorizations (e.g. cost center XYZ)
  Central user account and authentication server (UAA)

[Diagram labels: Client; HTTP(S); Presentation Logic; Development Tools; XS Advanced Model (node.js, Java, XSJS, App. Coding); UAA; Identity Provider (IDP); JDBC; SAP HANA (Container, Calculation Logic)]

Multitenant database containers: a new way to separate access

Run multiple applications on one HANA system
  1 system database and multiple tenant databases
  Shared software installation
Strong isolation features
  Users, database catalog, repository, persistence, backups, traces and diagnosis files per database
  Isolation level high: dedicated OS user/group per tenant
  Overall system administration from system database. But: No direct access to tenant database schemas from the system database
  Security-relevant features configurable per database
More information
  SAP Note 2096000

[Diagram labels: SAP HANA system; System database; Tenant database 1, 2, ... N; Application 1, 2, ... N]

Secure information access

Manage and control compliant access to your critical data


Comprehensive role and privilege framework
Authentication and single sign-on
User and identity management
Audit logging


Comprehensive role and privilege framework

SAP HANA's comprehensive authorization framework provides highly granular access control
Roles are used to bundle and structure privileges for dedicated groups of users
  Role transport available for DEV/QA/PROD system landscapes
Privileges define what users can see and do
  Based on standard SQL object privileges, HANA-specific extensions for business applications
  End user privileges: Access to database content (e.g. SELECT on table): SQL privileges, analytic privileges; execution of application functions: XS application privileges
  Administrator privileges: execution of administration tasks (e.g. backups, user management): System privileges
  Developer privileges: Access to development artifacts in the repository: Package privileges

[Diagram labels: Developers; Administrators; Role; Grant; Repository; Role Transport; DEV; PROD]

Authentication and single sign-on

Access to SAP HANA data, functions and applications requires authentication
  Authentication options configurable per user
Password login
  Password policy: change frequency, strength, password blacklist etc.
  No default passwords, mandatory password change after first logon for end users
Single sign-on
  Kerberos/SPNEGO
  SAML
  SAP logon and assertion tickets
  X.509 (only XS classic)

User and identity management

SAP HANA users
  For logon a user in SAP HANA's user store is required
  Bootstrapping user SYSTEM created during installation. Recommendation: create dedicated administrators and lock SYSTEM user
  Automatic locking of users in certain situations (e.g. if their validity expired or they entered a wrong password several times), manual locking also possible
User administration and role assignment
  SAP HANA Studio/Cockpit for user/role management
  Self services for web-based password reset and requesting new user account
  Connectors for SAP Identity Management, SAP Access Control
  SQL interface for connecting custom solutions
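
The recommendation above (create dedicated administrators, then lock SYSTEM), written out in SAP HANA SQL. This is an added example, not part of the original slides; the user names SEC_ADMIN_01 and AUDIT_ADMIN_01 and the initial passwords are placeholders to be replaced.

```sql
-- Added example (not from the slides). User names and passwords are
-- placeholders; run steps 1-2 as SYSTEM, the rest as SEC_ADMIN_01.

-- 1. Dedicated administrator for users and roles. A password set by an
--    administrator has to be changed by the user at first logon.
CREATE USER SEC_ADMIN_01 PASSWORD "Initial1Password";
GRANT USER ADMIN TO SEC_ADMIN_01;
GRANT ROLE ADMIN TO SEC_ADMIN_01;

-- 2. Separate administrator for audit configuration, so that the person
--    managing users is not the person who can switch auditing off.
CREATE USER AUDIT_ADMIN_01 PASSWORD "Initial2Password";
GRANT AUDIT ADMIN TO AUDIT_ADMIN_01;

-- 3. Once the dedicated administrators have logged on successfully,
--    lock the bootstrapping user.
ALTER USER SYSTEM DEACTIVATE USER NOW;

-- 4. Check the result: SYSTEM should show USER_DEACTIVATED = 'TRUE'.
SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME,
       LAST_SUCCESSFUL_CONNECT, INVALID_CONNECT_ATTEMPTS
  FROM SYS.USERS
 WHERE USER_NAME = 'SYSTEM';

-- 5. Review all users that are currently locked or past their validity,
--    the "automatic locking" situations named on the slide.
SELECT USER_NAME, USER_DEACTIVATED, VALID_UNTIL, INVALID_CONNECT_ATTEMPTS
  FROM SYS.USERS
 WHERE USER_DEACTIVATED = 'TRUE'
    OR VALID_UNTIL < CURRENT_TIMESTAMP
 ORDER BY USER_NAME;

-- 6. If SYSTEM is needed again for a task that requires it, a user
--    administrator reactivates it and locks it again afterwards.
ALTER USER SYSTEM ACTIVATE USER NOW;
-- ... perform the task ...
ALTER USER SYSTEM DEACTIVATE USER NOW;
```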

Audit logging
SAP HANA offers highly configurable, policy-based audit logging for critical system events

User management: e.g. user changes, role granting


System access and configuration: e.g. failed logons, parameter changes
Data access: e.g. read and write access to tables and views, execution of procedures
Log all: firefighter logging, e.g. for support cases

Audit policies
Include events to be recorded
If audit logging is enabled, some critical events are
always logged, e.g. disabling of audit logging

Audit trail
Linux syslog or secure database table
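
One audit policy per event category listed on this slide, in SAP HANA SQL. This is an added example, not part of the original slides; the policy names, the FINANCE.PAYROLL table and the SUPPORT_FF_01 user are hypothetical, and a single-database system is assumed for the configuration layer.

```sql
-- Added example (not from the slides). Policy names, FINANCE.PAYROLL and
-- SUPPORT_FF_01 are hypothetical. The policies require AUDIT ADMIN.

-- Switch auditing on and send the audit trail to Linux syslog.
-- Use 'CSTABLE' instead to write to the secure database table.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true',
      ('auditing configuration', 'default_audit_trail_type') = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

-- User management: user changes
CREATE AUDIT POLICY "AUD_USER_CHANGES"
  AUDITING ALL CREATE USER, ALTER USER, DROP USER
  LEVEL INFO;

-- User management: role and privilege granting
CREATE AUDIT POLICY "AUD_GRANTS"
  AUDITING SUCCESSFUL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE
  LEVEL INFO;

-- System access: failed logons only, raised to ALERT level
CREATE AUDIT POLICY "AUD_FAILED_LOGON"
  AUDITING UNSUCCESSFUL CONNECT
  LEVEL ALERT;

-- Configuration: parameter changes
CREATE AUDIT POLICY "AUD_CONFIG_CHANGE"
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL INFO;

-- Data access: reads and writes on one sensitive table
CREATE AUDIT POLICY "AUD_PAYROLL_ACCESS"
  AUDITING SUCCESSFUL SELECT, INSERT, UPDATE, DELETE ON "FINANCE"."PAYROLL"
  LEVEL INFO;

-- Log all ("firefighter"): every action of one support user.
-- Created here, enabled only for the duration of a support case.
CREATE AUDIT POLICY "AUD_FIREFIGHTER"
  AUDITING ALL ACTIONS FOR SUPPORT_FF_01
  LEVEL INFO;

-- New policies are inactive until enabled.
ALTER AUDIT POLICY "AUD_USER_CHANGES"   ENABLE;
ALTER AUDIT POLICY "AUD_GRANTS"         ENABLE;
ALTER AUDIT POLICY "AUD_FAILED_LOGON"   ENABLE;
ALTER AUDIT POLICY "AUD_CONFIG_CHANGE"  ENABLE;
ALTER AUDIT POLICY "AUD_PAYROLL_ACCESS" ENABLE;

-- Review what is defined and what is actually active.
SELECT AUDIT_POLICY_NAME, EVENT_ACTION, EVENT_STATUS, EVENT_LEVEL,
       IS_AUDIT_POLICY_ACTIVE
  FROM SYS.AUDIT_POLICIES
 ORDER BY AUDIT_POLICY_NAME, EVENT_ACTION;
```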


Secure system setup, administration and operation

Run your system securely

Security administration, configuration and monitoring
Secure network communication
Data encryption
Security infrastructure integration

SAP tools for administration, configuration and monitoring

SAP HANA Studio is the main administration tool for the SAP HANA database.
SAP HANA is fully integrated into SAP Solution Manager.
Web-based tools SAP DB Control Center and SAP HANA Cockpit. Cockpit is planned to replace Studio's administration and monitoring capabilities for SAP HANA databases in the future.

SAP HANA Studio
  Main administration tool for SAP HANA, based on Eclipse
SAP HANA Cockpit
  Web-based tool to administrate and monitor individual SAP HANA databases
SAP DB Control Center
  Web-based tool for landscape monitoring of SAP databases
SAP Solution Manager / DBA Cockpit
  Central tool to manage the SAP landscape, based on the SAP NetWeaver Application Server

Security administration, configuration and monitoring using SAP HANA Cockpit

SAP HANA Cockpit is installed with SAP HANA as automated content
Role-based access to tiles applies on top of the usual SAP HANA privileges
Default homepage of tiles is customizable

The security dashboard in SAP HANA Cockpit

The security dashboard in SAP HANA Cockpit provides an overview of important security KPIs
Get alerts about security issues
View information about important security settings
  Network communication channels, TLS/SSL
  Encryption and keys
  Authentication methods and password policy
  Audit logging policies
Drill-down to related tasks and further information

When to use which tool?

SAP HANA Cockpit: detailed information on SAP HANA systems
  Security monitoring
  Security alerting
  Security configuration and administration
EarlyWatch Alert, Security Optimization Services, Configuration Validation: overview information on SAP system landscape
  Security monitoring
  Security alerting
  Security assessment
Leverage the same system information: consistent view regardless of tool

Secure system set-up

SAP HANA is designed to run in different environments in a secure fashion
  Incorrectly configured security settings are one of the most common causes of security problems. SAP offers tools, settings, and information to help you to run SAP HANA securely
  A security checklist of critical configuration settings is provided in the SAP HANA Security Guide
  SAP HANA recommendations in SAP Security Baseline template
  DSAG Prüfleitfaden ERP 6.0
Monitoring
  Alerts in SAP HANA (SAP HANA Studio, SAP HANA Cockpit)
  Integration with SAP Solution Manager, SAP Early Watch Alert and Configuration Validation

Secure communication

SAP HANA supports TLS/SSL connection encryption for network communication channels
  Encryption of client-server communication (external channels) can be enforced
  Automatic setup of key management infrastructure (PKI) for internal communication channels
  Documented network communication channels, recommendations on the use of firewalls and network zones

[Diagram labels: External channels: Client - server. Internal channels: Scale-out system (Host1, Host2); System replication (Primary System, Secondary System, Data Center 1, Data Center 2); + SAP HANA option (Hot store, Warm store)]

Data encryption

Authorization is the primary means for fine-granular access control
Encryption addresses potential authorization bypass on lower architecture layers or by highly privileged users
SAP HANA supports SAP's standard cryptographic library, which is FIPS-certified
Data at rest encryption (data volume encryption)
  Encryption of SAP HANA's data files
  Page content is encrypted using the AES-256-CBC algorithm
  Encryption does not increase the data size
Application encryption
  Encryption APIs are available for applications based on SAP HANA extended application services (XS) for storing values in encrypted form
Backup encryption
  Backup encryption is provided by a wide variety of 3rd party backup tool vendors who are certified for SAP HANA's Backint interface

Backup tools certified for SAP HANA

Certification is an installation prerequisite for tools using the Backint for SAP HANA API
See SAP Note 1730932 (Using backup tools with Backint)

Certified tools (as of 2016-01-13)

Vendor        | Backup Tool                                                           | On Intel Architecture | On POWER Architecture
Allen Systems | ASG-Time Navigator                                                    | Yes                   | No
Commvault     | Simpana, Hitachi Data Protection Suite (via Simpana Backint interface) | Yes                   | No
EMC           | Networker, EMC Interface for Data Domain Boost                        | Yes                   | No
HP            | Data Protector, HP StoreOnce Plug-in for SAP HANA                     | Yes                   | No
IBM           | Tivoli Storage Manager for Enterprise                                 | Yes                   | No
IBM           | Spectrum Protect for Enterprise Resource Planning                     | No                    | Yes
Libelle       | BusinessShadow                                                        | Yes                   | No
SEP           | Sesam                                                                 | Yes                   | No
Symantec      | NetBackup*                                                            | Yes                   | No

Online listing of certified tools: Application Development Partner Directory
Enter the search term HANA-BRINT and click on a partner name, then "SAP Certified Solutions", for further details

Security infrastructure integration

SAP HANA supports industry standards and documented interfaces to enable integration with the customer's security network and datacenter infrastructures
Identity management
  Connector for SAP Identity Management, SQL interface for integration with other identity management solutions
Compliance
  Connector for SAP Access Control
  E.g. for Microsoft Active Directory
Logging
  Standard logging infrastructures (Linux syslog)
Threat detection
  SAP Enterprise Threat Detection support
Antivirus
  XS antivirus interface

[Diagram labels: Data Center; Single Sign-On (Kerberos, SAML); Identity Management (SQL); Compliance (SQL); Logging (syslog); Threat Detection (Log data); Antivirus (NW-VSI compatible); XS; SAP HANA]

Secure software and patching

Maintain security of your SAP HANA systems and stay up-to-date

Prevent, Detect, React

SAP secure development lifecycle
Security patches and updates
Security services by SAP

SAP secure software development lifecycle

At the core of SAP's development processes is a comprehensive security strategy based on three pillars: Prevent, Detect, React
The secure software development lifecycle (secure SDL)
  Provides a comprehensive framework of processes, guidelines, tools and staff training
  Ensures that security is an integral component of the architecture, design, and implementation of SAP solutions
  Is a risk-based approach, which uses threat-modeling and security risk assessment methods to determine the security controls enforced during software provisioning and operations, including comprehensive security testing with automated and manual tests.

More information: SAP Security @ http://www.sap.com/security

Security patches

Keep up to date by installing the latest security patches and monitoring SAP security notes
Security improvements/corrections ship with SAP HANA revisions
  Current SAP HANA version: SAP HANA SPS11, revisions 11x
  Installed using SAP HANA's lifecycle management tools
  See also SAP Note 2021789 SAP HANA revision and maintenance strategy
SAP security notes contain further information
  Affected SAP HANA application areas and specific measures that protect against the exploitation of potential weaknesses
  Released as part of the monthly SAP Security Patch Day
  See also http://support.sap.com/securitynotes and SAP Security Notes Frequently asked questions
Operating system patches
  Provided by the respective vendors SuSE/Redhat

Security services by SAP


SAP offers a wide range of security tools and services to ensure the smooth operation of your
SAP solution by taking action proactively, before security issues occur
More information
SAP Support Portal - EarlyWatch Alert
SAP Security Optimization Services


Summary

SAP HANA provides security functions, frameworks and interfaces that enable customers to
  meet security, legal, and regulatory compliance requirements
  implement different security policies
  integrate it into existing security infrastructures and processes

[Graphic labels: Authentication, Single sign-on; User/role management; Transport/data encryption; Audit logging; Secure configuration; Secure development]

Remember
  Scenario architecture determines security approach
  Make sure you stay up-to-date!

More information

Need more information on SAP HANA security? Read the SAP HANA security whitepaper!
Want to know more? Check out the SAP HANA security page http://hana.sap.com/security

More information

Documentation on SAP Help Portal:
  Security Guide, Master Guide, Developer Guide, SQL Reference Guide
Secure configuration guidelines:
  SAP HANA security configuration checklist
  SAP Security Baseline Template
  DSAG Prüfleitfaden ERP 6.0
Best practices: How to Define Standard Roles
Training: HA 240
SAP Notes
  2159014 FAQ: SAP HANA Security
  1514967 SAP HANA appliance
  1730928 Using external software in a HANA appliance
  1730929 Using external tools in an SAP HANA appliance
  1730930 Using antivirus software in an SAP HANA appliance
  784391 SAP support terms and 3rd-party Linux kernel drivers
  1730999 Configuration changes in HANA appliance
  863362 Security checks with SAP EarlyWatch Alert
  2021789 SAP HANA revision and maintenance strategy

Thank you

Contact information:
Andrea Kristen
(andrea.kristen@sap.com)
Holger Mack
(holger.mack@sap.com)
