ASUG Webinar
SAP HANA Security Overview
Andrea Kristen, Holger Mack, SAP SE
April 2016
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.
Public
Agenda
SAP HANA scenarios
Secure information access
Secure system setup, administration and operation
Secure software and patching
[Diagram: SAP HANA (Database, XS Classic) with its security functions: Authentication/SSO, Authorization, Users/Roles, Encryption, Audit Logging. Access paths shown: JDBC/ODBC, HTTP(S). Other labels: Application, Cockpit]
[Diagram labels: Application, Application end users, Application server administrators, Application Server, Technical account, Database, Database administrators]
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
[Diagram labels: Client, ABAP application permissions, BI application permissions, Application Server, BI Server, Database permissions, XS application and database permissions, XS, Source, Replication, SAP HANA]
[Diagram labels: Client, ERP, BW, Application Server]
S4HANA On Premise
[Diagram labels: Clients (Fiori, Web UI, SAPGUI), S4HANA Application Server]
Frontend/client security
Input validation, encrypted communication
[Diagram labels: Client, BI Client, Browser, ERP Application Server, Read only, SAP HANA]
Authorization checks using SAP HANA privileges
[Diagram labels: Client, BI Client, Browser, BW Application Server, Read only, Info provider, SAP HANA]
Authorization checks using SAP HANA privileges
[Diagram labels: Client, SAP BusinessObjects Business Intelligence]
[Diagram labels: Client, HTTP(S), Presentation Logic, XS, DB, Calculation Logic, SAP HANA]
Security aspects
Support for decoupling application layer and data layer
[Diagram labels: Client, HTTP(S), UAA, Identity Provider (IDP), Development Tools, XS Advanced Model, node.js, Java, XSJS, App. Coding, JDBC, Calculation Logic, Container, SAP HANA]
[Diagram labels: Application 1, Application 2, Application N; Tenant database 1, Tenant database 2, Tenant database N; System database; SAP HANA system]
More information
SAP Note 2096000
[Diagram labels: Developers, Role, Repository, DEV, Transport, PROD, Administrators, Grant]
Single sign-on
Kerberos/SPNEGO
SAML
SAP logon and assertion tickets
X.509 (only XS classic)
Audit logging
SAP HANA offers highly configurable, policy-based audit logging for critical system events
Audit policies
Include events to be recorded
If audit logging is enabled, some critical events are
always logged, e.g. disabling of audit logging
Audit trail
Linux syslog or secure database table
[Diagram labels: SAP Solution Manager / DBA Cockpit, SAP HANA]
EarlyWatch Alert
Security Optimization Services
Configuration Validation
Security monitoring
Security alerting
Security configuration and administration
Security monitoring
Security alerting
Security assessment
Monitoring
Alerts in SAP HANA (SAP HANA Studio, SAP HANA Cockpit)
Integration with SAP Solution Manager, SAP EarlyWatch Alert and Configuration Validation
Secure communication
SAP HANA supports TLS/SSL connection encryption for network communication channels
Encryption of client-server communication (external channels) can be enforced
Automatic setup of key management infrastructure (PKI) for internal communication channels
Documented network communication channels, recommendations on the use of firewalls and network zones
External channels
Client - server
Internal channels
Scale-out system
System replication
[Diagram labels: Client, SAP HANA, Host1, Host2, Primary System, Secondary System, Data Center 1, Data Center 2, Hot store, Warm store]
Data encryption
Authorization is the primary means for fine-granular access control
Encryption addresses potential authorization bypass on lower architecture layers or by highly privileged users
SAP HANA supports SAP's standard cryptographic library, which is FIPS-certified
Data at rest encryption (data volume encryption)
Encryption of SAP HANA's data files
Page content is encrypted using the AES-256-CBC algorithm
Encryption does not increase the data size
Application encryption
Encryption APIs are available for applications based on SAP HANA extended application services (XS) for storing values in encrypted form
Backup encryption
Backup encryption is provided by a wide variety of 3rd party backup tool vendors who are certified for SAP HANA's Backint interface
Backup Tool                         On Intel Architecture   On POWER Architecture
Allen Systems ASG-Time Navigator    Yes                     No
Commvault                           Yes                     No
EMC                                 Yes                     No
HP                                  Yes                     No
IBM                                 Yes                     No
IBM                                 No                      Yes
Libelle BusinessShadow              Yes                     No
SEP Sesam                           Yes                     No
Symantec NetBackup*                 Yes                     No
Compliance
Connector for SAP Access Control
E.g. for Microsoft Active Directory
Logging
Standard logging infrastructures (Linux syslog)
Threat detection
SAP Enterprise Threat Detection support
Antivirus
XS antivirus interface
[Diagram labels: Data Center, Single Sign-On, Identity Management, SQL, Compliance, Kerberos, SAML, Logging, syslog, Threat Detection, Log data, Antivirus, NW-VSI compatible, XS, SAP HANA]
Security patches
Keep up to date by installing the latest security patches and monitoring SAP security notes
Security improvements/corrections ship with SAP HANA revisions
Current SAP HANA version: SAP HANA SPS11, revisions 11x
Installed using SAP HANA's lifecycle management tools
See also SAP Note 2021789 SAP HANA revision and maintenance strategy
Summary
SAP HANA provides security functions, frameworks and
interfaces that enable customers to
Authentication
Single sign-on
User/role management
Transport/data encryption
Audit logging
Secure configuration
Secure development
Remember
More information
Documentation on SAP Help Portal:
Security Guide, Master Guide, Developer Guide, SQL Reference Guide
Secure configuration guidelines:
SAP HANA security configuration checklist
SAP Security Baseline Template
DSAG Prüfleitfaden ERP 6.0
Best practices: How to Define Standard Roles
Training: HA 240
SAP Notes
Thank you
Contact information:
Andrea Kristen (andrea.kristen@sap.com)
Holger Mack (holger.mack@sap.com)