2016 04.asug hana.security.overview

8/17/2019 2016 04.ASUG HANA.security.overview

1/46

Andrea Kristen, Holger Mack, SAP SE

April 2016

ASUG Webinar

SAP HANA Security Overview

secure information access secure system setup s


2/46

© 2016 SAP SE or an SAP affiliate company. All rights reserved.

Disclaimer

This presentation outlines our general product direction and should not be relied on

purchase decision. This presentation is not subject to your license agreement or anywith SAP. SAP has no obligation to pursue any course of business outlined in this pr

develop or release any functionality mentioned in this presentation. This presentation

strategy and possible future developments are subject to change and may be chang

time for any reason without notice. This document is provided without a warranty of a

express or implied, including but not limited to, the implied warranties of merchantab

particular purpose, or non-infringement. SAP assumes no responsibility for errors or

document, except if such damages were caused by SAP intentionally or grossly neg


3/46


Agenda

SAP HANA scenarios

Secure information access

Secure system setup, administration and operation

Secure software and patching


4/46


Manage secure data access and keep your systems pro

SAP HANA provides a comprehensive security framewo

✔ Securely run SAP HANA in a variety of environments

✔ Meet increasing regulatory and compliance requirements

✔ Easily configure, manage and monitor security

✔ Keep up to date with relevant security updates


5/46© 2016 SAP SE or an SAP affiliate company. All rights reserved.

SAP HANA’s unified security architecture

SAP HAN

XS Classic

Browser Application Server

Client

Authentication/SSO

Authorization

Encryption

Audit LoggingUsers/Roles

SAP HANA Tools

Studio

Application

Design Time Repository

Database

Cockpit

JDBC/ODBC HTTP(S)


6/46



Traditional security architecture

Database

Client

Application Server

Application Application

Application

end users Application server

administrators

Database

administrators

Technical

account



Typical SAP HANA scenarios

Client

Application Server

SAP HANA

Traditional 3-tier application

ABAP application

permissions

SAP HANA

Client

SourceRepl icat ion

Client

BI Server

Data mart (3-tier or 2-tier)

BI application

permissions

Databasepermissions

C

Native



Traditional 3-tier application – Database migration to SA

Database migration to SAP HA

no change to the security m

End users in the application ser – Security functions of the application

– No change to authentication/autho

Application server connects with te

SAP HANA

SAP HANA security functions are

administrative access to SAP HAN

Examples: Business Warehouse o

Business Suite on SAP HANA

Client

Application Server

BWERP

SAP HANA


10/46


S4HANA On Premise

Same security model as tradit

applications

End users in S/4HANA AppServ – NetWeaver security functions apply

and authorization

Frontend/client security – Input validation, encrypted commun

Application server connects with te

SAP HANA



Clients

Application Server

S4HANA

SAP HANA

Fiori Web UI SAPGUI


11/46


Fiori delivers state-of-the-art Ubenefits

Fiori delivers state-of-the-art HTM

SAP adheres to a safe and proven

Standard ODATA protocol used fo

Fiori role/authorization handlin Fiori Launchpad provides a role-sp

individualized subset of the availab

Privileges are assigned to the en

roles

S/4HANA OnPremise – Fiori Launchpad


12/46


Integrated scenario – Reporting on ERP data in SAP HA

Direct user access to SAP HAN

modified security model

SAP HANA Live for SAP Business S

access to ERP data in SAP HANA

ERP data is exposed via SAP HAN – Read only

– Authorization checks using SAP

End users both in application sein SAP HANA – Tool support for generation of SAP

ABAP PFCG roles



SAP HANA

Client

Application

Server

Browser

BI Client

SAP HANA Live

XS

ERP


13/46


Integrated scenario – Reporting on BW data in SAP HAN


modified security model

SAP Business Warehouse supports

data in SAP HANA

BW data is exposed via SAP HAN – Read only


End users both in application sein SAP HANA – Automatic generation of SAP HANA

roles based on BW privileges, auto



SAP HANA

Client

Application

Server

Browser

BI Client

Info provider

BW


14/46


Integrated scenarios – user generation from ABAP

SAP HANA users can be generated from ABAP users

Since NW 7.40 SPS 3

User management transaction SU01

Since NW 7.40 SPS 6

Report for mass synchronization: RSUSR_DBMS_USERS

User copy supported in SU01


15/46


SAP HANA

Data mart – Customer-specific analytic reporting on SAP

Client

Source

Replication

Client

SAP BusinessObjects

Business Intelligence

Direct user access to SAP HA

based on SAP HANA native

Custom reports and dashboards

access to data in SAP HANA us

Data is exposed via SAP HANA a – Read only

– Often on replicated/aggregated da


End users in SAP HANA SAP HANA privileges need to be

individual project


administrative access to SAP HA


16/46


Applications built on SAP HANA XS classic model


integrated security model

SAP HANA supports direct acce

based native applications based

End users in SAP HANA

Security functions of SAP HANA a

authentication/SSO, encryption, au

Additional security functions for XS

applications: – Application-specific authorization c

modelled for the individual XS cl

– Protection against XSRF, SQL injec

– For outgoing connections: OAuth c


administrative access to SAP HA

SAP HANA

XS

Client

H T T P ( S )

DB Calculat ion Lo gic

Presentat ion Log ic

Control Flow Logic


17/46


Applications built on SAP HANA XS advanced model

New scalable, flexible application ru

(introduced with SAP HANA SPS11)

Security aspects

Support for decoupling application lay – Separate deployment (e.g. network zones

application layer

Isolation for applications – data layer: separate containers per applica

– application layer: separate OS users per a

New user and role management for bu – business users managed via identity prov

compliant identity provider or HANA as na

– business user authorized based on scope

authorizations (e.g. view cost center data)

instance based authorizations (e.g. cost c

Central user account and authenticatiSAP HANA

Client

H T T P ( S )

Container

Calculation

Logic

Presentat ion

Log ic

XS Advanced ModelApp. Coding

J D B C

UAA

Identity

Provider (IDP)

XSJSDevelopment

Tools

Java

node.js


18/46


Multitenant database containers – a new way to separat

Run multiple applications on one HANA system

1 system database and multiple tenant databases Shared software installation

Strong isolation features

Users, database catalog, repository, persistence, backups,

traces and diagnosis files per database

Isolation level “high”: dedicated OS user/group per tenant

Overall system administration from system database.

But: No direct access to tenant database schemas from the

system database

Security-relevant features configurable per database

More information

SAP Note 2096000

Application 1 Application

Tenant

database 1

Tenant

database 2

System

database

https://service.sap.com/sap/support/notes/2096000https://service.sap.com/sap/support/notes/2096000


19/46

Secure information access


20/46


Manage and control compliant access to your critical da

Comprehensive role and privilege framework

Authentication and single sign-on

User and identity management

Audit logging


21/46


Comprehensive role and privilege framework

SAP HANA’s comprehensive authorization framework

provides highly granular access controlRoles are used to bundle and structure privileges for

dedicated groups of users

Role transport available for DEV/QA/PROD system landscapes

Privileges define what users can see and do

Based on standard SQL object privileges, HANA-specific

extensions for business applications

End user privileges: Access to database content (e.g. SELECT on

table) SQL privileges, analytic privileges; execution of

application functions XS application privileges

Administrator privileges: execution of administration tasks (e.g.

backups, user management) System privileges

Developer privileges: Access to development artifacts in the

repository Package privileges

DEV

Developers

Repository

Role

Transport


22/46


Authentication and single sign-on

Access to SAP HANA data, functions and applications requires authentication

Authentication options configurable per user

Password login

Password policy: change frequency, strength, password blacklist etc.

No default passwords, mandatory password change after first logonfor end users

Single sign-on

Kerberos/SPNEGO

SAML

SAP logon and assertion tickets

X.509 (only XS classic)


23/46


User and identity management

SAP HANA users

For logon a user in SAP HANA‘s user store is required Bootstrapping user SYSTEM created during installation.

Recommendation: create dedicated administrators and lockSYSTEM user

Automatic locking of users in certain situations (e.g. if theirvalidity expired or they entered a wrong password severaltimes), manual locking also possible

User administration and role assignment

SAP HANA Studio/Cockpit for user/role management

Self services for web-based password reset and requestingnew user account

Connectors for SAP Identity Management, SAP Access Control

SQL interface for connecting custom solutions

http://go.sap.com/product/technology-platform/identity-management.htmlhttp://go.sap.com/product/analytics/access-control.htmlhttp://go.sap.com/product/analytics/access-control.htmlhttp://go.sap.com/product/technology-platform/identity-management.html


24/46


Audit logging

SAP HANA offers highly configurable, policy-based audit logging for critical sy

User management: e.g. user changes, role granting System access and configuration: e.g. failed logons, parameter changes

Data access: e.g. read and write access to tables and views, execution of procedures

“Log all”: firefighter logging, e.g. for support cases

Audit policies

Include events to be recorded

If audit logging is enabled, some critical events are

always logged, e.g. disabling of audit logging

Audit trail

Linux syslog or secure database table


25/46

Secure system setup,

administration and operat


26/46


Run your system securely

Security administration, configuration and monitoring

Secure network communication

Data encryption

Security infrastructure integration


27/46


SAP DB Control Center

Web-based tool for landscape

monitoring of SAP databases

SAP HANA

Web-based tool to and monitor individu

databas

SAP tools for administration, configuration and monitor

SAP HANA Studio is the

main administration tool for

the SAP HANA database.

SAP HANA is fully integrated

into SAP Solution Manager .

Web-based tools SAP DB

Control Center and SAP

HANA Cockpit. Cockpit is

planned to replace Studio’sadministration and monitoring

capabilities for SAP HANA

databases in the future.SAP

HANA

SAP HANA Studio

Main administration toolfor SAP HANA, based on

Eclipse

M

CenSAP

t

Security administration configuration and monitoring


28/46


Security administration, configuration and monitoring

using SAP HANA Cockpit

SAP HANA Cockpit is installed with SAP HANA as

automated content

Role-based access to tiles

applies on top of the usual SAP HANA privileges

Default homepage of tiles is customizable


29/46


The security dashboard in SAP HANA Cockpit

The security dashboard in SAP HANA Cockpit provides an overview of importa

Get alerts about security issues

View information about important security settings

– Network communication channels, TLS/SSL

– Encryption and keys

– Authentication methods and password policy

– Audit logging policies

Drill-down to related tasks and further information


30/46


When to use which tool?

Detailed information on SAP HANA systems

Security monitoring

Security alerting

Security configuration and administration

SAP HANA Cockpit

EarlyWatch Alert

Security Optimization ServConfiguration Validation

Overview information on SAP

Security monitoring

Security alerting

Security assessment

Leverage the same system information

consistent view regardless of tool


31/46


Secure system set-up

SAP HANA is designed to run in different environments in a secure fashion

Incorrectly configured security settings are one of the most commoncauses of security problems SAP offers supports tools, settings,

and information to help you to run SAP HANA securely

A security checklist of critical configuration settings is provided in the

SAP HANA Security Guide

SAP HANA recommendations in SAP Security Baseline template

DSAG Prüfleitfaden ERP 6.0

Monitoring

Alerts in SAP HANA ( SAP HANA Studio, SAP HANA Cockpit)

Integration with SAP Solution Manager, SAP Early Watch Alert and

Configuration Validation

http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdfhttp://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf


32/46


SAP HANA supports TLS/SSL connection encryption for network communicat

Encryption of client-server communication (external channels) can be enforced Automatic setup of key management infrastructure (PKI) for internal communication channe

Documented network communication channels, recommendations on the use of firewalls an

Secure communication

Client - server

SAP HANA

Scale-out system

Host1 Host2

Data Center 1 Data Center 2

System replication

SAP HANA

Primary

System

SAP HANA

Secondary

System

Internal channels

Client

SAP HANA

External channels


33/46


Data encryption

Authorization is the primary means for fine-granular access control

Encryption addresses potential authorization bypass on lower architecture layprivileges users

SAP HANA supports SAP’s standard cryptographic library, which is FIPS-certified

Data at rest encryption (data volume encryption)

Encryption of SAP HANA’s data files

Page content is encrypted using the AES-256-CBC algorithm Encryption does not increase the data size

Application encryption

Encryption APIs are available for applications based on SAP HANA

extended application services (XS) for storing values in encrypted form

Backup encryption

Backup encryption is provided by a wide variety of 3rd party backup tool

vendors who are certified for SAP HANA’s Backint interface

http://scn.sap.com/community/security/blog/2015/01/21/sap-s-crypto-kernel-receives-fips-140-2-certificatehttp://scn.sap.com/community/security/blog/2015/01/21/sap-s-crypto-kernel-receives-fips-140-2-certificate


34/46


Backup tools certified for SAP HANA

Certification is an installation prerequisite for tools using the “Backint for SAP

See SAP Note 1730932 (Using backup tools with Backint)

Certified tools (as of 2016-01-13)

Online listing of certified tools: Application Development Partner Directory

Enter the search term HANA-BRINT and click on a partner name ”SAP Certified Solutions” for furth

Vendor Backup Tool On Intel Architecture

Allen Systems ASG-Time Navigator Yes

Commvault Simpana, Hitachi Data Protection Suite (via Simpana Backint interface) Yes

EMC Networker, EMC Interface for Data Domain Boost Yes

HP Data Protector, HP StoreOnce Plug-in for SAP HANA Yes

IBM Tivoli Storage Manager for Enterprise YesIBM Spectrum Protect for Enterprise Resource Planning No

Libelle BusinessShadow Yes

SEP Sesam Yes

Symantec NetBackup* Yes

https://service.sap.com/sap/support/notes/1730932http://global.sap.com/community/ebook/2013_09_adpd/enEN/search.htmlhttp://global.sap.com/community/ebook/2013_09_adpd/enEN/search.htmlhttps://service.sap.com/sap/support/notes/1730932


35/46


36/46

Secure software and patch

M i t i it f SAP HANA t d t


37/46


Maintain security of your SAP HANA systems and stay u

Prevent – Detect – React

SAP secure development lifecycle

Security patches and updates

Security services by SAP

SAP ft d l t lif l


38/46


SAP secure software development lifecycle

At the core of SAP’s development processes is a comprehensive security stra

three pillars: Prevent – Detect – React

The secure software development lifecycle (secure SDL)

Provides a comprehensive framework of processes, guidelines, tools and staff training

Ensures that security is an integral component of the architecture, design, and implementat

Is a risk-based approach, which uses threat-modeling and security risk assessment method

security controls enforced during software provisioning and operations, including comprehen

with automated and manual tests.

More information: SAP Security @ http://www.sap.com/security

S it t h

http://www.sap.com/securityhttp://www.sap.com/security


39/46


Security patches

Keep up to date by installing the latest security patches

and monitoring SAP security notes

Security improvements/corrections ship with SAP HANA revisions

Current SAP HANA version: SAP HANA SPS11, revisions 11x

Installed using SAP HANA’s lifecycle management tools

See also SAP Note 2021789 – SAP HANA revision und maintenance strategy

SAP security notes contain further information

Affected SAP HANA application areas and specific measures that protect against the exploi

weaknesses

Released as part of the monthly SAP Security Patch Day

See also http://support.sap.com/securitynotes and SAP Security Notes – Frequently asked q

Operating system patches Provided by the respective vendors SuSE/Redhat


https://websmp130.sap-ag.de/sap/support/notes/2021789https://websmp130.sap-ag.de/sap/support/notes/2021789https://websmp130.sap-ag.de/sap/support/notes/2021789http://support.sap.com/securitynoteshttp://support.sap.com/securitynoteshttps://support.sap.com/kb-incidents/notifications/security-notes/faq.htmlhttps://support.sap.com/kb-incidents/notifications/security-notes/faq.htmlhttps://support.sap.com/kb-incidents/notifications/security-notes/faq.htmlhttps://support.sap.com/kb-incidents/notifications/security-notes/faq.htmlhttp://support.sap.com/securitynoteshttps://websmp130.sap-ag.de/sap/support/notes/2021789


40/46



SAP offers a wide range of security tools and services to ensure the smooth o

SAP solution by taking action proactively, before security issues occur

More information

SAP Support Portal - EarlyWatch Alert

SAP Security Optimization Services

https://support.sap.com/support-programs-services/services/earlywatch-alert.htmlhttps://support.sap.com/support-programs-services/services/earlywatch-alert.htmlhttps://support.sap.com/support-programs-services/services/security-optimization-services.htmlhttps://support.sap.com/support-programs-services/services/security-optimization-services.htmlhttps://support.sap.com/support-programs-services/services/security-optimization-services.htmlhttps://support.sap.com/support-programs-services/services/earlywatch-alert.html


41/46

Summary

Summary


42/46


Summary

SAP HANA provides security functions, frameworks and

interfaces that enable customers to

meet security, legal, and regulatory compliance requirements

implement different security policies

integrate it into existing security infrastructures and processes

Remember

Scenario architecture determines security approach

Make sure you stay up-to-date!

User

manag

Sec

config

Authentication

Single sign-on

Audit logging


43/46

More information

Need more information on SAP HANA security?


44/46


Need more information on SAP HANA security?

Read the SAP HANA security

whitepaper !

Want to know more?

the SAP HANA securhttp://hana.sap.com/se

More information

https://hana.sap.com/content/dam/website/saphana/en_us/PDFs/hana-security/SAP_HANA_Security_Whitepaper_SPS11.pdfhttps://hana.sap.com/content/dam/website/saphana/en_us/PDFs/hana-security/SAP_HANA_Security_Whitepaper_SPS11.pdfhttps://hana.sap.com/content/dam/website/saphana/en_us/PDFs/hana-security/SAP_HANA_Security_Whitepaper_SPS11.pdfhttps://hana.sap.com/content/dam/website/saphana/en_us/PDFs/hana-security/SAP_HANA_Security_Whitepaper_SPS11.pdfhttp://hana.sap.com/securityhttp://hana.sap.com/securityhttp://hana.sap.com/securityhttps://hana.sap.com/content/dam/website/saphana/en_us/PDFs/hana-security/SAP_HANA_Security_Whitepaper_SPS11.pdf


45/46


More information

Documentation on SAP Help Portal:

– Security Guide, Master Guide, Developer Guide, SQL Reference Guide

Secure configuration guidelines: – SAP HANA security configuration checklist

– SAP Security Baseline Template

– DSAG Prüfleitfaden ERP 6.0

Best practices: How to Define Standard Roles

Training: HA 240

SAP Notes

o 2159014 FAQ: SAP HANA Securityo 1514967 SAP HANA appliance

o 1730928 Using external software in a HANA appliance

o 1730929 Using external tools in an SAP HANA appliance

o 1730930 Using antivirus software in an SAP HANA appliance

o 784391 SAP support terms and 3rd-party Linux kernel drivers

o 1730999 Configuration changes in HANA appliance

o 863362 Security checks with SAP EarlyWatch Alert

o 2021789 SAP HANA revision and maintenance strategy

http://help.sap.com/hana_platformhttp://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdfhttp://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdfhttps://support.sap.com/dam/library/SAP%20Support%20Portal/support-programs-services/support-services/security-optimization-service/media/Security_Baseline_Template.ziphttps://support.sap.com/dam/library/SAP%20Support%20Portal/support-programs-services/support-services/security-optimization-service/media/Security_Baseline_Template.ziphttps://www.dsag.de/fileadmin/media/150504_Leitfaden_Best-Practice-SAP-ERP/https://www.dsag.de/fileadmin/media/150504_Leitfaden_Best-Practice-SAP-ERP/https://scn.sap.com/docs/DOC-53974https://training.sap.com/shop/course/ha240-authorization-security-and-scenarios-classroom-009-g-en/http://service.sap.com/sap/support/notes/2159014http://service.sap.com/sap/support/notes/2159014https://service.sap.com/sap/support/notes/1514967https://service.sap.com/sap/support/notes/1514967https://service.sap.com/sap/support/notes/1730928https://service.sap.com/sap/support/notes/1730928https://service.sap.com/sap/support/notes/1730929https://service.sap.com/sap/support/notes/1730929https://service.sap.com/sap/support/notes/1730930https://service.sap.com/sap/support/notes/1730930http://service.sap.com/sap/support/notes/784391http://service.sap.com/sap/support/notes/784391https://service.sap.com/sap/support/notes/1730999https://service.sap.com/sap/support/notes/1730999https://css.wdf.sap.corp/sap/support/notes/863362https://css.wdf.sap.corp/sap/support/notes/863362https://websmp130.sap-ag.de/sap/support/notes/2021789https://websmp130.sap-ag.de/sap/support/notes/2021789https://websmp130.sap-ag.de/sap/support/notes/2021789https://css.wdf.sap.corp/sap/support/notes/863362https://service.sap.com/sap/support/notes/1730999http://service.sap.com/sap/support/notes/784391https://service.sap.com/sap/support/notes/1730930https://service.sap.com/sap/support/notes/1730929https://service.sap.com/sap/support/notes/1730928https://service.sap.com/sap/support/notes/1514967http://service.sap.com/sap/support/notes/2159014https://training.sap.com/shop/course/ha240-authorization-security-and-scenarios-classroom-009-g-en/https://scn.sap.com/docs/DOC-53974https://www.dsag.de/fileadmin/media/150504_Leitfaden_Best-Practice-SAP-ERP/https://support.sap.com/dam/library/SAP%20Support%20Portal/support-programs-services/support-services/security-optimization-service/media/Security_Baseline_Template.ziphttp://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdfhttp://help.sap.com/hana_platform


46/46

Contact

Andrea K

(andrea.

Holger M

(holger.m

Thank you
mailto:[email protected]:[email protected]:[email protected]:[email protected]

2016 04.asug hana.security.overview

Documents