Top 5 SAP HANA Security Features
What is SAP HANA Security?
SAP HANA is an in-memory database for real-time processing and querying high volumes of data. HANA’s in-memory computing database infrastructure eliminates the need to load or write data back. It is a popular database that often stores sensitive corporate information that requires protection and compliance controls. Securing HANA is a critical part of an SAP security strategy.
SAP HANA offers security features, such as authentication and single sign-on (SSO), authorization and role management, encryption, data privacy, and auditing. We’ll review these features and provide essential best practices that can help you secure your HANA deployment.
Top SAP HANA Security Features
1. SAP HANA Authentication and SSO
SAP HANA database supports several authentication mechanisms, including SAML bearer tokens, username/password, Kerberos, and JSON Web tokens. A per-database configuration is not always possible—it depends on the user client and authentication mechanism. Here is how it works:
- Basic authentication—username/password authentication allows database-specific configuration.
- Kerberos-based authentication—this mechanism does not allow per-database configuration. It requires mapping database users across all databases to users in the same Key Distribution Center.
- SAML and JWT-based authentication—these mechanisms allow per-database configuration for JDBC/ODBC client access. It lets you configure different trust stores (with different certificates) for individual databases.
- Database-specific trust stores—these stores do not allow configuration for HTTP client access through SAP HANA XS classic or SAP HANA Extended Services. When setting up user authentication based on X.509 certificates and SAML assertions, you cannot configure it to be database specific.
Related content: Read our guide to SAP Access
2. SAP HANA Authorization and Role Management
SAP HANA and SAP HANA Cloud offer a comprehensive authorization framework for highly granular access control. It allows users to access an SAP HANA database only through defined client interfaces and perform operations on database objects according to their allocated privileges and roles.
Roles help bundle and structure privileges for specific user functions or tasks, and privileges are based on standard SQL object privileges. SAP HANA-specific extensions are used for the privileges of business applications.
3. SAP HANA Encryption
SAP HANA offers various encryption capabilities for each deployment type. Here are key options:
- SAP HANA Cloud—includes communication encryption, backup encryption, data-at-rest encryption, and more.
- On-premise SAP HANA—the same encryption options available for SAP HANA Cloud and more.
Both deployment types can integrate with SAP Data Custodian KMS for full control over encryption keys.
4. SAP HANA Data Privacy
Here are key SAP HANA data privacy mechanisms:
- Data anonymization—SAP HANA offers real-time SAP HANA data anonymization at the view level to ensure the data at the table level does not change. You can choose between two anonymization methods—differential privacy and k-anonymity. You can also add a custom definition of anonymization views and access reporting views.
- Data masking—SAP HANA and SAP HANA Cloud offer native SAP HANA dynamic data masking. It helps protect data at the row level through data masking in tables and views. This mechanism does not replicate data—it masks it on-the-fly when unauthorized users access it.
5. SAP HANA Auditing
Auditing can help you monitor and record actions performed in SAP HANA databases, SAP HANA Cloud, and SAP HANA Platform. You can leverage audits to improve the security of your database, for example, by detecting security vulnerabilities. It can help you learn whether certain users have too many privileges, uncover security breach attempts, and protect against security violations and data misuse.
SAP HANA provides configurable and policy-based audit logging for critical system events, such as changes to the database configuration. It can record access to sensitive data, such as executed procedures, or write and read access to objects like views and tables. SAP HANA also offers firefighter logging—when enabled, this feature offers temporary, highly privileged access to critical systems.
Related content: Read our guide to SAP Audits
Best Practices for Securing SAP HANA
Limit Permissions to Prevent Insider Threats
SAP HANA allows you to define role-based permissions using privilege groups. You can create privilege groups at the system, object, analytics, package, and application level. Role-based configuration of privileges helps limit the damage that can be caused by internal threats or external attackers who compromise SAP HANA user accounts. When setting up permissions and groups, use the least privilege principle to limit roles to the minimum level of control required for each user.
Keep Systems Up-to-Date
SAP provides regular system updates to patch vulnerabilities and fix security issues. To keep SAP HANA secure, patches must be updated as soon as they are released. Be sure to check the latest SAP Security Notes, released on the second Tuesday of every month. This note provides security information about known vulnerabilities and how to prevent exploits.
Use Vendor Installed Systems
Vendor-installed systems help simplify the deployment and configuration of SAP HANA. If you are deploying SAP HANA on a self-managed system, take these steps to secure your deployment:
- Change all passwords, especially the <sid>adm, root, and sapadm passwords, which provide administrative access.
- Review all existing users and delete redundant users. Deactivate the SYSTEM user because it is a superuser with privileges to create databases.
- Rotate master encryption keys and regenerate the public key infrastructure. You should continuously rotate and regenerate these configurations to ensure encryption is secure.
SAP Security with Pathlock
Managing security across multiple SAP instances can be a challenging, time-consuming, and manual process. Without proper security protection in place, companies expose themselves to threats that may lead to system outages, data loss, or financial fraud.
With Pathlock, organizations using SAP can automate many of their SAP security processes to provide 360-degree protection across the SAP system landscape. The Pathlock platform can provide proactive protection, including:
- Vulnerability scanning: run periodic scheduled or ad hoc scans of 1,000’s of rules across SAP instances to identify any known misconfigurations, missing patches, or other risks to be addressed by the business
- Threat detection and response: identify and respond to unusual behavior to remediate threats and reduce risk exposure in real-time
- Code scanning: inspect custom code and transports for any potential performance issues or malicious code that could cause data loss or negative impacts on system performance
- Compliance Reporting: continuously monitor and report on key controls related to application configuration, IT general controls, and other compliance mandates
Interested to find out how Pathlock can help to automate your SAP Security program while keeping your landscape secure and compliant? Request a demo of Pathlock today!