You are on page 1of 43

SEC100 SAP HANA Cloud Platform

A Security Overview

Martin Raepple / Area Product Owner Security for SAP HANA Cloud Platform

Public

Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

Agenda
Introduction to SAP HANA Cloud Platform
Federated Authentication in SAP HANA Cloud Platform Applications
Demo 1: Federated Authentication with a Corporate Identity Provider and SAP Cloud Identity
Demo 2: Analyzing SAML 2.0 Authentication
Demo 3: Protecting Web APIs with OAuth 2.0 for Secure Mobile Access

Authorization Management in SAP HANA Cloud Platform Applications


Demo 4: Federated Authorization with an HTML5 Application

Protecting against common Web Attacks


Secure Backend Connectivity
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

Introduction to
SAP HANA Cloud Platform

Cloud basics
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)

Virtualization

managed
2014
2014 SAP
SAP SE
SE or
or an
an SAP
SAP affiliate
affiliate company.
company. All
All rights
rights reserved.
reserved.

Hosting

Public

Supported scenarios
New Cloud Apps

On-Premise Apps

BUILD

EXTEND

ON-PREMISE
SOLUTION
Data

2014
2014 SAP
SAP SE
SE or
or an
an SAP
SAP affiliate
affiliate company.
company. All
All rights
rights reserved.
reserved.

Cloud Apps

CLOUD
SOLUTION
Data

Public

One Platform Many Runtimes


Build native SAP HANA applications on SAP HANA Cloud Platform
Eclipse-based tools for connecting to your SAP HANA instance on SAP
HANA Cloud Platform
Use of SAP HANA studio features for SAP HANA development
Develop, deploy and use Java applications in a cloud environment
Applications run on a runtime container where they can use the platform
services APIs and Java EE APIs according to standard patterns
Develop and run lightweight HTML5/SAPUI5 applications in a cloud
environment
HTML5 applications consist of static resources (HTML, JS, CSS, ...)
Connect to any existing on premise or on-demand REST services

2014
2014 SAP
SAP SE
SE or
or an
an SAP
SAP affiliate
affiliate company.
company. All
All rights
rights reserved.
reserved.

Public

One Platform Many Services


Developer Experience
Application Services

Mobile

Portal

Analytics

Collaboration

Security & IAM

Connectivity

Spatial

Text Mining

DB Services

Transactions

Analytics

Streaming

Infrastructure
2014
2014 SAP
SAP SE
SE or
or an
an SAP
SAP affiliate
affiliate company.
company. All
All rights
rights reserved.
reserved.

Predictive

Services
Public

Secure & Compliant Infrastructure


Certified operations

IT Operations

ISO 27001
CERTIFIED

World-class data centers

Quality Management

ISO 9001
CERTIFIED1

High Availability

BS25999
CERTIFIED1

Energy Efficiency

GREEN IT
CERTIFIED1

Advanced network security


Reliable data backup
Built-in compliance, integrity,
and confidentiality

2014
2014 SAP
SAP SE
SE or
or an
an SAP
SAP affiliate
affiliate company.
company. All
All rights
rights reserved.
reserved.

International Account
Regulations

ISAE3402
TESTIFIED2
SSAE16
TESTIFIED

Certification for Germany-based SAP data center hosting SAP HANA Cloud Platform

Formerly SAS 70 Type II

Public

Try it out Today - With a free Developer License!


http://hanatrial.ondemand.com

2014
2014 SAP
SAP SE
SE or
or an
an SAP
SAP affiliate
affiliate company.
company. All
All rights
rights reserved.
reserved.

Public

10

Federated Authentication in
SAP HANA Cloud Platform
Applications

Federated Authentication in SAP HANA Cloud Platform


Your SAP HANA Cloud
Application(s)
Web Browser

Access protected
Web Resources

HANA

XS
SAP HANA
Cloud Platform

User

Authenticate /
Single Sign-On

Delegate
Authentication &
Identity Management via
SAML 2.0
Identity Provider (IdP)

2014
2014 SAP
SAP SE
SE or
or an
an SAP
SAP affiliate
affiliate company.
company. All
All rights
rights reserved.
reserved.

Public

12

Federated Authentication and SSO for Browser-based Applications


with SAML 2.0
Your SAP HANA
Cloud Application(s)

1.
1 User accesses protected web resource
on SP

2.
2 SAP HANA Cloud Application sends SAML
Authentication Request via HTTP redirect
to trusted IdP

HANA
Web Browser

User

XS

2 SAML Request
4 SAML Response

3.
3 IdP authenticates the user
(if not done already)
4.
4 Upon successful authentication, IdP sends
a HTML form with the SAML Response
message in a hidden field to the Web
Browser, that (auto)submits it using an
embedded (Java)Script

Access protected
1 Web resources

SAP HANA
Cloud Platform

3
Authenticate

SAML 2.0-compliant
Identity Provider (IdP)
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

13

Identity Provider Options on SAP HANA Cloud Platform

SAP ID Service

SAPs public IdP on the Internet


Free service, similar to social IdPs
Shared user base with SCN, SAP Service Marketplace and others (~4 Million identities)
Authentication only - no user lifecycle management

SAP Cloud Identity

Internet

SAP HANA
Cloud Platform

Corporate
Network

Your own Identity


Provider

2014 SAP SE or an SAP affiliate company. All rights reserved.

Cloud Solution for Identity Lifecycle Management


Pay-per-User
Isolated user base per tenant
User import and export
Rich customization and branding features
Main scenarios: B2C and B2B

Prerequisite: SAML 2.0 compliance


Main scenario: B2E

Public

14

Demo 1
Federated Authentication with a Corporate Identity
Provider (SAP SSO) and SAP Cloud Identity

Troubleshooting Hints for Authentication Problems


Server-side Analysis: Increase Log Level of saml2.sp
temporarily
Client-side Analysis: SSO Tracer
(Firefox Add-on) or similar tool

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

16

Demo 2
Analyzing SAML 2.0 Authentication

Different Clients Different Protection


Applications in the Cloud are
accessed from a variety of
clients, e.g. web browsers, mobile
apps, or desktop clients
To support different types of clients,
applications expose Web UIs and
Web APIs
Non-browser clients cannot use
SAML-based authentication

2014
2014 SAP
SAP SE
SE or
or an
an SAP
SAP affiliate
affiliate company.
company. All
All rights
rights reserved.
reserved.

Mobile & Desktop Apps,


Embedded (Java)Script

Web Browser

SAML
Web UI

Web APIs
HANA

XS

Your SAP HANA


Cloud Application(s)
SAP HANA
Cloud Platform

Public

18

The Rise of Web APIs


Twitter, Facebook and others
started with opening their platforms
through APIs to 3rd party apps
ProgrammableWeb API directory
counts 11,910 APIs (Sept. 2014)
Representational State Transfer
(REST) is the dominant API protocol

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

19

The Password Antipattern

CloudBank
Username
Password
Log in

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

20

The Password Antipattern


Users have to share their password with
the Client which has to store it securely

Username

Clients get complete & uncontrolled access


to the users account and protected
resources

Password

Users cannot easily revoke access to an


Client except by changing their password

Log in

2014 SAP SE or an SAP affiliate company. All rights reserved.

Compromised Clients could expose the


users password
Public

21

OAuth 2.0 to the Rescue!


OAuth can grant a client access to protected resources
without sharing the credentials of the resource owner
OAuth 2.0 is specified in IETF RFC 6749
OAuth replaces the users username and
password with a token
Although the token is still vulnerable
to theft, it has a very narrow scope
compared to the users password

SAP HANA
Cloud Platform

It only allows a specific client to access a


specific resource
2014
2014 SAP
SAP SE
SE or
or an
an SAP
SAP affiliate
affiliate company.
company. All
All rights
rights reserved.
reserved.

Public

22

Demo 3
Protecting Web APIs with
OAuth 2.0 for Secure Mobile
Access

Authorization Management in
SAP HANA Cloud Platform
Applications

Authorization Models in SAP HANA Cloud Platform

Runtime

Authorization Objects

Java EE Roles
(web.xml)
Custom Roles
(Cloud Cockpit)

Privileges
(.xsprivileges)
Roles (.hdbrole)

Permissions
(neo-app.json)
Custom Roles
(Cloud Cockpit)

User-to-Role
Assignment

Static
Dynamic (Federated
Authorizations)

Static

Static
Dynamic (Federated
Authorizations)

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

25

Federated Authorization for Java & HTML5 Applications in


SAP HANA Cloud Platform

Identity Provider

Group of Users
sharing one or many
common attribute(s)

2014 SAP SE or an SAP affiliate company. All rights reserved.

Federated
Authorization

e.g. all Users with Role


Attribute Accountant
are assigned to Group
Finance

Group

Role(s)
SAP HANA
Cloud Platform

Public

26

Demo 4
Federated Authorization with an HTML5 Application

Protecting against common


Web Attacks

Protecting against Common Web Attacks


Cross-Site Scripting (XSS)
Vulnerable
Application

The two most important countermeasures to prevent


XSS attacks are to:
Constrain input
Encode output

Infects
1
with
malicious
script

Downloads
page with
2
malicious
script

XSS Output Encoding Library for Java-based HCP


applications
String encodedFirstname = null;
IXSSEncoder xssEncoder = XSSEncoder.getInstance();

try {

Attacker

Victim

executes script
in the context
of the Victims
session

encodedFirstname =
xssEncoder.encodeHTML(firstName).toString();
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
out.println("<br>Hello, " + encodedFirstname);

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

29

Protecting against Common Web Attacks


Cross-Site Request Forgery (XSRF) Attack
Attackers
Web-Site

Vulnerable
Application
HANA
www.webapp.com

JSESSIONID=abc123

1
<img src="http:
//www.webapp.com/
transferMoney?
account=hacker&
amount=1000">

2
http://www.webapp.
com/transferMoney?
account=hacker&
amount=1000

Attack depends on the predictability


of the request URL to the vulnerable
Application
A countermeasure to prevent XSRF
attacks is to generate and add a
token or nonce per request which is
checked on the server-side

Victims
Web Browser
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

30

XSRF Protection in SAP HANA Cloud Platform

Runtime
XSRF Protection Servlet Filter in
Mechanism the SDK
Declarative
configuration in
web.xml

2014 SAP SE or an SAP affiliate company. All rights reserved.

prevent_xsrf

keyword in
.xsaccess file

XSRF Protection
delegated to
backend
system(s)

{"prevent_xsrf":
true}

Public

31

Secure Backend Connectivity

SAP HANA Cloud Platform Connectivity Service

Customer

SAP
Business Suite

Non-SAP

SAP HANA

Establishes secure SSL VPN connection


between the SAP HANA Cloud and onpremise systems

SAP HANA Cloud


Connector

Connectivity created by on-premise agent


through reverse-invoke process
Firewall
Internet

SAP

Firewall

Supports pre-configured Destination API


and certificate inspection to safeguard
against forgeries
Complementary to SAP Gateway, HANA
Cloud Integration and 3rd party integration
suites both on-premise and in the cloud

SAP HANA
Cloud Platform
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

33

Summary

What you have learned in this Session


SAP HANA Cloud Platform is SAPs PaaS solution,
running on a certified infrastructure in datacenters
worldwide
SAP HANA Cloud Platform supports open Security
Standards such as SAML 2.0 and OAuth 2.0
This enables simple and secure integration in all of
your Cloud scenarios

Get started today!


2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

35

Further Information

Public Web
SAP HANA Cloud Platform: http://hcp.sap.com/
SAP HANA Cloud Platform Security Tutorial Series: http://scn.sap.com/docs/DOC-35464

openSAP Online Courses


Introduction to SAP HANA Cloud Platform: https://open.sap.com/courses/hanacloud1-1
Next Steps in SAP HANA Cloud Platform: https://open.sap.com/courses/hanacloud2

Customer Engagement Initiative: Secure Mobile Cloud Scenarios with SAP HANA
Cloud Platform
https://influence.sap.com/ct/s.bix?c={B9589756-22C1-486E-9FCF-E9E5221C29FD}

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

36

Recommended Lectures & Hands-On Sessions


ITM165 Secure Scenarios with Cloud Identity Services and SAP HANA Cloud Platform
SEC101 SAP Cloud Identity Provider Product Overview and Strategy
CR711

Secure Coding on the SAP HANA Cloud Platform

SEC833 Road Map Q&A: SAP Cloud Identity Provide


CJ608

Getting Started with SAP HANA Cloud Platform

CJ621

Develop and Deploy HTML5 Apps on SAP HANA Cloud Platform

SEC161 Simplify Access to SAP Fiori with SAP Single Sign-On

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

37

SAP d-code Virtual Hands-on Workshops and SAP d-code Online


Continue your SAP d-code education after the event!
SAP d-code Virtual Hands-on Workshops

SAP d-code Online

Access hands-on workshops post-event


Starting January 2015
Complementary with your SAP d-code registration

Access replays of keynotes, Demo Jam, SAP d-code


live interviews, select lecture sessions, and more!
Hands-on replays

http://sapdcodehandson.sap.com

2014 SAP SE or an SAP affiliate company. All rights reserved.

http://sapdcode.com/online

Public

38

Feedback
Please complete your session evaluation for

SEC100.

Thanks for attending this SAP TechEd && d-code session.


2014
2014SAP
SAPSE
SEororananSAP
SAPaffiliate
affiliatecompany.
company.AllAllrights
rightsreserved.
reserved.

Public

3939

Appendix

Security Testing in the


Development Process

Local Security Testing for Java-based SAP HANA Cloud Platform


Applications
Developer System
SAP HANA Cloud Eclipse Tools

Access protected
Web resources

Your SAP HANA


Cloud Application

Local Test
User
Local HANA
Cloud Server

Test User
Attributes

Local Test
Users

Test User
Accounts

Assigned Role(s) to
the Test User in the
local Server
2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

41

Security Testing in the Cloud with the Local Test Identity Provider
Developer System
Browser

Your SAP HANA


Cloud Application

Access protected
Web resources
SAP HANA
Cloud Platform

Local Test
User

The Local SAML 2.0 Test IdP is


packaged within the SAP
HANA Cloud Platform SDK.
When you start the local server, it
will start as well.

Access your application


deployed in the Cloud and test
it against the local Test IdP and
its local users.

Test User
Accounts

SAML 2.0
Test IdP

Local HANA Cloud


Server
2014 SAP SE or an SAP affiliate company. All rights reserved.

No need to create test users in


your productive IdP
No trust configuration required in
the productive IdP for testing
purposes

Public

42

2014 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark
information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing
herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or
release any functionality mentioned therein. This document, or any related presentation, and SAP SEs or its affiliated companies strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for
any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forwardlooking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Public

43