Safeguarding Data and Access in SAP HANA

Safeguarding Data and Access in SAP HANA
SEC104
PUBLIC
Speakers
Las Vegas
September 24–27, 2019
Stephan Kessler
Barcelona
October 8-10, 2019
Stephan Kessler
Bangalore
November 13-15, 2019
Prakash Bhanu
© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

Take the session survey.
We want to hear from you!
Complete the session evaluation for this session

SEC104 on the SAP TechEd mobile app.
Download the app from

iPhone App Store or Google Play.

Disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP.
Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service
or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related
document, or to develop or release any functionality mentioned therein.
This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms directions and
functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this
presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This presentation is provided
without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP
assumes no responsibility for errors or omissions in this presentation, except if such damages were caused by SAP’s intentional or gross
negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from
expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates,
and they should not be relied upon in making purchasing decisions.

Agenda
Security approach
Secure data and applications
Anonymization and masking
Secure setup
Secure software

SAP HANA: Most comprehensive advanced analytic processing on any data
SAP HANA
Location-based intelligence and Rapid lifecycle and real-time ML
highly connected data processing with pre-built optimized algorithms
Transactions + Analytics
Spatial / Graph Machine Learning
Natural language processing and Text / Search Document Store ACID-compliant, flexible
advanced text mining management of JSON objects
Time Series Streaming
Trend detection and forecast Real-time analysis and anomaly

over recurring time intervals detection on streaming data
Any data source
DBMS – Experience – Cloud -Hadoop - Streams
Game-changing way to build intelligent applications on one platform and one data set

SAP HANA: Deployment options
Cloud Deployment Options On-Premises Deployment Options
MANAGED
SAP HANA Enterprise Cloud Use turnkey, all-inclusive certified solutions

Platform as a Service (PaaS) available Private Hosted Managed Cloud for any
on major public clouds SAP application landscapes APPLIANCE
BYOL on IaaS Leverage existing/preferred components
TAILORED DATA CENTER

INTEGRATION
Take advantage of software managed

virtual compute, storage, and network
resources on-demand
HYPER-CONVERGED
INFRASTRUCTURE
Click here for Certified IaaS Platform Configurations (BYOL) Click here for Certified SAP HANA Appliance Directory
Click here to learn more about SAP HANA Cloud Deployments Click here for Certified Hyper-converged infrastructure solutions
SAP HANA’s comprehensive security approach
Enablers for innovative business models

 Real-time data anonymization
 Best-in-class integration for new applications on
SAP business data
SAP
HANA
Comprehensive security model Resilient against attacks

 Unified access to all functionality  Secure dev lifecycle
 Integrated application security  Threat modeling
 Security and penetration testing
Simplified operations
 Security by default, e.g. multitenancy isolation
 Tooling and infrastructure integration
SAP HANA (on prem) vs. SAP HANA (cloud): What is the difference?
SAP HANA SAP HANA

(on prem) (cloud)
Application Application
Data Layer Data Layer
HANA • Provision capacity

• Install DBMS software Select service options
• Update/patch service •
• Backup, tune HANA

• Monitor, restart
• Select OS
• Configure OS OS Managed
• Update OS service
• Select, purchase, provision

individual machines and Hardware
storage

Typical operations model for SAP HANA (cloud)
Shared responsibilities between customer and SAP

Customer
Customer Customer DB
 Owns customer database

 Can use SAP HANA security features
SAP
 Provision system and configure security
 Secure default setup Customer content/users,
– Encryption at rest and in motion managed by customer
– Infrastructure security logging

– Disable capabilities not supported for customer use SAP System DB
(e.g. manual backup by customer)
 Secure operations
– Access control for SAP operators, SoD
System config/monitoring,
– Security monitoring and logging managed by SAP
– Automatic backups
Confidence in SAP Cloud Secure service through transparency
Comprehensive Contracts Independent Audits Cyber Defense

Privacy, security framework, and Service Organization Control reports Multiple layers of defense
applicable local regulations certifications Holistic: Prevent, detect, and react
Secure Cloud Model

Holistic approach
Secure architecture

Agenda
Security approach
Secure setup
Secure software

SAP HANA’s holistic security framework
User Management & Authentication
 User and identity management
 GRC and IDM integration
 Single sign-on (Kerberos, SAML, ...)
 LDAP integration
 Password policies per user group
Authorization
 Role management framework
 Best practice guide for role
building
 Privileges for all user types
 Row-level access control via analytic
privileges
 Integrated application authorizations
 Authorization troubleshooting* SAP
HANA
* New or extended in SAP HANA 2.0 SPS 04

What’s new
Simplified authorization troubleshooting – collect authorization errors
Collect all authorization errors over a

configurable amount of time. Insufficient privilege: Detailed info for this error can be
found with guid
3DFFF7DOCA291F4CA69B327067947BEE
Authorization errors are stored in a
system table with no need to enable
Administrator
additional tracing. They are accessible
using the built-in procedure
SYS.GET_INSUFFICIENT_PRIVILEGE_
ERROR_DETAILS. sends
GUID
When a user gets an "insufficient End-user
privilege" error, they receive a GUID. Use
the GUID in the procedure to retrieve
information about the missing privilege. call SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS
(‘3DFFF7DOCA291F4CA69B327067947BEE', ?)

What’s new
Simplified authorization troubleshooting – Authorization Dependency Viewer
Visualize the privilege structure and

troubleshoot missing privileges
The Authorization Dependency Viewer can be

used to identify missing privileges in a complex
tree of dependent database objects
It can also be used to generally view the object

hierarchy of a database object. You can check the
relationship between database objects to avoid
invalidating an object, by accident
To see the Authorization Dependency Viewer, you

require the CATALOG READ privilege

Authorization
building
 Row-level access control
 Authorization troubleshooting*
SAP
HANA
Encryption
 At rest (data & log volume) and
in motion
 Backup encryption
 Application encryption
 Key management
 Column encryption*
 FIPS-certified crypto library
 Best practice guide for
TLS/SSL setup*
*©New or extended in SAP HANA 2.0 SPS 04

2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 16
What’s new
Column encryption extensions
Column encryption is a granular encryption option where the data is always encrypted on the SAP
HANA server at rest and in-memory
 Key rotation now supported
– SAP HANA column encryption now supports key rotation for column encryption keys (CEKs) that encrypt
table columns and client key pairs (CKPs) that encrypt the CEKs
– Note: To use key versioning, update the client drivers to version SAP HANA 2.0 SPS 04
Column encryption offers two encryption options: deterministic and non-deterministic (randomized)
 Additional operations supported for deterministic encryption
– Joins, encrypted with the same key
– Indexes/primary key
– Referential constraints on column tables
– GROUP BY or HAVING Clause
– Set operators (UNION/INTERSECT/EXCEPT)

What’s new
How-to guide for configuring TLS/SSL
Learn how to configure TLS/SSL in typical installation scenarios

 New how-to guide
TLS/SSL is available for SAP HANA communication channels.

 Can be enforced for client-server communication
 Automatic setup of key management infrastructure (PKI) for internal
channels

Authorization
building
SAP
HANA
Encryption
 At rest and in motion
 Backup encryption
 Application encryption
 Key management
 Column encryption*
 FIPS-certified crypto library
 Best practice guide for TLS/SSL setup*
Auditing
 Security logging and analysis for all system events, with customizable policies
 Log read and write access to critical data
 Firefighter logging
* New or extended in SAP HANA 2.0 SPS 04
 Audit retention policies, audit policy wizard*
What’s new
Audit policy wizard
SAP HANA Cockpit now guides you through the creation of audit policies

What’s new
Audit retention policies
You can now specify a retention period after which audit log entries will be automatically deleted
Until now, you could only delete all audit entries that were older than a specified date. By specifying retention
periods per audit policy, you can now fine-tune your retention management.
Reasons why you might need to delete audit log entries

 No longer needed
 Compliance requirements
 Free up database space
To define retention periods, use SAP HANA Cockpit

 Open the Auditing app and create or edit an audit policy
 Choose audit trail target DATABASE TABLE
 Note that if you add a retention period to an existing audit policy,
all existing audit log entries that exceed the retention period
will be deleted

Agenda
Security approach
Secure setup
Secure software

Authorization Masking
 Role management framework  Dynamic data masking
 Best practice guide for role  For tables and views
building  Custom mask expressions
SAP
HANA
Encryption Anonymization
 At rest and in motion  Real-time data anonymization
 Backup encryption  k-anonymity (incl. l-diversity), differential
 Application encryption privacy
 Key management  Custom definition of anonymization
 Column encryption* views (calculation and SQL views)
 FIPS-certified crypto library  Fully integrated with authorization
 Best practice guide for TLS/SSL setup* framework
Auditing
 Reporting
 Security logging and analysis for all system events,
with customizable policies  Data anonymization KPIs
* New or extended in SAP HANA 2.0 SPS 04  Log read and write access to critical data
 Firefighter logging
 Audit retention policies, audit policy wizard*
Dynamic data masking
Selectively or completely hide sensitive information in tables and views

Use cases
 Hide sensitive information from DBAs and other power users with broad access rights
 Display/hide sensitive information depending on the user role, e.g. for call center employees
UNMASKED privilege No UNMASKED privilege

 Full integration into the security framework
 Dynamically applied during access  original data stays unchanged
 Customizable mask expressions
 Masking available on tables and views
Real-time data anonymization
Anonymization is a structured approach to protect the privacy of individuals while still enabling
analytics on complex data sets
Use cases
 Gain insights from data that could not be leveraged before due to regulations
 Maximize the value of business data
 Special data protection officer view for analysis
 Full integration into SAP HANA’s security framework

 Real-time access to anonymized data while original data stays unchanged
 Customizable views with state-of-the art methods k-anonymity and differential privacy
Data anonymization methods
k-anonymity Differential privacy

 Hiding individuals in groups  Applying noise to hide sensitive information
Medical researcher: Link between weight and cancer? Benchmarking: Average salary in Berlin?
 EU Opinion 05/2014 on Anonymization Techniques proposes k-anonymity (and derivates) and differential privacy
(http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf)
What’s new
Data anonymization KPIs
KPIs are now available to help configure anonymization and assess the quality of the anonymized data
KPIs let you gain a better understanding of the effects of the applied anonymization methods and their
respective parameters. This helps to achieve a balance between the goals of protecting data privacy while at
the same time ensures that the anonymized data remains useful. Use the Anonymization Report in the Cockpit.

What’s new
SQL view support
You can now use SQL views for defining anonymization views
Previously only calculation views were supported
Dynamically react to data changes
When using SQL views, you can now also define what the system should do when there are
changes in the data set
Example: You can choose to ignore new data that comes into a source table if it does not fit with the
rest

What’s new
k-anonymity extensions: Simplified configuration of hierarchy definitions
The definition of anonymization hierarchy definitions can now be automated
SAP HANA needs hierarchy definitions to generalize attributes when building groups for
k anonymity and l diversity
Supported hierarchy types

 External hierarchy: To create the hierarchy, you explicitly specify the values of each level of the hierarchy in a
data source table. The HIERARCHY generator function is then used to generate a hierarchy view based on
this table
 Hierarchy function: The hierarchy is created at runtime based on the algorithm defined in the hierarchy
function and the content of the specified column
 Embedded hierarchy: The hierarchy is part of the definition of the anonymization view

What’s new
k-anonymity extensions: l-diversity
L-diversity provides additional protection for homogenous data sets
You can now specify that a sensitive attribute must have a minimum number of distinct values within each
class. l-diversity is considered as an addition to k-anonymity. Conversely, k-anonymity can be seen as a
special case of l-diversity where l=1.
Example
 Suppose that all women in the age group 35-44 and living in a particular district fall within the same income bracket. If you
live in that district and you have a female neighbor who is 44, then you can deduce what she earns. The sensitive
information has been leaked.
 Using the l-diversity parameter, you can reduce the risk of identification by specifying that a sensitive attribute must have a
minimum number of distinct values within each equivalence class. An equivalence class is a set of identical quasi-
identifying attributes resulting from k-anonymity.

End-to-end business solution for anonymization
Data controller Data consumer

Data controller Data consumer
 E.g. hospital  End users
 Responsible for providing  Access anonymized data
GDPR-compliant access to via anonymization view
personal data e.g. in an application
 Prove compliance to auditor
Data Data protection
End user
 Data scientist – configures scientist officer
technical anonymization
scenario and parameters
Define and Use
 Data protection officer – control anonymized
controls and approves scenario data
anonymization scenario
Customizable
anonymization views
Sensitive/confidential data
SAP HANA
Demo
Real-time data anonymization
Agenda
Security approach
Secure setup
Secure software

Secure system setup
SAP HANA is designed to run securely in different environments

 Incorrect security settings are one of the most common causes of security problems!
 SAP offers tools and information that help you run SAP HANA securely
 SAP HANA security guide (incl. chapter on data protection), SAP HANA security checklists

What’s new
Security checklist in SAP HANA Cockpit
You can now review and change the most important security settings in a checklist
The checklist in SAP HANA Cockpit is based on the SAP HANA security checklists documentation

Integration with SAP security tools and services
Security Optimization Security in the

EarlyWatch Alert System Configuration
Service Monitoring and
Security Chapter Recommendations Validation on Security
(SOS) Alerting Infrastructure
Checks on the most critical Detailed assessment on Support for the selection Verifying SAP landscapes Monitoring and Alerting on
security requirements. secure configuration and and implementation of for compliance to Security security-critical events and
operation topics. SAP Security Notes. Baselines and Policies. properties.
SAP HANA
    
Agenda
Security approach
Secure setup
Secure software

SAP secure software development lifecycle
Framework of processes, guidelines, tools and training

 Risk-based, with mandatory threat modeling and data protection assessments
 Comprehensive testing incl. external researchers and penetration testing
See SAP Security @ http://www.sap.com/security

Keep up to date – install the latest security patches
Monthly SAP Security Patch Day

 http://support.sap.com/securitynotes
Security improvements/corrections ship with SAP HANA revisions

 Installed using SAP HANA lifecycle management tools
 Features to support easy upgrades
Operating system patches

 Provided by the respective vendors SuSE/Redhat
SAP HANA – the business data platform for the intelligent enterprise
Your questions?

Continue your SAP TechEd 2019 Learning Experience
Join the digital SAP TechEd Learning Room 2019 in SAP Learning Hub
 Access SAP TechEd Learning Journeys

 Discover related learning content
 Watch webinars of SAP TechEd lectures
 Learn about SAP’s latest innovations with openSAP
 Collaborate with SAP experts
 Self-test your knowledge
 Earn a SAP TechEd knowledge badge

Engage with the SAP TechEd Community
Access replays and continue your SAP TechEd discussion after the event
within the SAP Community
Access replays Continue the conversation Check out the latest blogs
 Keynotes  Read and reply to blog posts  See all SAP TechEd blog posts
 Live interviews  Ask questions  Learn from peers and experts
 Select lecture sessions  Join discussions
http://sapteched.com/online sap.com/community SAP TechEd blog posts

More information
Related SAP TechEd Learning Journeys

 SEC3 - Securely Build, Extend and Integrate Your Business Applications in the Cloud
 DAT4 - Develop Next Generation Cloud Native Applications with SAP HANA
 DAT5 - Model and View Data in SAP HANA On-premise and in the Cloud
 DAT6 - Administrate and Operate SAP HANA On-Premise and in the Cloud
Related SAP TechEd sessions

 DAT369 – Knowing Without Seeing: Data Masking and Anonymization in SAP HANA
 DAT368 – Administrating and Operating SAP HANA
 DAT813 – Road Map for SAP HANA and SAP HANA Cloud
 SEC302 – Enabling Privacy-Preserving Enterprise Applications
Public SAP Web sites

SAP HANA security: www.sap.com/hanasecurity
SAP HANA data anonymization: www.sap.com/data-anonymization
SAP HANA release notes: What’s New in the SAP HANA Platform
SAP HANA 2.0 SPS 04 new features: Blog: Address business challenges in security and privacy with SAP HANA 2.0 SPS 04
SAP Community: www.sap.com/community
SAP products: www.sap.com/products

Thanks for attending this session.
Feedback Contact for further topic inquiries

Please complete your session evaluation Andrea Kristen
for SEC104 Senior Director Product Management
andrea.kristen@sap.com
Follow us
www.sap.com/contactsap
© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.

Safeguarding Data and Access in SAP HANA

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Safeguarding Data and Access in SAP HANA

Uploaded by

Copyright:

Available Formats

Safeguarding Data and Access in SAP HANA

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

Complete the session evaluation for this session

Download the app from

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

Secure data and applications

Anonymization and masking

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 5

Spatial / Graph Machine Learning

Trend detection and forecast Real-time analysis and anomaly

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 6

Cloud Deployment Options On-Premises Deployment Options

SAP HANA Enterprise Cloud Use turnkey, all-inclusive certified solutions

BYOL on IaaS Leverage existing/preferred components

TAILORED DATA CENTER

Take advantage of software managed

Enablers for innovative business models

Comprehensive security model Resilient against attacks

SAP HANA SAP HANA

Data Layer Data Layer

HANA • Provision capacity

• Backup, tune HANA

• Select, purchase, provision

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 9

Shared responsibilities between customer and SAP

 Owns customer database

– Infrastructure security logging

Comprehensive Contracts Independent Audits Cyber Defense

Secure Cloud Model

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 11

Secure data and applications

Anonymization and masking

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 12

* New or extended in SAP HANA 2.0 SPS 04

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 13

Collect all authorization errors over a

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 14

Visualize the privilege structure and

The Authorization Dependency Viewer can be

It can also be used to generally view the object

To see the Authorization Dependency Viewer, you

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 15

*©New or extended in SAP HANA 2.0 SPS 04

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 17

Learn how to configure TLS/SSL in typical installation scenarios

TLS/SSL is available for SAP HANA communication channels.

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 18

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 20

Reasons why you might need to delete audit log entries

To define retention periods, use SAP HANA Cockpit

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 21

Secure data and applications

Anonymization and masking

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 22

Selectively or completely hide sensitive information in tables and views

UNMASKED privilege No UNMASKED privilege

 Full integration into SAP HANA’s security framework

k-anonymity Differential privacy

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 27

Previously only calculation views were supported

Dynamically react to data changes

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 28

The definition of anonymization hierarchy definitions can now be automated