What's new in SAP HANA SPS 11 Security

© 2015 SAP SE or an SAP affiliate company. All rights reserved.

SAP HANA SPS 11 - What’s New? Security

SAP HANA Product Management
December, 2015 (Delta from SPS 10 to SPS 11)

Summary

- Monitor security KPIs using the new security dashboard in SAP HANA Cockpit
- Integration of SAP HANA into SAP Security Baseline, Early Watch Alert and Configuration Validation
- Automatic change of initial encryption keys
- Simplified certificate management using SAP HANA Cockpit
- Extended audit logging options
- Extended SQL injection prevention support

Tools overview

SAP HANA Studio is the main administration tool for the SAP HANA database.

Web-based tools: SAP DB Control Center and SAP HANA Cockpit. Cockpit follows an alert-driven guided-procedure approach, and is planned to replace Studio’s administration and monitoring capabilities for individual HANA databases in the future.

SAP HANA is fully integrated into SAP Solution Manager.

- SAP HANA Studio: Main administration tool for SAP HANA, based on Eclipse
- SAP HANA Cockpit: Web-based tool to administrate and monitor individual SAP HANA databases
- SAP DB Control Center: Web-based tool for landscape monitoring of SAP databases
- SAP Solution Manager / DBA Cockpit: Central tool to manage the SAP landscape, based on the SAP NetWeaver Application Server

SAP HANA Cockpit – security configuration

- Installed with SAP HANA as automated content
- Configuration, administration and monitoring
- Default homepage of tiles is customizable
- Role-based concept for access to tiles applies on top of the usual privileges that are required in SAP HANA

What’s New in SAP HANA SPS11: Security
Monitoring security KPIs in the new security dashboard

The security dashboard in SAP HANA Cockpit provides an overview of important security KPIs during operation of your system
- View security-related alerts
- View information about important network security settings such as TLS/SSL
- View information about the crypto configuration
  – Verify that initial keys have been changed
  – Switch on data encryption
- View the audit logging status and check which audit policies are active

What’s New in SAP HANA SPS11: Security
Viewing network security settings

Network communication can be protected using TLS/SSL

Tile
- General information

Network Security Information screen
- Internal and external network security configuration
- Certificate/private key stores

What’s New in SAP HANA SPS11: Security
Viewing information on audit logging

Audit logging records critical user actions in the system

Tile
- Status of audit logging
- Overview information

Auditing screen
- Custom audit policies that have been defined, containing e.g. audited actions and users
- Audit trail configuration

What’s New in SAP HANA SPS11: Security
Viewing key change information and switching data encryption on

You can enable data volume encryption for additional protection of your data at rest

Tile
- Status of data volume encryption
- Information if and when the initial SSFS master keys were changed

Data Volume Encryption screen
- Status of data volume encryption
- Switch data volume encryption on or off

What’s New in SAP HANA SPS11: Security
Automatic change of initial SSFS master keys

The initial SSFS master keys are now changed automatically after installation or upgrade

The SSFS master keys protect the secure stores in the file system (SSFS) used by SAP HANA. Prior to SPS11, the automatic master key change is available starting with SAP HANA revisions 85.05, 97.01 and 101. For earlier versions of SPS 8, 9, and 10, manual steps are required to change the master keys (see SAP Note 2183624).

What are the SSFS master keys?

SAP HANA uses two secure stores (SSFSs) for encryption keys:
- Instance SSFS: contains the root keys of the data volume encryption and the secure internal encryption service (used for storing credentials for access to other remote systems, XS application encryption, and TLS/SSL for external communication)
- SystemPKI SSFS: contains the certificate authority of the SystemPKI (public key infrastructure used for TLS/SSL for internal connections)

Secure configuration information

SAP HANA comes with secure defaults
- A security checklist of critical configuration settings is provided in the SAP HANA Security Guide
- SAP HANA recommendations in SAP Security Baseline template

Recommendation
- Verify your system for critical configurations and latest security patches
- SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)

Monitoring
- Alerts in SAP HANA (SAP HANA Studio, SAP HANA Cockpit)
- Integration with SAP Solution Manager, SAP Early Watch Alert and Configuration Validation

Monitoring and managing SAP HANA security

For 1 HANA system (detailed information)
- Security monitoring
- Security alerting
- Security configuration and administration
- Tool: SAP HANA Cockpit (or Studio)

For whole system landscape (overview information)
- Security monitoring
- Security alerting
- Security assessment
- Tools: EarlyWatch Alert, Security Optimization Services, Configuration Validation

Leverage the same system information: consistent view regardless of tool

What’s New in SAP HANA SPS11: Security
Example: SAP HANA alerts in EarlyWatch Alert, chapter “Security”

More information: SAP Note 863362 - Security checks in SAP EarlyWatch Alert, EarlyWatch and GoingLive sessions

What’s New in SAP HANA SPS11: Security
Simplified certificate management using SAP HANA Cockpit (I)

You can now use SAP HANA Cockpit to manage certificates in SAP HANA
- Server certificates for TLS/SSL (JDBC/ODBC connections)
- Client certificates for Single sign-on (SAML, SAP Logon and Assertion Tickets, X.509)

A separation of duties between the individual certificate management steps is possible using system privileges.

Step and required privilege:
- 1. Import certs into store: CERTIFICATE ADMIN
- 2a. Create collection: TRUST ADMIN
- 2b. Add trusted certs to collection: TRUST ADMIN
- 2c. Add server cert to collection: TRUST ADMIN
- 3. Set collection purpose: USER ADMIN or SSL ADMIN + REFERENCES on collection

What’s New in SAP HANA SPS11: Security
Simplified client certificate management using SAP HANA Cockpit (II)

Importing a client certificate

What’s New in SAP HANA SPS11: Security
Simplified client certificate management using SAP HANA Cockpit (III)

Creating a certificate collection and adding certificates

Certificate collections group certificates that are used for the same purpose, e.g. TLS/SSL, SAML, X.509, or Logon and assertion tickets

Audit logging

Audit logging records critical system events
- User management: e.g. user changes, role granting
- System access and configuration: e.g. failed logons, parameter changes
- Data access: e.g. read and write access to tables and views, execution of procedures
- “Log all”: firefighter logging, e.g. for support cases

Audit policies
- Include events to be recorded
- If audit logging is enabled, some critical events are always logged

Audit trail
- Linux syslog or secure database table

What’s New in SAP HANA SPS11: Security
Empty the audit table if it grows too large

If the audit trail is written to an internal SAP HANA table, you need to manage the size of this table

SAP HANA alerts you if your audit table grows too large. You can delete old audit entries from the audit table using SAP HANA Studio.

If however the table has grown so large that there is not enough memory for deleting old entries, you can now use the following SQL command to completely empty the table:

ALTER SYSTEM CLEAR AUDIT LOG ALL

What’s New in SAP HANA SPS11: Security
Extended SQL injection prevention support

New SQL functions for preventing SQL injection attacks are available for DDL (data definition language)

This enables application developers to secure statements such as CREATE USER or CREATE TABLE

New SQL functions
- ESCAPE_DOUBLE_QUOTES
- ESCAPE_SINGLE_QUOTES
- IS_SQL_INJECTION_SAFE

Note: For DML (data manipulation language) statements, the standard mechanism for preventing SQL injection is to use prepared statements
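
How the three functions fit together when DDL has to be built dynamically, as an added SQLScript example that is not part of the SAP presentation. The procedure name CREATE_APP_TABLE, its parameters, the column layout and the user-defined error code 10001 are hypothetical choices for this illustration.

```sql
-- Added illustration: dynamic DDL hardened with the SPS 11 functions.
-- CREATE_APP_TABLE, its parameters, the columns and error code 10001
-- are hypothetical names chosen for this example.
CREATE PROCEDURE CREATE_APP_TABLE (
    IN table_name  NVARCHAR(127),
    IN description NVARCHAR(500)
)
LANGUAGE SQLSCRIPT
SQL SECURITY INVOKER
AS
BEGIN
    DECLARE unsafe_input CONDITION FOR SQL_ERROR_CODE 10001;

    -- Validation: accept the name only if it parses as a single SQL token
    -- (the function returns 1 for safe input, 0 otherwise).
    IF IS_SQL_INJECTION_SAFE(:table_name) <> 1 THEN
        SIGNAL unsafe_input SET MESSAGE_TEXT = 'Rejected table name';
    END IF;

    -- Identifier context: double any embedded double quote, then wrap the
    -- value in double quotes so it is read as exactly one identifier.
    EXEC 'CREATE COLUMN TABLE "' || ESCAPE_DOUBLE_QUOTES(:table_name)
         || '" (ID INTEGER PRIMARY KEY, PAYLOAD NVARCHAR(200))';

    -- String-literal context: double any embedded single quote so the
    -- free-text description cannot close the literal early.
    EXEC 'COMMENT ON TABLE "' || ESCAPE_DOUBLE_QUOTES(:table_name)
         || '" IS ''' || ESCAPE_SINGLE_QUOTES(:description) || '''';
END;
```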

More information

Release notes for SAP HANA SPS11

For more information on new features in SPS11, please refer to the release notes: What’s New in the SAP HANA Platform

A detailed description of the features is available in the SAP HANA documentation

More information

- Documentation on SAP Help Portal: Security Guide, Master Guide, Developer Guide, SQL Reference Guide
- Secure configuration guidelines: SAP HANA security configuration checklist, SAP Security Baseline Template, DSAG Prüfleitfaden ERP 6.0
- Whitepaper: SAP HANA Security Whitepaper
- Best practices: How to Define Standard Roles
- Training: HA 240
- SAP Notes
  – 2159014 FAQ: SAP HANA Security
  – 1514967 SAP HANA appliance
  – 1730928 Using external software in a HANA appliance
  – 1730929 Using external tools in an SAP HANA appliance
  – 1730930 Using antivirus software in an SAP HANA appliance
  – 784391 SAP support terms and 3rd-party Linux kernel drivers
  – 1730999 Configuration changes in HANA appliance
  – 863362 Security checks with SAP EarlyWatch Alert
  – 2021789 SAP HANA revision and maintenance strategy

SAP HANA – security patches

Operating system security patches
- Supported operating systems: SUSE Linux Enterprise and RedHat Enterprise
- Operating system security patches are provided and published by the operating system vendors

SAP HANA security patches
- SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)
  – Security notes for all SAP products are available at: https://support.sap.com/securitynotes
  – For SAP HANA, filter for component HAN*
- Patches are delivered as SAP HANA revisions
- More information:
  – SAP HANA revision and maintenance strategy: SAP Note 2021789
  – Security Patch Process
  – SAP Security Notes – Frequently asked questions

SAP – security approach

Security is an important and integral part of every step of the SAP Development Lifecycle which applies to all products. This includes security testing as well as a defined and established process to report and deal with potential security issues.

Protect your data – and your business – with SAP and its security solutions
http://www.sap.com/security

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP.

SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP’s strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice.

This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Thank you

Contact information

Andrea Kristen, SAP HANA Product [email protected]