Public Andrea Kristen, SAP HANA Product Management SEC200 Security in Different SAP HANA Scenarios


  • Public

    Andrea Kristen, SAP HANA Product Management

    SEC200 Security in Different SAP HANA Scenarios

  • 2014 SAP SE or an SAP affiliate company. All rights reserved. 2 Public

    Disclaimer

    This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

  • Agenda

    - SAP HANA scenarios
    - SAP HANA security functions
    - Security in different SAP HANA scenarios
    - Data center integration

  • SAP HANA scenarios

  • SAP HANA: what's in a name...

    [Diagram: the components that make up SAP HANA]

    - Applications: powered by SAP HANA
    - Administration/Dev Tools (IDE): SAP HANA studio, XS administration tool, WebIDE
    - Database: SAP HANA database
    - Platform: SAP HANA Extended Application Services (XS), development environment, repository
    - On-premise: range of options (SAP HANA appliance, tailored data center)
    - Cloud: range of options (from fully managed to infrastructure subscription)

  • SAP HANA deployment options in the cloud and on premise

    http://www.saphana.com/community/cloud
    http://www.saphana.com/community/about-hana/on-premise-options

  • Traditional security architecture

    [Diagram: three tiers, client, application server (running the applications) and database. The security functions authentication/SSO, authorization, encryption, audit logging and identity store sit in the application server tier.]

  • SAP HANA scenarios: overview of different scenario types

    - Traditional 3-tier application
    - Data mart (3-tier or 2-tier application)
    - Native 2-tier application

  • SAP HANA scenarios: overview of integrated scenarios

    Integrated 3-tier and 2-tier scenarios

    [Diagram: clients reach SAP HANA both through an application server (3-tier) and directly, via SAP BusinessObjects Business Intelligence or XS (2-tier).]

  • SAP HANA security functions

  • SAP HANA unified security architecture

    [Diagram: SAP HANA contains the XS application layer, the design-time repository and the database. A browser connects to XS over HTTP(S); an application server client and the SAP HANA tools (admin/dev) connect over JDBC/ODBC. The security functions authentication/SSO, authorization, encryption, audit logging and identity store are provided by SAP HANA itself.]

  • SAP HANA authentication and single sign-on

    JDBC/ODBC access:
    - User name and password (incl. password policy)
    - Kerberos
    - SAML (bearer token)
    - SAP logon and assertion tickets

    HTTP access (SAP HANA XS):
    - User name and password (basic authentication, form-based login; incl. password policy)
    - SPNEGO
    - SAML
    - SAP logon and assertion tickets
    - X.509

  • SAP HANA user and role management

    - For logon, users must exist in the identity store of the SAP HANA database
    - Roles (and privileges) can be assigned to users
    - Roles are used to bundle privileges; create roles for specific groups of users
    - Role transport can be integrated into the development/production system landscape
    - Catalog and repository roles

  • SAP HANA catalog vs. repository roles

    Catalog roles

    - Properties:
      - Not transportable
      - Not versioned
      - Created in runtime (production system); system privilege ROLE ADMIN required
      - User must have a privilege to include it in a role
      - Creator can always grant/revoke the role; other administrators need system privilege ROLE ADMIN
      - Only the grantor can revoke the role
      - If a privilege is revoked from the user who granted it to a role (not necessarily the creator of the role), it is also revoked from the role
    - Main advantages:
      - Easy to create via SQL
      - Typical SQL behavior
      - Intuitive UI for editing roles in SAP HANA Studio

    Repository roles

    - Properties:
      - Transportable; applications can ship roles
      - Versioned
      - Created in design time (development system), transported and activated to runtime (production system)
      - Any administrator with EXECUTE privilege on the built-in grant/revoke procedures can grant/revoke roles
      - Activation and granting/revoking can be separated
    - Main advantages:
      - Grantor does not need the privileges included in the role
      - Transportable
      - Decouples role creation from role granting/revoking

  • SAP HANA role lifecycle

    [Diagram: design time (developers, in SAP HANA Studio or Web IDE): .hdbrole files in package1/subpackage1 of the DEV repository are exported/imported as a delivery unit (DU) or transported with HANA Application Lifecycle Manager to the PROD repository. Runtime (administrators, in Studio): activation via _SYS_REPO creates the database role, which is then granted/revoked.]
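The catalog-vs-repository comparison and the lifecycle above, shown side by side in SAP HANA SQL as an administrator would run it from the SQL console. This is an added example, not code from the slides or from SAP: schema SALES, user ANALYST01 and the role names are assumed; the package path follows the repository layout in the lifecycle diagram, and _SYS_REPO.GRANT_ACTIVATED_ROLE / REVOKE_ACTIVATED_ROLE are the built-in grant/revoke procedures the slides refer to.

```sql
-- Added example (not part of the slides). Schema "SALES", user ANALYST01 and the
-- role names are assumed; the package path matches the repository layout above.

-- 1) Catalog role: created at runtime by a user holding system privilege ROLE ADMIN.
CREATE ROLE SALES_READER;

-- The grantor must already hold SELECT on SALES (grantable) to put it into the role.
-- If that privilege is later revoked from the grantor, it silently disappears from
-- the role as well, which is the dependency the comparison slide warns about.
GRANT SELECT ON SCHEMA "SALES" TO SALES_READER;

-- Typical SQL behaviour: GRANT/REVOKE the role directly; only the user who granted
-- it (or the role's creator / a ROLE ADMIN) can take it away again.
GRANT SALES_READER TO ANALYST01;
REVOKE SALES_READER FROM ANALYST01;

-- 2) Repository role: modelled at design time as
--    package1/subpackage1/SalesReader.hdbrole, transported in a delivery unit and
--    activated by _SYS_REPO, which owns the resulting runtime role. Administrators
--    therefore grant and revoke it through the built-in procedures; EXECUTE on the
--    procedures is the only privilege they need, and they never have to hold the
--    privileges the role itself contains (activation and granting are decoupled).
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE('package1.subpackage1::SalesReader', 'ANALYST01');
CALL _SYS_REPO.REVOKE_ACTIVATED_ROLE('package1.subpackage1::SalesReader', 'ANALYST01');

-- 3) Access-review check: both kinds of role appear here. A repository role always
--    shows GRANTOR = _SYS_REPO, which is how to tell the two apart in the output.
SELECT ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'ANALYST01';
```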

  • SAP HANA authorization

    - Database access privileges (see next slide)
    - Application privileges
    - Repository privileges

  • SAP HANA database access privileges in detail

    [Diagram: the privilege types below are mapped to the principals that typically hold them: technical account, individual end users, database administrators]

    - SQL (object) privileges: authorize access to data and operations on database objects (tables, views, procedures etc.)
    - Analytic privileges: authorize read access on analytic views; provide row-level access control based on dimensions
    - System privileges: authorize execution of administrative actions for the entire SAP HANA database, e.g. the privilege for backup

  • SAP HANA encryption

    - Communication encryption: SSL (can be enforced for client connections)
    - Data encryption: data volumes on disk
    - Backup encryption: recommended to use a suitable 3rd-party backup tool. Currently certified: Symantec NetBackup, IBM Tivoli Storage Manager, Commvault Simpana, HP Data Protector, EMC Data Domain Boost, EMC Networker, SEP Sesam. See the Application Partner Directory (search for HANA-BRINT 1.1).

  • SAP HANA audit logging

    - Logging of critical events for security and compliance, e.g. user, role and privilege changes, configuration changes
    - Data access logging: read and write access (tables, views), execution of procedures
    - Firefighter logging, e.g. for support cases
    - Audit trail written to Linux syslog or to a database table within SAP HANA
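The audit-logging slide as a concrete configuration, added here as an example and not taken from the slides or from SAP: it switches auditing on, routes the trail to Linux syslog, and defines one policy per event class the slide names. The syntax follows the SAP HANA SQL reference for ALTER SYSTEM ALTER CONFIGURATION and CREATE AUDIT POLICY; the schema HR, table SALARY, users HR_APP_USER and SUPPORT01 and the policy names are assumed.

```sql
-- Added example (not part of the slides). Object, user and policy names are assumed.
-- Needs system privileges AUDIT ADMIN (policies) and INIFILE ADMIN (configuration).

-- Enable auditing system-wide and write the trail to syslog. The alternative
-- 'CSTABLE' keeps the trail in a database table inside SAP HANA instead.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state')     = 'true',
      ('auditing configuration', 'default_audit_trail_type')  = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

-- Event class 1: user, role and privilege changes. Audit successes AND failures
-- (ALL): a failed GRANT by a non-administrator is itself worth seeing.
CREATE AUDIT POLICY "AUTHZ_CHANGES"
  AUDITING ALL
    CREATE USER, DROP USER, ALTER USER,
    CREATE ROLE, DROP ROLE, GRANT ROLE, REVOKE ROLE,
    GRANT PRIVILEGE, REVOKE PRIVILEGE
  LEVEL CRITICAL;
ALTER AUDIT POLICY "AUTHZ_CHANGES" ENABLE;

-- Event class 2: configuration changes (covers edits to the auditing parameters
-- above, so switching the audit trail off leaves a trace).
CREATE AUDIT POLICY "CONFIG_CHANGES"
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL WARNING;
ALTER AUDIT POLICY "CONFIG_CHANGES" ENABLE;

-- Event class 3: data access logging on one sensitive table, scoped to the
-- technical account that is supposed to read it (keeps the volume manageable).
CREATE AUDIT POLICY "HR_SALARY_ACCESS"
  AUDITING SUCCESSFUL SELECT, INSERT, UPDATE, DELETE ON "HR"."SALARY"
  FOR HR_APP_USER
  LEVEL INFO;
ALTER AUDIT POLICY "HR_SALARY_ACCESS" ENABLE;

-- Event class 4: firefighter logging, everything a named support user does.
CREATE AUDIT POLICY "FIREFIGHTER_SUPPORT01"
  AUDITING ALL ACTIONS FOR SUPPORT01
  LEVEL CRITICAL;
ALTER AUDIT POLICY "FIREFIGHTER_SUPPORT01" ENABLE;

-- Verify what is actually active before relying on it.
SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE, EVENT_STATUS, EVENT_LEVEL
  FROM AUDIT_POLICIES;
```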

  • Security in SAP HANA scenarios

  • Traditional 3-tier application: database migration to SAP HANA

    Database migration to SAP HANA: no change to the security model

    - Security functions of the SAP application server apply
    - Application server connects to SAP HANA with a technical account
    - Authorization management as before with existing methods
    - User management in the application server
    - SAP HANA security functions are used to manage administrative access to SAP HANA
    - Examples: Business Warehouse on SAP HANA, Business Suite on SAP HANA

    [Diagram: client, SAP Application Server (BW, ERP), SAP HANA]

  • Integrated scenario: reporting on ERP data in SAP HANA

    Direct user access to SAP HANA: modified security model

    - SAP HANA Live for SAP Business Suite supports direct access to ERP data in SAP HANA
    - ERP data is exposed via virtual data models (analytic views in SAP HANA): read only, can be adapted by customers
    - Integrated approach, but can also be used in a sidecar scenario (replicated data)
    - Authorization checks using SAP HANA privileges
    - Tool support for generation of SAP HANA privileges from ABAP PFCG roles (SAP HANA Studio plugin)
    - Requires users to exist as SAP HANA users

    [Diagram: client (browser, BI client), SAP Application Server, SAP HANA with SAP HANA Live and XS]

  • Integrated scenario: reporting on BW data in SAP HANA

    Direct user access to SAP HANA: modified security model

    - SAP Business Warehouse supports direct access to BW data in SAP HANA
    - BW data is exposed via special info providers (analytic views in SAP HANA): read only
    - Authorization checks using SAP HANA privileges
    - Automatic generation of SAP HANA privileges and roles, automatic role assignment
    - Requires users to exist as SAP HANA users

    [Diagram: client (browser, BI client), SAP NetWeaver AS, SAP HANA with info provider views and XS]

  • Integrated scenarios: user generation from ABAP

    For scenarios where ABAP is the leading system, SAP HANA users can be generated from ABAP users.

    Since NW 7.40 SPS 3:
    - User management transaction SU01: create the SAP HANA user from the ABAP user with an initial password; the user mapping is stored in a mapping table
    - Assign and un-assign SAP HANA roles
    - Lock and unlock the SAP HANA user when the ABAP user is locked/unlocked
    - Control report RSUSR_DBMS_USERS_CHECK for inconsistent mappings
    - More information: SAP Help Portal: DBMS User Management, SAP Note 1836006

    Since NW 7.40 SPS 6:
    - Report for mass synchronization: RSUSR_DBMS_USERS
    - More information: SAP Note 1927767
    - User copy supported in SU01

  • Data mart: customer-specific analytic reporting on SAP HANA

    Direct user access to SAP HANA: based on the SAP HANA native security model

    - Custom reports and dashboards for direct access to data in SAP HANA
    - Data is exposed via SAP HANA analytic views: read only, often on replicated/aggregated data
    - Authorization checks using SAP HANA privileges: need to be modelled for the individual project
    - Requires users to exist as SAP HANA users
    - Examples: BI tools

    [Diagram: source system replicated into SAP HANA; clients (e.g. SAP BusinessObjects Business Intelligence) access SAP HANA directly]

  • Native applications built on SAP HANA XS

    Direct user access to SAP HANA: integrated security model

    Integrated security model for direct access to data in SAP HANA via XS applications:
    - User and role management
    - Authorization framework: additional privilege type, application privileges
    - Authentication and single sign-on: user name and password, SAML, SPNego/Kerberos, SAP logon and assertion tickets, X.509
    - Communication and data encryption
    - Audit logging
    - Additional web-specific protection mechanisms: protection against XSRF, SQL injection, XSS

    [Diagram: client connects over HTTP(S) to SAP HANA; presentation logic, XS control flow logic and DB calculation logic all run inside SAP HANA]

  • Data center integration

  • SAP HANA integration via standard and documented interfaces

    Security infrastructure:
    - User and role provisioning: out-of-the-box connector for SAP NetWeaver Identity Management; SQL interface for integration with other identity management solutions
    - Compliance infrastructure: out-of-the-box connector for SAP Access Control 10.1
    - Standards-based SSO infrastructure, e.g. Microsoft Active Directory
    - Logging infrastructure: database audit trail written via Linux syslog

    [Diagram: SAP HANA connected to the logging infrastructure via syslog, to the single sign-on infrastructure via Kerberos and SAML, and to the identity management and compliance infrastructures via SQL]

  • SAP HANA operating system and patching

    Operating system:
    - SUSE Linux Enterprise and Red Hat Enterprise Linux
    - Operating system security patches are provided and published by SUSE/Red Hat

    SAP HANA security patches:
    - SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)
    - Security notes for all SAP products are available at http://service.sap.com/securitynotes; for SAP HANA, filter for component HAN*
    - For more information on SAP's security approach, see http://www.sap.com/security
    - Patches are delivered as SAP HANA revisions

  • SAP HANA network security

    - Network communication is documented in the SAP HANA Security Guide and Master Guide
    - Recommendations for use of network zones: separation of external and internal communication
    - Certified SAP HANA hosts use a separate network adapter with a separate IP address for each of the different networks
    - SSL support: between SAP HANA and clients; between nodes in a scale-out SAP HANA system; between data centers in system replication scenarios

  • Summary

  • Summary

    SAP HANA provides security functions, frameworks and interfaces that enable customers to:
    - meet security, legal, and regulatory compliance requirements
    - implement different security policies
    - integrate it into existing security infrastructures and processes

    SAP HANA is used in different scenarios; the scenario determines the security approach.

  • Further Information

    Important SAP notes:
    - 1598623: SAP HANA appliance: Security
    - 1514967: SAP HANA appliance
    - 1730928: Using external software in a HANA appliance
    - 1730929: Using external tools in an SAP HANA appliance
    - 1730930: Using antivirus software in an SAP HANA appliance
    - 1730999: Configuration changes in HANA appliance

    Whitepapers and how-to:
    - Whitepaper: http://www.saphana.com/docs/DOC-3751
    - How to Define Standard Roles for SAP HANA Systems: https://scn.sap.com/docs/DOC-53974

    SAP HANA documentation:
    - http://help.sap.com/hana_platform - SAP Help Portal: Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide

  • SAP d-code Virtual Hands-on Workshops and SAP d-code Online: continue your SAP d-code education after the event!

    SAP d-code Online
    - Access replays of keynotes, Demo Jam, SAP d-code live interviews, select lecture sessions, and more!
    - Hands-on replays
    - http://sapdcode.com/online

    SAP d-code Virtual Hands-on Workshops
    - Access hands-on workshops post-event
    - Starting January 2015
    - Complimentary with your SAP d-code registration
    - http://sapdcodehandson.sap.com

  • Feedback

    Please complete your session evaluation for SEC200.

    Thanks for attending this SAP TechEd && d-code session.

    Contact information: Andrea Kristen ([email protected])

  • 2014 SAP SE or an SAP affiliate company. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

    SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

    Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

    National product specifications may vary.

    These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

    In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.