Andrea Kristen, SAP HANA Product Management
SEC200 Security in Different SAP HANA Scenarios
2014 SAP SE or an SAP affiliate company. All rights reserved. 2 Public
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda
SAP HANA scenarios
SAP HANA security functions
Security in different SAP HANA scenarios
Data center integration
SAP HANA scenarios
SAP HANA: what's in a name...
Applications: Powered by SAP HANA
Administration/Dev Tools (IDE): SAP HANA studio, XS administration tool, WebIDE
Database: SAP HANA database
Platform: SAP HANA Extended Application Services (XS), Development Environment, Repository
On-Premise: Range of options (SAP HANA appliance, tailored data center)
Cloud: Range of options (from fully managed to infrastructure subscription)
SAP HANA deployment options in the cloud and on premise
http://www.saphana.com/community/cloud
http://www.saphana.com/community/about-hana/on-premise-options
Traditional security architecture
[Diagram: Client, Application Server (running the applications), Database; security functions shown: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store]
SAP HANA scenarios: overview of different scenario types
Traditional 3-tier application
Data mart (3-tier or 2-tier application)
Native 2-tier application
SAP HANA scenarios: overview of integrated scenarios
Integrated 3-tier and 2-tier scenarios
[Diagram: Clients reach SAP HANA either through the Application Server (3-tier), through SAP BusinessObjects Business Intelligence, or directly via XS (2-tier)]
SAP HANA security functions
SAP HANA unified security architecture
[Diagram: Browser connects via HTTP(S) to XS; Application Server and SAP HANA Tools (admin/dev) connect via JDBC/ODBC. The security functions Authentication/SSO, Authorization, Encryption, Audit Logging and Identity Store are shared by the Application, the Design Time Repository and the Database layers inside SAP HANA]
SAP HANA authentication and single sign-on
JDBC/ODBC access:
  User name and password (incl. password policy)
  Kerberos
  SAML (bearer token)
  SAP logon and assertion tickets
HTTP access (SAP HANA XS):
  User name and password (basic authentication, form-based login; incl. password policy)
  SPNEGO
  SAML
  SAP logon and assertion tickets
  X.509
SAP HANA user and role management
For logon, users must exist in the identity store of the SAP HANA database
Roles (and privileges) can be assigned to users
Roles are used to bundle privileges: create roles for specific groups of users
Role transport can be integrated into the development/production system landscape
Two kinds of roles: catalog and repository roles
SAP HANA catalog vs. repository roles
Properties
  Catalog roles:
    Not transportable
    Not versioned
    Created in runtime (production system), system privilege ROLE ADMIN required
    User must have a privilege to include it in a role
    Creator can always grant/revoke role, other administrators need system privilege ROLE ADMIN
    Only grantor can revoke role
    If a privilege is revoked from the user who granted it to a role (not necessarily the creator of the role), it is also revoked from the role
  Repository roles:
    Transportable, applications can ship roles
    Versioned
    Created in design time (development system), transported and activated to runtime (production system)
    Any administrator with EXECUTE privilege on built-in grant/revoke procedures can grant/revoke roles
    Activation and granting/revoking can be separated
Main advantages
  Catalog roles:
    Easy to create via SQL
    Typical SQL behavior
  Repository roles:
    Intuitive UI for editing roles in SAP HANA Studio
    Grantor does not need privileges included in role
    Transportable
    Decouples role creation from role granting/revoking
SAP HANA role lifecycle
[Diagram: Design time (developers, DEV system): .hdbroles objects in Repository package1/subpackage1, edited in Studio or Web IDE; moved to PROD by export/import as a Delivery Unit (DU) or by transport with HANA Application Lifecycle Manager. Runtime (administrators, PROD system): activation via _SYS_REPO creates the database role; grant/revoke in Studio]
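As an added illustration of the catalog vs. repository role behaviour in the table above and of the lifecycle diagram (example SQL written for this page, not taken from the SAP presentation): schema SALES, user JDOE, administrator ROLE_ADMIN_USER, catalog role SALES_READER_CAT and repository role acme.sales.roles::sales_reader are assumed names, and the .hdbrole snippet quoted in the comment is the design-time syntax as I understand it for the SPS 08 era.

```sql
-- Example SQL, not from the presentation. Assumed names: schema SALES, user JDOE,
-- administrator ROLE_ADMIN_USER, catalog role SALES_READER_CAT, repository role
-- acme.sales.roles::sales_reader.

-- 1. Catalog role: created at runtime via SQL; needs system privilege ROLE ADMIN,
--    and the grantor must itself hold every privilege it puts into the role.
CREATE ROLE SALES_READER_CAT;
GRANT SELECT ON SCHEMA SALES TO SALES_READER_CAT;
CREATE USER JDOE PASSWORD "InitPw2014";          -- constructed initial password
GRANT SALES_READER_CAT TO JDOE;
-- Typical SQL behaviour: only the grantor of this assignment can revoke it again.
REVOKE SALES_READER_CAT FROM JDOE;

-- 2. Repository role: defined at design time in a .hdbrole file, e.g.
--    (assumed syntax)   role acme.sales.roles::sales_reader {
--                           catalog schema "SALES": SELECT;
--                       }
--    Activation in the target system is done by the technical user _SYS_REPO,
--    which owns the activated role. Administrators grant it through the built-in
--    procedures and only need EXECUTE on those procedures, not the privileges
--    contained in the role. Done once by a user allowed to grant EXECUTE on them:
GRANT EXECUTE ON _SYS_REPO.GRANT_ACTIVATED_ROLE  TO ROLE_ADMIN_USER;
GRANT EXECUTE ON _SYS_REPO.REVOKE_ACTIVATED_ROLE TO ROLE_ADMIN_USER;

-- Run as ROLE_ADMIN_USER: granting/revoking is decoupled from role creation.
CALL _SYS_REPO.GRANT_ACTIVATED_ROLE ('acme.sales.roles::sales_reader', 'JDOE');
CALL _SYS_REPO.REVOKE_ACTIVATED_ROLE('acme.sales.roles::sales_reader', 'JDOE');

-- Check: roles currently held by JDOE and who granted them. For a repository
-- role the grantor of record is _SYS_REPO; for a catalog role it is the
-- administrator who ran GRANT.
SELECT ROLE_NAME, GRANTOR FROM GRANTED_ROLES WHERE GRANTEE = 'JDOE';
```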
SAP HANA authorization
Database access privileges (see next slide)
Application privileges
Repository privileges
SAP HANA database access privileges in detail
User groups in the diagram: technical account, individual end users, database administrators
SQL (object) privileges
  Authorize access to data and operations on database objects (tables, views, procedures etc.)
Analytic privileges
  Authorize read access on analytic views
  Provide row-level access control based on dimensions
System privileges
  Authorize execution of administrative actions for the entire SAP HANA database
  E.g. privilege for backup
SAP HANA encryption
Communication encryption: SSL (can be enforced for client connections)
Data encryption: Data volumes on disk
Backup encryption:
Recommended to use a suitable 3rd party backup tool
Currently certified: Symantec NetBackup, IBM Tivoli Storage Manager, Commvault Simpana, HP Data Protector, EMC Data Domain Boost, EMC Networker, SEP Sesam. See Application Partner Directory (search for HANA-BRINT 1.1)
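How the two encryption settings named above (enforced SSL for client connections, data volume encryption) are switched on and checked, as an added example written for this page rather than taken from the presentation; parameter names are those of the global.ini [communication] section and the persistence encryption statement as I know them, to be verified against the Security Guide for the revision in use.

```sql
-- Example SQL, not from the presentation; verify parameter names against the
-- SAP HANA Security Guide for your revision.

-- Communication encryption: SSL is offered to every JDBC/ODBC client once the
-- server has a certificate; sslenforce additionally rejects clients that try
-- to connect without it, so an unencrypted password never crosses the network.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('communication', 'sslenforce') = 'true'
  WITH RECONFIGURE;

-- Data encryption: encrypts the data volumes on disk. Turn it on before the
-- system is loaded with productive data; existing pages are encrypted as they
-- are written by the next savepoints.
ALTER SYSTEM PERSISTENCE ENCRYPTION ON;

-- Check the encryption state instead of assuming it for a compliance report.
SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS;
```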
SAP HANA audit logging
Logging of critical events for security and compliance, e.g. user, role and privilege changes, configuration changes
Data access logging: read and write access (tables, views), execution of procedures
Firefighter logging, e.g. for support cases
Audit trail written to Linux syslog or to a database table within SAP HANA
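The three kinds of logging listed above, expressed as audit policies, as an added example written for this page (not SAP's own sample): schema SALES, table SALES.ORDERS and the support user FF_SUPPORT are assumed names, and the audit actions and view columns are those of the SAP HANA SQL reference as I know them for SPS 08 and should be checked against the reference for the revision in use.

```sql
-- Example SQL, not from the presentation. Assumed: table SALES.ORDERS, support
-- user FF_SUPPORT, auditing switched off beforehand.

-- 1. Switch auditing on and choose the audit trail target. Linux syslog is the
--    recommended target because it can be forwarded off the box and is not
--    writable by database administrators; 'CSTABLE' keeps the trail in an
--    internal column-store table instead (readable via the AUDIT_LOG view).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state')     = 'true',
      ('auditing configuration', 'default_audit_trail_type')  = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

-- 2. Critical events: user, role, privilege and configuration changes.
--    ALL logs successful and failed attempts, which matters for the latter.
CREATE AUDIT POLICY sec_admin_changes AUDITING ALL
  CREATE USER, DROP USER, ALTER USER,
  CREATE ROLE, DROP ROLE, GRANT ROLE, REVOKE ROLE,
  GRANT PRIVILEGE, REVOKE PRIVILEGE,
  SYSTEM CONFIGURATION CHANGE
  LEVEL CRITICAL;
ALTER AUDIT POLICY sec_admin_changes ENABLE;

-- 3. Data access logging on a sensitive table: read and write access.
CREATE AUDIT POLICY orders_access AUDITING SUCCESSFUL
  SELECT, INSERT, UPDATE, DELETE ON SALES.ORDERS
  LEVEL INFO;
ALTER AUDIT POLICY orders_access ENABLE;

-- 4. Firefighter logging: record every action of a support user while it
--    holds temporary elevated access (ALL ACTIONS is restricted to named users).
CREATE AUDIT POLICY ff_support_session AUDITING ALL
  ALL ACTIONS FOR FF_SUPPORT
  LEVEL CRITICAL;
ALTER AUDIT POLICY ff_support_session ENABLE;

-- 5. Review: active policies and, when the table trail is used, recent
--    critical entries.
SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE, EVENT_STATUS, EVENT_LEVEL
  FROM AUDIT_POLICIES;
SELECT TIMESTAMP, USER_NAME, EVENT_ACTION, STATEMENT_STRING
  FROM AUDIT_LOG
 WHERE EVENT_LEVEL = 'CRITICAL'
 ORDER BY TIMESTAMP DESC;
```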
Security in SAP HANA scenarios
Traditional 3-tier application: database migration to SAP HANA
Database migration to SAP HANA: no change to the security model
Security functions of the SAP application server apply; the application server connects to SAP HANA with a technical account
Authorization management as before with existing methods
User management in the application server
SAP HANA security functions are used to manage administrative access to SAP HANA
Example: Business Warehouse on SAP HANA, Business Suite on SAP HANA
[Diagram: Client, SAP Application Server (BW, ERP), SAP HANA]
Integrated scenario: reporting on ERP data in SAP HANA
Direct user access to SAP HANA: modified security model
SAP HANA Live for SAP Business Suite supports direct access to ERP data in SAP HANA
ERP data is exposed via virtual data models (analytic views in SAP HANA): read only, can be adapted by customers
Integrated approach, but can also be used in a sidecar scenario (replicated data)
Authorization checks using SAP HANA privileges
Tool support for generation of SAP HANA privileges from ABAP PFCG roles (SAP HANA Studio plugin)
Requires users to exist as SAP HANA users
[Diagram: Clients (browser, BI client) reach SAP HANA via the SAP Application Server and directly via SAP HANA Live and XS]
Integrated scenario: reporting on BW data in SAP HANA
Direct user access to SAP HANA: modified security model
SAP Business Warehouse supports direct access to BW data in SAP HANA
BW data is exposed via special info providers (analytic views in SAP HANA): read only
Authorization checks using SAP HANA privileges
Automatic generation of SAP HANA privileges and roles, automatic role assignment
Requires users to exist as SAP HANA users
[Diagram: Clients (browser, BI client) reach SAP HANA via SAP NetWeaver AS and directly via the info providers and XS]
Integrated scenarios: user generation from ABAP
For scenarios where ABAP is the leading system:
SAP HANA users can be generated from ABAP users
Since NW 7.40 SPS 3
User management transaction SU01
Create SAP HANA user from ABAP user with initial password. The user mapping is stored in a mapping table.
Assign and un-assign SAP HANA roles
Lock and unlock SAP HANA user when ABAP user is locked/unlocked
Control report RSUSR_DBMS_USERS_CHECK for inconsistent mappings
More information: SAP Help Portal: DBMS User Management, SAP Note 1836006
Since NW 7.40 SPS 6
Report for mass synchronization: RSUSR_DBMS_USERS
More information: SAP Note 1927767
User copy supported in SU01
Data mart: customer-specific analytic reporting on SAP HANA
Direct user access to SAP HANA based on the SAP HANA native security model
Custom reports and dashboards for direct access to data in SAP HANA
Data is exposed via SAP HANA analytic views: read only, often on replicated/aggregated data
Authorization checks using SAP HANA privileges: need to be modelled for the individual project
Requires users to exist as SAP HANA users
Examples: BI tools
[Diagram: Source system replicated into SAP HANA; clients and SAP BusinessObjects Business Intelligence access SAP HANA directly]
Native applications built on SAP HANA XS
Direct user access to SAP HANA: integrated security model
Integrated security model for direct access to data in SAP HANA via XS applications:
User and role management
Authorization framework: additional privilege type, application privileges
Authentication and single sign-on: user name and password, SAML, SPNego/Kerberos, SAP logon and assertion tickets, X.509
Communication and data encryption
Audit logging
Additional web-specific protection mechanisms: protection against XSRF, SQL injection, XSS
[Diagram: Client connects via HTTP(S) to SAP HANA XS (control flow logic, presentation logic) and the DB (calculation logic)]
Data center integration
SAP HANA integration via standard and documented interfaces
User and role provisioning
Out-of-the-box connector for SAP NetWeaver Identity Management
SQL interface for integration with other identity management solutions
Compliance infrastructure
Out-of-the-box connector for SAP Access Control 10.1
Standards-based SSO infrastructure
E.g. Microsoft Active Directory
Logging infrastructure
Database audit trail written via Linux syslog
[Diagram: SAP HANA connected to the Logging Infrastructure (syslog), the Single Sign-On Infrastructure (Kerberos, SAML), the Identity Management Infrastructure (SQL) and the Compliance Infrastructure (SQL)]
SAP HANA operating system and patching
Operating system
SUSE Linux Enterprise and Red Hat Enterprise Linux
Operating system security patches are provided and published by SUSE/Red Hat
SAP HANA security patches
SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)
Security notes for all SAP products are available at: http://service.sap.com/securitynotes
For SAP HANA, filter for component HAN*
For more information on SAP's security approach, see http://www.sap.com/security
Patches are delivered as SAP HANA revisions
SAP HANA network security
Network communication documented in the SAP HANA Security Guide and Master Guide
Recommendations for use of network zones
Separation of external and internal communication
Certified SAP HANA hosts use a separate network adapter with a separate IP address for each of the different networks
SSL support
Between SAP HANA and clients
Between nodes in a scale-out SAP HANA system
Between data centers in system replication scenarios
Summary
Summary
SAP HANA provides security functions, frameworks and interfaces that enable customers to meet security, legal, and regulatory compliance requirements, implement different security policies, and integrate it into existing security infrastructures and processes
SAP HANA is used in different scenarios; the scenario determines the security approach
Further Information
Important SAP notes
1598623: SAP HANA appliance: Security
1514967: SAP HANA appliance
1730928: Using external software in a HANA appliance
1730929: Using external tools in an SAP HANA appliance
1730930: Using antivirus software in an SAP HANA appliance
1730999: Configuration changes in HANA appliance
Whitepapers and how-to
Whitepaper: http://www.saphana.com/docs/DOC-3751
How to Define Standard Roles for SAP HANA Systems: https://scn.sap.com/docs/DOC-53974
SAP HANA documentation
http://help.sap.com/hana_platform - SAP Help Portal: Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide
SAP d-code Virtual Hands-on Workshops and SAP d-code Online Continue your SAP d-code education after the event!
SAP d-code Online
Access replays of keynotes, Demo Jam, SAP d-code live interviews, select lecture sessions, and more!
Hands-on replays
http://sapdcode.com/online
SAP d-code Virtual Hands-on Workshops
Access hands-on workshops post-event
Starting January 2015
Complementary with your SAP d-code registration
http://sapdcodehandson.sap.com
Feedback Please complete your session evaluation for
SEC200
Thanks for attending this SAP TechEd && d-code session.
Contact information:
Andrea Kristen ([email protected])
2014 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark
information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing
herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or
release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for
any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.