
Page 1: SAP HANA SPS10- Security

1© 2014 SAP AG or an SAP affiliate company. All rights reserved.

SAP HANA SPS 10 – What’s New? Security

SAP HANA Product Management June, 2015

(Delta from SPS 09 to SPS 10)

© 2015 SAP SE or an SAP affiliate company. All rights reserved. Public

Summary

Simplified role assignment in SAP HANA Cockpit

New option for controlling allowed access channels for users

Improved UI support for configuring user self services in SAP HANA Cockpit

Improved lifecycle management and extended tool support for analytic privileges

Simplified certificate management for SSL/TLS and single sign-on

Automatic generation of PKI/certificates for internal communication channels

FIPS-certified encryption library supported

Extended audit logging coverage

Additional hardening options for multitenant database container isolation

What's New in SAP HANA SPS10: Security

Simplified role assignment in SAP HANA Cockpit

You can now use SAP HANA Cockpit to assign roles to a user

Roles are the standard mechanism of granting privileges to users in SAP HANA

Assigning roles

1. Click on the Assign Roles to Users tile on the homepage of the SAP HANA Cockpit.

2. Assign roles to the user.

What's New in SAP HANA SPS10: Security

Use custom roles for accessing functionality in SAP HANA Cockpit

You can now easily configure Cockpit to use custom roles for accessing functionality

Access to functionality via tiles in SAP HANA Cockpit is role-based. For SAP HANA Cockpit catalogs and groups delivered as default content, standard roles are available. In some scenarios, however, it might not be desirable to use the standard roles but to use custom roles instead.

Configure custom role

1. Click on the Configure Role-Based Cockpit Access tile on the homepage of the SAP HANA Cockpit

2. Assign the required catalog(s)/group(s) to the role

What's New in SAP HANA SPS10: Security

Control allowed access channels for users

For users that should only connect via HTTP, you can now enforce this access channel by disabling JDBC/ODBC access

By default, JDBC/ODBC access is

- Enabled for normal users

- Disabled for restricted users

To disable/enable JDBC/ODBC access, use either SAP HANA Studio (user editor) or SQL commands.

[Diagram: a browser or application server reaches SAP HANA through XS over HTTP(S); SAP HANA Studio and client applications connect directly over JDBC/ODBC]
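The SQL route for the access-channel control described above, as an added example that is not part of the SAP deck. The user, role and password values are constructed placeholders; the USERS column queried at the end is an assumption about the SPS10 system view and should be checked against the SQL reference.

```sql
-- Added example: restrict a user that only needs XS/HTTP access so that it
-- cannot open JDBC/ODBC sessions. XS_ONLY_USER, XS_APP_ROLE and the password
-- are constructed placeholders.

-- A normal user: JDBC/ODBC client connect is enabled by default.
CREATE USER XS_ONLY_USER PASSWORD "Initial-Passw0rd" NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT XS_APP_ROLE TO XS_ONLY_USER;

-- Enforce HTTP as the only access channel by disabling JDBC/ODBC connections.
ALTER USER XS_ONLY_USER DISABLE CLIENT CONNECT;

-- Verify the setting; the column name IS_CLIENT_CONNECT_ENABLED is assumed here.
SELECT USER_NAME, IS_RESTRICTED, IS_CLIENT_CONNECT_ENABLED
  FROM SYS.USERS
 WHERE USER_NAME = 'XS_ONLY_USER';

-- Re-enable JDBC/ODBC only if the user later genuinely needs SQL access
-- (for example through SAP HANA Studio).
-- ALTER USER XS_ONLY_USER ENABLE CLIENT CONNECT;
```

Disabling client connect does not affect the user's XS/HTTP logon, so an application user keeps working while the SQL surface (Studio, ODBC tools) is closed for that account.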

What's New in SAP HANA SPS10: Security

User self services enhancements

E-mail templates and UI support for maintaining the user self service configuration are now available

What's New in SAP HANA SPS10: Security

Improved lifecycle management for analytic privileges

SQL-based analytic privileges can now also be created as design-time objects

Analytic privileges grant different users access to different portions of data in the same view based on their business role.

The conditions that control which data users see are either contained in an XML document or defined using SQL.

Advantages of SQL-based analytic privileges

For new projects, we recommend using SQL-based analytic privileges.

Feature                                    SQL-Based   XML-Based

Control of read-only access to SQL views   Yes         No

Complex filtering                          Yes         No
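What a SQL-based analytic privilege looks like at runtime, as an added example that is not part of the SAP deck; the design-time object created in Studio or Web IDE produces the equivalent. The schema, view, column, table, role and privilege names are constructed placeholders.

```sql
-- Added example: SQL-based analytic privileges that show each analyst only the
-- rows of their own region. All object names are constructed placeholders.

-- Static filter: the condition is SQL, not an XML document.
CREATE STRUCTURED PRIVILEGE AP_SALES_EMEA
  FOR SELECT ON "SALES"."CV_SALES_ORDERS"
  WHERE "REGION" = 'EMEA';

-- Complex filtering: derive the allowed regions from a mapping table at query
-- time, so one privilege serves many users. SESSION_USER is the connected user.
CREATE STRUCTURED PRIVILEGE AP_SALES_BY_USER
  FOR SELECT ON "SALES"."CV_SALES_ORDERS"
  WHERE "REGION" IN (SELECT "REGION"
                       FROM "SALES"."USER_REGION_MAP"
                      WHERE "USER_NAME" = SESSION_USER);

-- Grant through a role; the role still needs SELECT on the view itself,
-- the analytic privilege only restricts which rows that SELECT returns.
GRANT SELECT ON "SALES"."CV_SALES_ORDERS" TO SALES_ANALYST_ROLE;
GRANT STRUCTURED PRIVILEGE AP_SALES_BY_USER TO SALES_ANALYST_ROLE;
```

A user with no matching row in the mapping table sees an empty result rather than an error, so keep the mapping table under the same change control as the privilege itself.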

What's New in SAP HANA SPS10: Security

Extended tool support for analytic privileges

Both the Modeling perspective in SAP HANA Studio and Web IDE now support design-time SQL-based analytic privileges

What's New in SAP HANA SPS10: Security

Simplified certificate management for SSL/TLS and single sign-on

Most certificates can now be stored and managed directly in the SAP HANA database

SAP HANA uses X.509 certificates for securing internal and external communication channels and for several user authentication mechanisms.

Recommendation: Store certificates in the database where possible.

For multitenant database container systems, storing certificates in the database simplifies the configuration and makes certificate management available to tenant administrators. This is especially relevant for hosting scenarios where tenant administrators usually do not have access to the file system.

Certificates can be stored for...                               ...in the database   ...in the file system

TLS (client-server communication over JDBC/ODBC)                YES                  YES

TLS (client-server communication over HTTP)                     NO                   YES

TLS (internal communication)                                    NO                   YES

Authentication (SAML, SAP Logon and Assertion Tickets, X.509)   YES                  YES

What's New in SAP HANA SPS10: Security

Viewing certificates stored in the database

Certificates in the database can currently only be managed using SQL. Read-only access to certificate-related information is available in SAP HANA Cockpit, however.

What's New in SAP HANA SPS10: Security

Automatic generation of PKI/certificates for internal communication channels (I)

A public-key infrastructure (system PKI) for securing internal communication channels using TLS is set up automatically during installation. No user interaction is required for the setup.

The following communication channels can be secured:

[Diagram: internal channels within a scale-out system (Host1, Host2); system replication between a primary and a secondary SAP HANA system; and, with the SAP HANA Dynamic Tiering option, between the hot store and the warm store]

What's New in SAP HANA SPS10: Security

FIPS-certified encryption library supported

CommonCryptoLib is now FIPS-certified

For more information, see http://scn.sap.com/community/security/blog/2015/01/21/sap-s-crypto-kernel-receives-fips-140-2-certificate

SAP CommonCryptoLib is the successor of SAPCRYPTOLIB and is the default cryptographic library for SAP HANA. It is used for operations that require cryptography, for example data volume encryption and TLS communication encryption.

CommonCryptoLib is installed as part of the SAP HANA server installation.

What's New in SAP HANA SPS10: Security

Extended audit logging coverage

Audit logging now also covers Data Provisioning and Dynamic Tiering

What's New in SAP HANA SPS10: Security

Additional hardening options for multitenant database container isolation

The isolation level is a new option for increasing the isolation between tenant databases on the operating system level

By default, all database processes in an MDC system run under the default operating system user. Tenant databases are self-contained/isolated in terms of users, database catalog, repository, logs, etc.

To provide additional protection in case of low-level attacks, you can configure your system for high isolation, with a dedicated operating system user and group for each tenant database.

[Diagram: one SAP HANA system containing the system database and tenant databases 1, 2, ... N]

What's New in SAP HANA SPS10: Security

More features can be enabled/disabled for tenants

You can now disable more features in tenant databases

Not all features are required/desirable for tenants in all environments, e.g. features that provide direct access to the file system, the network, or other critical resources.

What's New in SAP HANA SPS10: Security

Security reference information extended

The reference documentation on security-related topics has been extended

SAP HANA Security Guide

Roles assigned to standard users (SYSTEM, _SYS_REPO)

SAP HANA content (delivery units): Description, URLs, required roles

Security configuration checklist updated

SAP HANA Administration Guide

SAP HANA Cockpit tile catalogs: Description, required roles

More information

Documentation: SAP Help Portal: Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide

Whitepaper: SAP HANA Security Whitepaper

Best practices: How to Define Standard Roles for SAP HANA Systems

Training: HA 240

SAP Note   Title

2159014    FAQ: SAP HANA Security

1514967    SAP HANA appliance

1730928    Using external software in a HANA appliance

1730929    Using external tools in an SAP HANA appliance

1730930    Using antivirus software in an SAP HANA appliance

784391     SAP support terms and 3rd-party Linux kernel drivers

1730999    Configuration changes in HANA appliance

863362     Security checks with SAP EarlyWatch Alert

2021789    SAP HANA revision and maintenance strategy


SAP HANA – security patches

Operating system security patches

Supported operating systems: SUSE Linux Enterprise and Red Hat Enterprise

Operating system security patches are provided and published by the operating system vendors

SAP HANA security patches

SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)

– Security notes for all SAP products are available at: https://support.sap.com/securitynotes

– For SAP HANA, filter for component HAN*

Patches are delivered as SAP HANA revisions

More information:

– SAP HANA revision and maintenance strategy: SAP Note 2021789

– Security Patch Process

– SAP Security Notes – Frequently asked questions

SAP – security approach

Security is an important and integral part of every step of the SAP Development Lifecycle, which applies to all products. This includes security testing as well as a defined and established process to report and deal with potential security issues.

Protect your data – and your business – with SAP and its security solutions

http://www.sap.com/security

More information:

SAP security development lifecycle

SAP product security response team

Source code scanning

Product security validation at SAP


Thank you

Contact information

Andrea Kristen

SAP HANA Product Management

[email protected]