SAP HANA Security Overview Session 3909. Andrea Kristen, Holger Mack, SAP ASUG Annual Conference 2013




Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

2013 SAP AG. All rights reserved.

Agenda
- SAP HANA scenarios
- SAP HANA security functions
- Security in SAP HANA scenarios
- Data center integration and compliance
- Summary and Q&A

SAP HANA scenarios

SAP in-memory strategy (roadmap slide, from innovation to transformation: Introduction, Side-by-Side, Primary Persistence, One Store)

Capabilities and the benefit each brings:
- SAP HANA real-time operational analytics: flexible real-time analysis of operations at detail level
- SAP BW powered by SAP HANA: primary persistence and optimized for SAP BW
- SAP HANA platform for in-memory apps (SAP HANA XS): enable application development and deployment, minimize layers
- SAP Business Suite optimized for in-memory computing: reduced landscape complexity
- SAP HANA as persistence layer for SAP Business Suite: value chain transformation

This is the current state of planning and may be changed by SAP at any time.

SAP HANA terminology

Category | SAP in-memory computing
Appliance | SAP HANA appliance
Database | SAP HANA database
Platform | SAP HANA Extended Application Services (XS)
Applications | Application Name, powered by SAP HANA
Cloud | SAP HANA One, SAP HANA Cloud
Administration and Development Tool | SAP HANA studio

Traditional security architecture (diagram): Client -> Application Server -> Database. The security functions sit in the application layer on the application server: Authentication/SSO, Encryption, Authorization, Identity Store, Audit Logging.

SAP HANA scenarios: 3-tier application, data mart (analytics)
- 3-tier application, e.g. SAP NetWeaver Business Warehouse: Client -> Application Server -> (SQL/MDX) -> SAP HANA
- Data mart (analytics), e.g. SAP BusinessObjects business intelligence solution with data replicated from SAP ERP: Client -> SAP BusinessObjects Business Intelligence -> (SQL/MDX) -> SAP HANA, fed by replication from the source system

SAP HANA scenarios: SAP HANA extended application services
Technical infrastructure for new applications, e.g. a browser-based application built directly on top of SAP HANA XS (Client -> HTTP(S) -> XS application inside SAP HANA).
Rationale: enable application development and deployment, minimize layers. An http-based UI (browser, mobile apps) runs directly on SAP HANA, without an additional external application, leveraging the built-in strengths of SAP HANA for the best possible performance.
Scope:
- light-weight, small web-based applications
- complex, high-speed business applications with deep integration of differentiating SAP HANA database features

SAP HANA security functions

SAP HANA overview of security functions (diagram): the security functions now reside in SAP HANA itself: Authentication/SSO, Encryption, Authorization, Identity Store, Audit Logging. Access paths: Application Server via SQL/MDX; SAP HANA Studio (administration) via SQL; Client via HTTP(S) to an XS application.

SAP HANA overview of security functions

Function | Details
Authentication | SQL access: user name and password (incl. password policy), Kerberos, SAML (bearer token). HTTP access (SAP HANA XS): user name and password (incl. password policy), SAP logon tickets
Users and roles | User and role concept (more information below)
Authorization | Privilege concept based on standard SQL privileges + extensions for business applications (more information below)
Encryption | Communication encryption (SSL); data volume encryption (on disk)
Audit logging | Audit logging framework (more information below)
Security administration | SAP HANA Studio; additionally a SQL interface for user/role management and other administration tasks (command line tool hdbsql available)

SAP HANA user and role management
- For logon, users must exist in the identity store of the SAP HANA database
- Roles (and privileges) can be assigned to users
- Roles are used to bundle and structure privileges
- Create roles for specific groups of users; role hierarchies are supported
- Role lifecycle: design-time roles -> export to production system -> activate -> runtime

SAP HANA authorization
- System privileges: authorize execution of administrative actions for the entire SAP HANA database
- SQL privileges: authorize access to data and operations on database objects
- Analytic privileges: authorize read access on analytic views at run time; provide row-level access control based on dimensions of the respective view
- Package privileges: authorize access in the repository (modeling environment) at design time
- Application privileges: authorize access to SAP HANA XS application functions

SAP HANA authorization: runtime access control
- Access (SELECT) to a specific table or view is restricted by the SQL SELECT object privilege.
- Access to a specific column can be restricted by creating a view with a subset of columns and granting the SELECT privilege only on this view.
- Access to specific rows is restricted by analytic privileges.
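The runtime access control above, written out in SAP HANA SQL as an added example (not from the presentation): a role bundles the privileges, a view over a subset of columns implements the column restriction, and only the view is granted. The SALES schema, table, role and user names are assumed; the statements are meant to be run by the owner of the SALES schema.

```sql
-- Added example, not from the presentation. Schema, table, role and user
-- names are assumed; run as the owner of the SALES schema, who may grant
-- SELECT on objects it owns.

-- Base table with one sensitive column (constructed sample).
CREATE COLUMN TABLE SALES.ORDERS (
    ORDER_ID        INTEGER PRIMARY KEY,
    REGION          NVARCHAR(10),
    AMOUNT          DECIMAL(15,2),
    CUSTOMER_TAX_ID NVARCHAR(20)      -- must not be visible to analysts
);

-- Column restriction: expose only the non-sensitive subset through a view.
CREATE VIEW SALES.ORDERS_ANALYST AS
    SELECT ORDER_ID, REGION, AMOUNT
    FROM   SALES.ORDERS;

-- Roles bundle privileges; privileges go to roles, not directly to users.
CREATE ROLE SALES_ANALYST;

-- SQL object privilege: SELECT on the view only. No privilege is granted on
-- the base table, so the sensitive column stays unreachable for the role.
GRANT SELECT ON SALES.ORDERS_ANALYST TO SALES_ANALYST;

-- Role hierarchy: a reporting role that inherits the analyst role.
CREATE ROLE SALES_REPORTING;
GRANT SALES_ANALYST TO SALES_REPORTING;

-- Users must exist in the SAP HANA identity store before they can log on.
-- The password is a placeholder; the password policy forces a change at
-- first logon.
CREATE USER ANALYST1 PASSWORD "Initial-Pwd-1";
GRANT SALES_REPORTING TO ANALYST1;

-- Row-level restriction (specific rows) is done with analytic privileges on
-- analytic views, which are modeled in SAP HANA studio and not shown here.

-- Check: which privileges ANALYST1 effectively holds on the SALES schema,
-- and through which grantee (role) each one arrives. A SELECT * FROM
-- SALES.ORDERS by ANALYST1 should be rejected with an authorization error.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTEE, GRANTOR
FROM   EFFECTIVE_PRIVILEGES
WHERE  USER_NAME   = 'ANALYST1'
AND    SCHEMA_NAME = 'SALES';
```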

SAP HANA audit logging
Logging of critical events for security and compliance, e.g.
- user, role and privilege changes
- configuration changes
Data access logging:
- read and write access (tables, views), execution of procedures
Audit trail written to Linux syslog
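The audit logging framework of the slide, configured through SAP HANA SQL audit policies, as an added example (not from the presentation): auditing is switched on system-wide, one policy each covers user/role/privilege changes, configuration changes, data access on a sensitive table, procedure execution and failed logons. Policy, schema, table and procedure names are assumed; the statements need the AUDIT ADMIN system privilege.

```sql
-- Added example, not from the presentation. Policy, schema, table and
-- procedure names are assumed; requires the AUDIT ADMIN system privilege.

-- 1. Switch auditing on system-wide and write the trail to Linux syslog
--    (SYSLOGPROTOCOL is the default target; set explicitly for clarity).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('auditing configuration', 'global_auditing_state')    = 'true',
        ('auditing configuration', 'default_audit_trail_type') = 'SYSLOGPROTOCOL'
    WITH RECONFIGURE;

-- 2. User, role and privilege changes: both successful and failed attempts.
CREATE AUDIT POLICY USER_ROLE_PRIV_CHANGES
    AUDITING ALL
        CREATE USER, DROP USER, ALTER USER,
        CREATE ROLE, DROP ROLE,
        GRANT ROLE, REVOKE ROLE,
        GRANT PRIVILEGE, REVOKE PRIVILEGE
    LEVEL CRITICAL;
ALTER AUDIT POLICY USER_ROLE_PRIV_CHANGES ENABLE;

-- 3. Configuration changes (e.g. someone turning auditing back off).
CREATE AUDIT POLICY CONFIG_CHANGES
    AUDITING ALL SYSTEM CONFIGURATION CHANGE
    LEVEL WARNING;
ALTER AUDIT POLICY CONFIG_CHANGES ENABLE;

-- 4. Data access logging on one sensitive table: reads and writes.
CREATE AUDIT POLICY HR_SALARY_ACCESS
    AUDITING ALL SELECT, INSERT, UPDATE, DELETE ON HR.SALARY
    LEVEL INFO;
ALTER AUDIT POLICY HR_SALARY_ACCESS ENABLE;

-- 5. Execution of the procedure that modifies that table.
CREATE AUDIT POLICY HR_SALARY_PROC
    AUDITING ALL EXECUTE ON HR.ADJUST_SALARY
    LEVEL INFO;
ALTER AUDIT POLICY HR_SALARY_PROC ENABLE;

-- 6. Failed logons get their own policy: a burst of these in syslog is the
--    signal a SIEM rule should pick up.
CREATE AUDIT POLICY FAILED_LOGONS
    AUDITING UNSUCCESSFUL CONNECT
    LEVEL ALERT;
ALTER AUDIT POLICY FAILED_LOGONS ENABLE;

-- Verify which policies exist and which are active.
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL, IS_AUDIT_POLICY_ACTIVE
FROM   AUDIT_POLICIES;
```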

SAP HANA security administration: SAP HANA Studio, and the SQL interface (command line tool hdbsql available).

SAP HANA security administration: SAP HANA studio (screenshot)

Security in SAP HANA scenarios

SAP HANA as persistence for Business Suite & BW (3-tier application: SAP Business Suite, SAP NetWeaver Business Warehouse; Client -> Application Server -> SQL/MDX -> SAP HANA)
Access from Business Suite or Business Warehouse to SAP HANA:
- Same security model for user access as with other databases
- Security functions of SAP NetWeaver ABAP/JAVA still apply
- Application server connects with a technical database user to the SAP HANA database
- Authorization management as before with existing methods (e.g. PFCG, authority check)
- User management in the application server
- SAP HANA security functions are used to manage administrative access to the database

Data mart scenario: general (data mart (analytics), e.g. SAP BusinessObjects business intelligence solution with data replicated from SAP ERP; individual end users and database admins access SAP HANA, which is fed by replication from the source)
- Direct access of individual users to the SAP HANA database, e.g. to consume reports or view dashboards, or using Microsoft Excel
- Privileges for individual users/roles assigned on database level
- Direct access of database administrators to the SAP HANA database

SAP HANA Live for SAP Business Suite (3-tier application, e.g. SAP Business Suite; SAP BusinessObjects Business Intelligence and other clients access the SAP HANA Live views in SAP HANA)
- SAP HANA Live for SAP Business Suite supports direct access to ERP data in SAP HANA
- ERP data is exposed via analytical views as so-called virtual data models
- Virtual data models can be used by the customer to create new views
- Virtual data models can be exposed (e.g. via SQL or http) and consumed by different clients (e.g. browser) or reporting tools
- SAP HANA Live can be used in a sidecar (i.e. replicated data) or integrated approach
Security:
- Each SAP HANA Live user gets a database user
- Authorization check within SAP HANA using privileges
- Tool support to assist with generation of SAP HANA authorizations from ABAP PFCG roles: Analytics Authorization Assistant

Data mart scenario: special cases (data mart (analytics), e.g. SAP BusinessObjects business intelligence solution with data replicated from SAP ERP)
- SAP Business Warehouse info providers can be exposed as analytical views in SAP HANA
- Automatic generation of analytical views on defined info providers
- Analytic privileges are automatically generated
- Views can be accessed by native SAP HANA clients and applications
- Requires users to exist as SAP HANA database users

SAP HANA security aspects of data mart scenarios: integration with SAP BusinessObjects BI solutions (individual end users -> SAP BusinessObjects server -> SAP HANA; database admins access SAP HANA directly)
Identity forwarding for scenarios with authorization in SAP HANA:
1. User authenticates against the BOE server with a BOE authentication mechanism
2. BOE server securely forwards the user identity to SAP HANA (options):
- User name/password
  o SAP HANA database user name/password stored in the BOE server
  o Manual synchronization
- Kerberos
  o Users must log on to the BOE server using Active Directory authentication
  o BOE server must run on Linux or Microsoft Windows
- SAML (on roadmap for SAP BusinessObjects 4.1)
  o Users can log on with any BOE logon method (Active Directory, LDAP, SAP, or native enterprise)
  o BOE user ID must exist as a database user in the SAP HANA database
  o BOE server acts as identity provider: it generates a SAML ticket for the user and sends it to the SAP HANA database for validation; if valid, a session is established for this user
  o Using SSL transport security between BOE and HANA is highly recommended

SAP HANA security aspects of SAP HANA XS scenarios (technical infrastructure for new applications, e.g. a browser-based application built directly on top of SAP HANA XS; Client -> HTTP(S) -> XS application in SAP HANA)
Integrated with the HANA security model:
- User and role management: SAP HANA database users and privileges/roles
- Authorization: user needs access to SAP HANA database objects; additional privilege type: application privileges
- Authentication and single sign-on: user name and password, SAP logon ticket; on roadmap: X.509, SAML
- Communication and data encryption: SSL, SAP HANA data volume encryption
- Audit logging: SAP HANA audit logging infrastructure
- Secure web applications: protection against XSRF, SQL injection, XSS

SAP HANA security aspects of SAP HANA XS scenarios: building secure applications based on SAP HANA XS
Application developers can define (in the .xsaccess file):
- which packages get exposed via http
- the authentication method required for package access
- application-specific access privileges
- which privileges are required for package access
- when SSL is used for access to packages
- enable Cross-Site Request Forgery (XSRF) protection
Additional topics:
- SQL connection configuration for database access with different privileges (e.g. for anonymous access)
- Use prepared statements for SQL injection prevention
More information: SAP HANA Developer Guide, http://help.sap.com/hana/hana_dev_en.pdf

Data center integration and compliance

SAP HANA data center integration: IdM, SSO and audit logging
- Identity management infrastructure (via SQL): integration with user and role provisioning solutions; out-of-the-box connector for SAP NetWeaver Identity Management; SQL interface for integration with other identity management solutions
- Single sign-on infrastructure (Kerberos, SAML): standards-based single sign-on infrastructures, e.g. Microsoft Active Directory
- Logging infrastructure (syslog): existing logging infrastructures; database audit trail written via Linux syslog

SAP HANA data center integration: OS security, patching and network
Operating system:
- SAP HANA is based on SUSE Linux Enterprise 11 SP2 for SAP
- Includes security pre-configurations (e.g. minimal network services)
Security patches:
- SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)
- Delivered with SAP HANA revisions and can be applied via SUM for HANA
- Operating system security patches are provided and published by SUSE
Network integration:
- Network communication (purpose, ports) used by SAP HANA is documented in the HANA Security Guide
- Includes recommendations for the use of firewalls, e.g. for separation between internal and external communication
- Use of SSL is supported for all network communication channels

SAP HANA compliance
SAP HANA provides functions that support customers in achieving compliance. Compliance is not a product feature but depends on many factors:
- Relevant rules and regulations (IT policies, industry, country, ...)
- Existing technology/infrastructure, processes, audit approach
- Both process and functional requirements
Best practices in security operations:
- Need-to-know principle, separation of duties on all levels
- Control of privileged access
- Ability to audit
- Deletion of data
End-to-end approach in SAP HANA:
- Based on built-in database security functions and secure pre-configuration of the software and hardware stack
- Integration of existing security infrastructures via standard/documented interfaces and the option to use 3rd party tools that are
- End-to-end documentation for the whole software lifecycle, incl. exhaustive security guide and recommendations for secure setup and operation
(Diagram: the security functions Authentication/SSO, Authorization, Identity Store, Encryption and Audit Logging inside SAP HANA on its operating system, accessed via SQL/MDX from the application server, via SQL from SAP HANA Studio and via HTTP(S) from XS clients, embedded in the surrounding security infrastructure and compliance environment.)

Summary and Q+A

Summary
- SAP HANA comes with security features that allow implementation of different security policies
- SAP HANA is used in different scenarios which require different security approaches
- The security architecture of the scenario determines the security approach

Further Information
- SAP Public Web: http://help.sap.com/hana_appliance -> Security Guide
- http://www.saphana.com

Security-related SAP notes
- 1598623: SAP HANA appliance: Security (Central Security Note)
- 1514967: SAP HANA appliance (Central Appliance Note)
- 1730928: Using external software in a HANA appliance
- 1730929: Using external tools in an SAP HANA appliance
- 1730930: Using antivirus software in an SAP HANA appliance
- 1730932: Using backup tools with Backint
- 1730999: Configuration changes in HANA appliance
- 1730996: Unrecommended external software and software versions
- 1730997: Unrecommended versions of antivirus software
- 1730998: Unrecommended versions of backup tools
- 1731000: Unrecommended configuration changes

Q+A: Questions?

Thank You! Contact information: Andrea Kristen, andrea.kristen@sap.com; Holger Mack, holger.mack@sap.com
