Skip to Content

Dear Reader, let me introduce myself – I am Peter – one of the „techies“ in the  Hana Enterprise Cloud (HEC) security team. We are a rather large international team of security experts working together to ensure that our customers‘ data, systems, business  processes and compliance are safe and secure at all times with Hana Enterprise Cloud.

Apart from the techies like myself who mostly dig deep into security features of products,organize and perform penetration tests, advise on architectural and design decisions, etc. there are the colleagues dedicating their time to security monitoring and logging, technical compliance to our product standards and reporting. Now imagine the tremendous work behind simple words like reporting … or logging. Of course not to forget, there are the „process“ guys – these would be the guys who make sure that our IT processes are designed and live up to the highest industry standards expected by our SOC/ISO auditors as well as by our customers. Last but not least – our management – the guys who coordinate, support and plan the security future of HEC.

So where does HEC security start and where does it end?

I would say HEC security start at the fence of our data centers and ends somewhere at the „green“ security report provided to our customers containing no issues. In other words HEC security does not start with our team and in as well does not end with us – security seems to be much about coordination and collaborative work together with dozens of other departments and colleagues.

Starting at the fence – our HEC data centers meet highest security standards and certification requirements. Take for example the main european HEC data center in St. Leon-Rot ( http://www.sapdatacenter.com/). My last visit there was a really exciting experience (even we – the guys from security do not get to go in it that often). Apart from the data center certifications and  impressive scale, I found the facts that the DC can withstand a small plane crash or that the diesel generators can provide enough electricity for the DC operations and the excess electricity can power the neighboring small towns and communities, rather amusing.

The HEC offering is designed, architectured and implemented with security in mind. The service is implemented as a private cloud solution which means customer‘s HEC systems are attached and seamlessly integrated with his existing infrastructure over MPLS, VPN, etc.

From the SAP HEC-standpoint we provide dedicated cloud-based environments (represented customer clouds below) where we take care of deploying, operating, managing, monitoring and all other tedious expensive activities and the customer can consume the benefits of our software and the Hana platform.

We have isolated customers from each other on different levels – staring on virtualization infrastructure level to communication protocol level. We have even isolated ourselves from HEC allowing only respective personnel to have access to the HEC environment.

/wp-content/uploads/2013/12/hec_overview_352666.png

 
 
Secure HEC IT operations from SAP side are supported by streamlined processes which are being closely monitored for compliance and effectiveness by our ISO/SOC auditors. Processes such as asset management, change management/patch management, incident management, anti-virus software management, backup and restore, identity and access/authorizations management, security vulnerability management, network management are all processes which customers can leave in our hands to take care of and he can enjoy only the benefits of our products.

But what about the provisioned systems themselves? Is the Hana database also securely deployed?

I am one of the „techies“ so that would be one of my specialties here 😉 … Customer systems deployed in HEC are additionally hardened by default according to our internal security hardening procedures which define and go deep into the individual security-related configuration parameters of the products supported in HEC   – this includes not only the Hana database itself, or the SAP ERP or any other SAP-product where we logically have excellent proficiency and expertise, but also all other software components sitting on the customer’s systems such as operating systems, third party application servers and so on.

That all I think sounds like a reasonable load of work done only for the sake of the security of our customers, but is it enough? Well one could say it is, but we decided to enhance the attack detection and prevention capabilities for our customers. Therefore we have deployed and integrated:

  • multiple tier firewalls
  • IDS/IPS appliances
  • We provide Web Application Firewall (WAF) services for the customer applications which can be applied out-of-the-box or trimmed down to the specific needs of the customer‘s application/service.

Detective and preventive controls and appliances are nice and often smart enough to reasonably respond to attacks by themselves, but in case of a serious attack, actions should be taken by people and these actions should be taken quickly – therefore all these detective/preventive services and devices are hooked to a 24×7 security monitoring center where SAP personnel can perform analysis, plan mitigating activities and take respective actions.

This all sounds like a nicely engineered secure environment. But is it perfectly secure? No! Anyone working long enough in the field of IT security knows that there is no perfect security – it is more of a constant race to be ahead of trouble. With that statement in mind we are constantly striving for improving the security of HEC and respectively of our customers. Therefore, we have taken actions and organized different activities and projects which help us improve ourselves:

  • We have implemented ongoing automated regular penetration tests externally over the Internet
  • We perform internal vulnerability scanning of systems
  • We organize black-box / white-box security challenges and technical security validations where third party security experts try to deliberately circumvent our security controls and measures.

All these sources provide us valuable information which help us continuously improve the Hana Enterprise Cloud security and the security of our customers!

Hope you enjoyed the post – if you are more interested in HEC Security, please see also HEC IT Security & Compliance or contact us!

To report this post you need to login first.

10 Comments

You must be Logged on to comment or reply to a post.

  1. Andy Silvey

    Hi Peter,

    thank you for the information.

    I have been wondering about using Hana Cloud as an improvised Web Access Management solution (without the bells and whistles of for example SiteMinder).

    I blogged the thoughts here.

    Question, has the Hana Cloud been penetration tested, and what are/were the results ?

    Kind regards,

    Andy.

    (0) 
    1. Peter Todorov Post author

      Hi Andy,

      Hana Clould Portal is a different SAP service from Hana Enterprise Cloud (HEC) – which is more of a private cloud service we provide where cusomers can consume Hana and Hana-based solutions as well as many other SAP products even certain third-party products.

      AFAIK colleagues in development also follow very strict processes and security validation quality gates, but here I will have to refer you to the Hana Cloud Portal colleagues (SAP HANA Cloud Platform, Portal Service).

      I wish you a very successful 2014!!

      Best Regards,

      Peter

      (0) 
      1. Andy Silvey

        Hi Peter,

        yes the Hana Cloud Portal and Hana Enterprise Cloud are different services, and the question remains, for security savvy SAP Customer’s will need to know, has the Hana Enterprise Cloud service been penetration tested and what were the results and is it a regular exercise ?

        Security Penetration Testing can cover infrastructure application components, or whole solutions or whole landscapes, depending upon budget, high level risk classifications and business motivations.

        If a security savvy SAP Customer uses Hana Enterprise Cloud service as part of a solution which has a high risk high level risk classificiation then the question and demand will arrive, what are the results of security penetration testing of the whole solution.

        As this blog goes into detail concering the security of the Hana Enterprise Cloud service, then I am curious as to whether SAP are planning penetration testing regularly to be able to demonstrate to security savvy SAP Customers the level of security of the SAP Hana Enterprise Cloud service, now or in the future.

        Alternatively, security savvy SAP Customers would execute their penetration tests, but regardless of that, as a baseline it would be nice to know that the SAP Hana Cloud service is regularly penetration tested.

        Kind regards,

        Andy.

        (0) 
        1. Peter Todorov Post author

          Hi Andy,

          yes, there are automated penetration tests being performed on scheduled basis and will be performed in the future.

          A great benefit for us are also the dedicated pen test challenges which we have organized and will organize in the future on regular basis – we carefully define the scope so that we are sure that we have covered security from all angles. In the past we have had dedicated architectural reviews – more of the paper/pencil table exercises where we bring the pen tester perspective by inviting external parties which provide such services. We have had black/white-box pen testing exercises where pen testers get a typical HEC environment for themselves and try to break stuff – escape their network segment, attack other customers, attack SAP management networks, etc. These have also proven to be very helpful and we will perform them on regular basis in the future as well.

          The pen test reports as such are though confidential and we cannot share these in the open space. I can though ensure you that all security improvements suggested  there are being addressed and implemented.

          Cheers,

          Peter

          (0) 
          1. Andy Silvey

            Hi Peter,

            thank you, that is really good to know.

            Suggestion: Add a section to this blog, and give space to this feedback, this information justifies as a minimum a paragraph in the above blog, or even better, a blog of it’s own sharing what you have written in greater detail and proudly explaining how SAP is doing the most possible to keep the SAP Hana Enterprise Cloud service secure.

            Also wishing you and the Team all the success for 2014 🙂

            Best regards,

            Andy.

            (0) 
  2. Shoyeab Ahmed

    Love it..  especially the 2-layered detective and preventive steps being undertaken along with 24×7 security monitoring….

    “detective/preventive services and devices are hooked to a 24×7 security monitoring center where SAP personnel can perform analysis, plan mitigating activities and take respective actions.”

    Regards,

    Shoyeab

    LinkedIn

    (0) 
  3. Ashok Babu Kumili

    Hello Peter Todorov,

    Perfect document to understand the basic concepts of  “HANA Enterprise Cloud Security”. Very nicely written articles. Thanks for the examples & pictures used.. I learnt the key views. It has been summarized very nicely

    Regards

    Ashok

    (0) 

Leave a Reply