Securing SAP HANA with the Operating System
IT security is a very important topic in almost any organization. Newspapers report frequently about new IT security incidents like hacked websites, successful Denial-of-Service attacks, stolen user data like passwords, bank account numbers and other sensitive data. Aside of the publicly reported attacks, there is also a large number of incidents that are not reported to the public. In particular, these cases are often related to espionage, where the affected party has no interest to report an incident.
Security experts all agree, that for protecting sensitive data, an organization must have an comprehensive security concept in place, taking all eventualities into account, that can potentially lead into security risks. This starts with properly setup policies, like a password policy and data protection policies for users and system administrators, continues with a protected IT environment using i.e. firewalls, VPNs, SSL in communication protocols and ends with hardened servers, intrusion detection systems, data encrypting and automated security reporting. Additionally, many organizations perform security audits on a regular basis in order constantly guarantee a maximum of security in their IT environment.
Comprehensive security concepts usually pay a high attention on database systems, since databases belong to the most critical pieces in each IT environment. Database systems, that potentially store sensitive data, are naturally very popular targets for hackers. Therefore, they must uniquely be protected.
The SAP HANA database typically stores business related information and very often, this information can be considered as being critical. In particular this is the case for ERP systems using SAP HANA as their database. Also many other SAP applications using HANA, like BW systems, might store sensitive data in the database.
SAP pays high attention on the security topic. For SAP HANA, there is a comprehensive security guide available, that describes in detail how to protect HANA from a database perspective. The guide also refers to security concepts for other connecting layers that are separate from the HANA database. This is for example the network and storage layer. However, these topics are described very generic and there is no specific guidance on how to apply these recommendations i.e. on the Operating System level.
At least as important as the security of the HANA database is the security of the underlying Operating System. Many hacker attacks are targeted on the Operating System and not directly on the database. Once a hacker gained access and sufficient privileges, he can continue to attack the running database application.
SUSE Linux Enterprise server is the recommended and supported Operating System for SAP HANA. SUSE has a long running history in IT security for Linux Operating Systems and offers a comprehensive security package for the SUSE Linux Enterprise Server to protect systems from all kind of security incidents. This package consists of the following components:
- Security certifications: SUSE Linux Enterprise 11 Operating System achieved many important security certifications, like Carrier Grade Linux (CGL) Registration, FIPS (Federal Information Processing Standard) 140-2 validation for OpenSSL and Common Criteria Security certification EAL4+.
- Security updates and patches: SUSE constantly provides security updates and patches for their SLES Operating Systems and guarantees high security standards over the whole product lifecycles.
- Documentation: SUSE published a security guide, that describes the security concepts and features of the SUSE Linux Enterprise Server 11 Operating System. The SLES security guide provides generic security information valid for all workloads, not just for SAP HANA.
In order to further improve the security standard specifically for HANA, SUSE is currently developing a guide, dedicated for the security hardening of SUSE Linux Enterprise Server 11 running SAP HANA databases. It is meant to fill the gap between the generic SLES security guide and the HANA security guide. SUSE works together with a large pilot customer in order to identify all relevant security settings and avoid problems in real world scenarios. Also, SUSE works together with SAP to validate the hardening settings and to provide best compatibility with HANA.
The guide will provide detailed descriptions on the following topics:
- SUSE Linux Enterprise hardening settings for HANA: A Linux Operating System provides many tweaks and settings to further improve the OS security and the security for the hosted applications. In order to be able to fit for certain application workloads, the default settings are not tuned for maximum security. This guide will describe how to tune the OS for maximum security when running specifically SAP HANA. It will also describe possible impacts, i.e. on system administration and give a prioritization of each setting.
- Local firewall for SAP HANA systems: A local running firewall further improves the network security of a HANA database, even if the network, a HANA database is connected to, is already behind a firewall. Network-local attacks (i.e. inside of a DMZ) and also the opening of additional ports on already infiltrated systems can thus be minimized. The OS security hardening guide will describe, how to configure a local firewall dedicated for HANA database systems.
- Minimal package selection: The fewer OS packages a HANA system has installed, the less possible security holes it might have. According to that principle, the hardening guide will describe which packages are absolutely necessary and which packages can be safely discarded. As a nice side effect, a minimized amount of packages also reduces the number updates and patches that have to be applied to a system.
All in all, this guide will cover all important topics in detail for the OS hardening of a SAP HANA system. Together with the other security features of SUSE Linux Enterprise Server 11, like the security certifications (CGL, FIPS, EAL4+) and the constantly provided security updates and patches, HANA can run in a very secure environment, meeting highest security standards and being able to fit in corporate security concepts of organization of all sizes.
The guide for the security hardening of SUSE Linux Enterprise Server 11 running SAP HANA databases is in final development stage and will be available early Q2 2014. Comments and feedback are welcome so feel free to post them here. I will post a blog with the guide on SCN once it is publicly available.