Skip to Content
Author's profile photo David Cruickshank

Encryption for SAP HANA in the Cloud

Sticking with my plan to share some COIL updates ahead of SAP SapphireNow, I’m now paying close attention today to a cloud-based SAP HANA with 3rd party dB encryption project where SAP is working with partners Intel and Virtustream along with new COIL project member Vormetric (who is also partnering with Intel) to further explore the area of high-speed data at rest encryption and how this can be applied to the advantage of further securing the deployment and use of SAP HANA from the cloud. This has been an amazing composition of participants taking advantage of the degree that Intel and Vormetric have collaborated with respect to encryption and system performance to Virtustream providing reality-based use case details. lastly it has been very impressive to work with our SAP colleagues out of Belfast who really set the bar high for performance engineering test development, execution and analysis.

SAP HANA is of course already natively secure and is designed to provide robust authorization, single-sign on and access control and with management controls allowing it to be securely deployed in support of countless use cases ranging from applications that run over relational databases or as a platform for developing entirely new innovations. There’s lots of solid and useful information on this topic with specific details useful to an SAP HANA administrator.

The reader will also find additional information about SAP Cloud Security in that its cloud solutions contain security controls and practices designed to protect the confidentiality, integrity, and availability of customer information. These controls are further implemented my third parties that provision SaaS cloud services for SAP, and to its internal organization.

For this project, the team is intent to validate and to demonstrate capabilities required to maintain compliance, security and SLAs of SAP HANA in the Cloud. It is a timely project in that SAP’s own Cloud Privacy team advocates providing complete customer-controlled encryption. Many of the cloud solutions from SAP, encrypt data in a way that doesn’t affect applications – they decrypt the data on the fly when applications access the data, but keep the data encrypted for other types of access. In the future, we want customers to be able to control this encryption and decide how and when they want to access it.

It is exactly with this notion in mind that the encryption solution stemming from this collaborative project work at COIL, uses hardware assisted high-performance data-at-rest encryption, access control and security intelligence gathering to secure data and satisfy auditors of meeting compliance requirements.

Project Use Case, Testing and Observations-

This COIL Project Evaluates two important dimensions:

      1.) Demonstrate minimal performance overhead due to encryption

            a.    No need for customers to trade off performance for security

There is more analysis to come via whitepapers and an introduction and summary of the results was shared during the demo theatre presentation On June 3rd at SAP SapphireNow. You can also pick up a nice summary of the results now over at Vormetric’s Blog.

2.) Further effort is made to attribute the performance characterizations made during the project to then demonstrate how to apply the Security architecture and Vormetric Data Security solutions to SAP HANA in the cloud.  This demonstrates-

a.)   The SAP Hana Data in the cloud is encrypted

b.)   The Customer is the custodian of the encryption keys

c.)   Service provider personnel don’t have access to data
       but can still provision and manage the infrastructure

d.)   Exploit Intel’s AES-NI instructions and other enhancements in
       the latest Intel chipsets to accelerate cryptographic computations

A complete whitepaper from COIL will soon be published where you can learn more about the Vormetric Transparent Encryption and Access Control technology and which will further describe the tests performed showing the measured throughput and latency in more detail but the net conclusions are:

  1. Secure SAP HANA-as-a-Service
  2. Consistently Encrypt persistent storage, logs and configurations. (SAP Persistent Data and associated logs, configs, etc. (if they contain sensitive or regulated data, are under the same risks as every other bit of data whether in the on premise, DC or in the cloud)
  3. Maintain governance over keys, policies and data
  4. Control data access from Enterprise and Cloud privileged users
  5. Reduce threat surface available to APTs and Malware acting as “Insiders”
  6. Gain data access security intelligence through audit and alert on data access
  7. All with very little performance overhead as characterized by this project

What does the Outcome of this Project Signify?

The results observed from the tests the team pursued against Intel Westmere and Ivy-bridge chip architectures is certainly valuable in that it provides an indication that the performance of given OLTP workloads processed through Vormetric’s encryption algorithms does not induce an unfavorable degree of overhead against an SAP Hana database.

There is clearly much more to be explored and observed by employing more use cases and working against different I/O performance targets.

In this project our performance engineering leads would still like to test with higher system utilization to see the extreme case when there is saturation (> 90% CPU usage). Early speculation is that, before ever reaching that point testers will observe a bottleneck at another layer of the system, (e.g., storage layer).

The team already anticipates the question about encryption impact on system performance for high to saturation levels will be asked, so more work will need to be done as the numbers we have now we can only support and provide evidence for the entry-level to the “beginning of mid-range” system utilization, i.e., up to ~40% CPU usage.

Yet another question to address is that once we declare a satisfactory performance outcome that includes persistent ability to more effectively encrypt in the cloud does this help to further satisfy a firm’s security and privacy goals for its data?

Doing More Securely with SAP Hana in the Cloud

SAP HANA leads the charge in changing High-speed data analytics in ways allowing companies to better compete by harnessing real-time insights to support their most important business processes. As mentioned prior, SAP and SAP partner provided S-a-a-S is comprehensive and assures data segregation at every layer of the stack.

While few disagree that Cloud computing offers game-changing capability for business computing, and even with the highly robust capabilities deployed by cloud providers like SAP, many companies do remain reluctant to deploy mission-critical applications in hosted cloud environments. Although they would like very much to derive the potential benefits, they have understandable concerns about security and compliance.

What is being observed from this COIL project work is that there is even more to leverage with respect to the protections afforded through data encryption for companies to seriously consider running mission critical applications deployed over SAP HANA where multiple data types can be safely encrypted and for encryption key management directly controlled by the owners actually responsible for the data.

This COIL project serves as a practical examination of how this security model and architecture, as tested and proven in the SAP COIL labs  by multiple partners with expertise in enterprise class databases & analytics, hardware & systems, data security and cloud infrastructure & HANA services is a significant milestone. It is demonstrative of the availability of a high performance data security solution for SAP HANA that will help enterprise customers meet their compliance requirements while hosting their data in the cloud.

From this initial validation work that is very much aligned with the best practices and defense in depth strategy surrounding SAP HANA in the cloud, and where Vormetric drives additional value through its approach to encryption key management.

Where to learn more?

Watch the COIL SCN page for a link to the whitepaper and you can also visit Vormetric and have a look at Ashvin’s informative post.

Thanks greatly to Ashvin, Bing, Kathy, Charles, Bill, Wes, Kevin, Sergio and the entire project team for contributing to all of the content shared here. For those who like the system details, here’s the rig all the testing has run through. (Thanks Sergio!)

HW specs of the systems used:

  1. 1.     Hardware specs:

IvyBridge 4-socket 60-core Intel Xeon E7-4890 v2 @ 2.80GHz [1]

  • 1 TB DRAM
  • Intel Solid-State Drive 910 PCIe. 800 GB Flash card [3]

(for placing both log and data volumes which are on the file system which is guarded by Vormetric software)

Westmere 4-socket 40-core Intel Xeon E7-4870 @ 2.40GHz [2]

  • 1 TB DRAM
  • Intel Solid-State Drive 910 PCIe. 800 GB Flash card  [3]

(for placing both log and data volumes which are on the file system which is guarded by Vormetric software)

  1. 2.     Software specs:
  • SUSE Linux Enterprise Server 11.3 (SP3)
  • SAP HANA Support Package Stack (SPS) 06, revision 63.
  • TPC-C oltpbench, 365 GB dataset [4]


[1] IBM System x3850 X6

[2] Supermicro system

[3] Intel SSD 910 series

[4] OLTP-bench

Note: All experimentation done did not account for hyperthreading. There were 60 physical cores for IVB (otherwise we would have used 120 cores), and 40 physical cores for WM (otherwise we would have used 80 cores).

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Rohit Kar
      Rohit Kar


      Hi David,

      I was wondering how Vormetric is different from native HANA encryption.  As per SAP's documentation, native encryption is not effective if you enable it on an DB that has been operational for some time and its recommended to reinstall the DB.

      How would Thales-Vormetric differ from native encryption approach ? My question is specifically from on Prem instillations stand point.