Encryption for HANA in the cloud – Findings of a collaborative COIL project with Intel, Vormetric, and Virtustream
At the age of the cloud, corporate and government data breaches are in daily headlines. These breaches can be deadly expensive.
As the most important asset of every enterprise, mission critical data must be secured using a combination of access controls, mature key management, and encryption. Used by enterprises both for transactional data operations and for real-time analytics, SAP HANA stores and processes sensitive enterprise data. It is no longer sufficient to secure just the perimeter of the data centers where HANA is hosted; encryption of the mission critical data managed by HANA is becoming more and more critical for many of our customers, especially when HANA is deployed in the cloud and offered as a service.
However, the overhead of encrypting data often leads to trade-offs between performance and security.
What we have found at COIL
Thanks to recent innovations in hardware that accelerate encryption at the processor level, trade-offs between performance and encryption are no longer necessary. Working closely with Intel, Vormetric, and Virtustream, SAP Co-innovation Lab (COIL), with the help of our HANA product management team, the HANA Enterprise Cloud team, and many other SAP groups, has shown that with the recent AES-NI innovations in the Intel Xeon processor family and the Vormetric encryption software enhancements that optimally exploit AES-NI, large data sets on SAP HANA can be encrypted or decrypted with virtually no performance overhead.
Motivated by real customer requirements provided by Virtustream and the SAP HANA Enterprise Cloud team, the COIL project focuses on evaluating an encryption solution for HANA that addresses the following challenges with minimal performance overhead:
- Secure customers’ data using a combination of access controls and encryption
- Lock cloud administrators out of access to the data without impeding their ability to perform administrative tasks (this applies even to “root” accounts)
- Leave the owner of the data in full control of the encryption keys
The following diagram provides a high level overview of the solution we tested at COIL, and all our findings are documented in two papers:
- For a business oriented summary, check out the paper published on Intel's website: http://www.intel.com/content/www/us/en/cloud-computing/cloud-security-xeon-e7-v2-sap-virtustream-paper.html?cache=no
- For those who want a technical deep dive into the tests and results, check out the COIL whitepaper published today on SCN: https://scn.sap.com/docs/DOC-58601
We have a lot of people to thank…
The COIL project is a true example of great collaboration among teams across organizational and geographical boundaries.
Here is a list of the core virtual team members from the 4 participating companies who have spent many days and nights together over the last couple of months working on bringing our technologies together to address the encryption challenges of our customers: David Cruickshank (SAP SE), Tariq Ellahi (SAP), Roger Guedes (SAP), Mark Hourani (SAP), Heather Li (SAP), Kevin Liu* (SAP COIL lead), Sergio Pacheco-Sanchez (SAP), Carmelo Ragusa (SAP), Jay Thoden van Velzen (SAP), Kathy Barboza (Intel Corporation), Todd Christ (Intel), Martin Guttmann (Intel), Bing Wang* (Intel lead), Ashvin Kamaraju* (Vormetric, Inc. lead), Sridharan Sudarsan (Vormetric), Carlos Wong (Vormetric), Michael Powell (Virtustream Inc.), Gregsie Leighton (Virtustream), Vince Lubsey* (Virtustream lead), Pete Nicoletti (Virtustream).
As the leads of the participating companies, Bing, Ashvin, and Vince invested a tremendous amount of time and effort to make sure the right resources from each company were brought to the team and that real customer challenges were addressed by the solution we evaluated. Many colleagues in the participating companies helped the team in various phases of the project; to mention just a few to whom we are thankful: Frank Ober of Intel for getting us SSDs, Andi Kleen for helping us debug the Linux kernel, and Craig Piece for helping us resolve our networking issues.
With the continuous support of the entire team, Sergio and his teammates in Belfast, UK did an excellent job of driving the critical performance tests and documenting our findings.
As the COIL lead, I would like to thank all the SAP colleagues who supported us throughout the lifespan of the project, in particular our SAP executive sponsors for this project, Clark Masters and Wesley Mukai; our HANA product management colleague Mark Hourani, with support from Michael Eacrett, Holger Mack, and Andrea Kristen; and the entire COIL computing center team. Nothing could have been done without your valuable support.