Data protection and privacy are critical for business success in today’s world. Providing solid security and data protection features like full control of data access, a secure system setup and software that is resilient against attacks has therefore been a cornerstone of SAP HANA’s security strategy for years.
Looking at current headlines about security and data breaches, however, it is not surprising that security and compliance concerns make so many businesses hesitate to start new innovation projects. Fear of losing control of the security of their business data, and of violating compliance regulations such as GDPR, is on the mind of every company executive today.
This is why the new SAP HANA 2.0 SPS 03 release comes with a host of new advanced security features that help customers remove such innovation hurdles by securely enabling new data-centric use cases:
- Real-time data anonymization lets you gain analytic insights from your data while protecting the privacy of individuals
- Column encryption with client-controlled keys lets you keep your data always encrypted on the server side, both at rest and in-memory
- Shared SAP business application authorizations allow you to re-use your ABAP permissions in SAP HANA native scenarios
Real-time data anonymization
SAP HANA is the first business data platform to provide built-in, real-time data anonymization. While data masking is a very important tool for many use cases that need to hide parts of sensitive records (e.g. display only parts of a credit card number), it is often not suitable for protecting complex mass data: either the level of security is not sufficient, or the masked data is no longer usable for the intended purpose.
To properly anonymize data while still keeping the ability to use it in analytic scenarios, a different approach is needed. This is where SAP HANA anonymization comes into play.
Anonymization in SAP HANA is a structured approach to protect the privacy of individuals while enabling analytics on complex data sets at the same time. It lets you gain insights from data that could not be leveraged before due to regulations.
Anonymization is dynamic: you have real-time access to the anonymized data while the original data stays unchanged.
Two state-of-the-art anonymization methods are available:
- k-anonymity, which hides individuals in a crowd
- Differential privacy, which applies statistical noise to data to hide sensitive information
To learn more about these methods, check out my blog Going beyond masking: how to anonymize large data sets.
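To make "hiding individuals in a crowd" concrete, here is an added Python sketch of k-anonymity by generalization; it is not SAP HANA code and not the algorithm SAP HANA uses. The sample rows, the generalization levels and all function names are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample rows: (age, zip_code, diagnosis). Age and ZIP are the
# quasi-identifiers; diagnosis is the sensitive value kept for analytics.
ROWS = [
    (34, "69190", "flu"), (36, "69191", "asthma"), (38, "69115", "flu"),
    (41, "69117", "diabetes"), (45, "69120", "flu"), (47, "69121", "asthma"),
    (52, "68159", "flu"), (55, "68161", "diabetes"), (58, "68163", "asthma"),
]

# Generalization hierarchy (an assumption of this sketch): each level widens
# the age band and keeps fewer leading ZIP digits.
LEVELS = [(1, 5), (5, 4), (10, 3), (20, 2), (100, 0)]  # (age_band, zip_digits)


def generalize(row, level):
    """Replace exact age and ZIP with the coarser labels of the given level."""
    band, digits = LEVELS[level]
    age, zip_code, diagnosis = row
    low = age // band * band
    age_label = str(age) if band == 1 else f"{low}-{low + band - 1}"
    zip_label = zip_code[:digits] + "*" * (5 - digits)
    return (age_label, zip_label, diagnosis)


def smallest_group(rows):
    """k of a table: size of the smallest group sharing the same quasi-identifiers."""
    groups = Counter((age, zip_code) for age, zip_code, _ in rows)
    return min(groups.values())


def k_anonymize(rows, k):
    """Return (level, rows) for the least generalization that reaches k-anonymity."""
    for level in range(len(LEVELS)):
        view = [generalize(r, level) for r in rows]
        if smallest_group(view) >= k:
            return level, view
    raise ValueError("fewer than k rows in the table")


if __name__ == "__main__":
    level, view = k_anonymize(ROWS, 3)
    print("level", level, "k =", smallest_group(view))
    for row in view:
        print(row)
```

The raw table has k = 1 (every person is unique on age and ZIP); the least generalization reaching k = 3 keeps ten-year age bands and three ZIP digits, so the diagnosis column stays usable for aggregate analysis.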
Using the Web IDE tool, you can define custom anonymization views on the live data and fine-tune the configuration parameters. This means you can adapt the settings to your specific needs and have full transparency of the algorithms that are applied.
Anonymization is completely integrated into SAP HANA’s security framework, meaning that you have full control over all access to the anonymized data. Additionally, the SAP HANA audit framework allows you to track all access to the anonymized data.
But technically setting up anonymization is not enough – whenever you are dealing with personal data, data protection regulations apply. This means that any scenarios or applications that you build on top of such data usually need to be approved by a data protection officer.
But how do you best talk to your data protection officer about the technical configuration? We have recognized that this is a very important piece in any data-related discussion today and want to provide you with as much support as possible. For data anonymization we have therefore created a special view for data protection officers in SAP HANA Cockpit that shows all anonymization scenarios, including the chosen methods and parameters.
Want to learn more? Visit our anonymization web page at http://www.sap.com/data-anonymization
Encryption provides an additional layer of protection for data. SAP HANA has comprehensive encryption capabilities for data at rest and in motion.
The new column encryption adds a new dimension. It is more fine-grained than the existing methods: you specify which columns in a table should be encrypted. As the keys are completely controlled by the client driver, the data on the server side will always be encrypted, both at rest and in-memory.
Shared SAP business application authorizations
You can now manage authorizations for SAP applications like S/4HANA or SAP Business Suite and SAP HANA applications in one place. SAP HANA lets you create matching analytic privileges for ABAP PFCG roles.
This ensures consistent access to SAP business data both from SAP applications and from applications built using the XS Advanced framework. Avoiding double maintenance for authorizations significantly simplifies operations and helps you lower costs.
These are just the security highlights of SAP HANA 2.0 SPS 03, but there is much more:
- Dynamic data masking is now available both for tables and views, to protect sensitive data from DBAs and power users. Read this blog to learn more.
- Automatic LDAP user provisioning and a native LDAP authentication allow you to significantly reduce efforts for user management by implementing a central user directory strategy.
- The new audit log viewer in SAP HANA Cockpit allows you to easily filter and sort audit log entries and to monitor critical accesses.
- New best practice guide for developing SAP HANA roles using HDI/XS Advanced – download your copy here
Also check out the updated security guide.
And don’t forget to visit our SAP HANA security website at http://www.sap.com/hanasecurity