Take data privacy to the next level with SAP HANA 2.0 SPS 03
Data protection and privacy are critical for business success in today’s world. Providing solid security and data protection features like full control of data access, a secure system setup and software that is resilient against attacks has therefore been a cornerstone of SAP HANA’s security strategy for years.
Looking at current headlines about security and data breaches, however, it is not surprising that security and compliance concerns make so many businesses hesitate to start new innovation projects. The fear of losing control of the security of their business data, and of violating compliance regulations such as GDPR, is on the mind of every company executive today.
This is why the new SAP HANA 2.0 SPS 03 release comes with a host of new advanced security features that help customers remove such innovation hurdles by securely enabling new data-centric use cases:
- Real-time data anonymization lets you gain analytic insights from your data while protecting the privacy of individuals
- Column encryption with client-controlled keys lets you keep your data always encrypted on the server side, both at rest and in-memory
- Shared SAP business application authorizations allow you to re-use your ABAP permissions in SAP HANA native scenarios
Real-time data anonymization
SAP HANA is the first business data platform to provide built-in, real-time data anonymization. While data masking is a very important tool for many use cases that need to hide parts of sensitive records (e.g. display only parts of a credit card number), it is often not suitable for protecting complex mass data: either the level of security is not sufficient, or the masked data is no longer usable for the intended purpose.
To properly anonymize data while still keeping the ability to use it in analytic scenarios, a different approach is needed. This is where SAP HANA anonymization comes into play.
Anonymization in SAP HANA is a structured approach to protect the privacy of individuals while enabling analytics on complex data sets at the same time. It lets you gain insights from data that could not be leveraged before due to regulations.
Anonymization is dynamic: you have real-time access to the anonymized data while the original data stays unchanged.
Two state-of-the-art anonymization methods are available:
- k-anonymity, which hides individuals in a crowd
- Differential privacy, which applies statistical noise to data to hide sensitive information
To learn more about these methods, check out my blog Going beyond masking: how to anonymize large data sets.
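To make the two methods concrete, here is an added Python example (not part of the original post and not SAP HANA's implementation). It generalizes quasi-identifiers until every group has at least k rows, and adds Laplace noise to a sensitive column; the sample rows, hierarchies, function names and parameter values are all constructed assumptions.

```python
import itertools
import random
from collections import Counter

# Constructed sample rows: gender and city are quasi-identifiers, salary is sensitive.
ROWS = [
    {"gender": "F", "city": "Paris", "salary": 5200},
    {"gender": "F", "city": "Nice", "salary": 4800},
    {"gender": "M", "city": "Munich", "salary": 6100},
    {"gender": "M", "city": "Berlin", "salary": 5900},
    {"gender": "F", "city": "Paris", "salary": 5000},
]
COUNTRY = {"Paris": "France", "Nice": "France", "Munich": "Germany", "Berlin": "Germany"}
# Generalization hierarchies (assumed): level 0 is the original value, "*" is suppressed.
HIERARCHY = {
    "gender": lambda v: [v, "*"],
    "city": lambda v: [v, COUNTRY[v], "*"],
}
QUASI = list(HIERARCHY)

def generalize(row, levels):
    return tuple(HIERARCHY[q](row[q])[levels[q]] for q in QUASI)

def k_anonymize(rows, k):
    """Pick the least-generalized levels where every group of identical
    quasi-identifier values has at least k rows; return (levels, view)."""
    depth = [range(len(HIERARCHY[q](rows[0][q]))) for q in QUASI]
    for combo in sorted(itertools.product(*depth), key=sum):
        levels = dict(zip(QUASI, combo))
        groups = Counter(generalize(r, levels) for r in rows)
        if min(groups.values()) >= k:
            view = [dict(zip(QUASI, generalize(r, levels)), salary=r["salary"]) for r in rows]
            return levels, view
    raise ValueError("no generalization level reaches k")

def laplace_noise(values, epsilon, sensitivity, rng):
    """Add Laplace(0, sensitivity/epsilon) noise to each sensitive value."""
    scale = sensitivity / epsilon
    # The difference of two exponentials with mean `scale` is Laplace(0, scale).
    return [v + rng.expovariate(1 / scale) - rng.expovariate(1 / scale) for v in values]

if __name__ == "__main__":
    levels, view = k_anonymize(ROWS, k=2)
    print(levels, view)
    print(laplace_noise([r["salary"] for r in ROWS], 0.5, 1000, random.Random(7)))
```

Raising k forces coarser values (here, city becomes country and then is suppressed), while lowering epsilon widens the noise; both trade analytic accuracy for privacy.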
Using the Web IDE tool, you can define custom anonymization views on the live data and fine-tune the configuration parameters. This means you can adapt the settings to your specific needs and have full transparency of the algorithms that are applied.
Anonymization is completely integrated into SAP HANA’s security framework, meaning that you have full control over all access to the anonymized data. Additionally, the SAP HANA audit framework allows you to track all access to the anonymized data.
But technically setting up anonymization is not enough – whenever you are dealing with personal data, data protection regulations apply. This means that any scenarios or applications that you build on top of such data usually need to be approved by a data protection officer.
But how to best talk to your data protection officer about the technical configuration? We have recognized that this is a very important piece in any data-related discussion today and want to provide you with as much support as possible. For data anonymization we have therefore created a special view for data protection officers in SAP HANA Cockpit that shows all anonymization scenarios, including the chosen methods and parameters.
Want to learn more? Visit our anonymization web page at http://www.sap.com/data-anonymization
Column encryption with client-controlled keys
Encryption provides an additional layer of protection for data. SAP HANA has comprehensive encryption capabilities for data at rest and in motion.
The new column encryption adds a new dimension. It is more fine-granular than the existing methods: you specify which columns in a table should be encrypted. As the keys are completely controlled by the client driver, the data on the server side will always be encrypted, both at rest and in-memory.
Shared SAP business application authorizations
You can now manage authorizations for SAP applications like S/4HANA or SAP Business Suite and SAP HANA applications in one place. SAP HANA lets you create matching analytic privileges for ABAP PFCG roles.
This ensures consistent access to SAP business data from both SAP applications, and from applications built using the XS Advanced framework. Avoiding double maintenance for authorizations significantly simplifies operations and helps you lower costs.
These are just the security highlights of SAP HANA 2.0 SPS 03, but there is much more:
- Dynamic data masking is now available both for tables and views, to protect sensitive data from DBAs and power users. Read this blog to learn more.
- Automatic LDAP user provisioning and a native LDAP authentication allow you to significantly reduce efforts for user management by implementing a central user directory strategy.
- The new audit log viewer in SAP HANA Cockpit allows you to easily filter and sort audit log entries and to monitor critical accesses.
- New best practice guide for developing SAP HANA roles using HDI/XS Advanced – download your copy here
Also check out the updated security guide, and read this blog by SAP HANA Academy.
For general information on the SAP HANA 2.0 SPS 03 enhancements, you can get an overview in this blog, or read the SPS03 release notes.
And don’t forget to visit our SAP HANA security website at http://www.sap.com/hanasecurity
Great ideas. A bit mind-boggling when you think about the things that need to be protected.
We have been getting conflicting information about data encryption in SAP HANA memory. So we called in our MaxAttention and had an expert session to, among other things, discuss best practices in protecting PII data of our customers. The solution recommended by MaxAttention was to enable data volume encryption (data-at-rest) and data masking to prevent privileged users from being able to view PII data at OS level or by SQL commands.
After reading this blog there seems to be a contradiction or knowledge gap with our SAP MaxAttention folks. MaxAttention informed us that encrypting data in SAP HANA memory is not available! So, what is it? Is SAP HANA data encryption in memory supported (we are in HANA 2.0 SP3)? Did we just waste our MaxAttention $$$?
If in fact HANA 2.0 SP3 column encryption (both memory and at-rest) is available, what is the impact on system performance? Where can we get detailed information on how to encrypt data in memory?
Please let us know. Thanks!
Thank you for the feedback.
As securing a system usually requires a combination of different security technologies and processes, it is difficult for me to judge what the best approach in your specific scenario would be.
I have therefore already contacted our support organization, and a DBS colleague will contact you to get the issue resolved. SAP HANA Development will support as required.
Thanks for the great article!
But I want to ask: is there any mechanism to protect generated SAP External HANA Views for some objects? What is a better way to protect 0EMPLOYEE tables and generated views from being read by developers who are not responsible for HR development?
Could you please provide some more information on your use case (which SAP solution etc.)?
Simple case: we have SAP HCM (ERP) and SAP BW, which stores, for example, Employee data. We have a lot of developers in BW with BI_ALL access. What is the correct way to restrict access to HR object tables in BW, i.e. to restrict SELECT * FROM EMPLOYEE?
Now I understand this is not a goal for masking or anonymizing data.
The better way is using own schemas in HANA, I guess.
Typically, customers do not load the productive, sensitive HR data into a development system, where developers have BI_ALL authorizations.
Conversely, in productive systems, which have the sensitive data, administrators will not have BI_ALL authorizations.
Is it possible to use this tool when we are using only HANA DB, not the S4 suite? No CDS view is available. Also: anonymizing the data during client copy from production.
Is TDMS a better option than using this tool if we have to anonymize the production copy to a test system?
Data anonymization is part of the HANA core functionality, not an additional tool.
The main purpose is to provide an anonymized view of data in HANA, while the original data stays unchanged. This works "in place" on the live data in HANA. Typical use cases would be, for example, building dashboards on live data in HANA that only access the anonymized version of the data via such a view. See e.g. this blog: https://blogs.saphana.com/2019/04/15/anonymize-like-a-rock-star-or-whats-new-on-data-anonymization-this-spring-in-sap-hana/
You can of course use standard database export functionality to export data from HANA via such an anonymized view, but this was not the primary use case that the real-time data anonymization function was developed for.
Thanks for the response and also for the link. Much Appreciated!
Will SAP ERP 6.0 EHP8 support the column encryption of HANA DB 2.0 SP03?
This is currently not planned (as far as I know).
I have forwarded the question to the relevant SAP team in case they have any other information.
ABAP Application Server does not support HANA client-side encryption