Security configuration is the first step towards innovating with confidence with SAP HANA. Whether it’s integrating securely into an existing landscape or trying out new functionality for the first time, configuration takes careful consideration.
This is why the new SPS 05 release of SAP HANA 2.0 provides important enhancements addressing these challenges:
- External key server support provides more options to control access to the SAP HANA data encryption keys
- Secure setup wizard offers a workflow and value suggestions for user group and audit policy configuration
- Role editor in the Web IDE minimizes the overhead of role building
These new features fit seamlessly into SAP HANA’s comprehensive security framework, which enables businesses to innovate with confidence: with secure access to data and applications, a secure setup, and software that is resilient against attacks.
External key server support
Full data-at-rest encryption (including redo log encryption), application data encryption (including encryption APIs), and native backup encryption are part of SAP HANA’s core feature set.
As of SAP HANA 2.0 SPS 05, you can also use a key server to control access to the SAP HANA data encryption keys. The SAP HANA local secure store (LSS) is used to connect to the SAP Data Custodian key management service, the first supported key server. Support for other third-party key management servers or hardware security modules is planned for later.
LSS is a separate, lightweight utility, included in the SAP HANA installation, for storing and securely managing the HANA encryption root keys. It allows a stronger separation between system administration and encryption key management.
For more information on SAP HANA local secure store, check out the LSS documentation.
SAP Data Custodian KMS is a cloud product available as SaaS through a monthly or annual subscription. It supports customer-controlled keys and uses a FIPS 140-2 Level 3 compliant key vault. You can import a key from your preferred HSM into Data Custodian KMS or generate the key with Data Custodian.
Want to learn more? Review the SAP Data Custodian KMS documentation.
Secure setup wizard
You can use a new wizard to quickly apply a basic configuration for audit policies or user groups.
Instead of manually configuring audit policies or user groups, you can use a wizard to apply SAP’s recommended configuration settings. This allows you to quickly start working with audit policies and user groups.
For a registered database, the user interface notifies you if the audit policy or user group configuration was not completed using the base setup wizards. You have the option to disable these notifications.
Role editor in the Web IDE
The role concept in SAP HANA 2.0 provides a containerized approach to role development. You can read more about the concepts in the Best practices and recommendations for developing roles in SAP HANA guide.
With the new role editor, roles can now be defined by specifying role parameters with a combination of drop-down menus in the form-based role editor.
The role editor supports you in creating new roles and editing existing roles. You can grant roles or object, schema, analytic and system privileges to new or existing roles, or revoke them. To access the role editor in the Web IDE, right-click any .hdbrole file and click Open Role Editor.
For more details on the role editor, take a look at the design-time role documentation.
These are just the security highlights for SAP HANA 2.0 SPS 05, but there’s more:
- Kerberos single sign-on support for SAP HANA cockpit users offers an additional authentication mechanism in the SAP HANA Cockpit. For more details, see Enabling SSO with Kerberos or Create or Enable an SAP HANA Cockpit User.
And don’t forget to visit our SAP HANA security website at http://www.sap.com/hanasecurity