Expedite Your Security Configuration with SAP HANA...
Technology Blogs by SAP
Security configuration is the first step towards innovating with confidence with SAP HANA. Whether it’s integrating securely into an existing landscape or trying out new functionality for the first time, configuration takes careful consideration.
This is why the new SPS 05 release of SAP HANA 2.0 provides important enhancements addressing these challenges:
External key server support provides more options to control access to the SAP HANA data encryption keys
Secure setup wizard offers a workflow and value suggestions for user group and audit policy configuration
Role editor in the Web IDE minimizes the overhead of role building
These new features fit seamlessly into SAP HANA’s comprehensive security framework which enables businesses to innovate with confidence: with secure access to data and applications, a secure setup, and software that is resilient against attacks.
External key server support
Full data-at-rest encryption (including redo log encryption), application data encryption (including encryption APIs), and native backup encryption are part of SAP HANA’s core feature set.
As of SAP HANA 2.0 SPS 05, it is also possible to use a key server to control access to the SAP HANA data encryption keys. The SAP HANA local secure store (LSS) is used to connect to the SAP Data Custodian key management service (KMS), the first supported key server. Support for other third-party key management servers or hardware security modules is planned for later.
LSS is a separate, lightweight utility, included in the SAP HANA installation, for storing and securely managing the HANA encryption root keys. It allows a stronger separation between system administration and encryption key management.
For more information on SAP HANA local secure store, check out the LSS documentation.
SAP Data Custodian KMS is a cloud product which is available as SaaS through a monthly or annual subscription. It supports customer-controlled keys and uses a FIPS 140-2 Level 3 compliant key vault. It is possible to import a key from your preferred HSM into Data Custodian KMS or you can generate the key with Data Custodian.
You can use a new wizard to quickly apply a basic configuration for audit policies or user groups.
Instead of manually configuring audit policies or user groups, you can use a wizard to apply SAP's recommended configuration settings. This allows you to quickly start working with audit policies and user groups.
For a registered database, the user interface notifies you if the audit policy or user group configuration was not completed using the base setup wizards. You have the option to disable these notifications.
With the new role editor, roles can now be defined by specifying role parameters with a combination of drop-down menus in the form-based role editor.
Role Editor
The role editor supports you in creating new roles and editing existing roles. You can grant or revoke roles or object, schema, analytic and system privileges from new or existing roles. To access the role editor in the Web IDE, right-click any .hdbrole file and click Open Role Editor.
Please check out the updated security guide. For general information on the SAP HANA 2.0 SPS 05 enhancements, you can sign up here for live expert sessions, or review the SPS 05 release notes.