Skip to Content
Product Information

SAP HANA 2.0 SPS 05 Security | Hands-on

With this blog series we provide an update with the latest information about SAP HANA 2.0 SPS 05.

For the overview post, see What’s New in SAP HANA 2.0 SPS 05.

Any good? Post a comment, share on social media, and/or give a like. Thanks!

/wp-content/uploads/2016/02/sapnwabline_885687.png

What’s New – Security

SAP HANA Platform

The SAP HANA 2.0 SPS 05 release introduces a single new feature:

  1. NEW: We can now connect the local secure store (LSS) to SAP Data Custodian key management service.
  2. CHANGED: We can now use LSS for production.

As documented,

For an overview from product management, see

LSS was introduced last year with SPS 04 (non-production single-host single-tenant scenarios), together with

  • SQL commands to create anonymized views, the procedure GET_ANONYMIZATION_VIEW_STATISTICS, plus l-Diversity and k-Anonymity configuration (see Tutorial Video below)
  • CEK and CKP versioning (see Tutorial Video below)
  • Retention period for auditing, read-only access to the trail, plus audit policies for tenant databases
  • GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS procedure to debug “insufficient privilege” errors, which now all return a GUID; as of SAP HANA cockpit SP11 there is also an app for that
  • Host-specific certificate collections for TLS/SSL and provider-specific certificate collections for single sign-on (SSO) using SAML assertions and JSON Web Tokens (JWT) with optional case sensitivity of user matching
  • Object privilege REMOTE TABLE ADMIN authorizes a user to create a table on a remote source object.

As documented (also includes all new features introduced with SPS 03, 02, 01, and 00)

SAP HANA Cockpit

The list of new features for the SAP HANA cockpit and the SAP HANA database explorer is extensive. Most security-relevant information is listed under User Management and Security Administration.

SP 12 (June 2020)

  • Temporarily deactivating a cockpit user
  • Log in to SAP HANA cockpit using Kerberos SSO
  • Configuration wizard for user group management
  • Configuration wizard for audit policies

SP 11 (Oct 2019)

  • Removal of OS-level access from tenant database administrators, e.g. access to trace files, platform lifecycle management tasks, of full system information dumps (offline)
  • App to debug “insufficient privilege” errors by providing GUID plus new authorization dependency viewer
  • Licenses require usage type
  • Cockpit Manager enhancements for resource groups and technical user

As documented (SP00 – SP12)

/wp-content/uploads/2016/02/sapnwabline_885687.png

Tutorial Videos

Data Masking and Data Anonymization

Data masking was introduced with SAP HANA 2.0 SPS 02 in 2017. For an introduction, read

Data anonymization, “knowing without seeing”  was added to SAP HANA in the same release and further enhanced with SPS 04 last year.

For SAP HANA Cloud, Philip MUGGLESTONE recently published several excellent video tutorials. This works exactly the same for the SAP HANA platform (on premises)

 

 

Client-Side Encryption

Client-side encryption was introduced with SAP HANA 2.0 SPS 03. We posted a blog on the topic at the time including several tutorial videos how to get started. This information is still accurate and valid.

For the changes added in the SPS 04 release, column encryption key and client key pair versioning, see the guide on the topic.

/wp-content/uploads/2016/02/sapnwabline_885687.png

SAP Data Custodian

Key Management Services (KMS)

SAP Data Custodian key management service provides an independent key management service that is separated from the cloud providers hosting your data to protect data in public, private, hybrid, or multi-cloud environments, simplifying provisioning and control of encryption keys.

For more information, visit the product home page, read the solution brief, or the latest blog

SAP HANA – SSFS, LSS and KMS

You can use the LSS to store the roots keys used for the encryption of the data volume, redo log,  backups, the application encryption service, password of the root key backup, plus any additional configuration information considered sensitive.

Unlike the Secure Stores in the File Server (SSFS) technology used alternatively, LSS runs as a separate service under an isolated operating system user <sid>crypt allowing for a separation of duties between system and security administration.

 

How to configure SAP HANA to use SAP Data Custodian is documented in the Security Guide and accompanying note.

Key management configuration is performed using SQL. There is no graphical user interface yet, as common with the newest feature, but typically this is added to SAP HANA cockpit in a subsequent Support Pack (SP).

ALTER SYSTEM|DATABASE ADD KEY MANAGEMENT CONFIGURATION
ALTER SYSTEM|DATABASE ACTIVATE KEY MANAGEMENT CONFIGURATION

To get information you can query monitoring view KEY_MANAGEMENT_CONFIGURATIONS.

/wp-content/uploads/2016/02/sapnwabline_885687.png

Share and Connect

Enjoyed the blog? Post a comment, share on social media, and/or give a like. Thanks!

If you would like to receive updates, connect with me on

Best,

Denys van Kempen

/wp-content/uploads/2016/02/sapnwabline_885687.png

SAP HANA 2.0 – An Introduction

Just getting started with SAP HANA? Or do have a migration to SAP HANA 2.0 coming up? Need a quick update covering business benefits and technology overview. Understand the role of the system administrator, developer, data integrator, security officer, data scientist, data modeler, project manager, and other SAP HANA stakeholders? My latest book about SAP HANA 2.0 covers everything you need to know.

Get it from SAP Press or Amazon:

/wp-content/uploads/2016/02/sapnwabline_885687.png

/wp-content/uploads/2016/02/sapnwabline_885687.png

SAP HANA 2.0 Certification Guide: Technology Associate Exam

Preparing for your SAP HANA 2.0 technology associate exam? Make the grade with this certification study guide! From installation and configuration to monitoring and troubleshooting, this guide will review the key technical and functional knowledge you need to pass with flying colors. Explore test methodology, key concepts for each area, and practice questions and answers. Your path to SAP HANA 2.0 certification begins here!

Pre-order from SAP Press:

/wp-content/uploads/2016/02/sapnwabline_885687.png

/wp-content/uploads/2016/02/sapnwabline_885687.png

For the others posts, see

/wp-content/uploads/2016/02/sapnwabline_885687.png

Be the first to leave a comment
You must be Logged on to comment or reply to a post.