SAP HANA 2.0 SPS 05 Security | Hands-on

What’s New – Security

SAP HANA Platform

The SAP HANA 2.0 SPS 05 release introduces a single new feature:

1. NEW: We can now connect the local secure store (LSS) to SAP Data Custodian key management service.
2. CHANGED: We can now use LSS for production.

As documented,

• SAP HANA Server Installation and Update (New and Changed) – SPS 05

For an overview from product management, see

• Expedite Your Security Configuration with SAP HANA 2.0 SPS 05 by Melanie Handreck

LSS was introduced last year with SPS 04 (non-production single-host single-tenant scenarios), together with

• SQL commands to create anonymized views, the procedure GET_ANONYMIZATION_VIEW_STATISTICS, plus l-Diversity and k-Anonymity configuration (see Tutorial Video below)
• CEK and CKP versioning (see Tutorial Video below)
• Retention period for auditing, read-only access to the trail, plus audit policies for tenant databases
• GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS procedure to debug “insufficient privilege” errors, which now all return a GUID; as of SAP HANA cockpit SP11 there is also an app for that
• Host-specific certificate collections for TLS/SSL and provider-specific certificate collections for single sign-on (SSO) using SAML assertions and JSON Web Tokens (JWT) with optional case sensitivity of user matching
• Object privilege REMOTE TABLE ADMIN authorizes a user to create a table on a remote source object.

As documented (also includes all new features introduced with SPS 03, 02, 01, and 00)

• SAP HANA Server Installation and Update (New and Changed) – SPS 04

SAP HANA Cockpit

The list of new features for the SAP HANA cockpit and the SAP HANA database explorer is extensive. Most security-relevant information is listed under User Management and Security Administration.

SP 12 (June 2020)

• Temporarily deactivating a cockpit user
• Log in to SAP HANA cockpit using Kerberos SSO
• Configuration wizard for user group management
• Configuration wizard for audit policies

SP 11 (Oct 2019)

• Removal of OS-level access from tenant database administrators, e.g. access to trace files, platform lifecycle management tasks, of full system information dumps (offline)
• App to debug “insufficient privilege” errors by providing GUID plus new authorization dependency viewer
• Licenses require usage type
• Cockpit Manager enhancements for resource groups and technical user

As documented (SP00 – SP12)

• What’s New in SAP HANA Cockpit 2.0

Tutorial Videos

Data Masking and Data Anonymization

Data masking was introduced with SAP HANA 2.0 SPS 02 in 2017. For an introduction, read

• Protect your sensitive data using SAP HANA’s new dynamic data masking by Aleks Aleksic (2017)

Data anonymization, “knowing without seeing”  was added to SAP HANA in the same release and further enhanced with SPS 04 last year.

• Anonymize like a Rock Star! (or: What’s New on Data Anonymization this Spring in SAP HANA) by Stephan Kessler (2019)

For SAP HANA Cloud, Philip MUGGLESTONE recently published several excellent video tutorials. This works exactly the same for the SAP HANA platform (on premises)

• Getting Started with SAP HANA Cloud V | Hands-on Video Tutorials

Client-Side Encryption

Client-side encryption was introduced with SAP HANA 2.0 SPS 03. We posted a blog on the topic at the time including several tutorial videos how to get started. This information is still accurate and valid.

• SAP HANA Client-Side Data Encryption – by the SAP HANA Academy

For the changes added in the SPS 04 release, column encryption key and client key pair versioning, see the guide on the topic.

• SAP HANA Client-Side Data Encryption Guide

SAP Data Custodian

Key Management Services (KMS)

SAP Data Custodian key management service provides an independent key management service that is separated from the cloud providers hosting your data to protect data in public, private, hybrid, or multi-cloud environments, simplifying provisioning and control of encryption keys.

For more information, visit the product home page, read the solution brief, or the latest blog

• SAP Data Custodian
• Introducing SAP Data Custodian Key Management Service
• Take Control of Your Encryption Keys with SAP Data Custodian Key Management Service by Wasif Gilani (May 2020)

SAP HANA – SSFS, LSS and KMS

You can use the LSS to store the roots keys used for the encryption of the data volume, redo log,  backups, the application encryption service, password of the root key backup, plus any additional configuration information considered sensitive.

Unlike the Secure Stores in the File Server (SSFS) technology used alternatively, LSS runs as a separate service under an isolated operating system user <sid>crypt allowing for a separation of duties between system and security administration.

• Server-Side Data Encryption Services – SAP Security Guide

How to configure SAP HANA to use SAP Data Custodian is documented in the Security Guide and accompanying note.

• Using the Local Secure Store with an External Key Management System – SAP Security Guide
• 2911896 – How to Configure an SAP HANA System to Use the SAP Data Custodian Key Management Service

Key management configuration is performed using SQL. There is no graphical user interface yet, as common with the newest feature, but typically this is added to SAP HANA cockpit in a subsequent Support Pack (SP).

ALTER SYSTEM|DATABASE ADD KEY MANAGEMENT CONFIGURATION
ALTER SYSTEM|DATABASE ACTIVATE KEY MANAGEMENT CONFIGURATION

To get information you can query monitoring view KEY_MANAGEMENT_CONFIGURATIONS.

Share and Connect

Enjoyed the blog? Post a comment, share on social media, and/or give a like. Thanks!

If you would like to receive updates, connect with me on

• LinkedIn > linkedin.com/in/dvankempen
• Twitter > @dvankempen

Best,

Denys van Kempen