With this blog series we provide an update with the latest information about SAP HANA 2.0 SPS 05.
For the overview post, see What’s New in SAP HANA 2.0 SPS 05.
Any good? Post a comment, share on social media, and/or give a like. Thanks!
What’s New – Security
SAP HANA Platform
The SAP HANA 2.0 SPS 05 release introduces a single new feature:
- NEW: We can now connect the local secure store (LSS) to SAP Data Custodian key management service.
- CHANGED: We can now use LSS for production.
For an overview from product management, see
LSS was introduced last year with SPS 04 (non-production single-host single-tenant scenarios), together with
- SQL commands to create anonymized views, the procedure GET_ANONYMIZATION_VIEW_STATISTICS, plus l-Diversity and k-Anonymity configuration (see Tutorial Video below)
- CEK and CKP versioning (see Tutorial Video below)
- Retention period for auditing, read-only access to the trail, plus audit policies for tenant databases
- GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS procedure to debug “insufficient privilege” errors, which now all return a GUID; as of SAP HANA cockpit SP11 there is also an app for that
- Host-specific certificate collections for TLS/SSL and provider-specific certificate collections for single sign-on (SSO) using SAML assertions and JSON Web Tokens (JWT) with optional case sensitivity of user matching
- Object privilege REMOTE TABLE ADMIN authorizes a user to create a table on a remote source object.
As documented (also includes all new features introduced with SPS 03, 02, 01, and 00)
SAP HANA Cockpit
The list of new features for the SAP HANA cockpit and the SAP HANA database explorer is extensive. Most security-relevant information is listed under User Management and Security Administration.
SP 12 (June 2020)
- Temporarily deactivating a cockpit user
- Log in to SAP HANA cockpit using Kerberos SSO
- Configuration wizard for user group management
- Configuration wizard for audit policies
SP 11 (Oct 2019)
- Removal of OS-level access from tenant database administrators, e.g. access to trace files, platform lifecycle management tasks, of full system information dumps (offline)
- App to debug “insufficient privilege” errors by providing GUID plus new authorization dependency viewer
- Licenses require usage type
- Cockpit Manager enhancements for resource groups and technical user
As documented (SP00 – SP12)
Data Masking and Data Anonymization
Data masking was introduced with SAP HANA 2.0 SPS 02 in 2017. For an introduction, read
Data anonymization, “knowing without seeing” was added to SAP HANA in the same release and further enhanced with SPS 04 last year.
- Anonymize like a Rock Star! (or: What’s New on Data Anonymization this Spring in SAP HANA) by Stephan Kessler (2019)
For SAP HANA Cloud, Philip MUGGLESTONE recently published several excellent video tutorials. This works exactly the same for the SAP HANA platform (on premises)
Client-side encryption was introduced with SAP HANA 2.0 SPS 03. We posted a blog on the topic at the time including several tutorial videos how to get started. This information is still accurate and valid.
For the changes added in the SPS 04 release, column encryption key and client key pair versioning, see the guide on the topic.
SAP Data Custodian
Key Management Services (KMS)
SAP Data Custodian key management service provides an independent key management service that is separated from the cloud providers hosting your data to protect data in public, private, hybrid, or multi-cloud environments, simplifying provisioning and control of encryption keys.
For more information, visit the product home page, read the solution brief, or the latest blog
- SAP Data Custodian
- Introducing SAP Data Custodian Key Management Service
- Take Control of Your Encryption Keys with SAP Data Custodian Key Management Service by Wasif Gilani (May 2020)
SAP HANA – SSFS, LSS and KMS
You can use the LSS to store the roots keys used for the encryption of the data volume, redo log, backups, the application encryption service, password of the root key backup, plus any additional configuration information considered sensitive.
Unlike the Secure Stores in the File Server (SSFS) technology used alternatively, LSS runs as a separate service under an isolated operating system user <sid>crypt allowing for a separation of duties between system and security administration.
- Server-Side Data Encryption Services – SAP Security Guide
How to configure SAP HANA to use SAP Data Custodian is documented in the Security Guide and accompanying note.
- Using the Local Secure Store with an External Key Management System – SAP Security Guide
- 2911896 – How to Configure an SAP HANA System to Use the SAP Data Custodian Key Management Service
Key management configuration is performed using SQL. There is no graphical user interface yet, as common with the newest feature, but typically this is added to SAP HANA cockpit in a subsequent Support Pack (SP).
ALTER SYSTEM|DATABASE ADD KEY MANAGEMENT CONFIGURATION ALTER SYSTEM|DATABASE ACTIVATE KEY MANAGEMENT CONFIGURATION
To get information you can query monitoring view KEY_MANAGEMENT_CONFIGURATIONS.
Share and Connect
Enjoyed the blog? Post a comment, share on social media, and/or give a like. Thanks!
If you would like to receive updates, connect with me on
Denys van Kempen
SAP HANA 2.0 – An Introduction
Just getting started with SAP HANA? Or do have a migration to SAP HANA 2.0 coming up? Need a quick update covering business benefits and technology overview. Understand the role of the system administrator, developer, data integrator, security officer, data scientist, data modeler, project manager, and other SAP HANA stakeholders? My latest book about SAP HANA 2.0 covers everything you need to know.
Get it from SAP Press or Amazon:
SAP HANA 2.0 Certification Guide: Technology Associate Exam
Preparing for your SAP HANA 2.0 technology associate exam? Make the grade with this certification study guide! From installation and configuration to monitoring and troubleshooting, this guide will review the key technical and functional knowledge you need to pass with flying colors. Explore test methodology, key concepts for each area, and practice questions and answers. Your path to SAP HANA 2.0 certification begins here!
Pre-order from SAP Press: