Securing SAP HANA: 6 Best Practices
Protecting the sensitive information stored in your SAP HANA workloads is critical to maintaining compliance and business continuity. However, as cyber security threats evolve at a rapid pace, keeping systems secure becomes increasingly challenging.
This article reviews the current challenges, and offers several best practices that can help you to securely run and operate SAP HANA in different environments.
SAP HANA Security Challenges
Below is a brief overview of the typical challenges you might encounter while implementing SAP HANA.
Preventing data loss is often a major concern before, during, and after organizations undergo a migration process. Loss of any data is undesirable, but loss of business-critical data can cause massive disruption and damage.
Another cause for concern is ensuring that any migrated data remains consistent with the source data. Data integration challenges during migration can also cause issues, and even lead to downtime or disruption.
To prevent data migration issues, you can perform data migration testing and Extract / Transform / Load (ETL) testing. Data migration tests help verify the functionality of migrated workloads before migration.
ETL tests help identify and validate aspects such as metadata, data model, field mapping, data types and formats, referential integrity, ETL logic, surrogate keys, boundary conditions, and error logic.
A transition from legacy infrastructure to SAP HANA can expose the organization to security vulnerabilities. Different environments, naturally, are exposed to different risks.
Before migrating business-critical operations, like an enterprise resource planning (ERP) system, you need to conduct a thorough security assessment. This can help you discover vulnerabilities before making the change, create an appropriate security plan, and then apply it during the implementation phase.
SAP HANA often collects data from different sources in real time. However, simultaneously pooling together different big data sets is a major challenge. To ensure a successful outcome, the data must be clean and reliable. You can achieve this by continuously performing end-to-end testing on data sources, integrators, and connected organizations.
Web applications are connected to the Internet, and this connection creates an open traffic flow. This makes the systems vulnerable to various attacks, such as cross-site scripting (XSS) attacks and code injections. During these attacks, threat actors inject malicious software (malware) or commands through user inputs.
Best Practices for Securing SAP HANA
To secure an SAP HANA database, you need to apply certain best practices, such as access control, continuous monitoring, and data anonymization. While SAP HANA provides several built-in security features, not everything is covered. Some of the best practices can be implemented using SAP HANA features, while others require the use of external tools.
1. Limit Permissions to Prevent Insider Threats
SAP HANA lets you prioritize role-based permissions with privilege groups. You can create groups for system, object, analytic, package, and application privileges. A role-based privilege configuration can help restrict the scope of damage inflicted by insider threats or external attackers. Apply the principle of least privilege when you set up permissions and groups, so that each role is limited to the minimum controls it needs.
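A least-privilege role setup in SAP HANA SQL, followed by two review queries against the SYS catalog views. This is an added example, not part of the original article; the schema SALES, the role SALES_REPORT_READER and the user REPORT_USER are hypothetical names.

```sql
-- Hypothetical names: schema SALES, role SALES_REPORT_READER, user REPORT_USER.

-- 1. A narrowly scoped role: read-only access to two tables, nothing else.
CREATE ROLE SALES_REPORT_READER;
GRANT SELECT ON SALES.ORDERS    TO SALES_REPORT_READER;
GRANT SELECT ON SALES.CUSTOMERS TO SALES_REPORT_READER;

-- 2. Users receive the role, never the underlying privileges directly,
--    so access can be reviewed and revoked in one place.
GRANT SALES_REPORT_READER TO REPORT_USER;

-- 3. Review: administrative system privileges granted directly to users
--    instead of through a role. Each row is a candidate for cleanup.
SELECT GRANTEE, PRIVILEGE, GRANTOR, IS_GRANTABLE
FROM SYS.GRANTED_PRIVILEGES
WHERE GRANTEE_TYPE = 'USER'
  AND OBJECT_TYPE  = 'SYSTEMPRIVILEGE'
  AND PRIVILEGE IN ('USER ADMIN', 'ROLE ADMIN', 'DATA ADMIN',
                    'INIFILE ADMIN', 'AUDIT ADMIN')
  AND GRANTEE <> 'SYSTEM'
ORDER BY GRANTEE, PRIVILEGE;

-- 4. Review: which users hold which roles, and who granted them.
SELECT GRANTEE, ROLE_NAME, GRANTOR, IS_GRANTABLE
FROM SYS.GRANTED_ROLES
WHERE GRANTEE_TYPE = 'USER'
ORDER BY ROLE_NAME, GRANTEE;

-- 5. Spot check: everything one user can actually do, including
--    privileges inherited through nested roles.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
FROM SYS.EFFECTIVE_PRIVILEGES
WHERE USER_NAME = 'REPORT_USER';
```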
2. Keep Systems Up-to-Date
System updates are often provided to patch vulnerabilities and fix security issues. To ensure your SAP HANA remains secure, you need to immediately update when a patch is released. Always review the most recent SAP security notes, which are released monthly on Security Patch Day, the second Tuesday of the month. The notes provide security information regarding known vulnerabilities and ways to defend against exploits.
3. Mask or Anonymize Data
SAP HANA provides built-in capabilities for data masking and anonymization.
Masking processes help hide a part of the data or replace these parts with synthetic data. Typically, masking is used to hide sensitive data from users who are not permitted to access it.
Anonymization can help hide identifying information or use statistical noise to hide certain sensitive values.
You can apply both of these methods dynamically when data is queried, so the original data remains unchanged.
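Dynamic masking on a view, with the UNMASKED object privilege deciding who sees clear text. This is an added example, not part of the original article; it assumes an SAP HANA 2.0 system where the WITH MASK clause is available, and the schema, table, view and user names are hypothetical.

```sql
-- Hypothetical objects: table SALES.CUSTOMERS with a CREDIT_CARD column,
-- users SUPPORT_USER (must not see card numbers) and BILLING_USER (may).

-- 1. The mask expression is evaluated at query time. The stored value in
--    SALES.CUSTOMERS is never modified.
CREATE VIEW SALES.V_CUSTOMERS AS
  SELECT CUSTOMER_ID, NAME, CREDIT_CARD
  FROM SALES.CUSTOMERS
  WITH MASK (CREDIT_CARD USING 'XXXX-XXXX-XXXX-' || RIGHT(CREDIT_CARD, 4));

-- 2. Both users query the view. Neither gets SELECT on the base table,
--    otherwise the mask could simply be bypassed.
GRANT SELECT ON SALES.V_CUSTOMERS TO SUPPORT_USER;
GRANT SELECT ON SALES.V_CUSTOMERS TO BILLING_USER;

-- 3. Only BILLING_USER is allowed to see the original values.
GRANT UNMASKED ON SALES.V_CUSTOMERS TO BILLING_USER;

-- 4. Review: every grantee that can bypass a mask anywhere in the database.
SELECT GRANTEE, GRANTEE_TYPE, SCHEMA_NAME, OBJECT_NAME, GRANTOR
FROM SYS.GRANTED_PRIVILEGES
WHERE PRIVILEGE = 'UNMASKED'
ORDER BY SCHEMA_NAME, OBJECT_NAME, GRANTEE;
```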
4. Use Vendor Installed Systems
Vendor-installed systems can help simplify SAP HANA deployments and configurations. In this case, you are introducing a third-party service, and this integration requires special security measures.
Here are certain steps you can take to secure your deployment:
- Change all passwords, and especially the <sid>adm, root, and sapadm passwords. These three provide administrative access and should be highly secured.
- Review all existing users, and delete redundant users. Deactivate the SYSTEM user, because it is the superuser with privileges to create databases.
- Rotate master encryption keys, and recreate the public key infrastructure. By continuously rotating and recreating these configs, you secure your encryption.
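The database-user part of the steps above, written as SAP HANA SQL: inventory the users, set up a named administrator, then deactivate SYSTEM and verify. This is an added example, not part of the original article; it does not cover the operating system accounts or key rotation, and the names OPS_ADMIN, USER_ADMINISTRATION and VENDOR_SETUP and the password placeholder are hypothetical.

```sql
-- 1. Inventory every database user the installation left behind.
--    Accounts that never logged on sort first.
SELECT USER_NAME, CREATOR, CREATE_TIME, LAST_SUCCESSFUL_CONNECT,
       LAST_PASSWORD_CHANGE_TIME, USER_DEACTIVATED
FROM SYS.USERS
ORDER BY LAST_SUCCESSFUL_CONNECT NULLS FIRST;

-- 2. Create a named administrator BEFORE deactivating SYSTEM, so that
--    user management stays possible and is attributable to a person.
--    Replace the placeholder with a value that meets your password policy.
CREATE USER OPS_ADMIN PASSWORD "<initial-password-placeholder>";
CREATE ROLE USER_ADMINISTRATION;
GRANT USER ADMIN, ROLE ADMIN TO USER_ADMINISTRATION;
GRANT USER_ADMINISTRATION TO OPS_ADMIN;

-- 3. Redundant account (hypothetical leftover VENDOR_SETUP): lock it first,
--    then drop it once nothing is found to depend on it. Without CASCADE
--    the drop is refused if dependent objects still exist.
ALTER USER VENDOR_SETUP DEACTIVATE USER NOW;
DROP USER VENDOR_SETUP;

-- 4. Deactivate the SYSTEM superuser.
ALTER USER SYSTEM DEACTIVATE USER NOW;

-- 5. Verify the result.
SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME
FROM SYS.USERS
WHERE USER_NAME = 'SYSTEM';

-- If SYSTEM is needed for an emergency task, a user holding USER ADMIN
-- can bring it back temporarily and deactivate it again afterwards:
-- ALTER USER SYSTEM ACTIVATE USER NOW;
```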
5. Endpoint Protection, EPP and XDR
If you need more visibility, you can integrate with third-party tools that extend your security reach. There are several endpoint protection solutions that can help you achieve this, each providing different capabilities. Make sure you choose a tool that supports forensic investigation and auditing.
Endpoint protection platforms (EPP) can help prevent malware and other threats located on the device that hosts the database. You can also try eXtended detection and response (XDR) solutions, which can generate contextual insights. XDR tools combine data security with advanced analytics, and then detect and respond to attacks against your database.
6. Auditing Activity in SAP HANA
Auditing lets you monitor and record certain actions that are performed in your SAP HANA database. SAP HANA allows you to independently configure auditing processes for each database. This means changes made to auditing configs in one database will not impact the auditing processes performed on other databases within your SAP HANA environment.
On its own, auditing does not directly impact database security. However, you can set it up to help you support your overall security strategy. You can use auditing to detect vulnerabilities and breach attempts, and to meet security requirements. Typically, you achieve this by auditing user authorization changes, changes to database objects, user authentication, system configuration changes, and changes to sensitive information.
While shifting to SAP HANA can be a huge change, it can provide great benefits. There is no need to let data migration and integration challenges, or other security challenges, prevent you from making the change. There are many best practices you can apply to secure your SAP HANA operations, as well as tools you can use to increase security.
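One audit policy per category listed above, written as SAP HANA SQL. This is an added example, not part of the original article; it assumes auditing is already switched on for the database, and the policy names and the table HR.SALARIES are hypothetical.

```sql
-- User authorization changes: who granted or revoked what.
CREATE AUDIT POLICY AUTHZ_CHANGES
  AUDITING ALL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE
  LEVEL INFO;

-- User authentication: failed logons only, to keep the trail readable.
CREATE AUDIT POLICY FAILED_LOGONS
  AUDITING UNSUCCESSFUL CONNECT
  LEVEL ALERT;

-- System configuration changes (parameter changes in the .ini files).
CREATE AUDIT POLICY CONFIG_CHANGES
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL WARNING;

-- Changes to database objects.
CREATE AUDIT POLICY TABLE_DDL
  AUDITING SUCCESSFUL CREATE TABLE, DROP TABLE
  LEVEL INFO;

-- Changes to sensitive information in one specific table.
CREATE AUDIT POLICY SALARY_CHANGES
  AUDITING SUCCESSFUL INSERT, UPDATE, DELETE ON HR.SALARIES
  LEVEL CRITICAL;

-- Policies are created disabled and record nothing until enabled.
ALTER AUDIT POLICY AUTHZ_CHANGES  ENABLE;
ALTER AUDIT POLICY FAILED_LOGONS  ENABLE;
ALTER AUDIT POLICY CONFIG_CHANGES ENABLE;
ALTER AUDIT POLICY TABLE_DDL      ENABLE;
ALTER AUDIT POLICY SALARY_CHANGES ENABLE;

-- Verify what this database actually audits. Because auditing is
-- configured per database, run this in every database of the system.
SELECT AUDIT_POLICY_NAME, EVENT_ACTION, EVENT_STATUS, EVENT_LEVEL,
       OBJECT_SCHEMA, OBJECT_NAME, IS_AUDIT_POLICY_ACTIVE
FROM SYS.AUDIT_POLICIES
ORDER BY AUDIT_POLICY_NAME, EVENT_ACTION;
```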