
HANA database encryption


As lars.breddemann has described in an earlier post, the HANA DB encryption is not on the in-memory data but for the data partition and the log files.

So I was wondering if this "all or nothing" approach can be differentiated a bit more. E.g. I don't need to encrypt my whole db, but only a single table. How would I be able to do that? Can I move a single table into an individual data partition?

Also I understand that the only possible way to encrypt an individual field of a table is to encrypt it before storing it on HANA - or did that change and HANA comes now with some support for this (e.g. the client provides a secret to encrypt the data but the en-/decryption is done on the DB and not on the client)?

Accepted Solutions (0)

Answers (2)


dvankempen
Product and Topic Expert

Hi Bernd,

Good question. We have three different objectives here:

  1. Encryption of archived storage (backups)
  2. Encryption of the files on the file system (persistence) - for the curious OS hacker
  3. Encryption of rows/columns in-memory (obfuscation/data masking) - for the curious DBA

Currently, for SAP HANA 2.0 SPS 00, both data volume (persistence) and redo log encryption are available (but you still need to be careful with your trace files). The encryption takes place at a lower level than the database, so you cannot encrypt on the file system just the bits and bytes for table A or column B. It is all or nothing.

Archived storage is addressed (or not) by the backup tool or by the DBA / System Administrator.

Obfuscation/data masking can be addressed by the application but is not a database feature. See, for example https://blogs.sap.com/2014/05/13/how-to-securely-mask-or-hide-column-data-using-sql-map-function-in-... or https://blogs.sap.com/2016/06/15/hana-eim-sdisdq-sps12-data-mask-node-how-to/ (using SDI).

Targeted audit policies and a solid privilege and role management are obviously also very important to protect sensitive data.

I understood that both backup encryption and data masking are high on the feature list for SAP HANA 2.0 SPS 01 but whether they make it to the release remains to be seen. RTC is planned for mid-April.

Regards,

Denys
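
The application-side route discussed above (encrypting a single field before it is stored, because the database-level encryption is all or nothing), shown as an added example that is not part of the original thread or of any SAP code. It uses Node.js's built-in crypto module; the table and column names, the key handling and the sample row are assumptions made for illustration.

```javascript
// Added example: encrypt one column value in the application before it is stored.
// Table/column names, the key and the sample row are constructed for illustration.
const nodeCrypto = require('node:crypto');

// Assumption: in practice the key comes from a key store outside the database.
const KEY = nodeCrypto.randomBytes(32); // AES-256 key

// Bind the ciphertext to its location so it cannot be copied to another row or column.
function aad(table, column, rowId) {
  return Buffer.from(`${table}|${column}|${rowId}`, 'utf8');
}

// Returns base64 of nonce || tag || ciphertext, ready to store in a character column.
function encryptField(key, table, column, rowId, plaintext) {
  const nonce = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every value
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad(table, column, rowId));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64');
}

// Throws if the stored value was modified or moved to a different table/column/row.
function decryptField(key, table, column, rowId, stored) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 28) throw new Error('stored value too short');
  const nonce = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAAD(aad(table, column, rowId));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample row: only IBAN is encrypted, NAME stays in clear text.
function demo() {
  const row = { ID: 42, NAME: 'Example Customer', IBAN: 'DE00 0000 0000 0000 0000 00' };
  const stored = { ...row, IBAN: encryptField(KEY, 'CUSTOMERS', 'IBAN', row.ID, row.IBAN) };
  const roundTrip = decryptField(KEY, 'CUSTOMERS', 'IBAN', stored.ID, stored.IBAN);
  let movedRejected = false;
  try { decryptField(KEY, 'CUSTOMERS', 'IBAN', 43, stored.IBAN); } catch (e) { movedRejected = true; }
  return { stored, roundTrip, movedRejected };
}
```

With this approach the database only ever sees ciphertext for that column, so it cannot filter, sort or join on the value, and a DBA without the key cannot read it.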


Thank you Denys, that was very helpful - one more question. If the HANA is hosted on the HCP (or SCP, as it is called now), is this process any different? Or is this all taken care of by the dev ops? (encryption on persistence level)

dvankempen
Product and Topic Expert

Hi Bernd,

I have very little visibility of what is happening up there in the cloud so I will have to ask around a bit; I will get back to you.