
Hana requires rethinking security

The greatest security challenge with Hana lies in role and authorization management. In contrast to earlier SAP ERP environments, SAP takes a completely new approach here, and administrators must rethink theirs accordingly.
René Bader, NTT Security
May 16, 2017
This text has been automatically translated from German to English.

Hana was originally developed as a relational database for SAP systems and is built on in-memory technology. Its main advantage is the large performance gain over conventional disk-based database systems.

With the introduction of Hana, SAP also broke new ground in the development environment and user interface: Java and HTML5, and with them Fiori and SAPUI5, moved to the foreground.

This opens up new application possibilities for Hana in business use. Hana is therefore increasingly seen as a development platform whose runtime environments can host arbitrary Java and HTML5 applications.

The expanded application spectrum also affects the security model and architecture. Five primary security areas, arising from the Java development environment as well as the database technology, are now the focus:

Network security; authentication and SSO (single sign-on); authorization; encryption (transport and data); and auditing and logging.

In network security the focus is on classic measures: a system architecture with multiple security zones, and exposing only the services that are actually required.

Network communication must be restricted to the ports that are strictly necessary, particularly the paths used for data and administrative access: for example the SQL client interface (SQLDBC), Hana Studio or Solution Manager (SolMan).

For authentication, Hana supports a range of secure methods: username and password, Kerberos, SAML (Security Assertion Markup Language) 2.0, SAP logon tickets and X.509 certificates.

What matters is correct implementation and integration into the existing authentication landscape: connecting to Microsoft AD (Active Directory) and LDAP (Lightweight Directory Access Protocol) directory services, integrating with PKI (Public Key Infrastructure) environments, or linking token-based methods such as SAML or Active Directory Federation Services (AD FS).

The most far-reaching changes in Hana concern authorization. Put simply, SAP admins now have to master the "DBA language".

Whereas role and authorization management used to be tied to the SAP ERP application, it has now moved into the database layer. Practically every application within the Hana runtime therefore inherits the authorization model of the database.

This model differs significantly from earlier ones, such as that of the ERP system. An SAP admin must now understand how the database works and how existing roles and rights can be carried over. In return, Hana's authorization model allows very fine-grained and precise access control.

Privileges are grouped and structured in roles. They consist of standard SQL object privileges plus Hana-specific privilege types for business applications, such as system, analytic, package and application privileges.
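What "grouping rights in roles" looks like at the database layer, as an added example written for this page rather than taken from the article or from NTT Security: the schema SALES, the table ORDERS, the calculation view CV_ORDERS, the user JDOE and the role and privilege names are assumed for illustration. The commented-out "before" lines show the shortcut that reproduces the old all-or-nothing ERP habit; the rest builds a least-privilege role in Hana SQL and verifies what the user actually ends up with.

```sql
-- Added example (not from the article). Schema, table, view, user and role
-- names are assumed. Run as a user allowed to create roles and grant the
-- listed privileges (e.g. a dedicated authorization administrator).

-- Before: broad grants straight to the user. Both lines hand out far more than
-- a reporting user needs and are hard to audit or revoke later.
-- GRANT ALL PRIVILEGES ON SCHEMA "SALES" TO "JDOE";   -- whole schema, all actions
-- GRANT DATA ADMIN TO "JDOE";                          -- system privilege, avoid

-- After: collect the rights in a role and grant only the role.
CREATE ROLE "SALES_REPORTING";

-- Standard SQL object privilege, scoped to the one table the report reads.
GRANT SELECT ON "SALES"."ORDERS" TO "SALES_REPORTING";

-- Hana-specific analytic privilege: row-level filter on a calculation view.
-- CV_ORDERS is assumed to be a calculation view with analytic privilege checks
-- enabled; the role only ever sees German orders through it.
CREATE STRUCTURED PRIVILEGE "AP_ORDERS_DE"
  FOR SELECT ON "SALES"."CV_ORDERS"
  WHERE "REGION" = 'DE';
GRANT STRUCTURED PRIVILEGE "AP_ORDERS_DE" TO "SALES_REPORTING";

-- Assign the role, not the privileges, to the person.
GRANT "SALES_REPORTING" TO "JDOE";

-- Verify: what can JDOE really do? EFFECTIVE_PRIVILEGES resolves the role
-- chain, so this is the view to check after every change.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM "SYS"."EFFECTIVE_PRIVILEGES"
 WHERE USER_NAME = 'JDOE';

-- And which roles the user holds directly.
SELECT ROLE_NAME, GRANTOR, IS_GRANTABLE
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTEE = 'JDOE';

-- Offboarding is one statement instead of a hunt for scattered grants.
-- REVOKE "SALES_REPORTING" FROM "JDOE";
```

Two practitioner caveats: a catalog role created with CREATE ROLE is owned by the user who created it and disappears with that user, so either create roles from a dedicated, never-deleted administration user or use design-time (repository) roles; and the analytic privilege only takes effect on views that were built with analytic privilege checks switched on, which is why the verification query matters more than the GRANT itself.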

For encryption, two levels must be considered: transport and data. Transport encryption primarily means TLS (SSL), but alternatives such as VPN techniques should also be examined.

Data encryption is only available for data at rest, i.e. when data is written to the storage volumes. Data in main memory is the sticking point, especially when several instances are to run on the same system.

The crucial, but often unanswered, question in such cases is: "Who then ensures the integrity of the data and prevents it from 'jumping' from one instance to the next?"
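The two encryption levels named above, shown as Hana configuration statements in an added example that is not part of the article: the weak setting sits beside the corrected one for transport encryption, and persistence encryption covers the data-at-rest level. The host and port values in the output are whatever the installation reports; the privileges mentioned in the comments are assumed from the statements' usual requirements.

```sql
-- Added example (not from the article). Run as an administrator holding the
-- system privileges the statements need (INIFILE ADMIN for the configuration
-- changes, RESOURCE ADMIN for persistence encryption; assumed).

-- Transport, weak: TLS is offered but not enforced, so a SQLDBC client that
-- does not ask for encryption still gets a plain-text session.
-- ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
--   SET ('communication', 'sslenforce') = 'false' WITH RECONFIGURE;

-- Transport, corrected: reject unencrypted SQL client connections outright.
-- Test with Hana Studio and the application servers first; any client without
-- a working TLS setup loses access the moment this is reconfigured.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('communication', 'sslenforce') = 'true' WITH RECONFIGURE;

-- Data at rest: encrypt the data volumes. This covers what is written to the
-- storage volumes only; pages held in main memory stay in clear text, which is
-- exactly the limitation the text above points out.
ALTER SYSTEM PERSISTENCE ENCRYPTION ON;

-- Verify the transport setting took effect on the SYSTEM layer.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM "SYS"."M_INIFILE_CONTENTS"
 WHERE FILE_NAME = 'global.ini'
   AND SECTION   = 'communication'
   AND KEY       = 'sslenforce';

-- Verify persistence encryption per host/port; look at ENCRYPTION_ACTIVE.
-- Existing pages are re-encrypted as they are written, so ENCRYPTION_ACTIVE
-- being true does not yet mean every page on disk is encrypted.
SELECT *
  FROM "SYS"."M_PERSISTENCE_ENCRYPTION_STATUS";
```

The check queries are the point of the block: a configuration change that is not read back from the live system is a belief, not a control, and the second query also shows why the text's "sticking point" remains. Persistence encryption answers the data-on-disk question and says nothing about what a neighbouring instance on the same host could reach in memory.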

Hana also offers extensive auditing and logging options. Here, however, free storage space is the limiting factor: given the flood of (SQL) statements on the system, the audit trail can quickly push the storage to its capacity limits.
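One way to keep the audit trail useful without letting it fill the database, as an added example that is not from the article: switch auditing on, send the trail to the operating system's syslog so an external log server collects it, and write narrow policies for the events a compliance reviewer asks about first instead of a blanket SELECT policy. The policy names and the HR.SALARY table are assumed for illustration.

```sql
-- Added example (not from the article). Policy names and the table
-- "HR"."SALARY" are assumed. Run as a user with AUDIT ADMIN and INIFILE ADMIN.

-- Turn the audit trail on globally.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;

-- Storage: write to syslog (forwarded to an external log system) instead of
-- the CSTABLE audit table, which grows inside the database's own persistence
-- and competes with business data for space.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'default_audit_trail_type') = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

-- Who changes the authorization model: every grant and revoke of roles and
-- privileges, plus user lifecycle events. Low volume, high value.
CREATE AUDIT POLICY "AUTHZ_CHANGES"
  AUDITING ALL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE,
               CREATE USER, DROP USER, ALTER USER
  LEVEL CRITICAL;
ALTER AUDIT POLICY "AUTHZ_CHANGES" ENABLE;

-- Failed logons only. Auditing successful CONNECTs too would be the flood of
-- entries the text warns about.
CREATE AUDIT POLICY "FAILED_LOGONS"
  AUDITING UNSUCCESSFUL CONNECT
  LEVEL WARNING;
ALTER AUDIT POLICY "FAILED_LOGONS" ENABLE;

-- Data access on one sensitive table, not on the whole system.
CREATE AUDIT POLICY "HR_SALARY_READS"
  AUDITING SUCCESSFUL SELECT ON "HR"."SALARY"
  LEVEL INFO;
ALTER AUDIT POLICY "HR_SALARY_READS" ENABLE;

-- Check which policies exist and whether they are active.
SELECT *
  FROM "SYS"."AUDIT_POLICIES";
```

If the table target has to stay (for example because the log server is not yet in place), the trail needs a retention job; Hana provides ALTER SYSTEM CLEAR AUDIT LOG UNTIL <timestamp> for that, and without it the CSTABLE target reproduces exactly the storage problem described above.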

At present only external tools help here, especially when compliance requirements must be met. Hana thus ships with a number of security functions by default, but using them requires a rethink on the part of SAP administrators.

The biggest challenge relates to role and authorization management, which has changed completely compared with earlier SAP ERP environments, where the application and database levels were clearly separated.

This is also the topic on which NTT Security currently receives the most customer inquiries. Encryption, by contrast, is not yet a focus for users.

That will change soon, as compliance requirements still leave a considerable need for action. Finally, it must not be forgotten that attackers who gain access to Hana can steal, change or delete business-critical data with little effort.
