
Hana Security - New Dimensions

With the Hana database, SAP has added a new dimension to the security of SAP systems.
Thomas Tiede, IBS
March 1, 2017
This text has been automatically translated from German to English.

Previously, the data-management layer and the application layer were clearly separated from each other. In the database itself, only the database administrators existed as users. Developers and end users lived in the Abap stack, where all authorization assignment also took place.

New user distribution

Even though a large part of the application logic in the ERP successor S/4 Hana still runs in the Abap stack, a great deal of development is already taking place in the Hana database itself.

BW/4 Hana, which SAP officially positions not as the successor to SAP BW but as a new product, runs entirely in the Hana database. As a result, it is no longer only database administrators who are active as users in the Hana database, but also developers and, increasingly, end users.

Security

Securing a Hana DB involves many layers, because database security and application security now coincide in one system. It starts with the security of the servers on which Hana is installed.

Hana can only be installed on certain Linux distributions (SUSE Linux Enterprise Server and Red Hat Enterprise Linux). The SSFS (Secure Store in the File System) lives in the file system of that host and holds, among other things, the root keys for the various encryption mechanisms; the operating-system permissions on these files are therefore part of the database's security boundary.

Likewise, the persistent data lives in the file system. For recovery purposes, Hana writes changed pages to the data volumes on the Hana server's disk at regular intervals (savepoints) and redo-log entries continuously to the log volumes (persistent storage).

By default, this persistent data is written to disk unencrypted. Encryption must be explicitly enabled, and the data volumes and the redo log are switched on separately.

Communication is also unencrypted in the default installation. The Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protocol can be used to encrypt both internal (inter-host) and external (client) communication. Note that even after TLS has been configured on the server, unencrypted client connections are still accepted unless encryption is explicitly enforced.

For system security, the configuration of the security-relevant system parameters is essential. These are stored as plain-text ini files on the Linux host (global.ini, indexserver.ini and others). Comparable to the profile parameters of the Abap stack, they control components such as authentication, encryption and logging.
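The three default settings just described (unencrypted persistence, unencrypted client connections, weak parameter defaults) can all be checked and changed from the SQL editor. The following Hana SQL is an added example and not part of the original article; the system views, statements and parameter names are Hana's own (1.0 SPS12/2.0 syntax), while the chosen values and the assumption that a server certificate/PSE is already configured before TLS is enforced are mine.

```sql
-- Added example, not from the article. Run as a user with the INIFILE ADMIN
-- system privilege (parameter changes) plus the privilege your release requires
-- for the encryption statements.

-- 1. Persistence encryption: on a default installation ENCRYPTION_ACTIVE = FALSE
SELECT HOST, PORT, VOLUME_ID, ENCRYPTION_ACTIVE, ENCRYPTION_ACTIVE_AFTER_RESTART
  FROM SYS.M_PERSISTENCE_ENCRYPTION_STATUS;

ALTER SYSTEM PERSISTENCE ENCRYPTION ON;     -- data volumes
ALTER SYSTEM LOG ENCRYPTION ON;             -- redo log, separate switch (HANA 2.0 SPS01+)

-- 2. TLS: both keys live in global.ini, section [communication].
--    sslEnforce absent or 'false'  => unencrypted ODBC/JDBC connections still accepted
--    ssl absent or 'off'           => inter-host traffic unencrypted
SELECT LAYER_NAME, HOST, SECTION, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'global.ini'
   AND SECTION   = 'communication'
   AND KEY IN ('sslEnforce', 'ssl');

-- Assumption: the server PSE/certificate is already in place. Enforcing TLS
-- without it locks every client out.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('communication', 'sslEnforce') = 'true',
      ('communication', 'ssl')        = 'systemPKI'
  WITH RECONFIGURE;

-- 3. Security-relevant parameters: the password policy sits in indexserver.ini
--    [password policy]; a value on the SYSTEM layer overrides the DEFAULT layer,
--    so list all layers to see what is really in effect.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE SECTION IN ('password policy', 'auditing configuration')
 ORDER BY SECTION, KEY, LAYER_NAME;

-- Example hardening (values are assumptions; align them with your policy)
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('password policy', 'minimal_password_length')          = '12',
      ('password policy', 'maximum_invalid_connect_attempts') = '5',
      ('password policy', 'force_first_password_change')      = 'true'
  WITH RECONFIGURE;
```

Every ALTER SYSTEM ALTER CONFIGURATION statement ends up as a line in the ini file on the host, so the same change could also be made by editing the file as the <sid>adm user; the SQL route has the advantage that it can be audited (see the auditing section below).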

Access control

With regard to the users set up in the Hana DB, the key distinction is whether they only run applications (end users) or need access to the database itself (administrators, developers, auditors).

End users are defined as restricted users. This ensures that a direct login to the database via ODBC/JDBC (e.g. from Eclipse/Hana Studio) is not possible; they reach the database only through their application.

In addition, restricted users must be explicitly granted the privileges for their applications, whereas standard user accounts automatically receive a role with basic catalog privileges (the PUBLIC role) when they are created.
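As an added example (not from the article), the following Hana SQL creates the two user types side by side and shows the checks that distinguish them. User names, the role name and the SALES schema are assumptions; the statements and system views are Hana's own.

```sql
-- Added example, not from the article. Needs USER ADMIN and ROLE ADMIN.

-- A developer: a standard user. Receives the PUBLIC role automatically.
CREATE USER dev_meier PASSWORD "Initial_Pass_2017";

-- An end user of an XS application: restricted, no PUBLIC role, and
-- no ODBC/JDBC login unless enabled explicitly.
CREATE RESTRICTED USER app_user01 PASSWORD "Initial_Pass_2017";

-- A restricted user only gets what is granted explicitly; bundle it in a role.
CREATE ROLE z_app_sales_reader;
GRANT SELECT ON SCHEMA sales TO z_app_sales_reader;   -- assumed schema
GRANT z_app_sales_reader TO app_user01;

-- Verify the expected state (unquoted identifiers are stored upper-case).
-- APP_USER01: IS_RESTRICTED = TRUE, IS_CLIENT_CONNECT_ENABLED = FALSE
-- DEV_MEIER : IS_RESTRICTED = FALSE, IS_CLIENT_CONNECT_ENABLED = TRUE
SELECT USER_NAME, IS_RESTRICTED, IS_CLIENT_CONNECT_ENABLED, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE USER_NAME IN ('DEV_MEIER', 'APP_USER01');

-- What every standard user inherits through PUBLIC. Review this once:
-- anything granted to PUBLIC is effectively granted to all standard users.
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'PUBLIC'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME;

-- If a restricted user genuinely needs ODBC/JDBC (e.g. a BI front end),
-- grant it explicitly and reversibly instead of turning the account into a
-- standard user:
ALTER USER app_user01 ENABLE CLIENT CONNECT;
-- ALTER USER app_user01 DISABLE CLIENT CONNECT;   -- and take it back again
```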

Logging must also be configured on a company-specific basis. Whereas the Abap stack automatically generates a large number of logs that are subject to retention requirements, in the Hana DB each of them has to be set up individually.

For example, auditing of user maintenance and role assignment must be explicitly enabled by creating audit policies. The same applies to changes to the system parameters and to the encryption settings.

Only changes within the repository, i.e. the development environment, are logged automatically (as object versions).
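The following Hana SQL is an added example (not from the article) of the minimum auditing setup a company would want: the global switch, a policy for user and role maintenance, one for parameter changes and one for failed logons, plus the query an auditor uses to read the trail. The policy names are assumptions; the audit actions, levels and views are Hana's own.

```sql
-- Added example, not from the article. Needs AUDIT ADMIN (policies) and
-- INIFILE ADMIN (the global switch); reading AUDIT_LOG needs AUDIT READ.

-- 1. Auditing is off until the global switch is set. CSTABLE writes the trail
--    to an internal, write-protected table; SYSLOGPROTOCOL hands it to the OS
--    syslog; CSVTEXTFILE is for test systems only (unprotected file).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state')    = 'true',
      ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

-- 2. User maintenance and role/privilege assignment
CREATE AUDIT POLICY "Z_USER_ROLE_ADMIN"
  AUDITING ALL
    CREATE USER, DROP USER, ALTER USER,
    CREATE ROLE, DROP ROLE,
    GRANT ANY, REVOKE ANY
  LEVEL CRITICAL;
ALTER AUDIT POLICY "Z_USER_ROLE_ADMIN" ENABLE;   -- new policies start disabled

-- 3. Parameter changes (ini files). This also records anyone switching
--    auditing itself off or changing the [communication] TLS settings.
--    Whether the ALTER SYSTEM ... ENCRYPTION statements show up under this
--    action depends on the release: run one on a test system and check
--    AUDIT_LOG before relying on it.
CREATE AUDIT POLICY "Z_SYSTEM_CONFIG"
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL CRITICAL;
ALTER AUDIT POLICY "Z_SYSTEM_CONFIG" ENABLE;

-- 4. Failed logons
CREATE AUDIT POLICY "Z_FAILED_LOGON"
  AUDITING UNSUCCESSFUL CONNECT
  LEVEL WARNING;
ALTER AUDIT POLICY "Z_FAILED_LOGON" ENABLE;

-- Which policies exist, and are they actually enabled?
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_ACTION, EVENT_LEVEL, IS_AUDIT_POLICY_ACTIVE
  FROM SYS.AUDIT_POLICIES
 ORDER BY AUDIT_POLICY_NAME;

-- Reading the trail (CSTABLE target): who changed users/roles, from where, with what statement
SELECT TIMESTAMP, USER_NAME, CLIENT_IP, EVENT_ACTION, EVENT_STATUS, STATEMENT_STRING
  FROM SYS.AUDIT_LOG
 WHERE AUDIT_POLICY_NAME = 'Z_USER_ROLE_ADMIN'
 ORDER BY TIMESTAMP DESC;
```

Unlike the Abap security audit log, nothing here is on by default, so the first thing an auditor checks is the global_auditing_state parameter and the list of enabled policies, not the log contents.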

Another important point is, of course, the authorization concept. Its mechanics are laid out very transparently in the Hana database, so that the authorizations of end users can be separated clearly and in a structured manner from those of administrators and developers.

Back to the roots?

Checking the security of a Hana DB is currently still something of a challenge for auditors, as the Hana standard ships no dedicated checking tools apart from the SQL editor. Here it is "back to the roots": checks are run directly against the system tables and views.

Fortunately, at least setting up the permissions an auditor needs is considerably easier than it was in the Abap stack.
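As an added example (not from the article), the following Hana SQL shows both halves of the last two paragraphs: the two system privileges that give an auditor read access to everything, and a handful of "table level" checks run with them. The role and user names are assumptions; the views, columns and standard role names are Hana's own.

```sql
-- Added example, not from the article. The GRANTs need USER ADMIN and ROLE ADMIN;
-- the checks below then run under the auditor's own account.

CREATE ROLE z_auditor;
GRANT CATALOG READ TO z_auditor;   -- read all rows of USERS, GRANTED_*, M_* views
GRANT AUDIT READ   TO z_auditor;   -- read AUDIT_LOG
GRANT z_auditor TO auditor_schmidt;

-- a) Who holds powerful system privileges directly (users or roles)?
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE, GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE IN ('USER ADMIN', 'ROLE ADMIN', 'DATA ADMIN',
                     'INIFILE ADMIN', 'AUDIT ADMIN', 'CATALOG READ')
 ORDER BY PRIVILEGE, GRANTEE_TYPE, GRANTEE;

-- b) Effective privileges of one user, including nested roles.
--    EFFECTIVE_PRIVILEGES insists on a USER_NAME filter, so query per user.
SELECT PRIVILEGE, GRANTEE AS VIA, GRANTEE_TYPE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME   = 'DEV_MEIER'
   AND OBJECT_TYPE = 'SYSTEMPRIVILEGE';

-- c) Accounts without password lifetime check or unused for 90 days
--    (technical and forgotten accounts hide here).
SELECT USER_NAME, IS_PASSWORD_LIFETIME_CHECK_ENABLED,
       LAST_SUCCESSFUL_CONNECT, USER_DEACTIVATED
  FROM SYS.USERS
 WHERE IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
    OR LAST_SUCCESSFUL_CONNECT < ADD_DAYS(CURRENT_TIMESTAMP, -90)
 ORDER BY LAST_SUCCESSFUL_CONNECT;

-- d) Separation of end users from administrators/developers: a restricted
--    user must not hold any of the standard modelling/content/support roles.
SELECT U.USER_NAME, R.ROLE_NAME, R.GRANTOR
  FROM SYS.USERS U
  JOIN SYS.GRANTED_ROLES R ON R.GRANTEE = U.USER_NAME
 WHERE U.IS_RESTRICTED = 'TRUE'
   AND R.ROLE_NAME IN ('MODELING', 'CONTENT_ADMIN', 'SAP_INTERNAL_HANA_SUPPORT');
```

In the Abap stack an auditor account needs a tailored set of S_TABU_DIS, S_USER_* and transaction authorizations; here the two system privileges CATALOG READ and AUDIT READ are enough to read every system view and the audit trail without being able to change anything.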


Thomas Tiede is managing director of IBS Schreiber.

