4 Best Practices for Securing Your SAP HANA Database
Join the DZone community and get the full member experience.
Join For FreeDatabases hold the proverbial keys to modern business processes. These systems contain vast amounts of highly valuable and often sensitive data. This makes database systems a prime target for attackers. Comprehensive security processes and configurations are vital to prevent possible attacks.
Not all database systems treat security concerns equally, however. Some, like SAP HANA, include built-in security features. Others leave security entirely up to you. In this article, you’ll learn what SAP HANA is and the security features it includes. You’ll also learn some best practices for securing your SAP HANA deployments.
What Is SAP HANA?
SAP HANA is a Relational Database Management System (RDBMS). It is built with a column-oriented oriented structure. It uses in-memory storage, keeping data in Random Access Memory (RAM). This is different from traditional databases, which use persistent storage, generally in the form of hard drives.
SAP HANA enables you to store and retrieve application data, functioning as a database server. Since your data is stored in memory, you can retrieve it more quickly than data retrieved from disk. SAP HANA is typically used for analytics, application serving, and business intelligence.
You can use SAP HANA to perform a variety of advanced analytics, such as stream analysis, spatial data processing, and predictive analysis. You can also use it to perform Extract, Transform, Load (ETL) processes, which enable you to transfer data between databases.
You can run SAP HANA in a variety of environments, including on-premises or in the cloud. If you wish to run SAP HANA on Azure, AWS, or GCP, managed services are available. There is also a managed service available directly from SAP.
Security in SAP HANA
SAP HANA includes a variety of built-in security features, including:
Authorization — required to access your database through a client interface. This feature uses privileges that can be provided to individual users or roles.
User and role management — managed through HANA Studio. This feature includes technical users, for administrative tasks, and database or real users, for workload tasks.
Authentication — methods include SAP logon and assertion tickets, username and password pairs, Kerberos, Security Assertion Markup Language (SAML), and client certificates.
Data encryption — can apply to at-rest and in-transit data. SAP HANA includes features for backup, persistent and log data, applications, and database column encryption.
SAP HANA databases face a variety of risks, including:
Web applications — Internet access leaves systems more vulnerable due to a need for open traffic flow. Web applications are vulnerable to risks of cross-site scripting and code injection attacks. These attacks involve inserting malicious scripts or commands via user inputs.
RAM Scraping — malware or viruses running in the same memory as SAP HANA are used to infect your systems. These risks are difficult to track since memory is ephemeral. Also, in-memory processes cannot be encrypted because it would degrade performance, so attacks are difficult to block.
Securing Your SAP HANA Database
Securing a SAP HANA database requires applying standard best practices, including encryption, access control, and monitoring. However, since SAP HANA includes some built-in security features, there are variations you should keep in mind. For more detailed coverage, check out SAP’s security whitepaper.
1. Limit Permissions
SAP HANA prioritizes role-based permissions with different privilege groups, including system, object, analytic, package, and application privileges. Role-based privileges help limit the amount of damage that attackers can cause using compromised credentials. This division of privileges can also help limit the damage caused inadvertently by legitimate users.
When setting up privileges, make sure to follow the principle of least privilege. This principle states that you should only assign the bare minimum of privileges needed to perform each role. Users that have multiple responsibilities should use roles individually to accomplish necessary tasks. Splitting privileges in this way helps you avoid critical privilege combinations. For example, you should have separate roles for privilege assignment and modifying database data
2. Keep Systems Up-to-Date
It is important to keep your SAP HANA deployments and your underlying systems up-to-date. If you neglect patching or updating one, unmanaged vulnerabilities can affect the other.
When updating your SAP HANA system, make sure to review the most recent SAP security notes. These notes are released monthly on Security Patch Day, which is the 2nd Tuesday of each month. These notes include information on affected systems and how to defend against specific exploits.
3. Consider Masking or Anonymizing Data
You can perform both masking and anonymization with built-in features. Masking hides parts of data or substitutes parts with synthetic data. It can be used to hide sensitive information from administrators or users, depending on their role. Anonymization either hides key identifying information or uses statistical noise to hide sensitive values.
Both methods can be applied dynamically when data is queried. The original data remains unchanged. Dynamically changing data enables you to prevent the breach of secure data while ensuring valid statistical analyses.
4. Using Vendor Installed Systems
Using vendor installed systems can be a way to ease SAP HANA deployment and configuration. However, using third-party services requires special security measures. Once your vendor, either third-party or SAP, has handed over your deployment, you need to update certain security measures.
Make sure to change all passwords. Pay special attention to the <sid>adm, root, and sapadm passwords, which provide administrative access.
You should also review any existing users and eliminate those that are not needed. Make sure to deactivate the SYSTEM user in particular, which is the superuser used for database creation.
Finally, make sure to rotate your master encryption keys and recreate the public key infrastructure. Rotating and recreating these configurations helps ensure that your encryption is secure.
Conclusion
Proper database security can help you prevent or at least minimize data breaches. This, in turn, can help you avoid hefty regulatory fines, loss of customer trust, or loss of market advantage. When securing your systems, you should combine benefits offered by built-in tools with your larger security platforms. Hopefully, this article helped you better understand the security tools that SAP HANA provides and how to apply some of these tools.
Published at DZone with permission of Eddie Segal. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments