
SAP HANA SPS10- Security

See what's new in SAP HANA SPS10- Security

Published in: Technology

  1. SAP HANA SPS 10 – What’s New? Security
     SAP HANA Product Management, June, 2015 (Delta from SPS 09 to SPS 10)
     © 2014 SAP AG or an SAP affiliate company. All rights reserved.
  2. Summary (© 2015 SAP SE or an SAP affiliate company. All rights reserved. Public)
     - Simplified role assignment in SAP HANA Cockpit
     - New option for controlling allowed access channels for users
     - Improved UI support for configuring user self services in SAP HANA Cockpit
     - Improved lifecycle management and extended tool support for analytic privileges
     - Simplified certificate management for SSL/TLS and single sign-on
     - Automatic generation of PKI/certificates for internal communication channels
     - FIPS-certified encryption library supported
     - Extended audit logging coverage
     - Additional hardening options for multitenant database container isolation
  3. What’s New in SAP HANA SPS10: Security
     Simplified role assignment in SAP HANA Cockpit
     You can now use SAP HANA Cockpit to assign roles to a user. Roles are the standard mechanism of granting privileges to users in SAP HANA.
     Assigning roles:
       1. Click on the Assign Roles to Users tile on the homepage of the SAP HANA Cockpit.
       2. Assign roles to the user.
  4. Use custom roles for accessing functionality in SAP HANA Cockpit
     You can now easily configure Cockpit to use custom roles for accessing functionality. Access to functionality via tiles in SAP HANA Cockpit is role-based. For SAP HANA Cockpit catalogs and groups delivered as default content, standard roles are available. In some scenarios, however, it might be preferable to use custom roles instead of the standard roles.
     Configure custom role:
       1. Click on the Configure Role-Based Cockpit Access tile on the homepage of the SAP HANA Cockpit.
       2. Assign the required catalog(s)/group(s) to the role.
  5. Control allowed access channels for users
     For users that should only connect via HTTP, you can now enforce this access channel by disabling JDBC/ODBC access.
     By default, JDBC/ODBC access is:
     - Enabled for normal users
     - Disabled for restricted users
     To disable/enable JDBC/ODBC access, use either SAP HANA Studio (user editor) or SQL commands.
     [Diagram: access channels into SAP HANA. Labels: Browser, HTTP(S), SAP HANA XS Application Server, Client Application, SAP HANA Studio, JDBC/ODBC]
  6. User self services enhancements
     E-mail templates and UI support for maintaining the user self service configuration are now available.
  7. Improved lifecycle management for analytic privileges
     SQL-based analytic privileges can now also be created as design-time objects. Analytic privileges grant different users access to different portions of data in the same view based on their business role. The conditions that control which data users see are either contained in an XML document or defined using SQL.
     Advantages of SQL-based analytic privileges (for new projects, we recommend using SQL-based analytic privileges):

     | Feature                                 | SQL-Based | XML-Based |
     |-----------------------------------------|-----------|-----------|
     | Control of read-only access to SQL views | Yes       | No        |
     | Complex filtering                       | Yes       | No        |
  8. Extended tool support for analytic privileges
     Both the Modeling perspective in SAP HANA Studio and Web IDE now support design-time SQL-based analytic privileges.
  9. Simplified certificate management for SSL/TLS and single sign-on
     Most certificates can now be stored and managed directly in the SAP HANA database. SAP HANA uses X.509 certificates for securing internal and external communication channels and for several user authentication mechanisms.
     Recommendation: Store certificates in the database where possible. For multitenant database container systems, storing certificates in the database simplifies the configuration and makes certificate management available to tenant administrators. This is especially relevant for hosting scenarios where tenant administrators usually do not have access to the file system.

     | Certificates can be stored for…                               | …in the database | …in the file system |
     |---------------------------------------------------------------|------------------|---------------------|
     | TLS (client-server communication over JDBC/ODBC)              | YES              | YES                 |
     | TLS (client-server communication over HTTP)                   | NO               | YES                 |
     | TLS (internal communication)                                  | NO               | YES                 |
     | Authentication (SAML, SAP Logon and Assertion Tickets, X.509) | YES              | YES                 |
  10. Viewing certificates stored in the database
      Certificates in the database can currently only be managed using SQL. However, read-only access to certificate-related information is available in SAP HANA Cockpit.
  11. Automatic generation of PKI/certificates for internal communication channels (I)
      A public-key infrastructure (system PKI) for securing internal communication channels using TLS is set up automatically during installation. No user interaction is required for the setup.
      The following communication channels can be secured:
      - SAP HANA scale-out system (Host1, Host2)
      - System replication (SAP HANA Primary, SAP HANA Secondary)
      - SAP HANA with Dynamic Tiering (Hot store, Warm store); with SAP HANA option
  12. FIPS-certified encryption library supported
      CommonCryptoLib is now FIPS-certified. For more information, see http://scn.sap.com/community/security/blog/2015/01/21/sap-s-crypto-kernel-receives-fips-140-2-certificate
      SAP CommonCryptoLib is the successor of SAPCRYPTOLIB and is the default cryptographic library for SAP HANA. It is used for operations that require cryptography, for example data volume encryption and TLS communication encryption. CommonCryptoLib is installed as part of SAP HANA server installation.
  13. What’s New in SAP HANA SPS09: Security
      Extended audit logging coverage
      Audit logging now also covers Data Provisioning and Dynamic Tiering.
  14. Additional hardening options for multitenant database container isolation
      The isolation level is a new option for increasing the isolation between tenant databases on the operating system level. By default, all database processes in an MDC system run under the default operating system user. Tenant databases are self-contained/isolated in terms of users, database catalog, repository, logs, etc. To provide additional protection in case of low-level attacks, you can configure your system for high isolation, with a dedicated operating system user and group for each tenant database.
      [Diagram: SAP HANA system with System database, Tenant database 1, Tenant database 2, … Tenant database N]
  15. More features can be enabled/disabled for tenants
      You can now disable more features in tenant databases. Not all features are required/desirable for tenants in all environments, e.g. features that provide direct access to the file system, the network, or other critical resources.
  16. Security reference information extended
      The reference documentation on security-related topics has been extended.
      SAP HANA Security Guide:
      - Roles assigned to standard users (SYSTEM, _SYS_REPO)
      - SAP HANA content (delivery units): Description, URLs, required roles
      - Security configuration checklist updated
      SAP HANA Administration Guide:
      - SAP HANA Cockpit tile catalogs: Description, required roles
  17. More information
      - Documentation: SAP Help Portal: Security Guide, Master Guide (network topics), Developer Guide, SQL Reference Guide
      - Whitepaper: SAP HANA Security Whitepaper
      - Best practices: How to Define Standard Roles for SAP HANA Systems
      - Training: HA 240

      | SAP Note | Title                                                |
      |----------|------------------------------------------------------|
      | 2159014  | FAQ: SAP HANA Security                               |
      | 1514967  | SAP HANA appliance                                   |
      | 1730928  | Using external software in a HANA appliance          |
      | 1730929  | Using external tools in an SAP HANA appliance        |
      | 1730930  | Using antivirus software in an SAP HANA appliance    |
      | 784391   | SAP support terms and 3rd-party Linux kernel drivers |
      | 1730999  | Configuration changes in HANA appliance              |
      | 863362   | Security checks with SAP EarlyWatch Alert            |
      | 2021789  | SAP HANA revision and maintenance strategy           |

      New
  18. SAP HANA – security patches
      Operating system security patches:
      - Supported operating systems: SUSE Linux Enterprise and RedHat Enterprise
      - Operating system security patches are provided and published by the operating system vendors
      SAP HANA security patches:
      - SAP HANA security patches are published as part of the SAP Security Patch strategy (SAP Security Notes)
        - Security notes for all SAP products are available at: https://support.sap.com/securitynotes
        - For SAP HANA, filter for component HAN*
      - Patches are delivered as SAP HANA revisions
      - More information:
        - SAP HANA revision and maintenance strategy: SAP Note 2021789
        - Security Patch Process
        - SAP Security Notes
        - Frequently asked questions
  19. SAP – security approach
      Security is an important and integral part of every step of the SAP Development Lifecycle which applies to all products. This includes security testing as well as a defined and established process to report and deal with potential security issues.
      Protect your data – and your business – with SAP and its security solutions: http://www.sap.com/security
      More information:
      - SAP security development lifecycle
      - SAP product security response team
      - Source code scanning
      - Product security validation at SAP
  20. Thank you
      Contact information: Andrea Kristen, SAP HANA Product Management, andrea.kristen@sap.com
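
Slide 5 states that JDBC/ODBC access can be disabled or enabled per user with SQL commands. The following is an added example, not taken from the SAP deck, showing how an administrator might audit the current channel settings and then restrict one user to HTTP. The user name WEBSHOP_USER is hypothetical, and the SYS.USERS columns IS_RESTRICTED and IS_CLIENT_CONNECT_ENABLED are assumed from the SQL Reference Guide and should be checked against your revision.

```sql
-- Added example; run as a user with the USER ADMIN system privilege.
-- WEBSHOP_USER is a hypothetical user that only needs HTTP access
-- through an SAP HANA XS application.

-- 1. Audit: classify every user by how its JDBC/ODBC setting compares
--    with the defaults named on the slide (enabled for normal users,
--    disabled for restricted users).
SELECT USER_NAME,
       IS_RESTRICTED,
       IS_CLIENT_CONNECT_ENABLED,
       CASE
         WHEN IS_RESTRICTED = 'TRUE'  AND IS_CLIENT_CONNECT_ENABLED = 'TRUE'
           THEN 'restricted user with JDBC/ODBC enabled (non-default)'
         WHEN IS_RESTRICTED = 'FALSE' AND IS_CLIENT_CONNECT_ENABLED = 'FALSE'
           THEN 'normal user limited to HTTP (non-default)'
         ELSE 'default'
       END AS CHANNEL_STATUS
  FROM SYS.USERS
 ORDER BY CHANNEL_STATUS, USER_NAME;

-- 2. Enforce HTTP-only access for a user that should never connect
--    with a SQL client.
ALTER USER WEBSHOP_USER DISABLE CLIENT CONNECT;

-- 3. Verify the change took effect for that user.
SELECT USER_NAME, IS_CLIENT_CONNECT_ENABLED
  FROM SYS.USERS
 WHERE USER_NAME = 'WEBSHOP_USER';

-- 4. Roll back if a legitimate JDBC/ODBC consumer is found later.
ALTER USER WEBSHOP_USER ENABLE CLIENT CONNECT;
```

Rows flagged as non-default in step 1 are the ones to review: each should correspond to a deliberate decision rather than an accidental change in the user editor.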
