SAP HANA Security
What is database security?
The necessity to understand database security is increasing with the growing importance of data and data management for business innovation.
Database Security is a complex effort that requires a full blown 360-degree approach - and SAP HANA and SAP HANA Cloud come equipped with a natively comprehensive, strong and robust security framework. It helps organisations to comply with security-relevant regulations and policies and helps to protect the confidentiality, integrity and availability of the data from common threats like unauthorised access, illegitimate privileges and missing control policies.
Data is at the core of today’s digitised economy, constantly increasing not only in volume, but also in value and importance to businesses. Protecting a company’s critical data from unauthorised access and ensuring compliance with the growing number of security, legal and regulatory requirements (e.g. GDPR) is therefore a top concern for business leaders.
Database security should address all security aspects such as secure data access and applications, with functions for authentication and user management, authorisation, masking, anonymization, encryption and auditing.
SAP HANA Security
Address cybersecurity challenges and innovate with confidence, while taking steps to keep your systems secure and comply with the regulatory requirements of today's digital world.
Authentication and user management
SAP HANA and SAP HANA Cloud provide unified user and identity management. SAP HANA provides tools for user administration and role assignment, as well as adapters for SAP Identity Management and SAP Access Control, which allow integration into existing user provisioning infrastructures.
In cloud context you make use of state-of-the-art Single-Sign-On authentication mechanisms like SAML, JWT-Tokens, X.509 certificates or SAP logon through Cloud connector. Additionally, you can connect SAP HANA to third party systems via Kerberos. For combining both worlds within your enterprise you could also connect via LDAP directory service.
Authorisation and role management
The comprehensive authorisation framework of both SAP HANA and SAP HANA Cloud provides highly granular access control. Users can only access the SAP HANA database through defined client interfaces. Their ability to perform operations on database objects is determined by the privileges and roles that they have.
Roles are used to bundle and structure the privileges required for specific user functions or tasks. Privileges are based on standard SQL object privileges and SAP HANA-specific extensions for business applications
SAP HANA provides a broad range of encryption capabilities. For SAP HANA Cloud, communication encryption, data-at-rest encryption as well as backup encryption are always activated and are part of SAP HANA’s core feature set. For on-premise SAP HANA installations, you can configure the same encryption options and more. For both deployment types, the integration with SAP Data Custodian KMS is available, to provide you with full control over your encryption keys.
Preserve privacy and trust while deriving value from data with real-time data anonymization and security. Gain secure and compliant data access in real time without data duplication, keep your data always protected - whether at rest or in motion, lower the risk of security or privacy breaches and simplify compliance with regulations such as GDPR.
Real-time SAP HANA data anonymization happens at the view level, so the data at the table level remains unchanged. SAP HANA offers two different anonymization methods: k-anonymity and differential privacy. Additionally, you can add custom definition of anonymization views, access reporting views, and make use of the integration into our authorisation framework.
- Enables customers to utilise personal data without inferring the privacy of individuals
- Makes analytics and machine learning scenarios of anonymized personal data possible
- Enhances customer's ROI by leveraging the value of enterprise data that was previously inaccessible
Native SAP HANA dynamic data masking is available with SAP HANA and SAP HANA Cloud. This functionality protects data at row-level with data masking in tables and views. Data is not replicated but masked on-the-fly if accessed by unauthorised users.
What is the difference between SAP HANA data anonymization and SAP HANA data masking
SAP HANA data anonymization (of data sets)
- Structured approach to protect the privacy of individuals in complex data sets
- Real-time analytics on anonymized data enables insights into data that could not be leveraged beforehand
SAP HANA data masking (of attributes)
- Selectively hide sensitive information from DBAs and power users with broad access
- Display or hide sensitive information depending on the user role - for example for call centre employees
Auditing allows you to monitor and record selected actions performed in the SAP HANA Cloud and and SAP HANA Platform, SAP HANA databases. Well-designed audit can help you achieve greater security of your database in various ways like detect security vulnerabilities if too many privileges were granted to certain users, reveal security breach attempts, protect the system owner against accusations of security violations and data misuse or allow the system owner to meet security standards.
SAP HANA offers highly configurable, policy-based audit logging for critical system events, for example, changes to roles or the database configuration. It can also record access to sensitive data: write and read access to objects such as tables or views, as well as the execution of procedures. For situations where a highly privileged user needs temporary access to a critical system, firefighter logging can be enabled. Additionally, for SAP HANA Cloud there is a comprehensive logging for cloud operator actions available.
SAP HANA is developed according to SAP’s secure development lifecycle, which is a comprehensive framework of processes, guidelines, tools and staff training to safeguard the architecture, design and implementation of all SAP solutions. The secure development lifecycle is a threat-based approach, which includes risk and data protection assessments, comprehensive security testing including automated and manual tests as well as penetration testing, and a separate security validation phase.
Keep your deployment of SAP HANA up to date with the latest security updates, which are released on second Tuesday of every month. SAP strongly recommends to visit the Support Portal and apply patches on a priority to protect your SAP landscape.
With the transition to the cloud, the solutions offered by SAP are also changing in terms of the operating model. For HANA as a managed service in the cloud, SAP is responsible for setting up and operating the service. You choose your configuration options via self-services or service requests and are responsible for the whole data layer. This way, SAP helps you to get the most out of your data and meanwhile benefit from a managed and always-running service.
SAP operates its solutions to the highest and most important standards. For more information, visit our SAP Trust Center on the compliance finder page and filter by Business Technology Platform, as SAP HANA is part of this broader solution. There you can find our certifications and attestations like ISO, SOC and EU CCoC.
SAP HANA Security Framework
SAP HANA provides a holistic security framework, on premise and in the cloud. SAP HANA enables organisations to embrace security standards and provides the necessary tools to innovate with confidence in today’s business environment. Organisations can easily configure, manage and monitor security. To stay ahead of the competition, SAP HANA data privacy features can help meet increasing regulatory and compliance requirements.
Safeguarding data and accessibility in SAP HANA and SAP HANA Cloud
Learn how the security approach for SAP HANA, part of the Business Technology Platform, and its security capabilities help control critical business data. See how features such as real-time data anonymization and dynamic data masking address data protection and privacy requirements for laws such as the EU General Data Protection Regulation (GDPR).