How secure your SAP HANA DB is?
To secure SAP HANA DB modern businesses employ a variety of applications such as SAP, etc., to run their business with seamless integrations. These applications contain vast amounts of sensitive business data. Hackers often target databases instead of applications, as many of the enterprises give utmost importance to secure the applications, but not the databases. To prevent possible attacks, comprehensive security processes and configurations are crucial at the database level as well.
There are however differences between database systems when it comes to security. Not all the databases are the same. Some, such as SAP HANA, provide built-in security. Others require you to manage security manually. The purpose of this article is to give you an overview of SAP HANA and its security features. Additionally, you will learn some best practices for securing SAP HANA deployments.
What Is SAP HANA?
It is SAP’s next-generation revolutionary database, built primarily with a column-oriented table structure. Additionally, it uses in-memory storage, storing data in Random Access Memory (RAM). This differs from traditional databases, which tend to use persistent storage like hard drives.
SAP HANA can store and retrieve application data from memory, which functions as a database server. As your data is stored in memory, you can retrieve it much faster than data that is stored on the disk.
With SAP HANA, you can perform a variety of advanced analytics, such as stream analysis, spatial data analysis, and predictive analytics. Additionally, you can use it to transfer data between databases using Extract, Transform, Load (ETL) processes.
SAP HANA runs in a variety of environments, including on-premises and in the cloud. You can run SAP HANA on Azure, AWS, or GCP.
Risks with SAP HANA database
SAP HANA DB are vulnerable to a variety of risks, including:
- Web applications – Internet access leaves systems more vulnerable due to the requirement for open traffic flow. Since SAP HANA supports integration to third party application, reporting tools, and IDE environments, it is vulnerable to code injection and cross-site scripting attacks. These attacks involve inserting malicious scripts or commands through user input.
- RAM scraping – Viruses or malware run within SAP HANA’s memory are used to infect your systems. Since memory is ephemeral, it is difficult to track these risks. Also, in-memory processes cannot be encrypted since it would degrade performance, so attacks are difficult to stop.
Securing Your SAP HANA DB
SAP by default brings some of the best security practices including features such as encryption, access control, and monitoring. Here is little about these features:
1. Limit authorizations
With SAP HANA, permissions are prioritized based on role, including system privileges, objects, analytic privileges, and package privileges. In the event of compromised credentials, role-based privileges help to limit the damage attackers can cause. It can also help limit the damage that legitimate users might inadvertently cause.
You should follow the principle of least privilege when setting up privileges. By following this principle, you should assign only the minimum number of privileges necessary for each role to be performed. Those with multiple responsibilities should use roles individually to fulfill their responsibilities. You can avoid critical privilege combinations by separating privileges this way. For instance, you should create separate roles to assign privileges and to change database entries.
2. Always Keep Systems Up to date
It is important to keep your SAP HANA deployments and your underlying systems updated. Unmanaged vulnerabilities can occur if you neglect updating one.
Make sure to review the most recent SAP security notes when you update your SAP HANA system. The notes are released every month on Security Patch Day, which falls on the second Tuesday of each month. The notes contain information on affected systems and how to protect against specific exploits.
3. Use the in-built data masking capabilities
With built-in features in SAP HANA, you can mask and anonymize data. Masking hides parts of data or substitutes them with synthetic data. This is a great feature, especially to hide sensitive information from administrators or a specific subset of users, depending on their role. As a result of anonymization, sensitive data is either hidden or masked. Both methods can be applied dynamically when a query is made. However, this will not make any changes to the original data. By dynamically changing data, you can prevent the breach of secure data while ensuring valid statistical analyses.
4. Implement additional security measures
It is also recommended to implement the following security measures:
- Make sure to change the critical passwords periodically.
- Pay special attention to the <sid>adm, root, and sapadm passwords, which provide administrative access.
- Periodically review the existing users and eliminate those that are not needed. (Don’t delete the IDs, instead deactivate them.)
- Make sure to deactivate the SYSTEM user in particular, which is the superuser used for database creation.
- Keep on changing the master encryption keys. This step will ensure that your encryption is secure.
5. Implement the right authentication feature
SAP HANA users can log in with username and password, as well as SAP logon and assertion tickets, Kerberos, Security Assertion Markup Language (SAML), and client certificates. By doing this, you allow only authorized users to access SAP HANA databases.
Are these enough? May be not, in additional to implementing these recommendations, it is also recommended to enable Audit logs for the below critical actions:
Intrusion detection – As a part of intrusion detection, you can check actions such as unsuccessful connection attempts, and attempts to validate user credentials. These audit trails will help you to detect any anonymous attempts and secure the systems immediately.
Security change log and traceability – It is highly recommended to track the security changes such as changes to users, roles, structured privileges, and repository content. Below actions must be included in the Audit trails
– Changes to authorizations
– Changes to Users
– Changes to structured privileges
– Changes and activation of repository content
System Configuration Changes – Changes to system configurations must be audited, this includes changes to certificates and certificates collections, changes to authentication providers, changes to client-side encryption, changes to configuration files (*.ini) and changes to SAP HANA license keys.
Furthermore, audit trails must be enabled for activities such as unsuccessful events and tables with sensitive business data. Note that enabling trails for ALL actions will cause performance issues and occupy a lot of DB space. Consider keeping the logs for a shorter period and deleting those that are no longer needed or archiving them.
How long to retain the audit logs?
It is recommended to retain audit logs for at least 30 days. The old logs can be archived or deleted as per the retention policy. To create an audit policy with a retention period, you may use the below syntax:
CREATE AUDIT POLICY “_SAP_authorizations” AUDITING ALL GRANT ANY, REVOKE ANY LEVEL INFO TRAIL TYPE TABLE RETENTION 30;
ALTER AUDIT POLICY “_SAP_authorizations” ENABLE;
With proper database security, data breaches can be prevented or minimized. As a result, you can avoid regulatory fines, customer distrust, and market advantage. Note that performing the actions listed in this article by itself does not make your system secure. It is best to use built-in tools in conjunction with a larger security platform. Contact to our Subject Matter Experts (SMEs)today!