Data Security for SAP Environments

CSP Exposure and APTs

Cloud Service Provider (CSP) administrators, who manage cloud infrastructure, typically have access to the entire solution, including applications and data. Although there may be operational safeguards in place, the potential for insider attacks exists not only from CSP administrators but also from advanced persistent threats (APTs) that use sophisticated, long-term strategies to exploit insiders. In this environment, trust between cloud providers and their customers is no longer enough. Organisations need to know that they and only they, can access their data. They also need to know that protections are in place to guard against both internal and external threats, including APTs.

Data Security Blind Spots

With the native SAP HANA solution, the encryption root key is stored in the secure store in the file system (SSFS), and SAP’s SSFS is collocated on the SAP HANA server. This means encryption keys and data are stored on the same appliance. This is not a good practice, because a hacker can steal both and be able to decrypt the data.

Comprehensive Coverage

SAP HANA provides various traces for obtaining detailed information about the actions of the database system for troubleshooting and error analysis. The data volume encryption feature in SAP HANA does not encrypt database traces and structured and unstructured data in SAP HANA’s Persistence layer, associated databases and log and configuration files.

CipherTrust Transparent Encryption for SAP HANA goes well beyond SAP HANA’s native encryption. It enables enterprises to run high-volume/high-value data for mission critical real time applications in a manner that can be trusted whether on premises or in the cloud. The solution provides greater control with separation of duties and policies for data encryption, with minimal administration. CipherTrust Transparent Encryption for SAP HANA:

•  Addresses business and industry compliance obligations even when data resides in the cloud
•  Establishes safeguards to structured and unstructured data in SAP HANA’s Persistence layer, associated databases, log and configuration files
• Encrypts HANA data and log volumes at the file system level in a cloud service provider infrastructure, with minimal overhead
• Does not require alterations to SAP HANA software or administrative procedures for integration
• Does not require re-architecting databases, applications or storage networks
• Enforces flexible customer defined policies for access controls and audits
• Prevents root/system administrators/privileged users from accessing HANA data
• Safeguards and manages associated encryption keys, allowing cloud service users to be their own custodians
• Provides a FIPS 140-2 Level 1, 2 or 3 certified root of trust for key management
• Eliminates, via the CipherTrust Live Data Transformation option, the downtime required for initial encryption and scheduled rekeying operations

So, while HANA native encryption offers protection of data in all file system storage and prevents unauthorised access to data, CipherTrust Transparent Encryption extends these security features by creating and enforcing policies for the use of keys, maintaining cryptographic keys separate from data, providing custodianship of keys and access policies and maintaining secure logs for auditing and reporting.

CipherTrust Transparent Encryption for SAP HANA:

• Significantly strengthens SAP HANA native encryption
• Delivers proven protection
• Meets compliance requirements
• Deploys quickly without changes to SAP HANA or associated apps
• Enforces rigorous separation of duties
• Secures enterprise data for any SAP HANA cloud deployment
• Allows customers to operate optimally