SAP software is the core operational foundation for many highly regulated organizations, supporting essential applications such as enterprise resource planning, data warehousing, and materials management.

Encryption solutions have long been crucial for protecting data and ensuring compliance with regulatory requirements. However, this raises questions about who owns and controls the infrastructure environment and the data, including the related encryption keys.

Thales guarantees data security in SAP environments by offering key generation, separation of duties, reporting, and key lifecycle management solutions.

External key management for SAP applications

Thales and SAP offer external, multi-cloud key lifecycle management for SAP applications, allowing organizations to protect sensitive data while maintaining control over their encryption keys. With the integration of SAP Data Custodian Key Management Service (SAP Data Custodian KMS) and Thales CipherTrust Cloud Key Management (CCKM), highly regulated enterprises can externally root their encryption keys, enabling Bring Your Own Keys (BYOK) and Hold Your Own Keys (HYOK) data security policies.

Key features and benefits:

Securely generate, store, and protect customer-managed encryption keys
Improve IT efficiency and reduce costs by simplifying key management
Maximize choice from a single console, manage BYOK and HYOK keys across multiple clouds
Comply with the most stringent data protection and sovereignty mandates such as GDPR, LGPD, PCI-DSS, and CCPA
Simplify compliance reporting with detailed audit logs and prepackaged reports
Root keys in up to FIPS 140-2 Level 3/FIPS 140-3 Level 3 security by leveraging CipherTrust Manager or Thales Luna HSMs

Read the BYOK Solution Brief Read the HYOK Solution Brief

Simplify SAP HANA data encryption

CipherTrust Transparent Encryption for SAP HANA enables enterprises to run high-volume/high-value data for mission-critical real-time applications in a manner that can be trusted, whether on-premises or in the cloud. The solution offers enhanced control through the separation of duties and policies for SAP HANA data encryption, with minimal administrative requirements.

Key features and benefits:

Address business and industry compliance obligations even when data resides in the cloud
Establish safeguards to structured and unstructured data in SAP HANA’s persistence layer
Encrypt HANA data and log volumes at the file system level without re-architecting the database or application
Enforce flexible customer-defined policies for access controls and audits
Safeguard and manage associated encryption keys, allowing cloud service users to be their own custodians
Root keys in up to FIPS 140-2 Level 3/FIPS 140-3 Level 3 security by leveraging CipherTrust Manager or Thales Luna HSMs

Read the Solution Brief

[Thales] facilitates the control of data, preventing access from people that might have the rights of access but not the privilege."

Damian McDonald VP of Global Information Security Becton, Dickinson and Company Read the Case Study

Recommended resources

Protecting sensitive data in and around SAP HANA

On the surface, encrypting the database instance using SAP native encryption would appear to be sufficient to protect data at rest within the SAP HANA database. But, enterprises storing sensitive data in an SAP HANA database need to consider exactly where in and around the database sensitive data might reside -- even outside the direct control of the Database Administrators (DBAs). To give an example, an SAP HANA database might encounter an error causing it to send information with sensitive data into a trace file or an alert log.

Get the White Paper