Software from SAP represents a core operational foundation for many of the world’s largest enterprises, powering such core applications as enterprise resource planning, data warehousing, materials management, and more. Used by enterprises both for transactional data operations and for real-time analytics, SAP HANA stores and processes sensitive enterprise data. However, traditional data center perimeter security measures are no longer sufficient to protect this sensitive data. A much more secure, best-practice approach is to encrypt mission-critical data managed by HANA. This is especially important when HANA is deployed in the cloud or offered as a service.
CSP Exposure and APTs
Cloud service provider (CSP) administrators, who manage cloud infrastructure, typically have access to the entire solution, including applications and data. Although there may be operational safeguards in place, the potential for insider attacks exists not only from CSP administrators but also from advanced persistent threats (APTs) that use sophisticated, long-term strategies to exploit insiders. In this environment, trust between cloud providers and their customers is no longer enough. Organizations need to know that they, and only they, can access their data. They also need to know that protections are in place to guard against both internal and external threats, including APTs.
Data Security Blind Spots
With the native SAP HANA solution, the encryption root key is stored in the secure store in the file system (SSFS), and SAP’s SSFS is collocated on the SAP HANA server. This means encryption keys and data are stored on the same appliance. This is not good practice, because a hacker can steal both and then decrypt the data.
SAP HANA provides various traces for obtaining detailed information about the actions of the database system for troubleshooting and error analysis. The data volume encryption feature in SAP HANA does not encrypt database traces and structured and unstructured data in SAP HANA’s Persistence layer, associated databases, and log and configuration files.
CipherTrust Transparent Encryption for SAP HANA goes well beyond SAP HANA’s native encryption. It enables enterprises to run high-volume/high-value data for mission-critical, real-time applications in a manner that can be trusted, whether on premises or in the cloud. The solution provides greater control with separation of duties and policies for data encryption, with minimal administration. CipherTrust Transparent Encryption for SAP HANA:
So, while HANA native encryption offers protection of data in all file system storage and prevents unauthorized access to data, CipherTrust Transparent Encryption extends these security features by creating and enforcing policies for the use of keys, maintaining cryptographic keys separate from data, providing custodianship of keys and access policies, and maintaining secure logs for auditing and reporting.
CipherTrust Transparent Encryption for SAP HANA: