
SAP HANA Security Guide

PUBLICSAP HANA Platform SPS 12 Document Version: 2018-01-24 SAP HANA Security GuideContent1 Important Critical Introduction to SAP HANA SAP HANA Security SAP HANA The SAP HANA SAP HANA XS and Development SAP HANA Implementation HANA as a Data HANA in a Classic 3-tier HANA as Technical Infrastructure for Native Applications, SAP HANA Multitenant Database for Multitenant Database SAP HANA Network and Communication Communication Network Securing Data Communication Between SAP HANA and JDBC/ODBC Communication Between SAP HANA XS Classic and HTTP Internal SAP HANA User User User Administration Predefined Deactivate the SYSTEM SYSTEM User in Multitenant Database SAP HANA Authentication and Single User Authentication Authentication in Multitenant Database SAP HANA Logon Password Policy Configuration HANA Security Single Sign-On Sign-On Using Sign-On Using SAML Sign-On Using SAP Logon and Assertion Sign-On Using JSON Web SAP HANA Database Authorization in the Repository of the SAP HANA Authorization in the Authorization in the and Revoking Privileges on Activated Repository Cross-Database Authorization in Multitenant Database Data Storage Security in SAP

PUBLIC SAP HANA Platform SPS 12 Document Version: 1.2 – 2018-01-24 SAP HANA Security Guide


Transcription of SAP HANA Security Guide


Server-Side Data Key Service Data Volume Volume Encryption in Multitenant Database Secure Storage of Passwords in SAP Internal Credential User Store (hdbuserstore) Protection of Data in SAP HANA Studio Data Protection and Privacy in SAP Deletion of Personal Auditing Activity in SAP HANA Audit Audited by Default Audit Audit Trail Layout for Trail Target CSV and Trail Layout for Trail Target Database Auditing Configuration and Audit Policy System Properties for Configuring Best Practices and Recommendations for Creating Audit Certificate Management in SAP Client Certificate Collections SQL Statements and Authorization for In-Database Certificate Security Risks of Trace and Dump Security for SAP HANA Extended Application Services, Advanced Technical System Landscape of SAP HANA XS Server and User Administration and Authentication in SAP HANA XS XSA Database Roles for Administration Authorization in SAP HANA XS and , Attributes, and Role Role Management Tools.

Network and Communication Security with SAP HANA XS Data Storage Component Security Aspects of Data, Data Flow, and : Login with xs : Pushing an Application with xs : Access Application Data via Security -Relevant Logging and Security Aspects of SAP Web IDE for SAP HANA Security User Authorization and Known Security -Related Security for Other SAP HANA Platform SAP HANA Platform Lifecycle Management ( Security ).. SAP HANA Content ( Security ).. SAP HANA Smart Data Access ( Security ).. SAP HANA R Integration ( Security ).. SAP HANA Information Composer ( Security )..24017 Security for SAP HANA Replication SAP HANA Security Reference Security Reference for Multitenant Database Features in Multitenant Database Blacklisted System Properties in Multitenant Database Components Delivered as SAP HANA Content .. Lifecycle and

1 Important Critical Configurations

Caution

SAP HANA has many configuration settings that allow you to customize your system specifically for your implementation scenario and system environment.

Some of these settings are specifically important for the security of your system, and misconfiguration could leave your system vulnerable. For this reason, a security checklist of critical configuration settings is available. See SAP HANA Security Checklists and Recommendations (For SAP HANA Database) on SAP Help Portal.

We recommend that you verify your system for critical configurations and latest security patches. Specifically, we recommend verifying that:

- The initial default master keys of the following stores have been changed:
  - The secure store in the file system (SSFS) of the instance
  - The SSFS used by the system public key infrastructure (PKI)
  - The SAP HANA secure user store (hdbuserstore) of the SAP HANA client
- Critical privileges are only assigned to trusted users and critical privilege combinations are avoided if possible.
- The network configuration of your SAP HANA system is set up to protect internal SAP HANA communication channels.
- Latest security patches are applied for the SAP HANA system as well as the underlying operating system.

For more information about how to check critical settings and how to find information on recommended settings, see SAP HANA Security Checklists and Recommendations (For SAP HANA Database) on SAP Help Portal.

For more information about keeping your system up to date by installing the latest security patches, see the section on SAP HANA Security Patches [page 11].

2 Introduction to SAP HANA Security

The SAP HANA Security Guide is the entry point for all information relating to the secure operation and configuration of SAP HANA.

This guide does not cover security-relevant information for SAP HANA options and capabilities, such as SAP HANA dynamic tiering and SAP HANA smart data streaming. For more information about the security of options and capabilities, see the relevant documentation on SAP Help Portal.

Be aware that you need additional licenses for SAP HANA options and capabilities. For more information, see Important Disclaimer for Features in SAP HANA Platform, Options and Capabilities [page 276].

Why is Security Necessary?

Protecting corporate information is one of the most important topics for you as an SAP HANA customer. You need to meet ever increasing cyber-security challenges, keep your systems secure, and stay on top of the compliance and regulatory requirements of today's digital world. SAP HANA allows you to securely run and operate SAP HANA in a variety of environments and to implement your specific compliance, security, and regulatory requirements.

Security Information Map

In addition to the SAP HANA Security Guide, several other documents in the SAP HANA documentation set provide task- and tool-oriented security information for specific roles and lifecycle phases. Security-related reference documentation is also available. The following figure shows you where you'll find which information.

For a high-level overview of all security capabilities in the SAP HANA platform, as well as links to security-related blog posts, videos, and white papers, visit

[Figure: Security Information Map]

Note

The topics listed above for each area are not intended to be exhaustive but

Audiences

| Document | Target Audience | Content Type |
| SAP HANA Security Guide | Technology consultants, security consultants, system administrators | Concept and overview |
| SAP HANA Master Guide | Technology consultants, security consultants, system administrators | Concept and overview |
| Security Checklists and Recommendations | System administrators | Reference |
| SAP HANA Administration Guide | System administrators | Task- and role-oriented |
| SAP HANA Developer Guides (XSA) | Database developers, application programmers and client UI developers working in the SAP HANA XS advanced model using the SAP Web IDE for SAP HANA | Task- and role-oriented |
| SAP HANA Developer Guides (XSC) | Database developers, application programmers, and client UI developers working in the SAP HANA extended services (SAP HANA XS) classic model using either the SAP HANA studio or SAP HANA Web-based Developer Workbench | Task- and role-oriented |
| SAP HANA SQL and System Views Reference | Technology consultants, security consultants, system administrators | Reference |
| SAP HANA SQL Command Network Protocol Reference | Developers | Reference |

Additional Documentation Resources

SAP HANA Documentation

For more information about the SAP HANA landscape, including installation and administration, see SAP Help Portal at

SAP Notes

Important SAP Notes that apply to SAP HANA security are listed in the table below.

In addition, SAP publishes information related to security corrections and improvements through SAP security notes. For more information about security notes, see SAP HANA Security supports that customers install additional tools on the SAP HANA appliance within defined boundaries. It is the responsibility of the customer to ensure that the network channels used by those tools are appropriately protected. For detailed information, see the SAP Notes listed below. For SAP HANA deployments that use the SAP HANA tailored data center integration model, the regulations are less restrictive compared to the appliance delivery model. The listed SAP Notes can give guidance on the options available for securing SAP HANA.

| SAP Note | Title |
| 1514967 | SAP HANA: Central Note |
| 1730928 | Using external software in an SAP HANA appliance |
| 1730929 | Using external tools in an SAP HANA appliance |
| 1730930 | Using anti-virus software in an SAP HANA appliance |
| 1730996 | Non-recommended external software and software versions |
| 1730997 | Non-recommended versions of anti-virus software |
| 1730998 | Non-recommended versions of backup tools |
| 1730999 | Configuration changes in SAP HANA appliance |
| 1731000 | Non-recommended configuration changes |

Other Information

For more information about specific topics, see the quick links in the table below.

Content SAP Service Marketplace or SDN Quick Link Other SAP Security SAP Solution Information SAP HANA Security Patches [page 11]

3 SAP HANA Security Patches

To ensure the security of SAP HANA, it's important that you keep your systems up to date by installing the latest SAP HANA revision and monitoring SAP security notes.

SAP HANA Revisions

Security-related code improvements and corrections for SAP HANA are shipped with SAP HANA revisions. SAP publishes information related to security corrections and improvements through SAP security notes. In general, security notes contain information about both the affected SAP HANA application areas and specific measures that protect against the exploitation of potential weaknesses. Additional security measures are also documented here. SAP security notes are released as part of the monthly SAP Security Patch Day.

We recommend that you regularly review new security notes for SAP HANA application areas and decide whether they are relevant in the context of your systems and

For more information about SAP security notes and the SAP Security Patch Day, see SAP Support Portal at

To get full access to SAP Support Portal, you need an authorized user

For a list of all SAP HANA application areas, see the SAP HANA Master Guide.

For more information about updating SAP HANA to a new revision, see the SAP HANA Server Installation and Update Guide.

Operating System Patches

Install security patches for your operating system (OS) as soon as they become available.

If a security patch impacts SAP HANA operation, SAP will publish an SAP Note where this fact is stated. It is up to you to decide whether to install such patches.

If your SAP HANA system runs on SUSE Linux Enterprise Server for SAP Applications, see SAP Note

If your SAP HANA system runs on Red Hat Enterprise Linux (RHEL), see SAP Note

4 SAP HANA Overview

SAP HANA is an in-memory platform for doing real-time analytics and for developing and deploying real-time applications. For on-premise deployment, SAP HANA comes either pre-installed on certified hardware provided by an SAP hardware partner (appliance delivery model) or must be installed on certified hardware by a certified administrator (tailored data center integration model).

However, SAP HANA is more than a database management system. It is also a comprehensive platform for the development and execution of native data-intensive applications that run efficiently in SAP HANA, taking advantage of its in-memory architecture and parallel execution

The SAP HANA Database [page 12]
At the core of SAP HANA is the high-performance, in-memory SAP HANA database.

SAP HANA XS and Development Infrastructure [page 13]
SAP HANA includes the SAP HANA extended application services (SAP HANA XS), a layer on top of the SAP HANA database that provides the platform for running SAP HANA-based Web applications.

