
Information Security Questions of Hosting SAP HANA Database in Cloud

ABSTRACT

Key words: SAP HANA, ERP, cloud technologies, on-premises, transaction, analytics, authentication, single sign-on.

SAP HANA (High Performance Analytics Appliance) is the leading platform for real-time in-memory computing, combining analytical tools and transaction processing of large data volumes. SAP offers 3 basic options for hosting SAP HANA databases: traditional (on-premises, at the facilities of the customer), in the cloud, and hybrid. The cloud is an effective alternative to large investments in the purchase of hardware (typical of traditional hosting), administration and upgrades. One of the reasons for the slow growth in popularity of cloud technologies in the Republic of Belarus is the assertion that data storage in the cloud is insecure. The research presents some aspects of information security for several options of hosting an SAP HANA database in the cloud, together with an evaluation and analysis of the most effective forms from a security standpoint. It shows that the cloud solution can be used securely when the recommended means of information protection are implemented.

INTRODUCTION

Many software systems are based on database technologies. One of the largest suppliers of systems for working with databases is SAP (German: “Systeme, Anwendungen und Produkte in der Datenverarbeitung”, meaning “Systems, Applications and Products in Data Processing”).

SAP ERP covers all areas of financial and managerial accounting, personnel management, operational activities and services of the company. It provides full functionality necessary for the implementation of information self-services and Analytics. In addition, SAP ERP provides tools for system administration and tasks such as user management, centralized data management and management of web services.

A new-generation system should be able to evaluate, analyze, predict and give recommendations, all in real time. In-memory technology is the only way to solve the problem of processing real-time data, and it supports new data types such as social media monitoring and automatic meter and sensor readings via the Internet.

SAP HANA (High Performance Analytics Appliance) is the leading platform for real-time in-memory computing combining analytical tools and transaction processing of large data volumes.

1. SAP HANA platform: database hosting

SAP HANA provides users with flexible and operational data modeling, eliminates the wait time for changes to the data model and for database administration tasks, and eliminates the delay that a traditional database needs for loading the backup data store.

SAP HANA provides three main options of database hosting:

  1. In the cloud:
     • Private Cloud
     • Enterprise Cloud
     • Hybrid (Private+Enterprise)
  2. On-premises (at the facilities of the customer)
  3. Cloud + on-premises (partially on-premises, some of the applications in the cloud: SRM, CRM modules and so on)

If you select the “on-premises” option, you need a set of hardware, which is usually purchased with a reserve for the future. The calculation of the required capacity should include unexpected loads and a reserve for growth. According to statistics, server capacity utilization is 40-60%. At the same time, the hardware must be constantly maintained. The company incurs costs but does not receive a full return on investment.

Cloud solutions make it possible to minimize service costs or eliminate them altogether. The cloud is an effective alternative to large investments in the purchase of a company's own equipment and to administration and upgrade costs.

In general, “cloud computing” is an approach to the placement, delivery and consumption of applications and computer resources in which applications and resources become available through the Internet as services consumed on various platforms and devices. [3]

As a part of the transformation to cloud-based solutions it is effective to use SAP HANA platform as the most modern and powerful computing technology that allows you to achieve multiple effects. SAP HANA provides users with functions of fast and flexible data modeling by creating non-persisted views directly with all required details. SAP HANA speeds up changes taking place in the data model and eliminates the latency associated with loading the backing store of the data required for traditional databases. Elimination of aggregates and indices of relational tables, and appropriate technical support can significantly reduce total cost of ownership.

SAP HANA databases in the cloud improve the overall effectiveness of the solution because continuous support of the hardware is handled by the organizations that lease the public cloud (HANA Enterprise Cloud) or rent out a private cloud (Private Cloud). An additional advantage of hosting databases in the cloud (HANA Enterprise Cloud) is a centralized mechanism for updating the database with the latest SAP updates and patches. Thus, we can distinguish the following main advantages of SAP HANA databases in the cloud:

  1. Reduced cost of equipment maintenance (in some cases reduced to zero).
  2. Availability of the latest system updates: the company always works with the latest technologies.

However, the question of cloud information security solutions still remains open.

2. Cloud solutions in the Republic of Belarus

In general, the consumption of cloud technologies in our market lags behind Western Europe and North America, especially in the segment of small and medium businesses. For these regions cloud solutions are typical and often the only accessible form of information technology. In the Republic of Belarus, small and medium businesses are currently at the acceleration stage, so the main growth of the market is provided by large companies that build private clouds and use public clouds for individual units or business tasks. This also applies to the transfer of corporate email, video conferencing, CRM solutions for transportation of management and other business applications into the cloud.

One of the reasons for the slow growth of the popularity of using Cloud technologies in the Republic of Belarus is the assertion of the insecurity of data in Cloud storage.

Globally, the issues of information security are governed by ISO/IEC 27017:2015 / ITU-T X.1631 (Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services) as well as by local legislative regulations in the field of information security.

In Belarus, information security of cloud solutions is regulated by the Law “On telecommunications”, the presidential Decree № 60. [1]

There are no specific rules on the issues of information security of “cloud solution” at the moment.

However, government policy supports the development and promotion of cloud technologies. The decree of the President of the Republic of Belarus No. 46, dated 23 January 2014, provides for the establishment of the Republican platform, operating on the basis of cloud technologies. This platform will be implemented on the basis of the core network of the Unified Republican data transmission network, the National Data Processing Centre and a virtual “cloud”.

3. Data security in HCP

Nowadays the most popular methods of information security in the “Cloud technologies” are:

1) Encryption;

2) Protection of data during transmission;

3) Authentication;

4) User isolation.

Let us have a look at the methods of information protection, which SAP HANA Cloud platform provides.

Data protection is one of the main features of the SAP HANA Cloud platform (SAP HCP), which is easily synchronized in all systems interfaces. SAP HCP includes the following components of information security:

  • Protection of logging
  • Integrated application protection.

For example, the user can log in to multiple systems simultaneously using Single Sign-on (SSO).

Single Sign-On (SSO) is a technology in which a user, once authenticated in the certificate authority, is automatically authenticated to the other services of the same company. [1]

Figure 1. The scheme of user authentication in single sign-on

Now let us focus on the available options of extended information security provided for SAP HCP.

The storage of data in the SAP HANA database is equipped with different security measures. Strict data separation is required for multi-tenancy. Alternatively, the data can be stored in encrypted form. There can be numerous isolated databases in HCP, which allows different applications to be separated from each other, so that each business unit or customer can use only its own specific data. Additionally, to support recovery and backup, data is stored on the file system as well as in memory, and users can choose to encrypt the stored data. In a multi-tenant landscape this choice can be made individually for different users.

4. Use of authentication on the HCP

HCP applications have a default set of authorization and authentication services. Different roles can be assigned to the users of a specific application, which makes it possible to expose only certain portions of the application to specific users. Furthermore, the SAP Cloud Identity service, also known as the SAP ID service, is the standard identity provider of the HCP.

SAP Cloud Platform Identity Authentication service is a cloud service for secure authentication and user management for SAP cloud applications and on-premise applications. It provides services for authentication, single sign-on, user management, and on-premise integration as well as convenient user self-services such as registration or password reset for employees, customer partners, and consumers. Identity Authentication service provides security features for protecting access to applications – definition of risk-based authentication rules, two-factor authentication and delegated authentication to on-premise user stores or other identity providers.

Identity Authentication is offered as a standalone service. Being tightly integrated with SAP Cloud Platform, it is offered as part of SAP Cloud Platform and part of many other SAP cloud products establishing itself as the central authentication hub for SAP customers for SAP and non-SAP applications.

Identity Authentication is hosted and maintained in SAP’s secure, world-class data centers. [2]

Features and Functions:

  • Secure authentication to cloud and on-premise applications
  • Single sign-on from anywhere on any device
  • Social login via Twitter, LinkedIn, Facebook and Google
  • Two-factor authentication based on one-time passwords (OTP)
  • Risk-based authentication, applied for applications, user group assignment and IP ranges
  • Easy application on-boarding
  • Support of SAP and 3rd party applications
  • Password policies on application level
  • Own look & feel including company branding
  • Self-services (self-registration, password reset, etc.)
  • Configurable user registration form
  • REST APIs for user management
  • Custom privacy policy and terms of use setup on application level
  • Responsive user interfaces
  • Usage reporting capabilities
  • Delegated authentication via integration with on-premise user stores and corporate identity providers

This service is used by default, and you can choose whether to use authentication from the browser or basic authentication. Regardless of which identity provider you choose, the HCP facilitates single sign-on. The SAP HCP always uses the data provided by the identity provider, as it does not store the identity information itself. To integrate applications, you can use the Open Authorization (OAuth) scopes provided by HCP. [5]
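The feature list above mentions risk-based authentication applied per application, user group and IP range. The following Python sketch is an added example, not SAP code or the Identity Authentication service's rule format: it shows how a first-match rule list of that kind resolves to allow, deny or a one-time-password step. The `Rule` layout, group names and address ranges are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

ALLOW, TWO_FACTOR, DENY = "allow", "two_factor", "deny"


@dataclass(frozen=True)
class Rule:
    action: str
    group: Optional[str] = None     # None matches any user group
    ip_range: Optional[str] = None  # CIDR block; None matches any address

    def matches(self, groups: frozenset, source_ip: str) -> bool:
        if self.group is not None and self.group not in groups:
            return False
        if self.ip_range is not None:
            # An IPv6 client never falls inside an IPv4 range (and vice versa).
            return ip_address(source_ip) in ip_network(self.ip_range)
        return True


# Constructed policy for one application, evaluated top to bottom.
# Order matters: the administrator rule sits above the network-based ALLOW,
# otherwise an administrator on the office network would skip the OTP step.
RULES = [
    Rule(DENY, group="suspended"),
    Rule(TWO_FACTOR, group="administrators"),
    Rule(ALLOW, group="employees", ip_range="10.20.0.0/16"),
    Rule(TWO_FACTOR, group="employees"),
]


def decide(groups: Iterable[str], source_ip: str, rules=RULES, default=DENY) -> str:
    """Return the action of the first matching rule, else the default."""
    try:
        ip_address(source_ip)
    except ValueError:
        return DENY  # unparseable source address: fail closed
    member_of = frozenset(groups)
    for rule in rules:
        if rule.matches(member_of, source_ip):
            return rule.action
    return default  # no rule matched (e.g. unknown group): default deny
```
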

5. Security of the integration using HCP

One of the most secure and simple ways to integrate on-premises environments with the HCP is the Cloud Connector. This cloud connector is also known as Secure Socket Layer, and it gives the HANA Cloud Platform controlled and auditable access to on-premises services. Users can consume these services within an HCP application through a set of Java functions offered by the connectivity services. Moreover, MAIL, RFC and HTTP connections can be set up easily. Web services and ABAP and Java SAP systems can be easily integrated with HCP applications. The SAP HANA Cloud Platform uses the generic identity provider for integrating mobile services throughout the entire platform. The protection of mobile users' personal data is guaranteed by effective encryption and other privacy measures taken on the HCP.

The SAP Cloud Platform cloud connector (Cloud connector) serves as the link between on-demand applications in SAP Cloud Platform and existing on-premise systems. It combines an easy setup with a clear configuration of the systems that are exposed to SAP Cloud Platform. In addition, you can control the resources available for the cloud applications in those systems. Thus, you can benefit from your existing assets without exposing the whole internal landscape.

The Cloud connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy between the on-premise network and SAP Cloud Platform. Due to its reverse invoke support, you do not need to configure the on-premise firewall to allow external access from the cloud to internal systems. The Cloud connector provides fine-grained control over:

  • On-premise systems and resources that shall be accessible by cloud applications;
  • Cloud applications that shall make use of the Cloud connector.

You can use the Cloud connector in business critical enterprise scenarios. The tool takes care to automatically re-establish broken connections, provides audit logging of the inbound traffic and configuration changes, and can be run in a high-availability setup. [2]
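The fine-grained control over exposed on-premise systems and resources described above amounts to a default-deny allow-list. The Python sketch below is an added example, not the Cloud connector's code or configuration format: host names, paths and the `EXPOSED` layout are constructed assumptions. It shows the checks such a list needs so that only the listed resources are reachable: path normalisation before matching, and a segment boundary on prefix matches.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed allow-list: (internal host, port) -> [(path, include_sub_paths)]
EXPOSED = {
    ("erp.corp.example", 443): [
        ("/sap/opu/odata/sales", True),  # this path and everything beneath it
        ("/sap/bc/ping", False),         # this exact path only
    ],
}


def normalise(path: str) -> Optional[str]:
    """Decode once and collapse dot segments; refuse ambiguous input."""
    decoded = unquote(path)
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None  # double encoding, backslash or NUL: fail closed
    if not decoded.startswith("/"):
        return None
    return posixpath.normpath(decoded)


def is_exposed(url: str) -> bool:
    """True only if host, port and normalised path are on the allow-list."""
    parts = urlsplit(url)
    try:
        port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    except ValueError:
        return False  # malformed port
    path = normalise(parts.path or "/")
    if path is None:
        return False
    # Unknown host/port pairs yield an empty list, i.e. default deny.
    for allowed, include_sub_paths in EXPOSED.get((parts.hostname, port), []):
        if path == allowed:
            return True
        # Require a "/" boundary so "/sales" does not also admit "/salesforce".
        if include_sub_paths and path.startswith(allowed + "/"):
            return True
    return False
```
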

Figure 2. General scheme of authentication in cloud solutions

At the end, in my opinion, this overview of security measures on SAP HANA cloud platform provides an idea of the standards and opportunities available on the platform. HCP provides all the components to quickly and easily expand existing environments, without any impact on existing security infrastructure and policies.

CONCLUSION

From the context above we can draw the following conclusions:

  1. When deciding where to locate SAP HANA databases, the company should consider certain aspects that can affect the final choice. These aspects include the following parameters:

     – Purchasing costs

     – Maintenance costs

     – The efficiency of capacity utilization

     – Parameters of the information security of the chosen option.

  2. SAP HANA Cloud platform provides all the components for fast and simple transformation of existing infrastructure, without any harm to existing policies and security systems.

Thus, the hosting of databases on SAP HANA cloud platform can be considered as the most effective and safe option, considering the usage of the methods and systems provided by default on the SAP HANA Cloud platform.

BIBLIOGRAPHY

  1. Katashichev I. A., Barylova E. A. Protection of information in “Cloud technology” as a subject of national security // The Young Scientist. — 2015. No. 6.4. — P. 30-34.
  2. https://blogs.sap.com/2016/05/11/sap-hana-cloud-platform-and-its-effective-security-capabilities/
  3. E. Schneider and R. Jandhyala, the Computing technology of SAP® In-Memory: changing the way of managing business information and Analytics (SAP AG, March 2011, available at http://fm.sap.com/data/UPI OAD/files/SAP_In-Memorv Computing_ Technology_.pdf)
  4. The main SAP HANA source ® www.experience.saphana.com
  5. Help portal SAP® help.sap.com/hana/
  6. SAP HANA security guide help.sap.com/hana/hana1_sec_en.pdf