Assessing HANA Systems Against the SAP HANA Security Guide
SAP takes their responsibility to help their customers be secure seriously. They have released the SAP HANA Security Guide to help their customers deploy HANA in a secure way. SAP Security Guides are nothing new, they help define a minimum benchmark of a securely deployed SAP system.
For those tasked with assessing a SAP HANA (or ABAP) system and determining the complete risk the system represents to the business, they know that just performing a SoD check is not enough (and for those that don’t the list of security guides from SAP and this blog should help explain why). SAP states that “[these] security guides provide information that is relevant for all lifecycle phases”. When auditing or assessing these SAP systems, and HANA in particular a logical place to start is to compare the system against SAP’s own security recommendations and benchmarks for HANA.
The SAP HANA Security Guide provides those minimum security recommendations. At 102 pages, the guide provides a lot of detailed information about the SAP HANA solution, common deployment scenarios and an overview of the communication paths used within a SAP HANA deployment and how they should be secured. This is further broken out into the following areas:
- SAP HANA User and Role Management
- SAP HANA Authentication and Single-Sign On
- SAP HANA Authorization
- SAP HANA Data Storage Security
- Auditing Activity in SAP HANA Systems
- Security Risks of Trace and Dump Files
- SAP HANA Additional Components
- Security for SAP HANA Data Provisioning Technologies
- Security Reference Information
When reviewing the document what immediately stands out is the multiple ways a SAP HANA system can be deployed, as well as the multiple connections between SAP HANA and external components and applications. The security of the connections and the underlying secure configuration of the end points must be taken into account when planning an assessment of a SAP HANA based system.
Secure communications simply mean that the traffic being sent and received cannot be intercepted and analyzed, or replaced with malicious instructions or data. It does not ensure that the systems that received the encrypted packets are secure from attack by someone who is able to make a legitimate, encrypted connection to the targeted system.
The key elements to check for are the areas in the deployment that are most likely to be weak (and are therefore the most likely to be leveraged by an attacker so represent the major areas of security risk for a SAP HANA deployment) the use of a weak password policy or allowing easily guessed passwords. Available missing notes for a SAP systems should also be assessed.
In addition, an auditor should make sure the audit policies for SAP HANA are enabled. This gives the organization the capability to perform forensic analysis should any incident take place effecting the SAP HANA system or the data it protects.
SAP systems, like most systems in an organization are not set in stone; therefore the results of an audit are only an indication of the state of the system at that point in time and do not necessarily represent the current state of the system, or the security risk it possesses. When you consider the monthly release of new SAP Notes regarding vulnerabilities not previously released, as illustrated here, it is increasingly likely with every passing month that a system that is not reviewed and updated monthly will slip to a less secure state.
The key is frequent auditing. The level of frequency should increase directly with the increase of the importance of the system to the business. The more important the system is the shorter the period of time you should be prepared to allow unacceptable levels of risk to exist on that system and the more frequently you should audit those systems.
While it is possible to audit those systems manually, when you take into account you should be doing this auditing across your entire series of SAP landscapes the cost of doing this on even a monthly basis becomes prohibitive. To discover risks and audit your SAP environments at the speed a modern business requires the use of automation is key. In my forthcoming webcast I am going to take the opportunity to discuss:
- the key takeaways from the SAP HANA Security Guide
- how you can leverage Onapsis X1 to perform these audits not only with lightning speed, but also unattended on a scheduled basis.
If you are interested in learning more, click here to register for the webcast.