SAP HANA Security: Do You Want a Basic or Secure Implementation?
Different software companies take different approaches to the security of their products after they have been sold to their customers. Some would prefer it if previously released software had no security research attention paid to it where as others take a more realistic and therefore positive (to their customers) attitude. This positive approach is not only to provide their customers with security guidance for each component but to also release vulnerability information to them along with patches or remediation information in a regular and predictable way that allows their customers to anticipate and plan for application of remediation.
SAP falls into the positive camp; as well as releasing vulnerability information for HANA and other SAP components on the second Tuesday of every month they also publish security guidance for best practices to securely install and maintain HANA deployments.
Now, you could try and argue that the ultimate best practice is for SAP to release completely perfect and secure code and products; and to not allow their customers to reconfigure it so it can run in an insecure manor. That and unicorn hamburgers would be fantastic; but I am not holding my breath for either to present itself to me any time soon…
The reality is that SAP systems are installed in a varied and complex ecosystem of business systems. Whether it is supply chain management for collecting information from global systems and 3rd party businesses and systems in order to ensure every item arrives as it is needed, not before or after. Or when one company acquires another; each running different generations of SAP software; they expect it to “just work” when they merge the systems together.
Faced with this SAP is producing open systems they are designed to get the job done. To enable organizations to implement security in a manner that works best for them and meets their standards and compliance requirements SAP publishes detailed security guidance.
Here at Onapsis that guidance is required bedtime reading; we absorb that information and instill it into our products. We also take it further; dedicating researchers in our acclaimed research labs to take a deeper dive into the technology; to better understand ways it could be manipulated and abused in an insecure manner. All this information, along with the most effective way to mitigate these issues are fed into our products and utilized by our customers.
I’m proud to announce the release of capabilities to do this for HANA, which we will be making available this month. If you are not aware of what SAP HANA is there is a primer here; in short (very short) it is an in-memory database; which makes it incredibly fast at analyzing the data, leading to the creation and implementation or more real-time analytic solutions vs performing historical analysis. You can read more about what businesses are doing with HANA in these case studies. From a security point of view it is quite scary to consider what could go wrong if a system acting at near real-time; making critical business decisions; is insecure and subject to risk and attack.
What security intelligent organizations are doing with Onapsis solutions is to ensure that their SAP implementations are both secure and compliant. Compliant to internal and external policies and also compliant to the policies they expect to be audited against.
With the release of support for HANA they will be able to measure for the same level of security and compliance with their HANA based systems. Meaning they can breathe easy when considering the security of these breathtakingly fast systems.