SAP HANA Security: Do You Want a Basic or Secure Implementation?

Different software companies take different approaches to the security of their products after they have been sold to their customers. Some would prefer it if previously released software had no security research attention paid to it, whereas others take a more realistic and therefore positive (to their customers) attitude. This positive approach is not only to provide their customers with security guidance for each component but also to release vulnerability information to them, along with patches or remediation information, in a regular and predictable way that allows their customers to anticipate and plan for application of remediation.

SAP falls into the positive camp: as well as releasing vulnerability information for HANA and other SAP components on the second Tuesday of every month, they also publish security guidance on best practices for securely installing and maintaining HANA deployments.

Now, you could try and argue that the ultimate best practice is for SAP to release completely perfect and secure code and products; and to not allow their customers to reconfigure it so it can run in an insecure manner. That and unicorn hamburgers would be fantastic; but I am not holding my breath for either to present itself to me any time soon…

The reality is that SAP systems are installed in a varied and complex ecosystem of business systems. That may be supply chain management, collecting information from global systems and 3rd party businesses and systems in order to ensure every item arrives as it is needed, not before or after. Or one company acquires another, each running different generations of SAP software, and they expect it to “just work” when they merge the systems together.

Faced with this, SAP is producing open systems that are designed to get the job done. To enable organizations to implement security in a manner that works best for them and meets their standards and compliance requirements, SAP publishes detailed security guidance.

Here at Onapsis that guidance is required bedtime reading; we absorb that information and instill it into our products. We also take it further, dedicating researchers in our acclaimed research labs to take a deeper dive into the technology, to better understand ways it could be manipulated and abused in an insecure manner. All this information, along with the most effective way to mitigate these issues, is fed into our products and utilized by our customers.

I’m proud to announce the release of capabilities to do this for HANA, which we will be making available this month. If you are not aware of what SAP HANA is, there is a primer here; in short (very short) it is an in-memory database, which makes it incredibly fast at analyzing the data, leading to the creation and implementation of more real-time analytic solutions vs. performing historical analysis. You can read more about what businesses are doing with HANA in these case studies. From a security point of view it is quite scary to consider what could go wrong if a system acting at near real-time, making critical business decisions, is insecure and subject to risk and attack.

What security-intelligent organizations are doing with Onapsis solutions is ensuring that their SAP implementations are both secure and compliant: compliant with internal and external policies, and also compliant with the policies they expect to be audited against.

With the release of support for HANA they will be able to measure for the same level of security and compliance with their HANA-based systems, meaning they can breathe easy when considering the security of these breathtakingly fast systems.

This entry was posted in Corporate by Alex Horan.

About Alex Horan

Alex Horan is a Product Manager at Onapsis Inc. where he is responsible for the development of ERP vulnerability assessment, testing and securing solutions. Alex has over 15 years of experience working within the IT security industry, covering both software and hardware. As a result he brings a deep knowledge and understanding of vulnerability assessment and penetration testing, as well as systems and network administration and auditing to his work at Onapsis. Alex has previously worked for mid- and large-sized companies helping to design and maintain their security posture.
