
Why encrypt SAP HANA persistent data and log?

Topas
Discoverer
0 Likes

Dear all,

This concerns SAP HANA on-premises.

My company recently started to assess the possibility of using encryption for SAP HANA databases at the level of data/log and backups.
However, it is not clear what sort of attack the encryption tends to prevent:

Two distinct scenarios:
First: the database is not encrypted:

How can you read data directly from the data files and logs of the SAP HANA system via unauthorized access to the OS and/or <sid>admin account? Unless you stop the database, copy it over to another place and open it for reading, I'm not seeing any other way to inspect data directly in the datafiles/logs at file system level. So why encrypt?

Second: the database is encrypted at the level of log and data:
Supposing that the attack via unauthorized access to the OS and/or <sid>admin account is successful, then you will also have access to the SSFS store and master key saved in its default location:

/usr/sap/<SID>/SYS/global/hdb/security/ssfs/SSFS_<SID>.KEY
/usr/sap/<SID>/SYS/global/hdb/security/ssfs/SSFS_<SID>.DAT

So, what is the point of encrypting? Or am I missing some additional security step to prevent this scenario?
Thank you for helping to clarify.
Kind regards to all

Accepted Solutions (0)

Answers (1)

HakanHaslaman
Product and Topic Expert
0 Likes

Encrypting SAP HANA data and log is vital for data protection, compliance, and preventing insider threats. Encryption prevents unauthorized access to sensitive data and meets regulatory requirements. Even with access to the OS or admin account, encrypted data remains unreadable. Strong access controls should protect the SSFS store and master key.

Topas
Discoverer
0 Likes

Hello,

Thank you for your response.

However, your response is like the SAP security guidelines documentation, which invites us all, in an unquestionable way, to implement these functionalities for the sake of protection, compliance, regulatory requirements, etc.

In the end, probably many of us don't know how they are being used to prevent attacks. Having technical knowledge of the nature of threats will definitely help you in defining a strong security strategy and, at the very bottom end, whether encryption is really necessary in your environment.

Thank you