
Hana database encryption

Feb 01, 2017 at 08:12 AM

Former Member

As @lars.breddemann has described in an earlier post, the HANA DB encryption is not on the in-memory data but for the data partition and the log files.

So I was wondering if this "all or nothing" approach can be differentiated a bit more. E.g. I don't need to encrypt my whole db, but only a single table. How would I be able to do that? Can I move a single table into an individual data partition?

Also I understand that the only possible way to encrypt an individual field of a table is to encrypt it before storing it on HANA - or did that change and HANA comes now with some support for this (e.g. the client provides a secret to encrypt the data but the en-/decryption is done on the DB and not on the client)?


2 Answers

Denys van Kempen
Feb 01, 2017 at 11:28 AM
1

Hi Bernd,

Good question. We have three different objectives here:

  1. Encryption of archived storage (backups)
  2. Encryption of the files on the file system (persistence) - for the curious OS hacker
  3. Encryption of rows/columns in-memory (obfuscation/data masking) - for the curious DBA

Currently, for SAP HANA 2.0 SPS 00, both data volume (persistence) and redo log encryption are available (but you still need to be careful with your trace files). The encryption takes place at a lower level than the database, so you cannot encrypt on the file system just the bits and bytes for table A or column B. It is all or nothing.

Archived storage is addressed (or not) by the backup tool or by the DBA / System Administrator.

Obfuscation/data masking can be addressed by the application but is not a database feature. See, for example https://blogs.sap.com/2014/05/13/how-to-securely-mask-or-hide-column-data-using-sql-map-function-in-sap-hana-views/ or https://blogs.sap.com/2016/06/15/hana-eim-sdisdq-sps12-data-mask-node-how-to/ (using SDI).

Targeted audit policies and a solid privilege and role management are obviously also very important to protect sensitive data.

I understood that both backup encryption and data masking are high on the feature list for SAP HANA 2.0 SPS 01 but whether they make it to the release remains to be seen. RTC is planned for mid-April.

Regards,

Denys

Former Member

Thank you Denys, that was very helpful - one more question. If the HANA is hosted on the HCP (or SCP as it is called now), is this process any different? Or is this all taken care of by the dev ops? (encryption on persistence level)

0
Denys van Kempen
Feb 03, 2017 at 08:50 AM
0

Hi Bernd,

I have very little visibility of what is happening up there in the cloud so I will have to ask around a bit; I will get back to you.
