
SAP's support for "Always Encrypted" functionality offered by MS SQL 2016 Server

former_member347411
Discoverer
0 Kudos

Hello Community,

We are trying to explore options to protect sensitive data in SAP, especially customer SSN#s. We are inclined to use column-based data encryption to meet the requirement while having minimal impact on system performance. I have found OSS Note# 1380493 (SQL Server Transparent Data Encryption (TDE)) that talks about TDE (Transparent Data Encryption) in SQL Server. However, the document is from 2009 and as per the note, SAP did not support column-based encryption. I did find a question in the community, "SQL 2016 Always Encrypted Columns", that talks about utilization of "Always Encrypted" functionality in MS SQL 2016. We are currently in the process of upgrading to MS SQL 2016 Server and would like to utilize this functionality to protect sensitive information. Is there a note or some documentation that SAP provides on its support for data encryption in MS SQL 2016 Server?

Thanks for your valuable response in advance!

Best Regards,

Vikas Devrani

Accepted Solutions (0)

Answers (2)


clas_hortien
Active Contributor

Hello,

The TDE functionality of SQL Server is transparent to the SAP system and therefore supported. As you already stated, column-based encryption is not supported; you need to change ABAP code for this. But TDE is already used by several customers, especially in the Azure Cloud.

I did performance testing of different TDE algorithms in the past; it might be valuable for you to estimate the impact of TDE on your system. It was made for Azure, but as long as the machines on premise support the Intel AES-NI instruction set you can expect similar results.

Best regards

Clas Hortien

former_member347411
Discoverer
0 Kudos

Hi Clas,

Thanks for your response and sharing the link to performance testing results. Very informative! It definitely helps me feel more comfortable (from performance standpoint) in considering TDE.

While researching on the subject, I found the following link, where Jakub suggests using “Always Encrypt” functionality along with TDE.

https://channel9.msdn.com/Shows/Data-Exposed/SQL-Server-2016-Always-Encrypted

So, if the performance impact for utilizing “TDE” has gone down significantly in 2016 version, it might be worthwhile to use it along with “Always Encrypt”. This would allow us to encrypt data at column level both at rest and in motion. Based on what I understand from the presentation in the aforementioned link (between 8.45 mins to 9 mins in the video), it seems like “Always Encrypted” allows data to be transparent to SAP system and hence could be supported by SAP.

Also, in the following link, the user talks about the utilization of “Always Encrypted” functionality with SAP application.

https://answers.sap.com/questions/494037/sql-2016-always-encrypted-columns.html

Based on the question, I assume that SAP supports the functionality. I am trying to find SAP’s documentation that explicitly confirms that it supports "Always Encrypted" functionality offered by MS SQL 2016. Please let me know if you have any information on such documentation.

Thanks again for your valuable inputs and have a great day ahead!

Best Regards,

Vikas Devrani

clas_hortien
Active Contributor
0 Kudos

Hi Vikas,

Always Encrypted is not transparent to the SAP system, as you have to change the table structure for it (apply encryption to certain columns). The application itself would work once the columns are encrypted and the driver is installed, but every SAP service pack or update / upgrade can fail due to the changed table structures. It is not supported by SAP.

Best regards

Clas Hortien

former_member347411
Discoverer
0 Kudos

Hi Clas,

I just realized that you had responded to my earlier response. I apologize for the delay in getting back.

We discussed with SAP’s development team the possibility of utilizing “Always Encrypted” functionality for encrypting customers’ PII information. SAP does not recommend using it for technical reasons and has mentioned that they recommend and support TDE for data encryption needs. This is consistent with your recommendation as well 😊

Hence, we are now evaluating TDE as an option and would like to have your inputs on the following questions:

1. It is stated that TDE should not be used for OLAP (BW) systems – So, what does SAP recommend for encrypting the data in this database?

2. Since TDE will require more storage, more CPUs, and more memory – What is the estimated (%) increase in resources that is needed?

3. What should be tested within the application if TDE is enabled? Do you have a sample testing plan?

Thank you for all your help on the topic and have a great day ahead!

Best Regards,

Vikas Devrani

clas_hortien
Active Contributor
0 Kudos

Hi,

1. SAP makes no recommendation in the area of database encryption; it is totally the customer's choice.

2. We do not have values for the increase, but you can reduce the storage and memory impact when you apply the database compression before you apply TDE; then the compressed pages will be encrypted and stored on disk and in memory.

3. As TDE is transparent to the application, you do not need a real function test; when the application starts and is usable, then it is fine. As you can't have "incomplete encrypted" databases or database pages, it is just a binary decision: either it fully works or it will not work at all.

As the backup / restore procedure is more complicated, this should be tested. And ensure that you have backups of the certificates and keys, otherwise you can lose your DB completely.

Regards

Clas
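
The TDE steps the last answer points to (enable encryption, back up the certificate and keys, then test a restore), written out in T-SQL as an added example that is not part of the original thread or SAP's own procedure. The database name `ExampleDb`, the certificate name `TdeCert`, the `X:\` paths and all passwords are placeholders; any page compression is assumed to have been applied beforehand, as the answer suggests.

```sql
-- Constructed example: names, paths and passwords are placeholders.
USE master;
GO
-- 1. The database master key in master protects the TDE certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-1>';
GO
-- 2. Server certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate (example)';
GO
-- 3. Back up the certificate and its private key BEFORE enabling encryption.
--    Without these files, backups of the encrypted database cannot be restored elsewhere.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'X:\keybackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'X:\keybackup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-password-2>');
GO
BACKUP MASTER KEY TO FILE = 'X:\keybackup\master_dmk.key'
    ENCRYPTION BY PASSWORD = '<strong-password-3>';
GO
-- 4. Create the DEK and switch encryption on; a background scan encrypts all pages.
USE [ExampleDb];
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE [ExampleDb] SET ENCRYPTION ON;
GO
-- 5. Watch progress: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name, encryption_state,
       percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- 6. Restore test, run on a SEPARATE instance: import the certificate first,
--    then restore. The restore fails if the certificate is missing.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-4>';
GO
CREATE CERTIFICATE TdeCert
    FROM FILE = 'X:\keybackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'X:\keybackup\TdeCert.pvk',
        DECRYPTION BY PASSWORD = '<strong-password-2>');
GO
RESTORE DATABASE [ExampleDb] FROM DISK = 'X:\backup\ExampleDb.bak';
GO
```

Store the certificate, private key file and their passwords separately from the database backups, so that losing one location does not lose both the data and the means to decrypt it.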