There is another security risk in most
public clouds. The CSP administrators who
manage the infrastructure typically have
access to the entire solution, including
applications and data. Although there may
be operational safeguards, the potential
for insider attacks exists, not only
from CSP administrators, but also from
advanced persistent threats (APTs) that
use sophisticated, long-term strategies to
exploit insiders.

In this environment, trust between cloud
providers and their customers is no longer
enough. Businesses need to know that
they, and only they, can access their data.
They also need to know that protections
are in place to guard against both internal
and external threats, including APTs.

Data Residency Requirements

Data mobility raises additional concerns
about cloud hosting solutions. Data
protection and privacy laws vary around
the world, and many jurisdictions have
strict requirements regarding data
residency. Yet, in many public cloud
environments, customer applications and
data are often moved without notice to
maximize data center efficiency. Your data
could potentially be moved across the
data center, across the country, or even
around the world. If you have sensitive
data, this raises serious security concerns.
If you have data residency requirements,
it may put your business at risk for
non-compliance.

For example, the European Union Data
Protection Regulation makes it illegal to
transfer data in response to an overseas
court order without authorization from
the European Commission. However, if
a service provider is incorporated in a
non-EU country or has a data center in a
non-EU country, the provider is required to
comply with a subpoena for data from that
non-EU country, even if the data resides
in the EU. This and many other global
regulatory issues create a tough decision
matrix for CSPs and introduce significant
potential risks for their customers.

To manage risk in such a complicated
regulatory environment, enterprise
customers must retain full control
over their data. Data must not only be
encrypted in the cloud, but the customer,
and only the customer, must have access
to the encryption keys. With this approach,
the CSP can respond appropriately to
court orders (by sending the encrypted
data), without putting the customer at
risk (since the data cannot be “unlocked”
without the customer-controlled
encryption keys).

Achieving Security and Compliance for SAP HANA in the Cloud

Providing strong security and compliance
in any computing environment requires
robust capability at every level of the
solution stack. Security and compliance
for SAP HANA begins with the built-in
controls. Vormetric, Virtustream, and
Intel build on this foundation to extend
enterprise-class security and compliance
without sacrificing performance or
generating excessive administrative
overhead.

SAP HANA: Built-In Security for Enterprise Environments

SAP HANA provides integrated support for
establishing and enforcing strong security
policies. Built-in capabilities include:

- Role-based access and authorization
  for SAP HANA users and
  administrators. SAP HANA supports
  strong authentication security using
  the customer’s method of choice (basic
  authentication, Kerberos, SAML, SAP
  login and assertion tickets, X.509,
  and so on).
- Data encryption. Encryption is
  supported for both data on disk and data
  communications across the network.
- Transaction logs and reporting
  mechanisms. SAP HANA provides the
  information and governance support
  that businesses need to monitor and
  audit user access and operations.

SAP also provides guidance on how to
implement these capabilities to ensure
strong security across diverse deployment
scenarios. For information, see the SAP
HANA Security Guide:
http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf

Vormetric: Enhancing Security While Keeping Customers in Full Control of Their Data

The security protections described above
are sufficient for many customers, as
evidenced by the success of SAP HANA
in supporting mission-critical workloads
for large businesses. However, companies
with particularly stringent data security
requirements are sometimes looking for
an even higher level of control.
Security in the Cloud for SAP HANA*