In typical implementations of SAP HANA, encryption keys may be hosted and managed by IT maintenance staff. When the implementation is hosted in the cloud, this means that the CSP maintenance staff has access to the encrypted storage of the customer’s keys and data. Vormetric Data Security closes this security gap. CSP maintenance staff can access the application and the infrastructure, but only the customer’s authorized users and security administrators can access the encryption keys, the data, and the access policies.

Vormetric Data Security is deployed and managed using the Vormetric Data Security Manager, which can be located either in the customer’s data center or in the cloud. Encryption keys are stored in a secure vault (see Figure 1).

In addition to ensuring that data and access policies are secured against unauthorized users and administrators, Vormetric Data Security:
• Provides more flexible and granular decryption access controls based on the requestor, time, data type, and data location (drive, device, disk, and so on).
• Provides additional granular logs for monitoring, reporting, and in-depth security analysis. Logs can be monitored and analyzed using governance, risk management, and compliance (GRC) applications to provide continuous assessment of the security environment and to generate alerts if potential issues arise. This approach is recommended, as advanced analytics is increasingly valuable for detecting the subtle departures from normal usage patterns that might indicate an insider attack or a sophisticated APT.

[Figure 1 diagram labels: Customer; VPN; SAP HANA (in-memory database, persistent storage); Server (Intel® Xeon® processor E7 v2 family); Vormetric Data Security Manager (Physical or Virtual), centralizes policy and key management; Customer-Controlled Data Security; Intel® Data Protection Technology with Advanced Encryption Standard New Instructions (AES-NI) and Secure Key. Layer labels: Optimized cloud services for mission-critical applications; Data encryption and access control policy enforcement; Scalable server platform with hardware-enhanced security.]
Figure 1. Vormetric provides advanced data encryption and access controls and ensures that only the customer has access to data, access policies, and encryption keys.
Security in the Cloud for SAP HANA*