Ensure the Security of Your SAP HANA Log Data with Remote Data Center Encryption

The right level of protection for SAP HANA is crucial. Whether it’s customer data, HR records, supplier details, or financial information, every single data area processed in SAP HANA is highly sensitive. If critical business data falls into the wrong hands, the consequences can be dire — companies could face major financial losses, damage to image and trust, and severe fines due to violation of legal compliance requirements.

To protect against these threats, SAP HANA has a built-in feature to encrypt the vast majority of accrued data, known as data volumes, on the SAP HANA server’s hard drive. However, there is no built-in way to encrypt the log files that record ongoing changes to the SAP HANA database, which are used to ensure that the current data set can be restored in the event of an error, such as a system failure. You can use standard file system encryption technology, but you would need to manually enter the decryption key before SAP HANA can start up.

To help SAP customers extend the direct encryption capability provided for data volumes to include log files, SUSE Linux Enterprise Server for SAP Applications provides a remote data center encryption function that enables you to encrypt SAP HANA log files directly on the server’s hard drive.

Remote Data Center Encryption for Log Files

Server restarts are not uncommon in the data center. In the past, a server restart always required direct entry of passwords or key files on the server to decrypt the SAP HANA log files when using disk-based encryption. Scenarios in which an employee was not present to perform the decryption — if a power failure in the data center led to a server restart, for example — were not covered by this approach. This could have serious consequences, since there was no way to start SAP HANA operation without decryption of the SAP HANA log files.

With its new remote data center encryption function, SUSE Linux Enterprise Servers for SAP Applications avoids this scenario. As a requirement, the key files for all drives on which the disk encryption feature is set up and on which SAP HANA applications are running will be stored on a central server, known as the key server. This ensures that manual entry of the decryption password is no longer required when restarting the SAP HANA server. Instead, the SUSE operating system authenticates itself with the remote data center encryption function on the key server (keyword TLS/KMIP) and automatically receives the key file so that the SAP HANA system can start running again without problems. In this way, the SAP HANA data remains protected against unauthorized access.

Because the key server contains the key files required for SAP HANA operation, additional special security measures such as firewalls, robust encryption methods, and regular backups are recommended to protect these files against unauthorized access. In addition, this central server should be used by a few authorized employees only.

Greater Flexibility for Encryption

With the new remote data center encryption function, the SUSE Linux operating system helps companies protect their business-critical data and log volumes in SAP HANA against misuse — whether in their own data centers or in the cloud. At the same time, automatic authentication increases the flexibility of server encryption in the data center.

SUSE delivers the remote data center encryption function with Service Pack 2 for SUSE Linux Enterprise Server for SAP Applications 12, which was initially released in November 2016. In addition to SAP HANA, the new encryption function can be used to boost the data security of a variety of other SAP and non-SAP applications. Learn more at www.suse.com/products/sles-for-sap.