Vormetric Data Security for SAP HANA
Slide No: 2 Copyright 2015 Vormetric, Inc. All rights reserved.
2015 Vormetric Insider Threat Report, Global Edition
Data Security Failures Are Rampant: Sensitive data isn't protected
Data is Distributed: Sensitive data is everywhere
• Enterprise Data Centers
• Remote Servers
• Private, Public, Hybrid Clouds: SaaS, PaaS, IaaS
• Big Data
• Physical
• Virtual
• Outsourced
• Sources
• Nodes
• Analytics
Vormetric Data at Rest, Logs and Configuration Files
SAP HANA Platform Overview
Flexible
• Enterprise-wide protection and compliance
• History of delivering new use cases enabling secure innovation
Scalable
• Multi-operating systems across all server environments
• Global scale with centralized control
Efficient
• High-performance, minimizes system resources
• Operational simplicity through consistent deployment
Single Platform = Lower TCO
Vormetric Data Security Platform: Enabling an enterprise data-at-rest security strategy
• Application Encryption
• Key Management
• Transparent Encryption
• Data Masking
• Tokenization
• Encryption Gateway
The Vormetric Data Firewall Controls Data at Rest Access
Vormetric Security Intelligence: Logs to SIEM
Architecture diagram (labels recovered from the slide):
• Server stack: User, Application, Database, File Systems / Volume Managers, Storage
• At the File System/Device layer, Vormetric evaluates each request and decides Allow/Block and Encrypt/Decrypt for big data, databases or files
• Vormetric Data Security Manager (DSM): virtual or physical appliance
• Privileged users (Cloud Admin, Storage Admin, etc.) see only encrypted and controlled data (shown on the slide as scrambled ciphertext)
• Approved processes and users see clear text (for example "John Smith 401 Main Street")
Policy Based Access Control: every request is checked on Who, What, Where, When and Context
Context:
• Directory
• File Type
• File Name
• Drive
• Device/Disk
The result:
- Only the SAP HANA process and its users have access to the data; others, such as root, do not.
- Configuration and logs are protected with their appropriate policy.
Using Security Intelligence for Analyzing Access Attempts and Generating Compliance Reports
Demonstration
Selecting the SAP HANA Hosts to Protect
Selecting Servers to Apply Policies: Created list of HANA Servers
Sample SAP HANA DSM Policies
Policy definition: Root users are denied and logged when accessing protected directories
Viewing DSM Policy Controlling Root Access
Demo Policies:
• Rule 1: Root user, all operations: audit and deny access
• Rule 2: Non-root users: encrypt/decrypt and audit
Policy Enforcement in Action!
User (proen) has root privilege. The /stats directory is protected from root access: root can't even 'ls' the directory!
User (proen) does su to user (ha1adm): Vormetric Data Security is aware and access is still denied!
Audit Log of Event
Know: Root user proen, denied trying to 'ls' protected /stats directory
Know: Root user proen, denied trying to 'ls' /stats directory as user (ha1adm)
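The two demo rules and the su case above, as an added model in Python (not Vormetric's code and not its policy format). It assumes constructed guard points, a constructed set of root-privileged accounts, and that privilege is judged on the login user so that su to ha1adm does not escape Rule 1.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values for the model: protected directories and accounts holding root privilege.
GUARD_POINTS = ("/stats", "/hana/config", "/hana/log")
ROOT_PRIVILEGED = {"root", "proen"}

@dataclass(frozen=True)
class Request:
    login_user: str       # account that originally authenticated (survives su)
    effective_user: str   # account after any su; equals login_user when no su happened
    operation: str        # e.g. "ls", "read", "write"
    path: str

@dataclass(frozen=True)
class Decision:
    effect: str           # "deny" or "permit"
    key_applied: bool     # True when data is transparently encrypted/decrypted
    rule: Optional[str]   # matching rule name, None when the path is outside all guard points

def in_guard_point(path: str) -> bool:
    return any(path == gp or path.startswith(gp + "/") for gp in GUARD_POINTS)

def evaluate(req: Request, audit: List[str]) -> Decision:
    """Apply the two demo rules to one request and append an audit line when a rule fires."""
    if not in_guard_point(req.path):
        return Decision("permit", False, None)          # unprotected path: no policy, no key
    # Rule 1: judged on the login user, so su to an application user is still denied and logged.
    if req.login_user in ROOT_PRIVILEGED:
        as_user = "" if req.effective_user == req.login_user else f" as user ({req.effective_user})"
        audit.append(f"Know: Root user {req.login_user}, denied trying to '{req.operation}' "
                     f"protected {req.path} directory{as_user}")
        return Decision("deny", False, "rule1_root_deny")
    # Rule 2: non-root users get the key applied (encrypt/decrypt) and the access is audited.
    audit.append(f"Know: User {req.effective_user}, permitted '{req.operation}' on {req.path} (key applied)")
    return Decision("permit", True, "rule2_nonroot_apply_key")

def run_demo() -> Tuple[List[Decision], List[str]]:
    """Replay the demo: direct root access, root after su, the HANA admin, and an unprotected path."""
    audit: List[str] = []
    requests = [
        Request("proen", "proen", "ls", "/stats"),              # root-privileged user, direct
        Request("proen", "ha1adm", "ls", "/stats"),             # same login after su to ha1adm
        Request("ha1adm", "ha1adm", "read", "/stats/data.db"),  # HANA admin logged in directly
        Request("proen", "proen", "ls", "/tmp"),                # outside every guard point
    ]
    return [evaluate(r, audit) for r in requests], audit
```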
Negligible Data Security Tax
Chart: Data latency in microseconds (axis 0 to 900,000) for sync.overwrite at 64K, 1M, 16M and 64M, comparing Baseline, AES-NI Encryption and Software Encryption.
Result Summary:
• Insignificant added latency
• No throughput tax
• Intel AES-NI enables hardware encryption operations
Vormetric Data Security Solution Summary
Solution Capability | Comments
Centralized key management | DSM is a centralized key manager for Vormetric Encryption as well as other encryption systems in the enterprise
Separation of duties | Well defined, strong separation of duties between data administrators and security administrators
Audit logs | Logs events that help with compliance and audits
Security intelligence | Logs easily integrated with SIEMs to provide security intelligence and reduce APT attack surfaces
Structured and unstructured data | Use for SAP HANA, other databases, log and config files and all other kinds of files
Privileged user control | Control privileged user access and reduce APT risk surface
Performance and scalability | Proven in the field, high-performance and scalability
Security standards | FIPS 140-2 Level 3 compliance; Common Criteria certification pending
Database coverage | All databases, big data systems and unstructured file types
Cloud ready | Runs across physical, virtual and cloud environments; multi-tenant capabilities of DSM
Vormetric Data Security: #DEFENDEROFDATA since 2001
Vision: To Secure the World's Information
Purpose: Protect Business Assets and Brand
Customers: 1500+ Customers Across 21 Countries
• 17 of Fortune 30
• 15+ Cloud and Hosting Providers, 100+ customers
Global Presence:
• Global Headquarters - San Jose, CA, USA
• EMEA Headquarters - Reading, United Kingdom
• APAC Headquarters - Gangnam-gu, Seoul
Products:
• Transparent Encryption, Application-layer Encryption
• Tokenization with Dynamic Data Masking
• Cloud Encryption Gateway
• Key Management
Questions?
Thank you