Vormetric Data Security for SAP HANA

Vormetric Data Securityfor SAP HANA

Slide No: 2 Copyright 2015 Vormetric, Inc. All rights reserved.

2015 Vormetric Insider Threat ReportGlobal Edition

Data Security Failures Are RampantSensitive data isn’t protected

• Physical

• Virtual

• Outsourced

• Sources

• Nodes

• Analytics

Slide No: 3

Enterprise Data Centers

Remote Servers

Private, Public, Hybrid CloudsSaaS, PaaS, IaaS

Big Data

Copyright 2015 Vormetric, Inc. All rights reserved.

Data is DistributedSensitive data is everywhere

Vormetric Data at Rest, Logs and Configuration Files

SAP HANA Platform Overview

Flexible

Enterprise-wide protection and compliance

History of delivering new use cases enabling secure innovation

Scalable

Multi-operating systems across all server environments

Global scale with centralized control

Efficient

High-performance, minimizes system resources

Operational simplicity through consistent deployment

Single Platform = Lower TCO

Slide No: 5

ApplicationEncryption

Key Management

TransparentEncryption

DataMasking

Tokenization Encryption

Gateway

Vormetric Data Security PlatformEnabling an enterprise data-at-rest security strategy

The Vormetric Data Firewall Controls Data at Rest Access

Vormetric Security IntelligenceLogs to SIEM

Storage

Database

Application

User

File Systems

VolumeManagers

Big Data, Databases or Files

Allow/Block Encrypt/Decrypt

VormetricData Security Managervirtual or physical appliance

Cloud Admin, Storage

Admin, etc

*$^!@#)(-|”_}?$%-:>>

DSM

*$^!@#)(-|”_}?$%-

:>>

Encrypted& Controlled

Privileged Users

John Smith 401 Main

Street

Clear Text

Approved Processes and Users

Server

DSM

Storage

Database

Application

User

File Systems

VolumeManagers

Policy Based Access Control

Request

VORMETRIC

When WhereWhatWho

File System/Device

VORMETRIC

CO

NTE

XT

• Directory

• File Type

• File Name

• Drive

• Device/Disk

The result:

- Only the SAP HANA process and users have access to the data, but others such as root do not.

- Configuration and logs are protected with their appropriate policy.

Using Security Intelligence for Analyzing Access Attempts and Generating Compliance Reports

Demonstration

Selecting the SAP HANA Hosts to Protect

Selecting Servers to Apply Policies: Created list of HANA Servers

Sample SAP HANA DSM Policies

Policy definition: Root users are denied and logged when accessing protected directories

Viewing DSM Policy Controlling Root Access

Demo Policies: Rule 1: For Root-user, all operations, audit and deny access

Rule 2: Non-root users, encrypt/decrypt and audit

Policy Enforcement in Action!

User (proen) has root privilege/stats directory is protected from root accessRoot can’t even ‘ls’ the directory!

User (proen) SUs to a User (ha1adm)Vormetric Data Security is aware and access is still denied!

Audit Log of Event

Know: Root user proen, denied trying to ‘ls’ protected /stats directory

Know: Root user proen, denied trying to ‘ls’ /stats directory as user (ha1adm)

Negligible Data Security Tax

0

100000

200000

300000

400000

500000

600000

700000

800000

900000

64KLatency

sync.overwrite

1MLatency

sync.overwrite

16MLatency

sync.overwrite

64MLatency

sync.overwrite

Baseline

AES NI Encryption

SoftwareEncryption

Data Latency Micro sec.

• Insignificant added latency

• No throughput tax

Intel AES-NI enables hardware

encryption operations

Result Summary:

Vormetric Data Security Solution SummarySolution Capability Comments

Centralized key management DSM is a centralized key manager for Vormetric Encryption as well as other encryption systems in enterprise

Separation of duties Well defined, strong separation of duties between data administrators and security administrators

Audit Logs Logs events that help with compliance and audits

Security Intelligence Logs easily integrated with SIEMs to provide security intelligence and reduce APT attack surfaces

Structured and unstructured data

Use for SAP HANA, other databases, log and config files and all other kinds of files

Privileged User control Control privileged user access and reduce APT risk surface

Performance and scalability Proven in the field, high-performance and scalability

Security Standards FIPS 140-2 Level 3 compliance; Common Criteria certificationpending

Database coverage All databases, big data systems and unstructured file types

Cloud ready Runs across physical, virtual and cloud environments; Multi-tenant capabilities of DSM

Vormetric Data Security#DEFENDEROFDATA since 2001

VisionTo Secure the World’s Information

Purpose Protect Business Assets and Brand

Customers1500+ Customers Across 21 Countries

17 of Fortune 30

15+ Cloud and Hosting Providers, 100+ customers

Global PresenceGlobal Headquarters - San Jose, CA, USA

EMEA Headquarters - Reading, United Kingdom

APAC Headquarters - Gangnam-gu, Seoul

ProductsTransparent Encryption, Application-layer Encryption

Tokenization with Dynamic Data Masking

Cloud Encryption Gateway

Key Management

Questions?

Thank you