Are Your Applications Safe in the Cloud?

SAP HANA Cloud Platform is Designed to Protect Your Data

by Martin Raepple | SAPinsider, Volume 15, Issue 2

April 1, 2014

Entrusting your infrastructure, applications, and data to a third-party service provider in the cloud involves a number of security considerations, particularly in the areas of user authentication and data protection. This article looks at how SAP HANA Cloud Platform — SAP’s platform-as-a-service (PaaS) solution for building and deploying business and consumer applications in the cloud and extending existing on-premise and on-demand enterprise solutions — is designed to address these areas and ensure the safety of your applications in the cloud.

 

Cloud platforms offer organizations compelling advantages, such as significantly reduced overhead. But entrusting your infrastructure, applications, and data to a third-party service provider in the cloud involves a number of security considerations, particularly in the areas of user authentication and data protection. Edward Snowden’s ability as a third-party contractor to access government data about surveillance programs is a high-profile example of the critical need to ensure that your data — and user access to that data — is secure in the cloud, and these two areas are at the top of the Open Web Application Security Project (OWASP) list of the top 10 cloud security risks.[1]

SAP HANA Cloud Platform — SAP’s platform-as-a-service (PaaS) solution for building and deploying business and consumer applications in the cloud and extending existing on-premise and on-demand enterprise solutions[2] — not only implements multiple levels of organizational and technical security measures for SAP customers (see the sidebar “A Multi-Level Approach to Security”), it is designed to ensure secure user authentication and data protection in the cloud.
 
This article looks at how SAP HANA Cloud Platform addresses these areas by answering the following questions:

  • How are user accounts managed in the cloud, and how can data be protected from unauthorized access and loss?
  • Is there a secure way to connect mobile devices to the cloud, and to access on-premise systems from the cloud?

A Multi-Level Approach to Security

As a platform-as-a-service (PaaS) provider, SAP is accountable for the infrastructure and the platform services and tools, such as:

  • Core application server runtime
  • Databases
  • Administration tools

SAP HANA Cloud Platform implements organizational and technical security measures on multiple levels. For example, fulfillment of the requirements from the Information Security Management System (ISMS) standard ISO/IEC 27001 and compliance with the Statements on Standards for Attestation Engagements (SSAE) 16 ensures platform stability, security, and performance at a platform operations and process level.

Managing User Access in the Cloud

It may surprise you to learn that SAP HANA Cloud Platform has no built-in user management capabilities of its own, at least not in the traditional sense. There is no runtime component similar to the user management engine (UME), and there is no API in the SAP HANA Cloud Platform software development kit (SDK)[3] that gives you control over the life cycle of user accounts stored by the platform. Why is this? By virtue of serving primarily as a solution for building extensions, in many scenarios SAP HANA Cloud Platform is not where end-user accounts are managed.

In a cloud-deployed business application for employees, for instance, accounts are usually maintained in a corporate user directory, and employees want single sign-on (SSO) for all their business applications, regardless of whether the applications are hosted in the corporate data center or run in the cloud. 
 
Customers and partners have similar expectations for B2C and B2B applications. Instead of registering yet another user account for each new cloud-based application — which both degrades the user experience and introduces unnecessary security risks, such as weak, easy-to-remember passwords — customers and partners expect the platform to be able to delegate authentication. For example, the authentication could be delegated to an existing system hosted on the partner’s corporate network, or to a social media network such as Facebook or Twitter, where customers may have an account they can use to log in to the application on SAP HANA Cloud Platform.
 
SAP HANA Cloud Platform protects against unauthorized access by integrating with a wide range of authentication systems, also referred to as identity providers (IdPs), such as SAP NetWeaver Single Sign-On, Microsoft Active Directory Federation Services (ADFS) 2.0, and ForgeRock OpenAM.[4]
 
Fortunately, there are common protocols and standards — namely, Security Assertion Markup Language (SAML) and the Open Authorization (OAuth) 2.0 Framework — supported by corporate and social IdPs that simplify the integration from the platform’s perspective while enabling secure cross-domain SSO (also known as “identity federation”) and client access to the cloud. Figure 1 provides an overview of how this works.

Figure 1 — Standard-compliant authentication and authorization scenarios with SAP HANA Cloud Platform

Security Assertion Markup Language

In the enterprise, SAML version 2.0 is a widely adopted protocol for identity federation and is ratified as a standard by the Organization for the Advancement of Structured Information Standards (OASIS). By default, any application deployed on SAP HANA Cloud Platform delegates authentication and user management to SAP ID service,[5] a SAML-compliant IdP on the internet that is operated by SAP and enables SSO across SAP’s on-demand portfolio of software-as-a-service (SaaS) offerings and public websites, such as SAP Community Network (SCN). Switching to a corporate IdP is easy because most of the well-known products in this space, such as SAP NetWeaver Single Sign-On and Microsoft ADFS 2.0, support SAML.

Open Authorization 2.0 Framework

Among the social IdPs, the OAuth 2.0 Framework[6] is the dominant protocol for enabling SSO. OAuth authorizes a client application to make calls to the social media network’s web APIs to access a specific user’s data on his or her behalf. This usually requires the user to give the client application permission to obtain an OAuth access token from the social network’s OAuth authorization server, which it has to pass with each API call.
 
On SAP HANA Cloud Platform, any application deployed to a customer or partner account[7] that authenticates users with SAP ID service can enable login with Facebook, Twitter, Google, or LinkedIn. In this scenario, SAP ID service takes the role of the OAuth client application that is authorized by the user to call the social network’s API on his or her behalf.

Securing Connections to and from the Cloud

When you deploy applications to the cloud, and enable access to and from the cloud for mobile devices and on-premise systems, you cede some amount of control over your data to the cloud provider and platform. How can you be sure that these assets are protected when they are out of your hands?
 
To mitigate data-related risks, SAP HANA Cloud Platform ensures the security of the connections between your data and the cloud, including support for securing mobile access to cloud applications, protections against common web attacks, as well as services that help you secure data stored by the platform or exchanged with on-premise systems.

Securing Web APIs with OAuth 2.0

As a strategic security technology for SAP HANA Cloud Platform, the OAuth 2.0 Framework supports developers in securing their own web APIs. Without any additional coding, developers can configure the endpoints of their cloud applications to require a valid OAuth access token, which a client — for example, a mobile or desktop application — has to obtain from a platform-provided, central OAuth 2.0-compliant authorization server.
 
Instead of making the client responsible for holding a user’s most secret credentials, such as a corporate user name and password, the developer need only protect the access token, which is a far less powerful credential. Due to the access token’s narrow scope, it authorizes only a particular client to call the API of a single SAP HANA Cloud Platform application, which limits the potential impact of a successful credential theft. End users can use the platform’s OAuth authorization server to manage their access tokens — for example, to revoke a token issued to a client that is no longer trustworthy or is insecure. Like other central services provided by SAP HANA Cloud Platform, such as the connectivity service and the persistence service, the OAuth authorization server implements strict tenant separation with logical isolation of customer data, so that full protection of user and business data can be ensured.
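As an added illustration (not the platform’s authorization server or SDK code), the following Python sketch models the token properties described above: a bearer token bound to one user, one client, one application and a narrow set of scopes, checked by the application’s API on every call, and revocable by the user for a client that is no longer trusted. The in-memory store, application names and scope strings are constructed for the example.

```python
import secrets
import time

# Constructed in-memory authorization-server state: access token -> grant.
# A real server persists this and serves it via the OAuth 2.0 endpoints.
TOKENS = {}


def _now(now):
    return time.time() if now is None else now


def issue_token(user, client_id, application, scopes, ttl=3600, now=None):
    """Issue a bearer token bound to one user, one client, one application
    and a narrow set of scopes; the token never carries the user's password."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user": user, "client_id": client_id,
                     "application": application, "scopes": set(scopes),
                     "expires": _now(now) + ttl, "revoked": False}
    return token


def revoke_client_tokens(user, client_id):
    """Let a user revoke every token issued to a client he or she no longer
    trusts. Returns the number of tokens revoked."""
    count = 0
    for grant in TOKENS.values():
        if (grant["user"] == user and grant["client_id"] == client_id
                and not grant["revoked"]):
            grant["revoked"] = True
            count += 1
    return count


def authorize_api_call(token, application, required_scope, now=None):
    """Check an application's endpoint performs on every API call.
    Returns the user name if the token is live, was issued for this very
    application and grants the required scope; otherwise None. A token
    stolen from another application's client is therefore useless here."""
    grant = TOKENS.get(token)
    if grant is None or grant["revoked"]:
        return None
    if _now(now) >= grant["expires"]:
        return None
    if grant["application"] != application:
        return None
    if required_scope not in grant["scopes"]:
        return None
    return grant["user"]
```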

Local Security Testing

Developers can test the SAML- and OAuth-based authentication and authorization mechanisms on their local systems before deploying applications to SAP HANA Cloud Platform. With the local server runtime of the SAP HANA Cloud Platform SDK, a lightweight SAML 2.0 IdP and OAuth 2.0-compliant authorization server are provisioned and started automatically to let the developer execute all required tests locally. Authentication on the local server runtime is performed against a local user base that can be maintained using the Eclipse-based tools for SAP HANA Cloud Platform.

Protection Against Common Web Attacks

Even with the strongest authentication mechanism in place, once a user logs in, every web application is potentially vulnerable to common web attacks, such as cross-site request forgery (XSRF). In an XSRF attack, a malicious website causes the user’s browser to send a request, carrying the user’s session, to the vulnerable website where the user is currently logged in. This could happen when both sites are opened in different tabs of the same browser window, for example.
 
To help prevent an XSRF attack, SAP HANA Cloud Platform uses a randomly generated unique value — known as a “nonce” — per request, and stores it in the user’s session. URLs are also encoded with the same nonce, which makes requests to the victim’s website unpredictable for the attacker’s website. Each time a request is received, the current nonce in the user’s session is compared to the nonce in the request. Only if both values match is the request considered valid and passed by the platform-provided XSRF filter to the application logic.
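An added stand-alone illustration of the nonce check described above, not the platform’s own XSRF filter: the session holds a random nonce, the legitimate page encodes it into its URLs, and the filter compares the presented value with the stored one in constant time, rotating the nonce after every accepted request so that each request carries a fresh value. The session store and URL paths are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed in-memory session store (session id -> session data); a real
# deployment keeps this server-side in the user's HTTP session.
SESSIONS = {}


def start_session(session_id):
    """Create a logged-in session and store its first random nonce."""
    SESSIONS[session_id] = {"xsrf_nonce": secrets.token_urlsafe(32)}
    return session_id


def protected_url(session_id, path):
    """The legitimate page encodes the current session nonce into its URLs."""
    nonce = SESSIONS[session_id]["xsrf_nonce"]
    return path + "?" + urlencode({"xsrf": nonce})


def xsrf_filter(session_id, url):
    """Accept the request only if the nonce in the URL matches the one stored
    in the session. A forged request from another site cannot include the
    nonce, and on success the nonce is rotated so a captured URL cannot be
    replayed."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    presented = parse_qs(urlsplit(url).query).get("xsrf", [""])[0]
    expected = session["xsrf_nonce"]
    # Constant-time comparison so timing does not leak the nonce.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False
    session["xsrf_nonce"] = secrets.token_urlsafe(32)
    return True
```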

Signing and Encrypting Data

If you need to encrypt or digitally sign sensitive data stored by your SAP HANA Cloud Platform application (for example, personal and financial data), or perform SSL communication with client-side certificates,[8] you must be able to securely manage the required cryptographic keys and certificates. The keystore service of SAP HANA Cloud Platform helps you manage these keys and certificates by providing a secure repository in the cloud for your applications. Using the platform’s console client, an account administrator can list, upload, download, and delete the keystores in the cloud.
 
Any data exchange between corporate on-premise systems and your cloud applications can be secured by using the platform’s connectivity service. This service establishes an SSL-based virtual private network (VPN) to SAP HANA Cloud Platform via a reverse invoke approach from the internal network to the cloud, which relieves the security administrator from opening any ports for inbound traffic on the corporate firewall that could invite an attack from the internet.

Built for Security

Security is engineered within SAP HANA Cloud Platform across all the layers of its architecture and the entire application life cycle. While the underlying processes and mechanisms are often complex, they are exposed to platform developers and administrators in a simple, consumable, and configurable way, making it easy to not only build and run applications in the cloud, but to do it securely and with confidence.

Learn more at https://help.hana.ondemand.com/help/frameset.htm?e80af38cbb57101495e2cd74c44af674.html.

 

[1] See the categories “Accountability and Data Ownership” and “User Identity Federation” at www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project.

[2] For more on developing applications with SAP HANA Cloud Platform, see “End-to-End Development Scenarios from SAP: Bridging the On-Demand and On-Premise Divide with SAP Tools for Eclipse” by Karl Kessler and Monika Kaiser in the October-December 2013 issue of SAPinsider.

[3] For more on the SAP HANA Cloud Platform tools, see https://tools.hana.ondemand.com/#cloud.

[4] For detailed tutorials on how to integrate with these IdPs, see http://scn.sap.com/docs/DOC-35464.

[5] To learn more about SAP ID service, see http://scn.sap.com/docs/DOC-20016.

[6] For more on the OAuth 2.0 Framework, see http://tools.ietf.org/html/rfc6749.

[7] This feature is currently not supported for free SAP HANA Cloud Platform developer trial accounts.

[8] For more on client-side SSL connections, see https://help.hana.ondemand.com/help/frameset.htm?38144cd12fcc44249e7b2c4584f46045.html.

Martin Raepple (martin.raepple@sap.com) is the Product Owner for Security and Identity Management in SAP HANA Cloud Platform. He is responsible for the product’s security roadmap and manages the product backlog. Prior to this role, Martin represented SAP in international standard bodies and was responsible for SAP’s strategy on security standards. Martin speaks frequently at international conferences and has written books and articles on IT security.


