Cloud platforms offer organizations compelling advantages, such as significantly reduced overhead. But entrusting your infrastructure, applications, and data to a third-party service provider in the cloud involves a number of security considerations, particularly in the areas of user authentication and data protection. Edward Snowden’s ability as a third-party contractor to access government data about surveillance programs is a high-profile example of the critical need to ensure that your data — and user access to that data — is secure in the cloud, and these two areas are at the top of the Open Web Application Security Project (OWASP) list of the top 10 cloud security risks.[1]
SAP HANA Cloud Platform — SAP’s platform-as-a-service (PaaS) solution for building and deploying business and consumer applications in the cloud and extending existing on-premise and on-demand enterprise solutions[2] — not only implements multiple levels of organizational and technical security measures for SAP customers (see the sidebar “A Multi-Level Approach to Security”), it is designed to ensure secure user authentication and data protection in the cloud.
This article looks at how SAP HANA Cloud Platform addresses these areas by answering the following questions:
- How are user accounts managed in the cloud, and how can data be protected from unauthorized access and loss?
- Is there a secure way to connect mobile devices to the cloud, and to access on-premise systems from the cloud?
Managing User Access in the Cloud
It may surprise you to learn that SAP HANA Cloud Platform has no built-in user management capabilities of its own, at least not in the traditional sense. There is no runtime component similar to the user management engine (UME), and there is no API in the SAP HANA Cloud Platform software development kit (SDK)[3] that gives you control over the life cycle of user accounts stored by the platform. Why is this? By virtue of serving primarily as a solution for building extensions, in many scenarios SAP HANA Cloud Platform is not where end-user accounts are managed.
In a cloud-deployed business application for employees, for instance, accounts are usually maintained in a corporate user directory, and employees want single sign-on (SSO) for all their business applications, regardless of whether the applications are hosted in the corporate data center or run in the cloud.
Customers and partners have similar expectations for B2C and B2B applications. Instead of registering yet another user account for each new cloud-based application — which both degrades the user experience and introduces unnecessary security risks, such as weak, easy-to-remember passwords — customers and partners expect the platform to be able to delegate authentication. For example, the authentication could be delegated to an existing system hosted on the partner’s corporate network, or to a social media network such as Facebook or Twitter, where customers may have an account they can use to log in to the application on SAP HANA Cloud Platform.
SAP HANA Cloud Platform protects against unauthorized access by integrating with a wide range of authentication systems, also referred to as identity providers (IdPs), such as SAP NetWeaver Single Sign-On, Microsoft Active Directory Federation Services (ADFS) 2.0, and ForgeRock OpenAM.[4]
Fortunately, there are common protocols and standards — namely, Security Assertion Markup Language (SAML) and the Open Authorization (OAuth) 2.0 Framework — supported by corporate and social IdPs that simplify the integration from the platform’s perspective while enabling secure cross-domain SSO (also known as “identity federation”) and client access to the cloud. Figure 1 provides an overview of how this works.
Security Assertion Markup Language
In the enterprise, SAML version 2.0 is a widely adopted protocol for identity federation and is ratified as a standard by the Organization for the Advancement of Structured Information Standards (OASIS). By default, any application deployed on SAP HANA Cloud Platform delegates authentication and user management to SAP ID service,[5] a SAML-compliant IdP on the internet that is operated by SAP and enables SSO across SAP’s on-demand portfolio of software-as-a-service (SaaS) offerings and public websites, such as SAP Community Network (SCN). Switching to a corporate IdP is easy because most of the well-known products in this space, such as SAP NetWeaver Single Sign-On and Microsoft ADFS 2.0, support SAML.
Open Authorization 2.0 Framework
Among the social IdPs, the OAuth 2.0 Framework[6] is the dominant protocol for enabling SSO. OAuth authorizes a client application to make calls to the social media network’s web APIs to access a specific user’s data on his or her behalf. This usually requires the user to give the client application permission to obtain an OAuth access token from the social network’s OAuth authorization server, which it has to pass with each API call.
On SAP HANA Cloud Platform, any application deployed to a customer or partner account[7] that authenticates users with SAP ID service can enable login with Facebook, Twitter, Google, or LinkedIn. In this scenario, SAP ID service takes the role of the OAuth client application that is authorized by the user to call the social network’s API on his or her behalf.
Securing Connections to and from the Cloud
When you deploy applications to the cloud, and enable access to and from the cloud for mobile devices and on-premise systems, you cede some amount of control over your data to the cloud provider and platform. How can you be sure that these assets are protected when they are out of your hands?
To mitigate data-related risks, SAP HANA Cloud Platform ensures the security of the connections between your data and the cloud, including support for securing mobile access to cloud applications, protections against common web attacks, as well as services that help you secure data stored by the platform or exchanged with on-premise systems.
Securing Web APIs with OAuth 2.0
As a strategic security technology for SAP HANA Cloud Platform, the OAuth 2.0 Framework supports developers in securing their own web APIs. Without any additional coding, developers can configure the endpoints of their cloud applications to require a valid OAuth access token, which a client — for example, a mobile or desktop application — has to obtain from a platform-provided, central OAuth 2.0-compliant authorization server.
Instead of making the client responsible for holding a user’s most secret credentials, such as a corporate user name and password, the developer need only protect the access token, which is a far less powerful credential. Due to the access token’s narrow scope, it authorizes only a particular client to call the API of a single SAP HANA Cloud Platform application, which mitigates the potential impact of a successful credential theft. End users can use the platform’s OAuth authorization server to manage the access tokens — for example, to revoke a token issued to a client that is no longer trustworthy or is insecure. Similar to other central services provided by SAP HANA Cloud Platform, such as the connectivity service and the persistence service, the OAuth authorization server implements a strict tenant separation with a logical isolation of the customer data, so that full protection of user and business data can be ensured.
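The following is an added example, not code from SAP or the platform, that models the token properties described above: a toy authorization server issues bearer tokens bound to one client, one application and a scope list, a resource-side check accepts a token only for the application and scope it was issued for, and the end user can revoke every token held by a client that is no longer trusted. All names (the `orders` application, the `mobile-app` client, the scope strings) are constructed for the illustration.

```python
import secrets
import time


class AuthorizationServer:
    """Toy OAuth 2.0 authorization server (assumed model, not the platform's own):
    every access token is bound to one client, one application and a scope set."""

    def __init__(self, lifetime_s=3600):
        self.lifetime_s = lifetime_s
        self._tokens = {}  # opaque token string -> record

    def issue_token(self, client_id, app, user, scopes):
        token = secrets.token_urlsafe(32)  # unpredictable, high-entropy bearer token
        self._tokens[token] = {"client_id": client_id, "app": app, "user": user,
                               "scopes": set(scopes),
                               "exp": time.time() + self.lifetime_s, "revoked": False}
        return token

    def revoke_client(self, user, client_id):
        """End user revokes every token issued on his or her behalf to one client."""
        count = 0
        for rec in self._tokens.values():
            if rec["user"] == user and rec["client_id"] == client_id and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count

    def introspect(self, token):
        """Return the token record if it is known, unexpired and not revoked."""
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"] or time.time() >= rec["exp"]:
            return None
        return rec


def protected_endpoint(authz, app, required_scope, authorization_header):
    """Check a platform-side filter would perform before passing the call to the
    application logic. Returns (status, body) in the shape of an HTTP response."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    rec = authz.introspect(authorization_header[len("Bearer "):])
    if rec is None:
        return 401, "invalid, expired or revoked token"
    if rec["app"] != app:  # a token is only good for the single application it was issued for
        return 403, "token not issued for this application"
    if required_scope not in rec["scopes"]:
        return 403, "insufficient scope"
    return 200, "orders for " + rec["user"]
```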
Protection Against Common Web Attacks
Even with the strongest authentication mechanism in place, once a user logs in, every web application is potentially vulnerable to common web attacks, such as cross-site request forgery (XSRF). With an XSRF attack, a malicious website sends a request to the vulnerable website where the user is currently logged in. This could happen when both sites are opened in different tabs of the same browser window, for example.
To help prevent an XSRF attack, SAP HANA Cloud Platform uses a randomly generated unique value — known as a “nonce” — per request, and stores it in the user’s session. URLs are also encoded with the same nonce, which makes requests to the victim’s website unpredictable for the attacker’s website. Each time a request is received, the current nonce in the user’s session is compared to the nonce in the request. Only if both values match is the request considered valid and passed by the platform-provided XSRF filter to the application logic.
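As an added illustration (not the platform's own filter code), the snippet below models the nonce check just described in the synchronizer-token form: a nonce generated at login and held in the server-side session, the same nonce encoded into the application's URLs, and a filter that lets a request through only when the nonce it carries matches the session's copy. The session attribute name, the `xsrf` parameter name and the sample URLs are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

NONCE_KEY = "xsrf_nonce"  # name of the session attribute (assumed)


def login(session):
    """On login, generate an unpredictable nonce and keep it in the server-side session."""
    session[NONCE_KEY] = secrets.token_urlsafe(24)
    return session[NONCE_KEY]


def protect_url(session, url):
    """Encode the session's nonce into an application URL so that every link the
    legitimate page renders carries a value another site cannot predict."""
    sep = "&" if "?" in url else "?"
    return url + sep + urlencode({"xsrf": session[NONCE_KEY]})


def xsrf_filter(session, url, form=None):
    """The platform-side check: compare the nonce in the request (query string or
    form field) with the one in the session. True only if both values match."""
    expected = session.get(NONCE_KEY)
    if expected is None:  # no session nonce yet: nothing to compare against
        return False
    presented = parse_qs(urlsplit(url).query).get("xsrf", [None])[0]
    if presented is None and form:
        presented = form.get("xsrf")
    if presented is None:
        return False
    # constant-time comparison so the nonce cannot be recovered byte by byte via timing
    return hmac.compare_digest(expected, presented)


def handle_request(session, url, form=None):
    """Application entry point: only requests that pass the filter reach the app logic."""
    if not xsrf_filter(session, url, form):
        return 403, "XSRF check failed"
    return 200, "transfer executed"
```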
Signing and Encrypting Data
If you need to encrypt or digitally sign sensitive data stored by your SAP HANA Cloud Platform application (for example, personal and financial data), or perform SSL communication with client-side certificates,[8] you must be able to securely manage the required cryptographic keys and certificates. The keystore service of SAP HANA Cloud Platform helps you manage these keys and certificates by providing a secure repository in the cloud for your applications. Using the platform’s console client, an account administrator can list, upload, download, and delete the keystores in the cloud.
Any data exchange between corporate on-premise systems and your cloud applications can be secured by using the platform’s connectivity service. This service establishes an SSL-based virtual private network (VPN) to SAP HANA Cloud Platform via a reverse invoke approach from the internal network to the cloud, which relieves the security administrator from opening any ports for inbound traffic on the corporate firewall that could invite an attack from the internet.
Built for Security
Security is engineered within SAP HANA Cloud Platform across all the layers of its architecture and the entire application life cycle. While the underlying processes and mechanisms are often complex, they are exposed to platform developers and administrators in a simple, consumable, and configurable way, making it easy to not only build and run applications in the cloud, but to do it securely and with confidence.
Learn more at https://help.hana.ondemand.com/help/frameset.htm?e80af38cbb57101495e2cd74c44af674.html.
[1] See the categories “Accountability and Data Ownership” and “User Identity Federation” at www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project.
[2] For more on developing applications with SAP HANA Cloud Platform, see “End-to-End Development Scenarios from SAP: Bridging the On-Demand and On-Premise Divide with SAP Tools for Eclipse” by Karl Kessler and Monika Kaiser in the October-December 2013 issue of SAPinsider.
[3] For more on the SAP HANA Cloud Platform tools, see https://tools.hana.ondemand.com/#cloud.
[4] For detailed tutorials on how to integrate with these IdPs, see http://scn.sap.com/docs/DOC-35464.
[5] To learn more about SAP ID service, see http://scn.sap.com/docs/DOC-20016.
[6] For more on the OAuth 2.0 Framework, see http://tools.ietf.org/html/rfc6749.
[7] This feature is currently not supported for free SAP HANA Cloud Platform developer trial accounts.
[8] For more on client-side SSL connections, see https://help.hana.ondemand.com/help/frameset.htm?38144cd12fcc44249e7b2c4584f46045.html.