Sticking with my plan to share some COIL updates ahead of SAP SapphireNow, today I am paying close attention to a project on cloud-based SAP HANA with third-party database encryption. SAP is working with partners Intel and Virtustream, along with new COIL project member Vormetric (who is also partnering with Intel), to explore high-speed data-at-rest encryption and how it can be applied to further secure the deployment and use of SAP HANA from the cloud. It has been an impressive mix of participants: Intel and Vormetric have collaborated closely on encryption and system performance, and Virtustream has provided reality-based use case details. Lastly, it has been very impressive to work with our SAP colleagues in Belfast, who set the bar high for performance engineering test development, execution and analysis.
SAP HANA already provides native security controls: robust authorization, single sign-on and access control, plus the management controls needed to deploy it securely for countless use cases, from applications running over relational databases to a platform for developing entirely new innovations. There is plenty of solid, useful information on this topic, with specific details aimed at the SAP HANA administrator.
The reader will also find additional information about SAP Cloud Security: SAP's cloud solutions contain security controls and practices designed to protect the confidentiality, integrity and availability of customer information. These controls also extend to the third parties that provision SaaS cloud services for SAP and to SAP's internal organization.
For this project, the team intends to validate and demonstrate the capabilities required to maintain compliance, security and SLAs for SAP HANA in the cloud. It is a timely project, since SAP's own Cloud Privacy team advocates providing complete customer-controlled encryption. Many of SAP's cloud solutions encrypt data in a way that does not affect applications: the data is decrypted on the fly when applications access it, but stays encrypted for other types of access. In the future, we want customers to be able to control this encryption and decide how and when they want to access it.
It is exactly with this notion in mind that the encryption solution stemming from this collaborative COIL project uses hardware-assisted, high-performance data-at-rest encryption, access control and security intelligence gathering to secure data and to satisfy auditors that compliance requirements are met.
Project Use Case, Testing and Observations
This COIL project evaluates two important dimensions:
1.) Demonstrate minimal performance overhead due to encryption
a. No need for customers to trade off performance for security
More analysis will come via whitepapers; an introduction and summary of the results was shared during the demo theatre presentation on June 3rd at SAP SapphireNow. You can also pick up a nice summary of the results now over at Vormetric's blog.
2.) Use the performance characterizations from the project to demonstrate how to apply the security architecture and Vormetric Data Security solutions to SAP HANA in the cloud. This demonstrates:
a.) The SAP HANA data in the cloud is encrypted
b.) The customer is the custodian of the encryption keys
c.) Service provider personnel do not have access to data, but can still provision and manage the infrastructure
d.) Intel's AES-NI instructions and other enhancements in the latest Intel processors are exploited to accelerate cryptographic computations
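As an added example (not code from the COIL project, SAP, Intel or Vormetric), here is how the key-custody boundary in (b) and (c) and the hardware-acceleration point in (d) can be modeled in Go with the standard library's AES-256-GCM. Vormetric Transparent Encryption sits at the file-system layer below the database; this example stands in for that layer with envelope encryption: every file gets its own data key (DEK), wrapped under a key-encryption key (KEK) that only the customer holds, so an operator can copy, back up or restore the stored envelope but cannot open it. The type and function names, the sample plaintext and the 64 KB chunk size are assumptions of this example, not anything the Vormetric product exposes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Envelope is all the provider ever holds for one file: ciphertext plus the DEK wrapped under the customer KEK.
type Envelope struct {
	WrappedDEK []byte // DEK sealed with the customer KEK (AES-256-GCM)
	Ciphertext []byte // file bytes sealed with the DEK (AES-256-GCM)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or any tampering fails authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// CustomerEncrypt runs where the KEK lives: a fresh 256-bit DEK per file, wrapped under the KEK.
func CustomerEncrypt(kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// CustomerDecrypt unwraps the DEK with the KEK, then opens the file. An operator who can
// copy or restore the Envelope but lacks the KEK gets an error here, never plaintext.
func CustomerDecrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := unseal(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, env.Ciphertext)
}

// ThroughputMBps seals totalMB of data in chunkKB buffers under one DEK and returns MB/s.
// crypto/aes takes the AES-NI path at runtime when the CPU has it, so this is a per-core
// ceiling for the encryption layer alone. The fixed nonce is tolerable only because the
// output is discarded; never reuse a nonce for real data.
func ThroughputMBps(totalMB, chunkKB int) float64 {
	dek := make([]byte, 32)
	rand.Read(dek)
	gcm, _ := gcmFor(dek)
	nonce := make([]byte, gcm.NonceSize())
	buf := make([]byte, chunkKB*1024)
	out := make([]byte, 0, len(buf)+gcm.Overhead())
	start := time.Now()
	for done := 0; done < totalMB<<20; done += len(buf) {
		out = gcm.Seal(out[:0], nonce, buf, nil)
	}
	return float64(totalMB) / time.Since(start).Seconds()
}

func main() {
	kek := make([]byte, 32) // constructed demo KEK; in practice it lives in the customer's key manager
	rand.Read(kek)
	env, _ := CustomerEncrypt(kek, []byte("constructed sample: one HANA data volume page"))
	_, err := CustomerDecrypt(make([]byte, 32), env) // operator-side attempt without the KEK
	fmt.Printf("without KEK: %v; seal throughput %.0f MB/s\n", err, ThroughputMBps(64, 64))
}
```

Running the same binary on a host with the `aes` flag in /proc/cpuinfo and on one without it shows the difference point (d) is about; the figure is the cost of the encryption layer by itself, which is why the project measured full OLTP workloads through the file system rather than stopping at a cipher benchmark.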
A complete whitepaper from COIL will soon be published, where you can learn more about the Vormetric Transparent Encryption and Access Control technology and find the tests described in more detail, including the measured throughput and latency. The net conclusions are:
What does the Outcome of this Project Signify?
The results from the tests the team ran on Intel Westmere and Ivy Bridge architectures are certainly valuable: they indicate that passing the OLTP workloads used (see OLTP-bench [4]) through Vormetric's encryption layer does not impose an unfavorable degree of overhead on an SAP HANA database.
There is clearly much more to explore by employing more use cases and working against different I/O performance targets.
Our performance engineering leads would still like to test at higher system utilization, up to the extreme case of saturation (> 90% CPU usage). Early speculation is that before reaching that point testers will hit a bottleneck at another layer of the system, e.g., the storage layer.
The team anticipates being asked about the encryption impact at high-to-saturation utilization levels, so more work is needed: the numbers we have now only provide evidence for entry-level to beginning-of-mid-range system utilization, i.e., up to ~40% CPU usage.
Yet another question to address: once we declare a satisfactory performance outcome, including the persistent ability to encrypt more effectively in the cloud, does this further help a firm meet its security and privacy goals for its data?
Doing More Securely with SAP HANA in the Cloud
SAP HANA leads the charge in changing high-speed data analytics, letting companies compete better by harnessing real-time insights for their most important business processes. As mentioned earlier, the SaaS provided by SAP and SAP partners is comprehensive and assures data segregation at every layer of the stack.
While few disagree that cloud computing offers game-changing capability for business computing, and even with the highly robust capabilities deployed by cloud providers like SAP, many companies remain reluctant to deploy mission-critical applications in hosted cloud environments. Although they would very much like to realize the potential benefits, they have understandable concerns about security and compliance.
What this COIL project shows is that data encryption offers even more protection to leverage: companies can seriously consider running mission-critical applications on SAP HANA in the cloud when multiple data types can be safely encrypted and when encryption key management is controlled directly by the owners actually responsible for the data.
This COIL project is a practical examination of this security model and architecture, tested in the SAP COIL labs by multiple partners with expertise in enterprise-class databases and analytics, hardware and systems, data security, and cloud infrastructure and HANA services. It is a significant milestone: it demonstrates the availability of a high-performance data security solution for SAP HANA that will help enterprise customers meet their compliance requirements while hosting their data in the cloud.
This initial validation work is very much aligned with the best practices and defense-in-depth strategy surrounding SAP HANA in the cloud, with Vormetric adding value through its approach to encryption key management.
Where to learn more?
Watch the COIL SCN page for a link to the whitepaper, and you can also visit Vormetric and have a look at Ashvin's informative post.
Thanks greatly to Ashvin, Bing, Kathy, Charles, Bill, Wes, Kevin, Sergio and the entire project team for contributing to all of the content shared here. For those who like the system details, here is the rig all the testing ran on. (Thanks Sergio!)
HW specs of the systems used:
IvyBridge: 4-socket, 60-core Intel Xeon E7-4890 v2 @ 2.80GHz [1]; both log and data volumes reside on a file system guarded by Vormetric software.
Westmere: 4-socket, 40-core Intel Xeon E7-4870 @ 2.40GHz [2]; both log and data volumes reside on a file system guarded by Vormetric software.
REFERENCES
[1] IBM System x3850 X6
http://www.redbooks.ibm.com/technotes/tips1084.pdf
[2] Supermicro system
ftp://ftp.supermicro.com/CDR-X9-Q_1.00_for_Intel_X9_Q_platform/MANUALS/X9QR7_i-TF+.pdf
[3] Intel SSD 910 series
http://www.intel.co.uk/content/www/uk/en/solid-state-drives/ssd-910-series-specification.html
[4] OLTP-bench
Note: The core counts above are physical cores and hyperthreading was not used in any of the experiments: 60 physical cores on IVB (120 logical cores with hyperthreading) and 40 physical cores on WM (80 logical cores with hyperthreading).