Security for the SAP landscape
The second EU Network and Information Security Directive (NIS 2 Directive) was published on December 27, 2022. Member states must transpose the directive into national law by October 2024. With the Cyber Resilience Act of the European Union, regulations for the use of products and software with a digital component are to be harmonized. There is a requirement for due diligence for the entire life cycle of such solutions.
Suse ensures security with BSI certification
Suse Linux Enterprise Server (SLES), and thus Suse Linux Enterprise Server for SAP Applications (SLES for SAP), received Common Criteria EAL 4+ certification from the Federal Office for Information Security (BSI) in 2021. This was based on a comprehensive evaluation of the product and of all development and security-update processes by atsec information security and BSI officials. Evaluation Assurance Level 4 Augmented by ALC_FLR.3 (EAL4+) confirms that SLES meets the highest security requirements for the product and the entire supply chain for mission-critical infrastructures, on x86 as well as IBM Z and Arm architectures.
"Certify once, use many"
Suse follows the "Certify once, use many" principle when certifying its operating system products. This means that the certified security properties and standards of SLES also carry over to SLE Micro and SLE BCI (Base Container Images) thanks to the common code base. Customers can rely on independently evaluated security when using these variants, which makes it easier to meet compliance requirements across their entire IT. Organizations also achieve a consistently high level of supply-chain security when operating edge applications with SLE Micro and when deploying containerized workloads with SLE BCI.
Suse technologies for an SAP security operating concept
It is important to be able to react quickly to vulnerabilities on the SAP platform, both for SAP application servers and SAP database servers. Suse provides "Kernel Live Patching", which can be used to quickly close vulnerabilities in the Linux kernel. With "Disk Remote Encryption", SAP HANA data can be encrypted and backed up on disk. Encryption of the communication between RAM and CPU was extended together with Intel in the context of confidential computing.
Furthermore, a local firewall is provided for SAP Hana to improve network security. This is achieved by only opening network ports to external network interfaces that SAP Hana really needs. The Suse Hardening Guide for SLES for SAP Applications 15 provides instructions on which settings can be made and which technologies can be used to increase the hardening level of the Linux platform.
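The allowlisting idea described above can be verified after the fact: compare a snapshot of listening TCP sockets against the ports an SAP HANA instance is expected to expose and flag anything else bound to a non-loopback address. This is an added example, not part of the Suse HANA firewall or the hardening guide; the instance number, the port allowlist and the `ss`-style snapshot are constructed assumptions.

```shell
#!/bin/sh
# Added example: report listening TCP ports that are reachable from external
# interfaces but are not on the expected SAP HANA allowlist.
# Assumptions: instance number 00; SQL ports 3NN13/3NN15 and sapstartsrv
# ports 5NN13/5NN14 are expected; 22 is kept for administration.

HANA_INSTANCE=00   # assumption: SAP HANA instance number NN

# Build the allowlist from the instance number, one port per line.
expected_ports() {
  nn=$1
  printf '3%s13\n3%s15\n5%s13\n5%s14\n22\n' "$nn" "$nn" "$nn" "$nn"
}

# Constructed snapshot in the shape of `ss -Hltn` output
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SNAPSHOT='LISTEN 0 128 0.0.0.0:30013 0.0.0.0:*
LISTEN 0 128 0.0.0.0:30015 0.0.0.0:*
LISTEN 0 128 127.0.0.1:30017 0.0.0.0:*
LISTEN 0 128 0.0.0.0:50013 0.0.0.0:*
LISTEN 0 128 *:50014 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:30041 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# Print, one per line, every port bound to a non-loopback address that is
# not on the allowlist. Loopback-only listeners are ignored because the
# local firewall does not expose them externally.
unexpected_listeners() {
  snapshot=$1
  allow=$(expected_ports "$HANA_INSTANCE")
  printf '%s\n' "$snapshot" | while read -r state rq sq laddr peer; do
    addr=${laddr%:*}
    port=${laddr##*:}
    case "$addr" in 127.*|'[::1]') continue ;; esac
    if ! printf '%s\n' "$allow" | grep -qx "$port"; then
      printf '%s\n' "$port"
    fi
  done
}

unexpected_listeners "$SAMPLE_SNAPSHOT"   # prints 30041 and 8080
```

On a live SLES for SAP host the same check runs against real data with `unexpected_listeners "$(ss -Hltn)"`; any port it reports is a candidate for closing in the local firewall or for adding to the allowlist after review.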
In addition to the pure patch management function (Dev-Test-Prod), Suse Manager also provides the option of analyzing the status of the Linux platform with regard to the CVE situation (Suse Manager Audit). This means that a CVE gap can be closed promptly with live patching by automatically rolling out the patch via the Suse Manager production channel. Scanning the implementation is possible with OpenSCAP from Suse Manager.
Further reading:
EU Cyber Resilience Act (EU law on cyber resilience) | Shaping Europe's digital future
SUSE and certifications: Standards users can rely on | SUSE Communities
Enterprise Linux Security Certifications and Features | SUSE
1 comment
Grant Bennett
This is amazing Fried. I want you to discuss this during our next meeting with the team.