Episode #223
Introduction
In episode 223 of our SAP on Azure video podcast we talk about Security and Encryption and the impact on performance. With all the recent incidents and news on hackers attacking systems around the world, it is more important than ever to secure and encrypt your systems. But what is the impact of all that when it comes to performance? Cameron Gardiner and Evren Buyruk join us today to talk about their findings.
Find all the links mentioned here: https://www.saponazurepodcast.de/episode223
Reach out to us for any feedback / questions:
- Robert Boban: https://www.linkedin.com/in/rboban/
- Goran Condric: https://www.linkedin.com/in/gorancondric/
- Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #Security #Performance
Summary created by AI
- Introduction and Encryption Overview:
  - Goran introduced podcast episode 223, focusing on encryption and security in SAP and Microsoft environments. He highlighted the importance of database encryption, antivirus solutions like Microsoft Defender, and their potential impact on performance.
  - Podcast Introduction: Goran introduced podcast episode 223, mentioning the focus on encryption and security in SAP and Microsoft environments. He emphasized the importance of these topics for customers and the potential impact on performance.
  - Encryption Importance: Goran discussed the significance of database encryption, such as HANA encryption, and how it is a critical aspect of security best practices. He noted that while encryption is essential, it can influence performance because of the computational resources required for the encryption and decryption processes.
  - Antivirus Solutions: Goran highlighted the use of antivirus solutions like Microsoft Defender for endpoint protection. He mentioned that these solutions are crucial for maintaining security but can also affect system performance, which needs to be tested and measured.
- Performance Benchmark Testing:
  - Goran introduced Cameron and Evren, who conducted intensive performance benchmark testing to measure the impact of enabling and disabling security features on SAP systems. Cameron and Evren shared their expertise and findings on the topic.
  - Expert Introduction: Goran introduced Cameron and Evren, highlighting their expertise in performance benchmark testing. Cameron has been with Microsoft for 18 years, focusing on SAP workloads and security, while Evren specializes in networking infrastructure, security, and reliability.
  - Testing Purpose: The purpose of the performance benchmark testing was to measure the impact of enabling and disabling various security features on SAP systems. This included testing the overhead of transparent data encryption (TDE), host-based encryption, and Microsoft Defender.
  - Testing Methodology: Cameron and Evren conducted intensive performance benchmark testing by creating a realistic customer scenario. They applied and removed security features like TDE, host-based encryption, and Defender, and measured the actual impact on system performance.
  - Findings: The findings from the performance benchmark testing showed that enabling security features like TDE, host-based encryption, and Defender had minimal impact on system performance. This provided valuable insights for customers on the feasibility of implementing these security measures without significant performance degradation.
- Cameron's Background and Testing Details:
  - Cameron, based in Singapore, has been with Microsoft for 18 years, focusing on SAP workloads and security. He developed a performance lab to test the overhead of various security features, including TDE, host-based encryption, and Defender.
  - Cameron's Experience: Cameron has been with Microsoft for 18 years, primarily focusing on SAP workloads and security. His extensive experience includes working on certification benchmarking and security topics, which have become increasingly important in recent years.
  - Performance Lab: Cameron developed a performance lab to test the overhead of various security features on SAP systems. The lab was designed to simulate realistic customer scenarios and measure the impact of security features like TDE, host-based encryption, and Defender on system performance.
  - Testing Scenarios: The performance lab included scenarios such as applying and removing TDE, host-based encryption, and Defender on both application and database servers. Cameron also tested HANA system replication between zones and disaster recovery setups to evaluate the impact on performance.
- Testing Methodology and Results:
  - Cameron explained the testing methodology, which involved creating a SUSE 15.5 system with the latest ML4 benchmark kit and applying various security features. The results showed minimal impact on performance, even with all security features enabled.
  - Testing Setup: Cameron created a SUSE 15.5 system with the latest ML4 benchmark kit, which is used for HANA certification. He applied various security features, including TDE, host-based encryption, and Defender, to measure their impact on performance.
  - Security Features Tested: The security features tested included HANA transparent data encryption (TDE), host-based encryption, and Microsoft Defender. Cameron applied these features in different combinations to evaluate their individual and combined impact on system performance.
  - Minimal Performance Impact: The results of the testing showed that enabling security features like TDE, host-based encryption, and Defender had minimal impact on system performance. This was a significant finding, indicating that these security measures can be implemented without major performance degradation.
- Defender on Linux and Windows:
  - Cameron shared that Defender on Linux and Windows has been successful, with 90,000 customers using it. He recommended moving to SUSE 15 for better performance and highlighted the importance of excluding certain SAP files from Defender scans.
  - Defender Adoption: Cameron shared that Microsoft Defender has been successfully adopted by 90,000 customers, with an equal split between Windows and Linux users. This widespread adoption highlights the effectiveness and reliability of Defender in protecting SAP systems.
  - Recommendation for SUSE 15: Cameron recommended that customers using SUSE 12 should consider upgrading to SUSE 15 for better performance and compatibility with Defender. The newer kernel in SUSE 15 provides improved support for security features and better overall performance.
  - Exclusion of SAP Files: Cameron emphasized the importance of excluding certain SAP files from Defender scans to avoid potential performance issues. He provided detailed documentation on the exclusions needed to ensure optimal performance while maintaining security.
- Performance Impact of Security Features:
  - Cameron presented the performance impact of various security features, showing that HANA transparent data encryption and Defender had minimal impact. He emphasized the importance of encrypting backups to prevent data theft.
  - Minimal Impact: Cameron presented data showing that enabling HANA transparent data encryption (TDE) and Microsoft Defender had minimal impact on system performance. This finding reassures customers that they can implement these security measures without significant performance degradation.
  - Importance of Backup Encryption: Cameron emphasized the critical importance of encrypting backups to prevent data theft. He explained that encrypting backups is a must-do security measure, as it protects against the risk of backup data being stolen and compromised.
  - Host-Based Encryption: Cameron discussed the performance impact of host-based encryption, noting a small overhead of around 2%. Despite this minor impact, he recommended using host-based encryption for the additional layer of security it provides.
- SELinux and Its Challenges:
  - Cameron discussed SELinux, an advanced security solution for Linux, and its challenges. He noted that SELinux in permissive mode caused significant performance issues and recommended that high-security customers consult their Linux vendors.
  - SELinux Overview: Cameron provided an overview of SELinux, describing it as an advanced security solution for Linux systems. He explained that SELinux offers robust security features but can be complex to implement and manage.
  - Performance Issues: Cameron noted that enabling SELinux in permissive mode caused significant performance issues, making the system almost unusable. He highlighted the need for careful configuration and testing when implementing SELinux.
  - Consulting Recommendation: For high-security customers considering SELinux, Cameron recommended consulting with Linux vendors to ensure proper implementation and ongoing management. He emphasized that SELinux requires continuous adjustments, especially after system upgrades or changes.
- Azure Virtual Network Encryption:
  - Evren introduced Azure Virtual Network encryption, which enables seamless encryption and decryption of traffic between Azure virtual machines. He explained the technology behind it and its benefits for securing VM-to-VM communication.
  - Introduction to Azure VNE: Evren introduced Azure Virtual Network Encryption (VNE), explaining that it allows seamless encryption and decryption of traffic between Azure virtual machines. This feature enhances security for VM-to-VM communication within the same virtual network.
  - Technology Behind VNE: Evren explained that Azure VNE uses Datagram Transport Layer Security (DTLS) to encrypt traffic. DTLS is designed to provide security for datagram-based applications, ensuring secure communication without significant performance impact.
  - Supported Scenarios: Evren highlighted that Azure VNE supports various scenarios, including VMs in availability sets and VM scale sets within the same virtual network.
- 0:00 Intro
- 2:35 Introducing Evren and Cameron
- 4:30 Performance Lab - Impact on Security
- 6:30 Overview of the test cases
- 8:10 Defender for Endpoint commands
- 9:05 Microsoft Defender for Endpoint on Windows Server with SAP
- 12:20 High Level Results
- 19:40 HANA TDE - Transparent Data Encryption
- 23:25 Defender for Endpoint
- 25:05 Defender for Endpoint command lines
- 25:45 Host encryption - HBE
- 27:05 SELinux - permissive
- 28:10 SELinux Commands
- 30:40 Summary of Results
- 36:50 Evren - HANA System Replication - High level results
- 37:35 Azure Virtual Network encryption
- 41:10 DTLS Tunnel with Virtual Network Encryption