SAP HANA Cloud, SAP HANA Database, SAP BTP Security, SAP S/4HANA Cloud Master Data

Safeguarding Enterprise Personal and Financial Data in SAP HANA with IBM Security Guardium


In the modern digital world, protecting sensitive business data is more important than ever. SAP HANA Cloud databases, known for their high performance and advanced analytics, serve as essential to many organisations’ operations. However, the huge amounts of personal and financial data they handle make them potential targets for cyber-attacks. Implementing advanced security measures is critical for protecting these datasets from any possible breaches.

This blog explains how IBM Security Guardium offers an additional level of safety to SAP HANA Cloud databases. You can ensure that enterprise personal and financial data is secure and meets regulatory standards by leveraging Guardium’s complete capabilities. Learn how this powerful combo may improve your data security strategy and safeguard your company’s most precious assets.

Importance of Data classification and identification for Data security

Identifying and classifying data is crucial for maintaining data security and ensuring compliance with regulatory standards. It helps in understanding the sensitivity and value of data, enabling organisations to implement appropriate security measures. Proper classification aids in protecting sensitive information from unauthorised access and potential breaches, while also facilitating efficient data management and retrieval.

About this blog

In this blog, IBM Guardium can be utilised to discover sensitive data within an SAP HANA DB. By scanning the database, Guardium identifies and classifies sensitive information, such as personal data, financial records, and intellectual property. Once discovered, this data is added to specific groups of fields or objects for continuous observation. This grouping facilitates targeted monitoring and protection, ensuring that sensitive data is safeguarded against unauthorized access and potential breaches. Guardium’s scanning and classification capabilities help maintain data security and compliance with regulatory standards for data protection in SAP HANA environments.


  • SAP BTP Account with access to SAP HANA Cloud Database
  • IBM Security Guardium


SAP HANA Cloud, a cloud-based version of the SAP HANA database, offers a multi-model platform for storing and processing diverse data. It integrates with SAP S/4HANA, the latest ERP suite, and SAP Business Technology Platform for application development. Here, security is ensured through IBM Guardium. IBM Security Guardium will scan the SAP HANA Cloud DB for the identification and classification of sensitive data such as personal details, financial details … etc. This data classification will enable administrator to keep an eye on specific table fields and help them formulate further business strategies such as data masking of data hiding for the database for the security purpose. Hence, this architecture positions SAP HANA Cloud as a secured and strong foundation for building versatile cloud-based enterprise applications.

Steps for integration

Log in to Guardium, and you will be directed to the home page as shown below:

Go to the Discover button on the left-hand panel, open the “Classification” dropdown, and select “Datasource Definitions” as shown below:

Click the “New” button, as highlighted below:

Enter details such application type, name, database type and other details in the pop-up screen as shown below:

Please keep in mind that the username and password for the SAP HANA Cloud database must be entered here.

To obtain the host name/IP address and port number, log into your SAP BTP account and click to the space for which you want to integrate Guardium with SAP HANA Cloud DB.

Select “SAP HANA Cloud” as indicated below:

Now, click “Actions” and choose “Copy SQL Endpoint”.

Paste the copied SQL endpoint and receive the hostname/IP data as shown below:

And get the port number details displayed follows from the same:

To check the status of your connection, click the “Test Connection” button.

The SAP HANA Cloud database setup is now complete. You can see the details as follows:

Click the Discover button on the left-hand panel, then open the drop-down menu by clicking “Classification” and selecting “Discover Sensitive Data”. Refer to the image below.

On the following screen, select “PII [template]”. Check out the information as recommended below, then click “Roles” to assign them, and then click the “Next” button.

Select the check box for the template pattern you wish to include (for example, birth date, city) and click the “Copy” button as displayed below and click on “Next” button:

Once we’ve completed “What to discover,” we’ll go on to “Where to search” and choose the integrated SAP HANA Cloud database and click on “Next”.

“Run discovery” is a convenience feature that allows you to conduct classification and check the status. Click “Next”.

We are now in the “Review report” stage, where we select a list of fields and select “Add to Groupof Object/Field” from the “Add to Group” drop-down and click on the “Next” button.

Select group “SAP Sensitive Data” and click on the “OK” button.

Select group “SAP Sensitive Data” and click on the “OK” button.

Let’s Test

Click the “Setup” button on the left-hand panel and choose “Group Builder” from the “Tools and Views” drop-down list.

Select “Object/Field” from the “Action” drop-down, then select “SAP Sensitive Data” from the list. Click the “Edit” button.

In the pop-up screen, select “Members”.

You will be able to see the relevant personal and financial table and fields from SAP HANA Cloud database.

Now that you identified and categorised that sensitive data in your HANA database, IBM Security Guardium can further help to improve data security by adoption of specialised security measures, such as to

  • Add encryption or access controls, to safeguard important data from unauthorised access and breaches; or by
  • Masking or blocking data access requests that violate regulations or policies
  • Configuring alerts for unauthorised access attempts, e.g. if someone from a non-finance department tries to access financial data, an alert can be triggered.

In general, classifying data based on its sensitivity in the first place helps to increase visibility and in turn to comply with regulatory obligations (e.g. by generating detailed reports for audits), prevent data loss, and reduce risks associated with data misuse. These features ensure that data handling procedures are consistent with organisational rules and legal standards, hence improving overall data security.


Securing SAP HANA Cloud databases is critical for safeguarding company personal and financial information from changing cyber threats. IBM Security Guardium improves your SAP HANA environment by offering strong data protection, continuous monitoring, and compliance capabilities, ensuring that critical information is protected. Investing in these advanced security measures not only protects essential data, but it also demonstrates how committed your company is to data privacy and compliance with laws and regulations. As cyber threats become more sophisticated, using IBM Security Guardium is a proactive step towards strengthening your SAP HANA Cloud databases and ensuring the integrity and security of your company data.