SQL Server Performance Forum – Threads Archive
Confidentiality
How can you prevent the database administrator from accessing a sensitive database such as the Payroll database? He’ll have to perform backups and restores etc. without being able to query the tables or perform bcp etc. Thanks
I do not know of a way to stop the data being accessed, but what you could do is to audit data access. This will not stop access but will allow any access to be reported. It is cumbersome to set up, so it is best to limit it to only what is strictly required. Look under Auditing SQL Server Activity in BOL for further info.
HarryArchibald is correct, an SA cannot be prevented from accessing data, and the only option is to implement auditing. But in most cases, most SQL Server auditing can be circumvented by a clever SA. The only way that I know to ensure that auditing is not compromised is to use a product called Entegra from www.lumigent.com. This third-party program can be set up in such a way as to prevent an SA from circumventing standard SQL Server auditing. In fact, Entegra was designed with this specific purpose in mind.
——————
Brad M. McGehee
Out of curiosity, why would you want to restrict a DBA from accessing certain databases? Isn’t that part of their job? If he is misusing your corporate data then he should be punished according to your policies. I think I may have hit on a soap box for some DBAs…hmmm.. I guess one could say that the DBA is the most powerful position in most companies. Without data most businesses wouldn’t exist. Like Spider Man learned: "With great power comes great responsibility"
——————
MS, MCDBA, OCA, CIW
You can code your application to encrypt the data, but then you lose performance. But if security is more important then it can be done. We’ve had some ordering systems where the entire order except for the orderid was encrypted into a blob.
/Argyle
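The layout Argyle describes (orderid in the clear, everything else in one encrypted blob), as an added example that is not part of the original post or any poster's code. It assumes the Python `cryptography` package, uses an in-memory SQLite table as a stand-in for the SQL Server table, and all names, rows and the key are constructed for illustration.

```python
import json, os, sqlite3
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed key for the demo; in practice it lives in the application tier
# (KMS, HSM or secrets store) and is never stored on the database server.
KEY = AESGCM.generate_key(bit_length=256)

def seal(order_id: int, fields: dict) -> bytes:
    """Encrypt all fields into one blob, bound to order_id as associated data."""
    nonce = os.urandom(12)  # must be unique per encryption under one key
    plaintext = json.dumps(fields, sort_keys=True).encode()
    return nonce + AESGCM(KEY).encrypt(nonce, plaintext, str(order_id).encode())

def unseal(order_id: int, blob: bytes) -> dict:
    """Decrypt a blob; raises InvalidTag if it was altered or moved to another row."""
    nonce, ciphertext = blob[:12], blob[12:]
    return json.loads(AESGCM(KEY).decrypt(nonce, ciphertext, str(order_id).encode()))

def demo() -> dict:
    db = sqlite3.connect(":memory:")  # stand-in for the SQL Server table
    db.execute("CREATE TABLE orders (orderid INTEGER PRIMARY KEY, payload BLOB)")
    rows = {1: {"customer": "A. Example", "total": "120.00"},
            2: {"customer": "B. Example", "total": "9800.00"}}
    for oid, fields in rows.items():
        db.execute("INSERT INTO orders VALUES (?, ?)", (oid, seal(oid, fields)))

    # What anyone querying the table directly sees: the orderid and opaque bytes.
    raw = db.execute("SELECT payload FROM orders WHERE orderid = 1").fetchone()[0]
    # The application, holding KEY, reads the row normally.
    readable = unseal(1, raw)
    # Copying order 2's blob into order 1 is detected: orderid is authenticated.
    swapped = db.execute("SELECT payload FROM orders WHERE orderid = 2").fetchone()[0]
    try:
        unseal(1, swapped)
        swap_detected = False
    except InvalidTag:
        swap_detected = True
    return {"raw_leaks_name": b"Example" in raw, "readable": readable,
            "swap_detected": swap_detected}

if __name__ == "__main__":
    print(demo())
```

Backups and restores work on the blob column unchanged, but the server can no longer filter, sort or index on the encrypted fields.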
Good suggestion Argyle, I hadn’t thought of this. I wonder how easy it is to decrypt SQL Server data? Anyone have any experience in this?
——————
Brad M. McGehee
Thanks for your input guys.
tkelley, an organisation wouldn’t want the DBA to have access to the payroll data, especially when the top management’s salaries are confidential.
That always depends upon the TRUST placed in that DBA by the organisation.
For utmost confidentiality you can deploy third party tools such as Lumigent’s Entegra, which can give information on Auditing against the database. But this proves cumbersome and expensive to the management, I believe. I second Argyle & tkelley’s tips.
Satya SKJ