High Security Level Needed – How to Approach? | SQL Server Performance Forums


Not sure if this is the right place for this post or not. I’m developing an application that has sensitive data stored in a few tables. There are also procedures and functions that contain sensitive calculations (this is related to salary information, etc). I need to figure out a security model that is restrictive to the point where not even DBAs can access the tables, procedures, or execute any code in this database. There are a small handful of individuals in the organization who should have access. I’ve never developed something with this level of security before and wanted to reach out here to see if anyone had any insight. I think there is a way to encrypt code relatively easily, right? As far as executing, how do you prevent sysadmins from executing procedures as well? Thanks!

Hi,
AFAIK you cannot prevent sysadmins; you may go for encrypting the data.

Hemantgiri S. Goswami
MS SQL Server MVP
————————-
"Humans don’t have Caliber to PASS TIME , Time it self Pass or Fail Humans" – by Hemantgiri S. Goswami
http://hemantgirisgoswami.blogspot.com

As Hemanth mentioned, it is not possible to hide the data from SQL Server, but you can audit who is peeping into it…
And the best approach would be data encryption, which is fully supported in SQL 2005.

MohammedU.
Moderator
SQL-Server-Performance.com
All postings are provided “AS IS” with no warranties for accuracy.

Aah, sounds like the typical HR dilemma. ;)
They want nobody to be able to see anything, and in case of a disaster they want you to fix it without even knowing what goes on. They should put a little bit more trust in the DBA. You may encrypt the data, you may encrypt the stored procedures. Once you have done that it’s pointless to DENY execution (if that would be possible at all) for sysadmin. After all, since the data is encrypted the DBA won’t see which numbers belong to which employee, right? :)

–
Frank Kalis
Moderator
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.de
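
Added example, not part of the thread or any poster's code: a T-SQL sketch of the data encryption the replies recommend, using a symmetric key protected only by a passphrase so that a session without the passphrase reads ciphertext. The table `dbo.EmployeeSalary`, the key name `SalaryKey`, the passphrase placeholder, the sample row and the choice of AES_256 are all assumptions.

```sql
-- Constructed example: dbo.EmployeeSalary, SalaryKey and the passphrase are placeholders.
CREATE TABLE dbo.EmployeeSalary (
    EmployeeId   int            NOT NULL PRIMARY KEY,
    SalaryCipher varbinary(256) NOT NULL  -- ciphertext only, never the plain amount
);
GO

-- Protect the key with a passphrase only (no certificate or database master key),
-- so membership in sysadmin alone is not enough to open it.
-- AES_256 is an assumption; pick an algorithm your SQL Server build and OS support.
CREATE SYMMETRIC KEY SalaryKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = '<passphrase held by the authorised users>';
GO

-- Session of an authorised user: open the key, then write and read.
OPEN SYMMETRIC KEY SalaryKey
    DECRYPTION BY PASSWORD = '<passphrase held by the authorised users>';

DECLARE @EmployeeId int, @Salary varchar(20);
SET @EmployeeId = 1001;        -- constructed sample row
SET @Salary     = '85000.00';

-- The authenticator (3rd/4th arguments) ties the ciphertext to this EmployeeId, so a
-- value copied into another employee's row no longer decrypts.
INSERT INTO dbo.EmployeeSalary (EmployeeId, SalaryCipher)
VALUES (@EmployeeId,
        EncryptByKey(Key_GUID('SalaryKey'), @Salary, 1,
                     CONVERT(varbinary(8), @EmployeeId)));

SELECT EmployeeId,
       CONVERT(varchar(20),
               DecryptByKey(SalaryCipher, 1, CONVERT(varbinary(8), EmployeeId))) AS Salary
FROM dbo.EmployeeSalary;

CLOSE SYMMETRIC KEY SalaryKey;
GO

-- Any session that has not opened the key, a DBA's included, gets NULL here.
SELECT EmployeeId,
       DecryptByKey(SalaryCipher, 1, CONVERT(varbinary(8), EmployeeId)) AS Salary
FROM dbo.EmployeeSalary;
```

Encryption here runs inside the server, so the passphrase and the plain values still reach the instance; this limits what a DBA sees in the table but does not take the DBA out of the trust boundary, which is why the replies pair it with auditing.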