Prevent SAs from viewing user data | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive

Prevent SAs from viewing user data

We have a database that contains very confidential information, and only 2 users in our company are allowed to view the data. Even the system administrators must not see the data. However, SA must perform the usual DBA tasks on the SQL Server and the database. Please guide me on how this can be achieved. We are using SQL Server 2005.

Regards,
Shivi

I don’t think there is any way to hide the data from DBAs when they use ‘sa’ level access.
The only option would be to encrypt the data without giving DBAs the encryption key… SA level access is as a SUPER USER… Check for data encryption in 2005…
MohammedU.
Moderator
SQL-Server-Performance.com

Client-side and server-side encryption are your only choices. Client-side encryption is done by the client, and server-side encryption (only available in 2005) is done at the SQL Server. The current 2005 server-side encryption setup is not all that easy. Be sure you read the Books Online very carefully before you begin using server-side encryption so that you make the correct decisions that best meet your needs.

Brad M. McGehee, SQL Server MVP
http://www.sqlbrad.com
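
An added example (not from any poster in this thread): SQL Server 2005 cell-level encryption with a symmetric key protected only by a password, so reading the column requires a secret the DBAs are not given. The database, table and key names, the passphrase placeholder and the sample row are assumptions made for illustration.

```sql
-- Added example. All object names and the passphrase are placeholders.
USE ConfidentialDB;          -- hypothetical database
GO

-- The sensitive column stores ciphertext only.
CREATE TABLE dbo.ConfidentialRecords (
    RecordID   int IDENTITY(1,1) PRIMARY KEY,
    OwnerName  nvarchar(100)   NOT NULL,
    SecretData varbinary(8000) NOT NULL
);
GO

-- Run by one of the two authorized users (needs ALTER ANY SYMMETRIC KEY).
-- The key is protected by a password alone, not by the database master key
-- or a certificate, so nothing stored on the server can open it by itself.
CREATE SYMMETRIC KEY ConfidentialDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = '<passphrase known only to the data owners>';
GO

-- An authorized session opens the key, writes and reads, then closes it.
OPEN SYMMETRIC KEY ConfidentialDataKey
    DECRYPTION BY PASSWORD = '<passphrase known only to the data owners>';

INSERT INTO dbo.ConfidentialRecords (OwnerName, SecretData)
VALUES (N'constructed sample owner',
        EncryptByKey(Key_GUID('ConfidentialDataKey'),
                     N'constructed sample secret'));

-- DecryptByKey returns varbinary; convert back to the original type.
SELECT RecordID,
       OwnerName,
       CONVERT(nvarchar(4000), DecryptByKey(SecretData)) AS SecretData
FROM dbo.ConfidentialRecords;

CLOSE SYMMETRIC KEY ConfidentialDataKey;
GO

-- Any session that has not opened the key (a DBA doing routine work,
-- a backup restored elsewhere) sees ciphertext, and DecryptByKey yields NULL.
SELECT RecordID,
       SecretData,
       DecryptByKey(SecretData) AS DecryptAttempt
FROM dbo.ConfidentialRecords;
GO
```

With server-side encryption the passphrase and the plaintext still pass through the SQL Server process; client-side encryption keeps both off the server.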

While I agree that encryption seems to be the only way, I would say that using an SQL Server based application for just 2 users looks like overkill. Also, a certain level of trust in the integrity of your DBAs you should have, otherwise you’re in big trouble anyway.

--
Frank Kalis
Moderator
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.de

As FrankKalis mentioned, you have to have trust… At the same time, you can enforce auditing even for selecting from those tables…
MohammedU.
Moderator
SQL-Server-Performance.com

With SP2 you can take the help of logon triggers (http://msdn2.microsoft.com/en-us/library/bb326598.aspx). Also, you can rename the SA account, where the renamed name and password can be stored in a secure place. But as suggested, you need to trust the DBAs, and if it is really sensitive and protected data then take other measures such as audit the feature.

Satya SKJ
Microsoft SQL Server MVP
Writer, Contributing Editor & Moderator
http://www.SQL-Server-Performance.Com
This posting is provided AS IS with no rights for the sake of knowledge sharing. The greatest discovery of my generation is that a human being can alter his life by altering his attitudes of mind.

quote: Originally posted by FrankKalis
> Also, a certain level of trust in the integrity of your DBAs you should have, otherwise you’re in big trouble anyway.

Do the DBAs trust anybody? :p

Roji. P. Thomas
SQL Server MVP
http://toponewithties.blogspot.com

When it is a guard duty… you should not trust your own shadow :D ;)

MohammedU.
Moderator
SQL-Server-Performance.com

All postings are provided “AS IS” with no warranties for accuracy.

I just "invented" this quote.

Trust me, because I am the DBA
I don’t trust you, because I am the DBA

:)

Roji. P. Thomas
SQL Server MVP
http://toponewithties.blogspot.com

quote: Originally posted by Roji. P. Thomas
> I just "invented" this quote.
>
> Trust me, because I am the DBA
> I don’t trust you, because I am the DBA
>
> :)

Very nice… [8D]

MohammedU.
Moderator
SQL-Server-Performance.com

All postings are provided “AS IS” with no warranties for accuracy.

Nice of you to invent such a wonderful quote that applies to most of us here :D

quote: Originally posted by Roji. P. Thomas
> I just "invented" this quote.
>
> Trust me, because I am the DBA
> I don’t trust you, because I am the DBA
>
> :)