Protect sensitive information from the DBA in SQL Server 2008

6

3

Our client needs to encrypt the MOSS content database so that the content DB cannot be viewed by the DBA or unauthorized people without the right encryption key. It seems that Transparent Data Encryption (TDE) in SQL Server 2008 cannot protect the sensitive information from the DBA, because TDE is designed to protect data 'at rest'. Has anyone here faced this problem?

Rapping answered 24/5, 2009 at 9:37 Comment(1)
It may not be a question of trust, but of capability. They seem to require that it be impossible for the DBA to see the sensitive data. DBA should be able to destroy all the data, but not to see it. – Westerman
6

It seems to me that a requirement to have sensitive data in a database is to trust the database admin.

Even if you could encrypt the data in such a manner that the DBA isn't able to see it, he could sniff the connection where you pass the key (or the data!) or set up triggers to capture the data before encryption in case the scheme would allow that.

In short, getting a trusted DBA is an easier and better solution.

Hertzfeld answered 24/5, 2009 at 9:42 Comment(1)
To prevent the DBA from sniffing the connection, you can do the encryption at the application level. – Desultory
2

If you can't trust the DBA, you can't trust the database itself. Your application should only communicate encrypted data to the database server.

Having said that, there is also the administrator of the server that runs your application. Encrypting your way out of trusting him will be next to impossible.

Agree with Vinko here, get a DBA you can trust, or who can pass the screening.

Overheat answered 24/5, 2009 at 9:58 Comment(0)
2

Same problem here...

We are an MSSQL database hosting company. I can say that for us the question is not whether to trust the DBA or not. Our clients are banks and insurance companies. Their requirements are: "the DBA can't read the database", because it contains very sensitive data.

Currently we are looking for a solution.

Hesitate answered 3/6, 2009 at 17:32 Comment(1)
I think you should post this as a question on its own. I'm having sort of the same problem you're having, look here: #970762 – Galligan
1

There is no way to do it so that the data would still be usable within the DB.

You can do it so that the data is usable outside of the DB. Simply encrypt it before CRUD operations with some method.

There are ways to make it "reasonably" harder for the DBA to access the data, e.g. you can store the key as inline data in SQLCLR functions, but the binary code for them is still accessible by the DBA. However, this means replicating the key around and synchronizing it, and it pretty much thwarts effective security.

Brouwer answered 24/5, 2009 at 10:0 Comment(1)
Wouldn't entering only encrypted content be a real performance killer though? Also, given that it is a SharePoint DB, I doubt you actually can do that. – Hertzfeld
0

Trust the DBAs?! Technically, if we allow a DBA to control security without any restriction, the whole system becomes vulnerable because if the DBA is compromised, the security of the whole system is compromised, which would be a disaster.

Selfoperating answered 24/5, 2009 at 10:14 Comment(1)
What about rogue programmers inserting backdoors in the system? Or rogue managers selling the data from the reports they get from their valid use of the system? Or a rogue cleaning lady who copies the hard drive? ... you get the idea. You just have to trust somebody. Else we are talking about military security level where nobody knows everything and everything is handled on a need-to-know basis and so on, but that is real money. For a SharePoint database it seems to me getting an honest DBA is enough. I'm not even sure you can achieve that kind of security with off-the-shelf DB servers. – Hertzfeld
0

Encrypting data at the application level is the way to go. You would need to store keys where the DBA can't access them.

This is a tried and tested solution, nothing new.

Sumptuary answered 11/9, 2013 at 19:36 Comment(0)
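
The approach in Brouwer's and Sumptuary's answers (encrypt in the application before any CRUD operation, keep the key where the DBA cannot reach it), shown as an added example that is not code from any poster. Assumptions: sqlite3 stands in for the content database, the `docs` table and `EncryptedStore` class are hypothetical, AES-GCM is one possible choice of cipher, and the third-party `cryptography` package is installed.

```python
# Added example. sqlite3 stands in for the content database; the table and
# column names are hypothetical. Needs the third-party "cryptography" package.
import os
import sqlite3
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class EncryptedStore:
    """Encrypts in the application tier; the database stores ciphertext only."""

    def __init__(self, conn, key):
        self._conn = conn
        self._aead = AESGCM(key)  # the key is never sent to or stored in the DB
        conn.execute("CREATE TABLE IF NOT EXISTS docs "
                     "(id INTEGER PRIMARY KEY, nonce BLOB, body BLOB)")

    def put(self, doc_id, plaintext):
        nonce = os.urandom(12)  # fresh 96-bit nonce for every write
        aad = b"docs:%d" % doc_id  # associated data ties ciphertext to its row id
        body = self._aead.encrypt(nonce, plaintext.encode(), aad)
        self._conn.execute("INSERT OR REPLACE INTO docs VALUES (?, ?, ?)",
                           (doc_id, nonce, body))

    def get(self, doc_id):
        row = self._conn.execute("SELECT nonce, body FROM docs WHERE id = ?",
                                 (doc_id,)).fetchone()
        if row is None:
            return None
        # decrypt() raises InvalidTag if the stored bytes were altered or moved.
        return self._aead.decrypt(row[0], row[1], b"docs:%d" % doc_id).decode()


def demo():
    conn = sqlite3.connect(":memory:")
    key = AESGCM.generate_key(bit_length=256)  # assumption: really from a KMS/HSM
    store = EncryptedStore(conn, key)
    store.put(1, "salary: 90000")  # constructed sample rows
    store.put(2, "salary: 45000")
    # A query run with full database rights returns opaque bytes.
    dba_view = conn.execute("SELECT body FROM docs WHERE id = 1").fetchone()[0]
    # Row 1 overwritten with row 2's stored bytes: detected on read, not prevented.
    conn.execute("UPDATE docs SET nonce = (SELECT nonce FROM docs WHERE id = 2), "
                 "body = (SELECT body FROM docs WHERE id = 2) WHERE id = 1")
    try:
        store.get(1)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True
    return dba_view, store.get(2), tamper_detected
```

As Brouwer's answer notes, values stored this way are not usable inside the database: the server cannot index, search or join on them.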
