How can we secure our data from DBA?

Question

I have very confidential data in my database. I am trying to secure my data from dba.

I am a member of development team. We develop our software and delpoy in a server which has its own dba. We have limited control over the server.

In this scenario how can i deny dba of the server to lookup my data and deny making changes to them.

Is it possible?

Answer 1

Always Encrypted will be the best way to go for Encryption Data encryption and decryption takes place on client side, so data is not revealed in the databases but again DBA will be able to see and delete/edit the data as other users have advised.

Answer 2

there is 2 ways

1 Manual encrypt decrypt with a password (Only the person who knows the password can encrypt/decrypt)

2 Automated (inside the code) encryption, decryption (Developer who wrote the code can see the data)

Add CRC to check if data has been altered Keep backup of senstive data to restore if deleted or altered

Answer 3

In Oracle, you can use database vault option.

Answer 4

You can always encrypt all data that goes into the database.

However, a DBA will have full control on this data - he may not be able to decrypt it, but will be able to read it (in encrypted form), update it and even delete it. Nothing you can do about this.

You really need to rethink things - how can you work with a DBA you cannot trust? Most places will have service agreement that forbid DBAs from doing certain things. You need to rely on this kind of assurance if you don't think your DBAs are trustworthy.

Answer 5

Encrypt on the client side, only send and store encrypted data in the database.

In a SQL Server instance, sysadmin can do everything and can not be blocked.

Some thoughts... why is your team of developers more trusted then the single DBA who I assume is looking after more then one SQL Server box? Can you explain more please?