Our client needs to encrypt the MOSS content database so that the content DB cannot be viewed by the DBA or unauthorized people without the right encryption key. It seems that Transparent Data Encryption (TDE) in SQL Server 2008 cannot protect the sensitive information from the DBA, because TDE is designed to protect data 'at rest'. Has anyone here faced this problem?

+7  A: 

It seems to me that a requirement to have sensitive data in a database is to trust the database admin.

Even if you could encrypt the data in a manner that the DBA isn't able to see it, he could sniff the connection where you pass the key (or the data!) or set up triggers to capture the data before encryption, in case the scheme would allow that.

In short, getting a trusted DBA is an easier and better solution.

Vinko Vrsalovic
+2  A: 

If you can't trust the DBA, you can't trust the database itself. Your application should only communicate encrypted data to the database server.

Having said that, there is also the administrator of the server that runs your application. Encrypting your way out of trusting him will be next to impossible.

Agree with Vinko here, get a DBA you can trust, or who can pass the screening.

Andomar
+1  A: 

There is no way to do it so that the data would still be usable within the DB.

You can do it so that the data is usable outside of the DB. Simply encrypt it before CRUD operations with some method.

There are ways to make it "reasonably" harder for the DBA to access the data; for example, you can store the key as inline data in SQLCLR functions, but the binary code for them is still accessible to the DBA. However, this means replicating the key around and synchronizing it, and it pretty much thwarts effective security.

Pasi Savolainen
Wouldn't entering only encrypted content be a real performance killer though? Also, given that it is a SharePoint DB, I doubt you actually can do that.
Vinko Vrsalovic
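An added example, not part of any answer on this page: the "encrypt it before CRUD operations" approach from the answers above, together with the cost they mention, namely that the database server can no longer do anything useful with the content. It uses AES-256-GCM from Node.js's built-in `crypto` module; the in-memory `table`, the function names and the sample rows are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a content-database table: this is everything the
// database server, and therefore the DBA, gets to store and read.
const table = [];

// Encrypt in the application tier. The row id is bound as associated data so
// a ciphertext copied onto another row fails authentication on read.
function insertEncrypted(key, id, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(String(id)));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored layout: 12-byte nonce || 16-byte auth tag || ciphertext
  table.push({ id, blob: Buffer.concat([nonce, cipher.getAuthTag(), body]) });
}

// Decrypt in the application tier; throws if the key, row id or blob is wrong.
function readDecrypted(key, id) {
  const { blob } = table.find((row) => row.id === id);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(String(id)));
  decipher.setAuthTag(blob.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return plain.toString('utf8');
}

// What a server-side query (WHERE body LIKE '%term%') has to work with:
// only the stored bytes, so it cannot match on content.
function serverSideSearch(term) {
  const needle = Buffer.from(term, 'utf8');
  return table.filter((row) => row.blob.includes(needle)).map((row) => row.id);
}

// Constructed sample data. The key is generated here only for the demo; the
// approach assumes it is held somewhere the database server cannot read.
const appKey = crypto.randomBytes(32);
insertEncrypted(appKey, 1, 'Q3 merger plan: acquire Contoso');
insertEncrypted(appKey, 2, 'Cafeteria menu');

console.log('server-side matches for "merger":', serverSideSearch('merger'));
console.log('application read of row 1:', readDecrypted(appKey, 1));
```

The key never reaches the database server in this layout, so the trust question moves to whoever administers the application tier and the key store.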
A: 

Trust the DBAs?! Technically, if we allow a DBA to control security without any restriction, the whole system becomes vulnerable because if the DBA is compromised, the security of the whole system is compromised, which would be a disaster.

What about rogue programmers inserting backdoors in the system? Or rogue managers selling the data from the reports they get from their valid use of the system? Or a rogue cleaning lady who copies the hard drive? ... you get the idea. You just have to trust somebody. Else we are talking about military security level where nobody knows everything and everything is handled on a need-to-know basis and so on, but that is real money. For a SharePoint database it seems to me getting an honest DBA is enough. I'm not even sure you can achieve that kind of security with off-the-shelf DB servers.
Vinko Vrsalovic
So trustworthy programmers manage your data, backups etc?
gbn
+2  A: 

Hi! Same problem here...

We are an MSSQL database hosting company. I can say that for us it's not a question of whether to trust the DBA or not. Our clients are banks and insurance companies. Their requirements are: "the DBA can't read the database", because it contains very sensitive data.

Currently we are looking for a solution.

I think you should post this as a question on its own. I'm having sort of the same problem you're having, look here: http://stackoverflow.com/questions/970262/how-to-protect-a-database-from-the-server-administrator-in-sql-server
julio.g