January 17, 2003 at 8:59 am
We have a new 3rd-party payroll app using SQL Server as the back end. The powers that be want to secure the application so that no one, including the SAs or DBAs, can access the data.
Is this possible? What is the best way to secure such a server? Does this app need to be on its own server? Should encryption be used somehow? Etc. etc.
Thanks in advance!
January 17, 2003 at 9:14 am
There are security solutions such as Protegrity, that'll secure the data. However, I don't know if these solutions obscure the information you can get from Profiler.
As for keeping sysadmins out, yes, sort of. You can drop the BUILTIN\Administrators group (review the ramifications before you do so), but this doesn't stop a rogue admin. Doing something as simple as stopping the SQL Server service and copying off the DB (if you can't encrypt it) is entirely possible. Then you have to resort to EFS, but then the admin also has the option of commandeering the account under which the files were encrypted.
Also, it seems like the powers that be don't realize the trust that is implied with these positions. For instance, what stops a mail administrator from sending a message as the CEO of the company? Nothing but ethics. Trust is key. The data in the payroll database is the same way.
Sorry for the rant, but we've had the same discussions where I work, too.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
January 17, 2003 at 9:16 am
SA and DBA need to be able to access the data to verify when issues arise. Yes, I would put apps with specific security needs on their own server and minimalize people with access ability on it. But the thing is the people using the app come and go and know the non-disclosure on t. The SA and DBA are subject to the same.
January 17, 2003 at 9:47 am
You also may want to check the application, to ensure you can't inject SQL.
I tested a HR package last year where they had two components the COM+ front end and the intranet web site for viewing data (password protected access).
Both components used the same access (dbo), and both were prone to injection.
Steven
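The injection weakness Steven describes, shown as an added example that is not code from this thread or from the HR package: the concatenated lookup beside its parameterized form, run against a constructed in-memory sqlite table standing in for the SQL Server payroll table (the table, rows and function names are assumptions for illustration).

```python
import sqlite3

# Constructed sample data standing in for the payroll table of an HR package.
# sqlite3 is used only so the example runs offline; the query patterns are
# the same ones an intranet front end would send to SQL Server.
SAMPLE_ROWS = [
    ("1001", "Alice Example", 52000),
    ("1002", "Bob Example", 61000),
    ("1003", "Carol Example", 58000),
]


def build_db():
    """Create the constructed payroll table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payroll (emp_id TEXT, name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO payroll VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, emp_id):
    """The weak pattern: form input pasted straight into the SQL text.

    Because the front end connects as dbo, anything the input turns the
    query into runs with full rights over the database.
    """
    sql = "SELECT emp_id, name, salary FROM payroll WHERE emp_id = '" + emp_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, emp_id):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT emp_id, name, salary FROM payroll WHERE emp_id = ?"
    return conn.execute(sql, (emp_id,)).fetchall()


def is_valid_emp_id(emp_id):
    """Defence in depth: an employee id from the intranet form is digits only."""
    return emp_id.isdigit() and 1 <= len(emp_id) <= 10


if __name__ == "__main__":
    db = build_db()
    tampered = "1001' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tampered))      # every row leaks
    print("parameterized:", lookup_parameterized(db, tampered))  # no match
    print("valid input?", is_valid_emp_id(tampered))             # False
```

Running it shows the concatenated query returning the whole table for a tampered id while the parameterized query returns nothing; pairing the parameterized form with a login that has only SELECT on the tables the web site needs, rather than dbo, limits what any remaining flaw can reach.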
January 17, 2003 at 10:07 am
Hopefully MS will get to the point of making SQL so that SA's don't necessarily have access to the data as part of administering. Look at NT security, entirely common for there to be folders that admins can't access. If they HAVE to, they can take ownership and you can see that happened in the audit history. Still, at some point you do have to have trust.
Andy
January 22, 2003 at 2:31 am
Thanks for the replies. Good rant too. That was my first thought. Would anyone actually recommend encryption in this case? This was upper management's idea, so if I downplay it I need to back it up. And what would be your practical approach to securing such a server?
Thanks again.