November 16, 2009 at 9:38 am
Thanks all who responded.
Auditing (profiler trace) seems to be a better option for me.
subban
February 1, 2010 at 2:07 pm
How to use EKM outside SQL Server?
February 2, 2010 at 2:46 am
Roberto Fonseca (2/1/2010)
How to use EKM outside SQL Server?
Please post new questions in a new thread. Thank you.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
February 3, 2010 at 4:52 am
Sorry Gail. Please let me be more specific... You talked about "Encryption (with the keys stored outside the DB)", right? What does it mean? Just a "BACKUP CERTIFICATE" statement? Or are there any other ways to use a key "outside" SQL?
February 3, 2010 at 5:13 am
I mean non-SQL based encryption.
If the encryption is done in the database (certificate/key), then anyone with sysadmin rights has permission to open the key and decrypt the data. If you want to encrypt data so that sysadmins cannot read it, you must do the encryption somewhere other than the database (in the application, with the application responsible for storing, opening and using keys).
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
February 3, 2010 at 6:03 am
On top of Gail's good suggestion, if you don't want any one person to have the key, then use a dual key external encryption and store each key in the safes of two different people.
--Jeff Moden
Change is inevitable... Change for the better is not.
February 3, 2010 at 7:56 am
One option is to force two DBAs to be present when working with sensitive data. Give each of them half the login credentials and have them watch each other. To go even further, have all commands issued echoed to a secure server for review later.
February 3, 2010 at 9:30 am
Don't you think that "Oracle Database Vault" is a great feature that Microsoft should create in SQL Server?
February 3, 2010 at 9:56 am
Don't know enough about that product, but there definitely could be some better security controls and auditing improvements in SQL Server.
February 3, 2010 at 10:05 am
Roberto Fonseca (2/3/2010)
Don't you think that "Oracle Database Vault" is a great feature that Microsoft should create in SQL Server?
Uh sure, if getting a mostly illusory sense of data security at the expense of nightmarish potential maintenance and support problems is attractive to you. Personally, I'd rather chew glass than have to work with something like this, but I suppose it's an individual thing.
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."
February 4, 2010 at 7:41 am
Steve Jones - Editor (2/3/2010)
Don't know enough about that product, but there definitely could be some better security controls and auditing improvements in SQL Server.
Hi Steve,
What sorts of improvements do you have in mind? Just curious, since I think this whole thread has been fascinating.
Thanks,
webrunner
P.S. I tend to agree that even trustworthy DBAs should, under certain scenarios, be audited or kept from certain data. In fact, I would say that the most trustworthy DBAs would be perfectly fine with it, especially being audited, since they would have no reason to object to being watched.
Some people even argue for a kind of separation of powers where DBAs can control servers but their manager(s) will always be able to see what they've done via a system that the DBA does not control.
-------------------
A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html