elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-06-16 : 06:10:07
|
I have a database on a cluster that is particularly sensitive data. I need to be able to guarantee that no-one apart from a very select group can access the data, i.e. I need to ensure that DBAs, me, the domain admins etc. etc. CANNOT access the data. One of the people who needs access is in the system administrators group (as am I) but the rest are ordinary users (I think - I'm not allowed to know!)

The problem is that this needs to be a no cost option, there are no other servers available to move it to.

Any suggestions on how to handle this?

I did wonder about setting up another instance just for this application but am not sure how the licensing works for SQL Server 2000 (i.e. if it would cost) and what if any issues there might be with multiple instances on a cluster. I'm going to see what I can find on these topics but would be interested in any feedback from here as well

thanks

steve

-----------
Oh, so they have internet on computers now!
|
nr
SQLTeam MVY
12543 Posts |
Posted - 2006-06-16 : 06:44:23
|
Stopping DBAs from accessing the data is a bit tricky. If they are going to administer that server they will need to be sysadmin which means they can access anything on the server. The infrastructure people will have access to the disk which means they could copy the files and attach to another server. Suspect encryption would be what you are looking for.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.
 |
|
mr_mist
Grunnio
1870 Posts |
Posted - 2006-06-16 : 06:44:49
|
Licensing does not care about instances, nor are there particular issues with installing additional ones into a cluster (though it may involve down time for others if you have to reboot.) You're going to have difficulty locking this down though. The clustered install would dictate that at least a couple of accounts (real domain accounts) have sysadmin access to the server.

-------
Moo. :)
 |
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-06-16 : 07:55:41
|
Thanks guys. I'm being told that only the one "dba" should be able to access the data for confidentiality reasons i.e. the person who is already in the sysadmin group. That sounds a high risk option to me but I will explain that.

Encryption might be a good answer (assuming it can be implemented for free)

cheers

steve

-----------
Oh, so they have internet on computers now!
 |
|
mcrowley
Aged Yak Warrior
771 Posts |
Posted - 2006-06-16 : 09:31:32
|
Sounds like you bought an application from a guy named Poncho....... Let's see who remembers him.
 |
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-06-19 : 03:13:39
|
I don't remember Poncho (I thought it was something you wore!). Glad to say I have nothing to do with this app apart from coming into it at this late stage

steve

-----------
Oh, so they have internet on computers now!
 |
|
jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2006-06-19 : 03:34:09
|
If they don't trust the DBA with the data then why are you (I am assuming you're the DBA) managing the databases/server?

I can only think of encryption at the moment following my initial shock at learning that DBAs are now being asked to find ways on how to lock themselves out of the server they manage (kinda funny actually lol)

--------------------
keeping it simple...
 |
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-06-19 : 07:23:43
|
Jen, I thought it was hilarious. The message I get is "We want you to look after these databases but we don't trust you to do it"

steve

-----------
Oh, so they have internet on computers now!
 |
|
blindman
Master Smack Fu Yak Hacker
2365 Posts |
Posted - 2006-06-19 : 11:12:32
|
Then next time an executive demands that you lock yourself out of databases containing sensitive business information, just say "Listen buddy. Considering your last three performance reviews and your recent pattern of alcoholic beverage purchases at the local supermarket, I wouldn't go throwing my weight around. Oh, and also, it's been more than five years since your last cholesterol test, so you might want to get that checked again." |
 |
|
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2006-06-20 : 03:03:42
|
ROFL, blindman that's genius

steve

-----------
Oh, so they have internet on computers now!
 |
|
|