13 Replies Latest reply: Feb 11, 2009 1:05 AM by 668822 RSS

    Securing data from DBAs

    Salman Qureshi
      Hi,
      Data Vault needs a separate license and also requires enterprise edition of database server. Is there any other way which i could use to make my data secure even from privileged users SYSDBAa and DBAs and cheeper than using data vault.
      Thanks

      SalmanSalman
      Senior Advisor

      Posts: 697
      Joined: Tue Nov 02, 2004 1:08 pm
      Location: Pakistan
      Private messageMSNM/WLMYIM
        • 1. Re: Securing data from DBAs
          JustinCave
          Realistically, probably not. Without Data Vault, the DBA can access anything in the database.

          Potentially, you could change all sensitive columns to RAW, change the applications to encrypt the sensitive data outside the database with a key outside the database, and just store the encrypted data. As long as the DBA doesn't have access to whatever server stores the key and doesn't have access to the middle tier server, he won't have the ability to decrypt the data.

          Of course, if there is a problem, and the key is lost, the DBA won't be able to do anything to recover the data.

          Justin
          • 2. Re: Securing data from DBAs
            Salman Qureshi
            Hi,
            Thanks a lot for your suggestion.

            Salman
            • 3. Re: Securing data from DBAs
              492514
              If you are happy with the answer, show your happiness by spending reward points and setting your question to answered, cf. http://forums.oracle.com/forums/ann.jspa?annID=718
              • 4. Re: Securing data from DBAs
                EdStevens
                Justin Cave wrote:
                Realistically, probably not. Without Data Vault, the DBA can access anything in the database.

                Potentially, you could change all sensitive columns to RAW, change the applications to encrypt the sensitive data outside the database with a key outside the database, and just store the encrypted data. As long as the DBA doesn't have access to whatever server stores the key and doesn't have access to the middle tier server, he won't have the ability to decrypt the data.

                Of course, if there is a problem, and the key is lost, the DBA won't be able to do anything to recover the data.

                Justin
                Justin,

                I'll be the first to admit that I've not looked into Data Vault, but I've often wondered about this question .. which was posed to me at a previous employer. The thing I wonder about is ... we're looking to some database feature to keep the DBA from accessing the data. So who, besides the DBA, do they expect to actually implement this database feature and by implication, who 'holds the keys'. It would seem to me that the only person with the knowledge and access to do this is ... the DBA.
                • 5. Re: Securing data from DBAs
                  181444
                  Ed, I think you have found a paradox. Often the only person with the real knowledge level necessary to manage the storage and retrieval of the data is the DBA. Encrypting the data and storing the key externally may keep the DBA from seeing the real data but it also has costs. Loss of the key and security of the externally held key as mentioned but also performance. There is overhead to encrypting and decrypting column values. 10g+ Transparent Data Encryption feature is usually a better choice.

                  Yes there is Data Vault but I have seen reference to an article where a knowledgable DBA could disable Data Vault get to the data and re-enable Data Vault.

                  My view, and I will admit it is biased, is that DBA's and System Administrators should be hired based not just on technical skills but on character. These are people the company should have faith in. That is not to say that the System Administrator and DBA activities should not be monitored but that management should be able to believe that the monitoring really is not necessary because the individuals involved will monitor themselves and each other as a matter of course.

                  TDE combined with normal Oracle object level privilege and their application to business job functions along with RLS/VPD provide all the data security necessary. (System privilege restriction included)

                  IMHO -- Mark D Powell --
                  • 6. Re: Securing data from DBAs
                    Niall Litchfield
                    EdStevens wrote:
                    I'll be the first to admit that I've not looked into Data Vault, but I've often wondered about this question .. which was posed to me at a previous employer. The thing I wonder about is ... we're looking to some database feature to keep the DBA from accessing the data. So who, besides the DBA, do they expect to actually implement this database feature and by implication, who 'holds the keys'. It would seem to me that the only person with the knowledge and access to do this is ... the DBA.
                    In the data vault world, the data vault administrator is a person with significant database and security knowledge, they would however be employed by a different group to the dba themselves - likely an internal compliance or security group. DV is about making separation of duties work, frankly if that's the requirement here - make sure that data is properly secured, and that security is correctly enforced and so on, then the cost of data vault is trivial compared to the staff and procedure cost of doing the thing properly. If on the other hand you don't trust the dba, it's surely time for a new dba.

                    Niall Litchfield
                    http://www.orawin.info/
                    • 7. Re: Securing data from DBAs
                      108476
                      Hi,
                      Is there any other way which i could use to make my data secure even from privileged users SYSDBAa and DBAs
                      Yes! I've helped built many custom auditing solutions, and they MUST also audit the DBA!!

                      It's sad, but the DBA is often the one who can cause the most damage!

                      Your Systems Administrator and DBA have no business touching your auditing mechanism, and while they may be responsible for the integrity of the data, a third-party must be used to perform all auditing collection, administration and reporting duties. There have been many serious lawsuits where a dishonest DBA entered a database and changed financial data, disclosed confidential information and violated Federal data access regulations.

                      This issue of “privilege user” access is a serious security exposure. Because the auditing solution must audit the access of Systems Administrators and DBA’s, these employees must not have any control or responsibilities for the auditing mechanism.

                      This segregation of duties is critical because it is considered malfeasance to give the “Keys to the Kingdom” to anyone charged with maintaining the servers and databases.

                      In sum, the auditing collection, consolidation and reporting must be the responsibility of a separate IT entity, solely charged with managing all data privacy audits. Any access outside the application layer, whether malicious or part of routine DBA duties, must set-off alarms for the SPA.

                      I have a whitepaper on the topic here: http://www.dba-oracle.com/art_lumigent_whitepaper.htm

                      Make sure to check-out the "horror stories"!

                      Hope this helps . . .

                      Donald K. Burleson
                      Oracle Press author
                      Author of "Oracle Privacy Security Autiting"
                      • 8. Re: Securing data from DBAs
                        181444
                        I have read several news reports of misbehavior by a System Administrator but I do not think I have read any about a DBA though I am sure it has happened. If you can post some references I would be interested.

                        Most shops are not large enough to have someone besides the DBA set up the auditing.

                        I am willing to bet that 99.99% of the damage caused by DBA's is the result of mistakes they make while performing DBA administrative tasks. Mistakes of the nature of truncate the wrong table, drop the wrong table, forget to import the data after exporting then truncating the table, and failure to verify the backups were being successfully made per the backup schedule.

                        The cost of mistakes far outweights the cost of misbehavior.

                        IMHO -- Mark D Powell --
                        • 9. Re: Securing data from DBAs
                          668822
                          hi mark,

                          i am completely agree with you. if you don't trust your DBA, how can you trust a person next to DBA and holding the keys for vault??

                          this is non ending suspicious nature..and i am sure after few days the OP will definitely ask "how to prevent data, from the person who is holding the key??" you have to trust your employees.

                          thanks and regards
                          VD

                          Edited by: vikrant dixit on Feb 9, 2009 4:02 AM
                          • 10. Re: Securing data from DBAs
                            668822
                            hi don,

                            i would also be interested in reading about any dishonest DBA. i heard about them, but haven't read any articles.

                            can you plz post any refrence?? i know you are really good at it..

                            thanks and regards
                            VD
                            • 11. Re: Securing data from DBAs
                              108476
                              Hi Mark,
                              I am willing to bet that 99.99% of the damage caused by DBA's is the result of mistakes they make while performing DBA administrative tasks.
                              Yep!

                              Human error (DBA error) is the #1 cause of Oracle unplanned downtime:

                              http://www.remote-dba.net/services.htm
                              I have read any about a DBA though I am sure it has happened. If you can post some references I would be interested.
                              Sure! DBA's are people too, and they can be as naughty as anybody else, especially when money is involved.

                              The worst I saw was a DBA who held a system hostage! He openly claimed that he was entitled to a share of the profits and placed a time-bomb on the database.

                              The police arrested him and led him away in handcuffs.

                              Here are some cases: http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm
                              The cost of mistakes far outweights the cost of misbehavior.
                              True, I agree.

                              However, to be compliant with Federal regulations, the DBA/SA staff must also be audited . . .
                              • 12. Re: Securing data from DBAs
                                108476
                                Hi VD,

                                BTW, you know that "VD" in English refers to "veneral disease", right?
                                i heard about them, but haven't read any articles.
                                OK, here are some more:

                                http://www.dba-oracle.com/job_interview/evaluating_personal_history.htm

                                In Florida, William Sullivan faces accusations that he stole millions of records from the database, selling his employers mission-critical data to a data broker.

                                http://www.bizjournals.com/tampabay/stories/2007/07/02/daily13.html

                                In California, Jennifer Adams, 45, an IT systems administrator, allegedly orchestrated a tax fraud scheme that scammed the government out of more than $50,000.

                                http://www.nascio.org/publications/documents/NASCIO-InsiderSecurityThreats.pdf

                                This Microsoft MVP runs a fake users group and makes cash selling hyperlinks:

                                http://www.dba-oracle.com/oracle_news/old_2004_11_26.htm

                                And lets not forget the scum who run "fake" user groups, decieving their connunities, in order to line their own pockets:

                                http://www.dba-oracle.com/t_fake_oracle_db2_users_groups.htm

                                Oh, and there are scum who steal other prople's work and copyright it under their own name:

                                http://www.dba-oracle.com/t_theft_research_intellectual_property.htm

                                The scummiest Oracle DBA of all-time this crook who conned people out of tens of thousands of dollars . . . .

                                http://www.eweek.com/article2/0,1759,1729525,00.asp
                                • 13. Re: Securing data from DBAs
                                  668822
                                  hi Don,

                                  you again disappoint me, nothing about any DBA, in any of your given article, is written..(not exactly about DBA)

                                  and about your saying.
                                  @Don
                                  Hi VD
                                  BTW,you know that "VD" in English refers to "veneral disease",right?
                                  why are you always finding some negative things in everything?? i mean i admire you every time..you were my idol.. but i think i have to think about it more..

                                  anyways thanks for links you have provided to me..and by the way VD=vikrant dixit(my name) and not "veneral disease"

                                  thanks and regards
                                  VD

                                  Edited by: vikrant dixit on Feb 10, 2009 11:04 PM

                                  Edited by: vikrant dixit on Feb 10, 2009 11:05 PM