Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: [Q] Security Paranoia....

From: Niall Litchfield <n-litchfield_at_audit-commission.gov.uk>
Date: Wed, 29 Aug 2001 09:29:56 +0100
Message-ID: <3b8ca807$0$8510$ed9e5944@reading.news.pipex.net>


Comments embedded.
"Donovan J. Edye" <donovan_at_namsys.com.au> wrote in message news:3b8c8a05.687194223_at_can-news.tpg.com.au...
> So is it possible to:
>
> - Encrypt the data in the database
> - Still write SQL such as SELECT * FROM MyTable WHERE AField = 'blah'
>   within the stored procedures
> - Encrypt the stored procedures

Yes. You can encrypt either using your own mechanism or using the supplied DBMS_OBFUSCATION_TOOLKIT package. You can also wrap PL/SQL code.

> In short I don't want the dba or any other super user to be able to
> interact or see the data in the db in any way (tables, stored procs
> etc)

I would strongly suggest that this is an unreasonable request. The DBA is responsible for the integrity of your data and the performance and reliability of your database. If you deny them the access they need, they will not be able to do their job properly. I note moreover that you are not posting from a military or other sensitive organisation but from a software supplier. I find it incredibly hard to believe that this is really a requirement for Namadgi Systems. In short, paranoia would appear to be the exact right term to describe this requirement. I would hope that your DBA would point blank refuse to support this suggestion and leave you to get on with it on your own. If you don't trust them, why should they trust you to produce reliable, scalable code? Incidentally, SELECT * FROM MyTable WHERE AField = 'blah' isn't nearly as good as SELECT * FROM MyTable WHERE AField = :1, for example.

> and only want external users to access the data from a stored
> procedure interface. Users would be granted access to the stored
> procedure interface via a specified user name and password. The only
> things they would be able to see would be the stored procedures and
> execute them, but not the content of the stored procedures.

This is fair enough. Many web sites for example work in exactly this way.

I realise that this is a strongly worded post; it isn't intended as personal abuse and I hope it doesn't get taken that way.

--
Niall Litchfield
Oracle DBA
Audit Commission UK
Received on Wed Aug 29 2001 - 03:29:56 CDT
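
The stored-procedure-only interface discussed in this thread, as an added example that is not part of the original post: an owning schema holds the table, a package exposes one lookup that uses a bind variable, and the external account receives EXECUTE on the package and nothing else. The names `app_owner`, `app_user`, `mytable` and `mytable_api`, and the password, are hypothetical placeholders; this limits external users and does not restrict the DBA.

```sql
-- Added example (Oracle SQL, PL/SQL and SQL*Plus). All object names are hypothetical.

-- 1. Connected as APP_OWNER, the schema that owns the data.
CREATE TABLE mytable (
  id      NUMBER        PRIMARY KEY,
  afield  VARCHAR2(50)  NOT NULL,
  payload VARCHAR2(200)
);

-- Definer's rights: the package runs with APP_OWNER's privileges,
-- so callers need no privileges on the table itself.
CREATE OR REPLACE PACKAGE mytable_api AUTHID DEFINER AS
  PROCEDURE get_by_afield (
    p_afield IN  mytable.afield%TYPE,
    p_rows   OUT SYS_REFCURSOR
  );
END mytable_api;
/

CREATE OR REPLACE PACKAGE BODY mytable_api AS
  PROCEDURE get_by_afield (
    p_afield IN  mytable.afield%TYPE,
    p_rows   OUT SYS_REFCURSOR
  ) IS
  BEGIN
    -- Static SQL: p_afield is sent as a bind variable, never concatenated
    -- into the statement text, so one cursor is shared for all values.
    OPEN p_rows FOR
      SELECT id, afield, payload
        FROM mytable
       WHERE afield = p_afield;
  END get_by_afield;
END mytable_api;
/

-- 2. Connected as an administrator: the external account can only log in.
CREATE USER app_user IDENTIFIED BY "placeholder_password";
GRANT CREATE SESSION TO app_user;

-- 3. Connected as APP_OWNER: the only object privilege handed out.
GRANT EXECUTE ON mytable_api TO app_user;

-- 4. Connected as APP_USER (SQL*Plus). A direct SELECT on
--    app_owner.mytable fails with ORA-00942; the package call works.
VARIABLE rc REFCURSOR
EXEC app_owner.mytable_api.get_by_afield('blah', :rc)
PRINT rc

-- 5. Audit check, run as a DBA: expect a single EXECUTE row.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'APP_USER';
```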
