1

Problem

How do I ensure that I cannot access confidential data manually through the database? Practically speaking, this is a firestore database on google cloud, and I have access to the administrator google account. For the purposes of this question, we assume the code is perfect, and is trusted to be not malicious in any way.

I'm developing software for a client, and one of the requirements is that the data is only accessible by two other people, and I am not one of them. It's a small project, and I'm both the sole developer and system administrator. I'm capable of ensuring data confidentiality when the only point of access is the application, but due to the system administrator role I also have direct access to the database.

Possible Solutions

  1. Remove my admin access to the database.

    While it would solve the problem, it would also make further development and support rather difficult.

  2. Use encryption

    Possible, if I only encrypted the records that were confidential. It would slightly impact support but not to any major extent. The main problem here is how to ensure I don't have access to the decryption key, while the server does.

  3. Use database permissions

    As far as I can tell, google firestore only has permissions for different actions, where I would need to have row or column based permission. I could probably do it with table based permission too. Technically speaking as administrator I could add permission back, but so long as it kept a history of permission changes this should be fine.

Programmdude
  • 111
  • 2
  • 1
    I think number 1 is the only way to truly do it. But it doesn't make sense. You need to develop, maintain the system. So any other security measures you could implement (data encryption comes to mind, and have it not decrypt for your login), you can also disable work around. After all you're admin, and there's pretty much no stopping admin, only putting in hurdles and logging. I'm not familiar with google cloud/firestore. But i.e. in SQL server you can do encryption, data masking and trigger to log if permissions are changed. But as admin.. you can disable all of it, even disable the trigger. – D Kramer Sep 14 '20 at 08:08
  • For Google Cloud, use audit logging to track who accesses what. Use Cloud Functions or similar to alert on activity. This can include locking an account. In large enterprise environments, users with high permission levels are audited. We setup honey pots to catch admins that break the rules. – John Hanley Dec 20 '20 at 02:11

0 Answers0