databases – Keeping data confidential from the system administrator


Problem

How do I ensure that I cannot access confidential data manually through the database? Practically speaking, this is a firestore database on google cloud, and I have access to the administrator google account. For the purposes of this question, we assume the code is perfect, and is trusted to be not malicious in any way.

I’m developing software for a client, and one of the requirements is that the data is only accessible by two other people, and I am not one of them. It’s a small project, and I’m both the sole developer and system administrator. I’m capable of ensuring data confidentiality when the only point of access is the application, but due to the system administrator role I also have direct access to the database.

Possible Solutions

  1. Remove my admin access to the database.

    While it would solve the problem, it would also make further development and support rather difficult.

  2. Use encryption

    Possible, if I only encrypted the records that were confidential. It would slightly impact support but not to any major extent. The main problem here is how to ensure I don’t have access to the decryption key, while the server does.

  3. Use database permissions

    As far as I can tell, google firestore only has permissions for different actions, where I would need to have row or column based permission. I could probably do it with table based permission too. Technically speaking as administrator I could add permission back, but so long as it kept a history of permission changes this should be fine.