Can you prevent a DBA from viewing the data ?

  • There are technical means of trying to prevent access. Data encryption outside the database is probably the best for keeping a DBA away from data, but even that may have weaknesses if your Data Access Layer can be compromised.

    Somewhere along the way, you have to decide whether you're going to trust someone, or you're going to be better off with the data potentially being lost forever.

    Even something like Oracle Vault, someone has to be responsible for security administration on the database server. That person can, theoretically, grant someone access to data their job duties do not require. Audit tracking might catch this, but someone has to administer the audit system. If the security admin and the audit admin are both compromised, then the data can be accessed in an unauthorized manner, without an audit trail being generated/flagged/alerted.

    There's an old comment that applies: "a secret known by two people is only a secret if one of the people is dead". There are variations on the wording of that, but they all boil down to: it's not secure if two people have access.

    If only one person has access, then the data can be lost forever if that person dies, suffers certain head injuries or brain tumors, forgets part of the access methodology, or has a strong motive to block access to the data indefinitely.

    Block all human control of the security (which can be done, through such things as partial security keys), and the data can be made so that it absolutely cannot be compromised, but so that it can be, again, lost forever, if a part of the system breaks. This includes things like decryption keys being stored on media that goes bad.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
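The two ideas in the reply above (encrypting outside the database so the DBA only ever sees ciphertext, and "partial security keys" so that no single person holds the key but losing any part loses the data) can be shown in a few lines. This is an added example, not code from the poster or from any product named in the thread; it assumes the application tier holds the key in memory for the demonstration (in practice it would live in a KMS or HSM), and the row IDs and card number used in comments are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt runs in the application tier under a key the database never holds and
// returns nonce||ciphertext||tag, which is all a DBA sees in the column. The row
// ID is bound as associated data, so a blob copied into another row fails to open.
func Encrypt(key, rowID, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, rowID), nil // nonce is prepended
}

// Decrypt reverses Encrypt; any change to nonce, ciphertext, tag or row ID fails.
func Decrypt(key, rowID, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(blob) < n { return nil, errors.New("stored blob too short") }
	return gcm.Open(nil, blob[:n], blob[n:], rowID)
}

// SplitKey pads the key with random bytes: each share alone reveals nothing about
// the key, both custodians are needed to rebuild it, and losing either share loses
// the data for good, which is exactly the trade-off the reply describes.
func SplitKey(key []byte) (shareA, shareB []byte, err error) {
	shareA = make([]byte, len(key))
	if _, err = rand.Read(shareA); err != nil { return nil, nil, err }
	return shareA, xorBytes(key, shareA), nil
}

// JoinKey recombines the two shares; the same XOR undoes the pad.
func JoinKey(shareA, shareB []byte) []byte { return xorBytes(shareA, shareB) }

func xorBytes(a, b []byte) []byte { // a and b must be the same length
	out := make([]byte, len(a))
	for i := range out { out[i] = a[i] ^ b[i] }
	return out
}
```

A DBA who dumps the table gets the blob and nothing else; the audit point in the reply still stands, since whoever can reach both shares (or the running application's memory) can read everything.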
