
Category: Security

Securing PostgreSQL Containers

Mercy Bassey grabs a certificate:

Running Postgres in Docker is great for a quick test but what if you want it to behave like a proper, production-style setup with SSL encryption, certificate-based authentication, persistent volumes, and custom configurations? In this article, we’ll find out how, tackling the various tasks involved such as:

  • Generating and using self-signed SSL certificates with Postgres.
  • Setting up a PostgreSQL Docker container that uses those certs for encrypted client connections.
  • Configuring authentication for both automated services and human users.
  • Controlling the behavior of your Postgres instance using mounted config files.

Read on to see how.
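An added example, not from Mercy Bassey's article: the database side of the setup the list above describes, plus the catalog checks that confirm the mounted certificates and pg_hba.conf actually took effect. It assumes PostgreSQL 12 or later running in the container, that the pg_hba.conf you mount contains rules like the ones shown in the leading comment (illustrative, not copied from the article), and made-up role names. The checks that read pg_hba_file_rules and pg_authid need superuser.

```sql
-- Added example: PostgreSQL side of a TLS-only container (not the article's code).
-- Assumes PostgreSQL 12+ and a mounted pg_hba.conf containing rules along these lines:
--   hostssl all  app_service 0.0.0.0/0 cert             -- service account: client certificate only
--   hostssl all  all         0.0.0.0/0 scram-sha-256    -- humans: TLS + SCRAM password
--   host    all  all         0.0.0.0/0 reject           -- anything not on TLS is refused outright

-- Automated service: no password at all; identified by the CN of its client certificate,
-- which the "cert" method requires to match the role name.
CREATE ROLE app_service LOGIN;

-- Human user: make sure the stored verifier is SCRAM-SHA-256, not md5, before setting the password.
SET password_encryption = 'scram-sha-256';
CREATE ROLE alice LOGIN PASSWORD 'replace-me-with-a-real-secret';  -- placeholder value

-- Check 1: server TLS is on and points at the mounted files, not the image defaults.
SELECT name, setting
FROM   pg_settings
WHERE  name IN ('ssl', 'ssl_cert_file', 'ssl_key_file', 'ssl_ca_file', 'password_encryption')
ORDER  BY name;

-- Check 2: the mounted pg_hba.conf parsed cleanly. A non-NULL "error" means that rule was
-- skipped, and the server may be falling through to a rule you did not intend.
SELECT line_number, type, database, user_name, address, auth_method, options, error
FROM   pg_hba_file_rules
ORDER  BY line_number;

-- Check 3: every connected client is on TLS, and the service account presented a certificate
-- (client_dn is NULL for password-authenticated sessions).
SELECT a.usename, a.client_addr, s.ssl, s.version, s.cipher, s.client_dn
FROM   pg_stat_activity a
JOIN   pg_stat_ssl      s USING (pid)
WHERE  a.backend_type = 'client backend';

-- Check 4: no legacy md5 verifiers remain for login roles.
SELECT rolname,
       CASE WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram'
            WHEN rolpassword LIKE 'md5%'            THEN 'md5 (rotate)'
            ELSE 'none' END AS password_type
FROM   pg_authid
WHERE  rolcanlogin
ORDER  BY rolname;
```

The second check is the one people skip: a typo in a mounted pg_hba.conf does not stop the container, it just drops the bad line, so confirming the parsed rules is the only way to know the "reject" fallback is really in force.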


A Primer on TMDL Security Risks in Power BI

John Kerski gives us the low-down:

The Tabular Model Definition Language (TMDL) provides a simpler way of defining Power BI Semantic Models. Unlike the JSON-based Tabular Model Scripting Language (TMSL), TMDL uses a more accessible tab-based format for specifying DAX measures, relationships, and Power Query code.

Click through for the various ways things could go wrong, as well as how to mitigate those risks.

Mind you, “security risks” is a very broad concept and is not an indictment of the product, but rather something to keep in mind as you attempt to write secure code. For example, did you know that bad guys could potentially access all of your data in your database by using a series of SELECT statements?


Customer-Managed Keys in Microsoft Fabric Workspaces

Sumiran Tandon makes an announcement:

We’re excited to share that customer-managed keys (CMK) for Microsoft Fabric workspaces are now available in public preview in all public regions! This expansion makes it easier for customers worldwide to meet compliance requirements and implement robust data protection strategies.

Note: This feature was released in public preview in a limited set of regions earlier this year and here’s the step-by-step guide for setup.

I personally tend not to be a stickler about customer-managed versus Microsoft-managed keys, as your data is encrypted either way. That said, I know that there are environments in which this matters a lot.


No More TLS 1.1 in Microsoft Fabric

Nisha Sridhar makes an announcement:

We have officially ended the support for TLS 1.1 and earlier on the Fabric platform. As previously announced, starting July 31, 2025, all outbound connections from Fabric to customer data sources must use TLS 1.2 or later.

This update follows our earlier announcement in the TLS Deprecation for Fabric blog, where we outlined the rationale and timeline for this transition.

Read on to see what you might need to do to keep up to date.


The CU+GDR Path in SQL Server’s Service Model

Jon Russell clarifies the situation:

SQL Server administrators often encounter Microsoft updates labeled as “CU + GDR”, and understandably, this can cause confusion — especially when trying to stay on a consistent CU-based servicing path. This post clarifies what “CU + GDR” really means and why it’s not something to worry about.

Read on for an overview of the different security models, as well as the odd duck in SQL Server 2016.


Oracle Password-Related Profile Settings

David Fitzjarrell takes a look at some settings:

Passwords expire, and, depending upon how various profiles are configured, accounts are either locked or provided a grace period during which the old password can be changed. In any recent enterprise password verification functions are provided to police new passwords to ensure a modicum of security. Let’s dig into what Oracle provides to assist in password security.

Basic elements of password security that Oracle provides start with the profile; listed below are the associated resources:

Read on for the available options you can set on a per-profile basis.
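An added example, not from David Fitzjarrell's post: a profile that sets the password-related resources the excerpt talks about (expiry, grace period, lockout, reuse, verification function), followed by the two queries you would run to confirm what is actually enforced. Profile, user and limit values are made up; ora12c_verify_function is Oracle's shipped verifier and must already have been installed by running utlpwdmg.sql as SYS.

```sql
-- Added example (not from the article): an Oracle profile exercising the password resources.
-- Values are illustrative; choose your own.
CREATE PROFILE app_users_prof LIMIT
  FAILED_LOGIN_ATTEMPTS     5          -- lock the account after 5 consecutive bad passwords
  PASSWORD_LOCK_TIME        1/24       -- ... for one hour (days, so 1/24), then auto-unlock
  PASSWORD_LIFE_TIME        90         -- password expires after 90 days
  PASSWORD_GRACE_TIME       7          -- logins still work, with a warning, for 7 days past expiry
  PASSWORD_REUSE_TIME       365        -- a password may not be reused within a year ...
  PASSWORD_REUSE_MAX        10         -- ... and not until 10 other passwords have been used
                                       -- (both must be set; if either is UNLIMITED, reuse is not restricted)
  INACTIVE_ACCOUNT_TIME     60         -- lock accounts with no login for 60 days (12.2+)
  PASSWORD_VERIFY_FUNCTION  ora12c_verify_function;  -- complexity checks on every new password

-- Assign it; the limits take effect on this user's next login attempts and password change.
ALTER USER app_reporter PROFILE app_users_prof;

-- Check 1: what the profile really enforces. UNLIMITED on PASSWORD_LIFE_TIME or NULL on
-- PASSWORD_VERIFY_FUNCTION silently disables that control.
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'APP_USERS_PROF'
AND    resource_type = 'PASSWORD'
ORDER  BY resource_name;

-- Check 2: who is currently in a grace period or locked out because of these limits.
SELECT username, account_status, expiry_date, profile
FROM   dba_users
WHERE  account_status IN ('EXPIRED(GRACE)', 'EXPIRED', 'LOCKED(TIMED)', 'LOCKED')
ORDER  BY expiry_date;
```

Note that the DEFAULT profile ships with PASSWORD_VERIFY_FUNCTION set to NULL, so any user you never explicitly assign to a hardened profile gets no complexity checking at all.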


Building a Snowflake Dashboard that Uses Filters

Kevin Wilkie does a bit of filtering:

Snowflake Dashboards can do a lot more than just show pretty numbers. Today, let’s focus on something that every data pro eventually has to deal with—filters that make navigating your dashboards less painful, especially when it comes to everyone’s favorite task: AUDITING.

Ah yes, auditing—because nothing says “data dream job” like tracing permissions. Whether it’s quarterly compliance checks or a sudden request from an overly curious auditor, somebody, at some point, will ask, “Who has access to what in Snowflake?” So let’s make that answer easy to deliver.

Click through for the process, using the development of a permissions auditing dashboard as the example.
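An added example, not Kevin Wilkie's dashboard query: one tile that answers "who has access to what" for a role chosen from a custom Snowsight filter. The filter name :role_filter is assumed (in Snowsight a custom filter is referenced as :name and would itself be backed by something like SELECT name FROM snowflake.account_usage.roles WHERE deleted_on IS NULL). It reads ACCOUNT_USAGE, which lags live state by up to a few hours.

```sql
-- Added example (not from the post): privileges held by the selected role, and who holds the role.
-- :role_filter is an assumed custom Snowsight filter; ACCOUNT_USAGE views lag real time.
WITH role_grants AS (
    -- privileges the role currently holds on objects; deleted grants excluded
    SELECT grantee_name   AS role_name,
           privilege,
           granted_on     AS object_type,
           table_catalog  AS database_name,
           table_schema   AS schema_name,
           name           AS object_name,
           grant_option
    FROM   snowflake.account_usage.grants_to_roles
    WHERE  deleted_on IS NULL
    AND    granted_to = 'ROLE'
),
user_roles AS (
    -- direct role memberships; roles granted to other roles are not expanded here
    SELECT role          AS role_name,
           grantee_name  AS user_name
    FROM   snowflake.account_usage.grants_to_users
    WHERE  deleted_on IS NULL
)
SELECT rg.role_name,
       ur.user_name,                        -- NULL means the role has privileges but no direct members
       rg.privilege,
       rg.object_type,
       rg.database_name,
       rg.schema_name,
       rg.object_name,
       rg.grant_option                      -- TRUE means the holder can re-grant it: worth a second look
FROM   role_grants rg
LEFT   JOIN user_roles ur ON ur.role_name = rg.role_name
WHERE  rg.role_name = :role_filter
AND    rg.privilege <> 'USAGE'              -- hides schema/warehouse plumbing; drop this line to see everything
ORDER  BY ur.user_name, rg.object_type, rg.database_name, rg.schema_name, rg.object_name;
```

The caveat for an auditor is the role hierarchy: a user who holds SYSADMIN effectively holds everything granted to roles beneath it, and this query only shows direct membership. Expanding the hierarchy needs a recursive CTE over grants_to_roles where granted_on = 'ROLE'.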


Ownership Chaining in SQL Server

Jon Russell breaks the chain:

Designing a reporting layer that protects sensitive data takes more than hiding tables behind a view. You must understand how schema permissions and ownership chaining interact, or a well‑meant deny can suddenly block your users—or worse, let them see columns you thought were private. The walk‑through below shows the entire life‑cycle of a common scenario:

  1. Build an HR table that holds confidential columns.
  2. Expose a summary view in a separate schema.
  3. Grant a reporting role access to the view but explicitly deny access to the HR schema.
  4. Break the ownership chain, observe the failure, diagnose the cause, and repair it by realigning ownership.

Read on to learn more. Note that this is all within a single database, so we aren’t talking about the cross-database ownership chaining setting. That setting being on immediately raises red flags for me.
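An added illustration, not Jon Russell's own script: the four steps above in T-SQL against a scratch database. Principal, schema and object names are made up, the single data row is constructed, and it assumes you run it as a member of db_owner so that EXECUTE AS USER is permitted.

```sql
-- Added example (not from the article): ownership chaining within one database.
CREATE USER hr_owner    WITHOUT LOGIN;
CREATE USER rpt_owner   WITHOUT LOGIN;
CREATE USER report_user WITHOUT LOGIN;
CREATE ROLE reporting_reader;
ALTER ROLE reporting_reader ADD MEMBER report_user;
GO
-- Step 1: confidential table in a schema owned by hr_owner.
CREATE SCHEMA hr AUTHORIZATION hr_owner;
GO
CREATE TABLE hr.Employee
(
    EmployeeId int           NOT NULL PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Salary     decimal(12,2) NOT NULL,   -- confidential
    NationalId char(11)      NOT NULL    -- confidential
);
INSERT hr.Employee VALUES (1, N'Ada Lovelace', 185000.00, '000-00-0001');  -- constructed sample row
GO
-- Step 2: summary view in a separate schema that has the SAME owner as hr, so the chain is intact.
CREATE SCHEMA reporting AUTHORIZATION hr_owner;
GO
CREATE VIEW reporting.EmployeeSummary
AS
SELECT EmployeeId, FullName FROM hr.Employee;   -- no Salary, no NationalId
GO
-- Step 3: the role may read the view and is explicitly denied the hr schema.
GRANT SELECT ON OBJECT::reporting.EmployeeSummary TO reporting_reader;
DENY  SELECT ON SCHEMA::hr TO reporting_reader;
GO
EXECUTE AS USER = 'report_user';
SELECT * FROM reporting.EmployeeSummary;   -- view owner = table owner: hr.Employee is not permission-checked
SELECT * FROM hr.Employee;                 -- direct access: the DENY on schema hr applies
REVERT;
GO
-- Step 4a: break the chain by giving the reporting schema (and the view, which inherits
-- the schema owner) a different owner. The DENY is untouched.
ALTER AUTHORIZATION ON SCHEMA::reporting TO rpt_owner;
GO
EXECUTE AS USER = 'report_user';
SELECT * FROM reporting.EmployeeSummary;   -- owners differ, so the caller's hr.Employee permission is checked
REVERT;                                    -- and the DENY now blocks the view too
GO
-- Step 4b: diagnose by comparing the owning principal of each object in the chain.
SELECT o.name  AS object_name,
       s.name  AS schema_name,
       dp.name AS owner_principal
FROM   sys.objects o
JOIN   sys.schemas s ON s.schema_id = o.schema_id
JOIN   sys.database_principals dp
       ON dp.principal_id = COALESCE(o.principal_id, s.principal_id)  -- NULL = inherits the schema owner
WHERE  o.name IN ('Employee', 'EmployeeSummary');
GO
-- Step 4c: repair by realigning ownership; the DENY stays and the view works again.
ALTER AUTHORIZATION ON SCHEMA::reporting TO hr_owner;
GO
```

The point worth internalising is in step 3: with owners aligned, SQL Server never consults the DENY on schema hr when report_user goes through the view, which is precisely what lets a view hide Salary and NationalId while the base table stays locked down. That same skipped check is why a view owned by the "wrong" principal can either break reporting (as in 4a) or, if someone aligns ownership on a view that exposes too much, quietly widen access.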


Installing SQL Server CUs via dbatools

David Seis updates an instance or thirty:

Keeping your SQL Server instance up to date with the latest service packs and cumulative updates is one of the key components of SQL Server security. In this blog post, we will audit the dbatools command Update-DbaInstance, which can save you hours every month and help keep your environment more secure.

I will test, review, and evaluate the script based on a series of identical steps. Our goal is to provide insights, warnings, and recommendations to help you use this script effectively and safely. Update-DbaInstance is a powerful tool to automate the update of one or many SQL Server instances without needing to log in.

Click through for David’s thoughts on the cmdlet.


Fixing Slow Row-Level Security Policies in PostgreSQL

Dian Fay troubleshoots some row-level security slowness:

At my day job, we use row-level security extensively. Several different roles interact with Postgres through the same GraphQL API; each role has its own grants and policies on tables; whether a role can see record X in table Y can depend on its access to record A in table B, so these policies aren’t merely a function of the contents of the candidate row itself. There’s more complexity than that, even, but no need to get into it.

Read on for a dive into row-level security and several tips to make the operation faster.
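An added example, not from Dian Fay's post: the shape of policy she describes, where whether a role may see a row depends on rows in a different table, together with the way to see what that costs under the restricted role. Table, column and role names are made up and the data is constructed; the index at the end is a generic remedy of mine, not one of the post's tips. Run it as a superuser or as a role that is a member of analyst so that SET ROLE works.

```sql
-- Added example (not from the post): an RLS policy that depends on another table.
CREATE TABLE project        (id int PRIMARY KEY, name text);
CREATE TABLE project_member (project_id int REFERENCES project, member_role text);
CREATE TABLE document       (id int PRIMARY KEY, project_id int REFERENCES project, body text);

ALTER TABLE document ENABLE ROW LEVEL SECURITY;
ALTER TABLE document FORCE  ROW LEVEL SECURITY;   -- apply even to the table owner

-- "Can this role see document X?" is decided by project_member, not by the document row itself.
-- The USING expression runs with the querying role's privileges, so that role needs SELECT on project_member.
CREATE POLICY document_by_membership ON document
    FOR SELECT
    USING (EXISTS (SELECT 1
                   FROM   project_member pm
                   WHERE  pm.project_id  = document.project_id
                   AND    pm.member_role = current_user));

CREATE ROLE analyst NOLOGIN;
GRANT SELECT ON project, project_member, document TO analyst;

-- constructed sample data: analyst is a member of project 1 only
INSERT INTO project        VALUES (1, 'alpha'), (2, 'beta');
INSERT INTO project_member VALUES (1, 'analyst');
INSERT INTO document       VALUES (10, 1, 'visible to analyst'), (20, 2, 'not a member');

-- Check: what the planner does for the restricted role. The policy shows up as a SubPlan or
-- semi-join against project_member; with no index that is a scan of project_member per candidate row,
-- which is the kind of cost that grows quietly as both tables fill up.
SET ROLE analyst;
EXPLAIN (ANALYZE, COSTS OFF) SELECT * FROM document;
SELECT id, body FROM document;   -- document 20 is filtered because analyst is not a member of project 2
RESET ROLE;

-- One generic remedy: index exactly the columns the policy probes so each check is a point lookup.
CREATE INDEX project_member_role_project_idx ON project_member (member_role, project_id);
```

Re-running the EXPLAIN after the index shows whether the planner switched the membership probe to an index lookup; if it did not, the policy expression is the place to look, since anything the planner cannot push into the subquery (a volatile function, a cast on the indexed column) forces it back to a per-row scan.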
