Category: Security

CIS Benchmarks for PostgreSQL

Elizabeth Christensen reviews some security guidance:

The Center for Internet Security (CIS) releases security benchmarks to cover a wide variety of infrastructure used in modern applications, including databases, operating systems, cloud services, containerized services, and even networking. Since 2016 Crunchy Data has collaborated with CIS to provide this security resource for those deploying Postgres. The output of this collaboration is a checklist for folks to follow and improve the security posture of Postgres deployments.

The PostgreSQL CIS Benchmark™ for PostgreSQL 17 was just recently released.

Click through for more information on the CIS, as well as a link to the benchmark PDF and some tips around it.

Digital Signatures on SQL Server Stored Procedures

Rick Dobson signs a procedure:

This tip introduces the basics of digital signatures based on self-signed certificates for selected T-SQL objects (stored procedures, functions, and triggers) with T-SQL samples. Learn how to detect what happens to a digital signature when a stored procedure is accidentally altered by a database administrator or intentionally modified by a bad actor.

Click through for the process.

Using the Entra ID PowerShell Module

Patrick Gruenauer checks out a new module:

The new PowerShell Entra ID Module is a powerful tool designed to streamline the management and automation of Microsoft Entra resources. This module is part of the Microsoft Graph PowerShell SDK and offers a range of functionalities to enhance administrative tasks.

One of the key benefits of the Microsoft Entra PowerShell module is its focus on usability. Unlike MS Graph, the module is more user-friendly to operate. Let’s dive in.

Click through for a demonstration of what you can do with it.

Object-Level Security in Power BI Desktop

Nikola Ilic locks things down:

You’ve heard about the Object-level security feature in Power BI, but you’ve also heard that you CAN’T configure it directly from the Power BI Desktop? And, that you must use an external tool, such as Tabular Editor, to configure and manage OLS.

Well, this is not the case anymore! With the new TMDL view in Power BI Desktop, you can define Object-level security directly in the Power BI Desktop.

Read on for a tutorial on what it takes to implement object-level security.

Microsoft Fabric Permissions Models for Sharing Data with End Users

Jon Vöge builds a list:

Consider the following scenario:

  • I am building a data platform on Microsoft Fabric, using Lakehouses as the primary storage engine.
  • My end users need to consume data from the data platform as users of Power BI reports which connect to data from the Lakehouses, as developers of ad hoc models and reports using data from the Lakehouses, and through ad hoc SQL queries on the Lakehouses.
  • I want to use DirectLake for Power BI reports to take advantage of frequent data ingestion and transformation, and improve the actionability of my reports.
  • My data is sensitive, and users, regardless of whether they consume reports or develop their own, need to be restricted by Row Level Security to only see some of the data.

Read on for eight different approaches to the problem and Jon’s thoughts on each approach.

The Challenge of TDE in PostgreSQL

Bruce Momjian shares an update:

I first blogged about Transparent Data Encryption (tde) in 2019, which was more thoroughly analyzed in a blog post in 2023. An email exchange in December 2024 summarized the most up-to-date status of this feature:

When I started focusing on tde, it was going to require changes to buffer reads/writes, wal, and require a way to store secret keys. I thought those changes would be acceptable given tde’s security value. Once file I/O changes were required, I think the balance tilted to tde requiring too many code changes given its security value (not policy compliance value).

Read on for Bruce’s take now. Coming from the SQL Server world, where TDE has been in the product since 2008, I generally agree that there are better ways to ensure regulatory compliance. It’s not like TDE is actively harmful or anything, but considering that all of the relevant keys and certificates need to be on the local server to begin with, this prevents a limited number of situations from exposing your data, and there tend to be less resource-intensive alternatives for those situations.

Backup to URL via Managed Identity in SQL Server 2022

Joey D’Antoni doesn’t trust user logins:

Backing up databases to the cloud is not a new thing. Microsoft introduced the BACKUP TO URL functionality to SQL Server 2012 SP1 CU2. I’m not going to tell you how long ago. Still, it wasn’t last month, and Microsoft recently celebrated the 15th anniversary of Azure so that you can get an idea. When the feature started—it was minimal; you could only back up a database of up to a single terabyte and couldn’t stripe over multiple files. Additionally, you had to use the access key to the storage account, which gave complete control over the storage account—that wasn’t a good thing.

Read on for a quick overview of the feature and guidance on how it all works.

Migrating a SQL Server Password without Knowing the Plaintext Value

Vlad Drumea rebuilds a machine:

Export-DbaLogin does a great job of exporting all logins, but it doesn’t offer a way to migrate the sa password to another instance.
In this case, I didn’t have the sa password and was required to ensure that the rebuilt instance is a 1:1 copy of the original one (edition excluded).

This also meant that the existing password used for sa had to be transferred to the rebuilt instance.

Read on to see how you can accomplish this.
