Press "Enter" to skip to content

Category: Security

OneLake Security and the Fabric SQL Analytics Endpoint

Published 2025-10-24 by Kevin Feasel

Freddy Santos takes us through the latest with respect to security in OneLake:

OneLake Security centralizes fine-grained data access for Microsoft Fabric data items and enforces it consistently across engines.
Currently in Preview and opt-in per item, it lets you define roles over tables or folders and optionally add Row-Level Security (RLS) and Column-Level Security (CLS) policies. These definitions govern what users can see across Fabric experiences.

Read on to see what you can do.

Leave a Comment

Updates to sp_CheckSecurity

Published 2025-10-16 by Kevin Feasel

Jeff Iannucci has been busy:

It’s been a while since we made some improvements to the public version of sp_CheckSecurity, but internally we’ve been busy fine tuning checks and adding even more to discover potential vulnerabilities in your SQL Server instances.

Today we’re announcing a new version that includes additions, corrections, and a few other adjustments that should be helpful. Here’s what new!

Read on to see what has changed.

Leave a Comment

Customer-Managed Keys in Microsoft Fabric

Published 2025-10-16 by Kevin Feasel

Sumiran Tandon makes an announcement:

Customer managed keys were launched in preview, offering workspace administrators the ability to use keys in Azure Key Vault and Managed HSM, to protect data in certain Fabric items. Now, we are extending the encryption support to more Fabric workloads. You can now create Fabric Warehouses, Notebooks and utilize the SQL Analytics Endpoint in workspaces enabled with encryption using your keys. The changes are rolling out and should be available in all regions over the next few days.

Freddie Santos digs into what this means for Fabric Warehouse and the SQL analytics endpoint:

Fabric already ensures that your data is encrypted at rest using Microsoft-managed keys. But for many organizations—especially in regulated industries—encryption alone isn’t enough. They need the ability to control and manage the keys that protect their data, aligning with internal compliance requirements, regulatory standards, and governance best practices.

I know that there are enough companies where this is absolutely necessary for adoption of a product, but I should point out that even without bringing your own key, Microsoft does use their own generated keys to encrypt your data at rest.

Leave a Comment

Automating Semantic Model Security via Semantic Link

Published 2025-10-15 by Kevin Feasel

Marc Lelijveld writes a script:

You may be using standardized solutions like Fabric Unified Admin Monitoring (FUAM) or any other templated solution that comes with a semantic model. As part of transparency within your organization, you decided to share the insights gathered with others in the organization by adjusting the solution to apply your own security setup on top.

However, after running an update of the template, you’ve overwritten your custom security configuration and reapplying costs a lot of time, again and again after each update. Why don’t we just script this security? In this blog I will share how you can deploy security configurations to semantic models and assign users to these roles.

Click through for an example script and details on how it works.

Leave a Comment

Fun with SQL Firewall in Oracle

Published 2025-10-09 by Kevin Feasel

Brendan Tierney follows up on a SQL Firewall post:

In a previous post, we’ve explored some of the core functionality of SQL Firewall in Oracle 23ai, In this post I’ll explore some of the other functionality that I’ve had to use as we’ve deployed SQL Firewall over the past few weeks.

Sometimes, when querying the DBA_SQL_FIREWALL_VIOLATIONS view, you might not get the current up to-date violations, or if you are running it for the first time you might get now rows or violations being returned from the view. This is a slight timing issue, as the violations log/cacbe might not have been persisted to the data dictionary. If you end up in this kind of situation you might need to flush the logs to to data dictionary. To do this, run the following.

Click through for that command, as well as a few other scenarios and commands that may be of interest.

Leave a Comment

Evading Data Access Auditing in SQL Server and How to Stop It

Published 2025-10-09 by Kevin Feasel

Andreas Wolter brainstorms:

The methods that I will share here allow an attacker to either conceal his identity or even evade auditing completely.

Most of these commands require sysadmin privileges. However, if your goal is to audit every access to sensitive data, this typically means “all users”  –  not with an exception for administrators. Because of this, it’s important to understand these methods so you can make an informed decision about whether to include them in your auditing scope.

Some of these are wildly impractical, but they do work and Andreas has mitigations for each.

Leave a Comment

Updates to Fabric Data Factory

Published 2025-10-06 by Kevin Feasel

Abhishek Narain has a list of updates:

Workspace Private Link Support for Data Factory (Preview): Microsoft Fabric enables secure data integration through Private Link support in Dataflows Gen2, Pipelines, and Copy jobs. This ensures that inbound data access remains isolated and compliant within protected workspaces. By leveraging VNet data gateways, organizations can securely connect to data sources across Private Link-enabled environments—eliminating exposure to public networks and reinforcing enterprise-grade security for sensitive data operations.

Most of these are security-related updates, with a mixture of things now GA, things currently in preview, and a pair of items coming soon.

Leave a Comment

Tokenization in SQL Server

Published 2025-09-29 by Kevin Feasel

Sebastiao Pereira demonstrates a combination of encryption and redirection to store sensitive data:

As privacy regulations tighten like General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standards (PCI DSS) organizations and more, there is an increased focus to protect sensitive information within databases. Tokenization is an option to adhere to those regulations. Let’s see how to implement SQL tokenization in SQL Server.

This is a reasonably clever solution, though if you need to search on any of the tokenized (i.e., encrypted and moved to a separate table) values, performance would be miserable. Even displaying the results for a moderately sized result set would run into serious performance issues. I suppose that if you, for some regulatory reason, need to keep these tokens stored elsewhere from the data, then you manage expectations the best you can.

Comments closed

Viewing Security Settings in OneLake Catalog

Published 2025-09-26 by Kevin Feasel

Aaron Merrill announces a new preview feature:

Introducing the Secure tab in the OneLake catalog—your central place to understand and manage access across Fabric items. From a single view, you can workspace roles with the View users experience and inspect or modify role OneLake security roles with View security roles. The Secure tab brings a streamlined view for governance teams and workspace owners to quickly validate permissions and tighten least‑privilege access.

Click through to see how it looks.

Comments closed

SQL Firewall in Oracle

Published 2025-09-19 by Kevin Feasel

Brendan Tierney tries out the SQL Firewall feature in Oracle:

SQL Firewall allows you to implement a firewall within the database to control what commands are allowed to be run on the data. With SQL Firewall you can:

  • Monitor the SQL (and PL/SQL) activity to learn what the normal or typical SQL commands are being run on the data
  • Captures all commands and logs them
  • Manage a list of allowed commands, etc, using Policies
  • Block and log all commands that are not allowed. Some commands might be allowed to run

Read on to see how it works. It’s an interesting approach that can supplement traditional firewall and web application firewall systems.

Comments closed