Category: Security

Interoperability and OneLake Security

Aaron Merrill introduces a new whitepaper:

In our whitepaper, The future of data security is interoperability, we make the case for a different data foundation: interoperable security that’s defined once and enforced everywhere your data is used. Using OneLake security as the lens, it walks through the core concepts and architectural choices behind centralized policy definition with distributed, engine-level enforcement, and explores how fine-grained access controls and enterprise governance fit into a multi-engine world.   

Click through for Aaron’s summary and check out the link for the whitepaper itself, in PDF format.

Mirroring to OneLake without Public Internet Access

Paul Hernandez builds a (virtual) network:

Mirroring has been a transformative technology for data integration tasks since the early Microsoft Fabric days. Moreover, this feature has been called “pain killer as a service” in community posts. In many projects, data sources to be mirrored are behind private networking and for security reasons they are not accessible using public internet. If you want to mirror, for example, an Azure SQL database, you’ll need a data gateway. According to the official docs: “If your Azure SQL Database is not publicly accessible and doesn’t allow Azure services to connect to it, you can set up virtual network data gateway or on-premises data gateway to mirror the data”.

In this post I’ll show you step-by-step how to set up connectivity to be able to use mirroring when Azure SQL allows only private access.

There are several steps involved, but the end result is worth it compared to not having the data at all or needing to make it accessible over the Internet.

SQL vs Azure Permissions

Rebecca Lewis continues a series on how Azure permissions and SQL Server (or Azure SQL Database) permissions are not the same thing:

Welcome to cloud permissions, where ‘Contributor’ doesn’t mean you can contribute and ‘Reader’ doesn’t mean you can read.

In my last post, I explained the management plane vs data plane split. This post is the promised follow-up for the minimum permission combinations for common DBA tasks. aka, what you need, how to verify it, and how to fix it when it fails.

I’m the guy pushing up my no-longer-existent glasses and saying “Well, actually…” to the first sentence, though stylistically, it’s a good one. But getting past the first sentence, there are some nice breakdowns of what it takes to do what you need to do on a cloud-hosted database.

SIDs and Distributed Availability Groups

Evan Corbett troubleshoots an issue:

After building a contained availability group in SQL Server, a customer was experiencing intermittent issues connecting to their primary database. Our investigation revealed that the SQL Authentication login being used had been created both within the context of the contained AG as well as directly on the primary node but had different SIDs in each location.  

This is a pretty common issue when using SQL authentication, and it always seems to bite at the least opportune times.

Local Admin and SQL Server

Rebecca Lewis follows Betteridge’s Law of Headlines:

“Does a DBA need local administrator membership to manage SQL Server?”

The answer is simple: Local admin group membership is not required. In fact, best practices dictate that Database Administrators (DBAs) and SQL service accounts should not have local administrator rights on the host server.  This change was introduced as far back as SQL Server 2008 with a ‘secure by design, secure by default, and secure in deployment’ strategy.

Read on for the caveat of what happens when you don’t provide local admin access to your DBAs.

Management Plane and Data Plane Permissions

Rebecca Lewis continues a series on cloud data platform security:

My last post ended with a promise to explain the management plane vs. data plane split in practical terms. The short story? There are two separate permission systems — one for managing resources, one for accessing data — and they don’t talk to each other. The good news: you already understand this model. You just don’t recognize it yet.

Click through for the explanation and a simile involving SQL Server’s security model.

How SQL Server Uses the Service Master Key

Greg Low provides an explanation:

The Service Master Key (SMK) is one of the most misunderstood security components in SQL Server.

It is frequently described as:

  • The root of all encryption
  • The key that protects everything
  • Something you must back up constantly

Those statements are not entirely wrong – but they are incomplete, and in some cases actively misleading.

It’s important to understand what the Service Master Key actually does, when it matters, when it doesn’t, and why many operational decisions around it are based on myth rather than mechanics.

Read on to learn more about what the key is, what exactly it protects, and some practical guidance around managing it.

SQL Server and January 2026 Patch Tuesday

Rebecca Lewis takes a look at a recent security vulnerability:

Microsoft’s January 2026 Patch Tuesday included a security fix for SQL Server: CVE-2026-20803, an elevation of privilege vulnerability with CVSS score 7.2 (Important).

The vulnerability is classified as CWE-306: Missing Authentication for Critical Function. An attacker who already has high-level privileges on the SQL Server instance could exploit this flaw to escalate further — gaining debugging privileges, dumping system memory, and potentially extracting sensitive data or credentials.

Read on for more information about the CVE, what it requires to exploit, and how you can patch SQL Server to prevent it from being an issue. It’s interesting that this only affects SQL Server 2022 and 2025.

Setting up Azure SQL Mirroring to Microsoft Fabric

Olivier Van Steenlandt troubleshoots an issue:

When setting up database mirroring from Azure SQL to Microsoft Fabric for one of my demo databases, I ran into an issue while trying to connect to my Azure SQL database.

As you can see in the screenshot above, it seems that a setting on my logical SQL Server in Azure is misconfigured. Let’s resolve that in a couple of steps.

Click through for the screenshot, the specific error, and how Olivier was able to get things working.

The Complexity of Cloud Security

Rebecca Lewis shares a tale of woe:

Cloud-based SQL Server security isn’t simpler. It’s different — and the learning curve is brutal if you grew up on-prem.

If you’ve spent years working Windows authentication, SQL logins, role memberships, and the occasional certificate, you may assume cloud security is more of that, just with a portal. Not. The SQL Server/Cloud permission models are layered differently, the terminology shifts depending on the platform, and the people who ‘own’ security are spread across teams that don’t always speak the same language.

Read on for an example of the kinds of challenges you can run into. Add to that the complexities around managed identities and authorization mechanisms, and things can get very convoluted, even when the intent is to simplify matters.
