
Category: Security

Third-Party Support for OneLake Security

Aaron Merrill shares some guidance:

As outlined in our technical whitepaper, ‘The future of data security is interoperability’, permissions that move with data are the future of data security. As modern data lakes are built on open-source technology like Delta and Iceberg, customers expect to use the analytics engines and services that best fit their needs—without copying data or redefining security. This creates a clear requirement: security must be defined once and enforced consistently everywhere data is consumed.

OneLake security now provides API support for third-party enforcement through an authorized engine model. This release extends the same principles used across Microsoft Fabric to external engines and services. OneLake security is now closer to its vision of defined once, enforced everywhere, even beyond first-party workloads.

Click through for more information.


Protecting TDE-Enabled Databases

Jonathan Kehayias answers a question:

I have gotten a lot of email questions recently about TDE and SQL Server, specifically around the encryption hierarchy involved in protecting the encrypted data inside of a TDE enabled database in SQL Server. So, rather than continuing to write long emails that explain this fully, I figured this would be a great blog post topic for future reference as a way to reboot getting back to posting content more regularly on my blog. For an overview of TDE in SQL Server see the following topic in the Books Online (Transparent Data Encryption (TDE) – SQL Server | Microsoft Learn).

Click through to learn how the SQL Server encryption hierarchy (service master key, database master key, certificate, database encryption key) protects a TDE-enabled database, and which pieces you need to back up so you can still restore the database when something goes wrong.
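To make that hierarchy concrete, here is an added T-SQL walkthrough of my own (not code from Jonathan's post) that builds the chain from the service master key down to the database encryption key and then backs up the pieces needed to restore the database on another instance. The database name SalesDB, the certificate name TDECert, the file paths and the passwords are placeholders assumed for illustration.

```sql
-- Added example, not from the linked post. SalesDB, TDECert, the C:\keys paths
-- and every password below are placeholders: replace them before use.
-- Hierarchy: service master key (SMK, created with the instance)
--   -> database master key (DMK) in master
--   -> certificate in master
--   -> database encryption key (DEK) in the user database.
USE master;
GO
-- 1. DMK in master: protected by the SMK, and by this password for export/import.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-Placeholder-Passw0rd!';
GO
-- 2. Certificate that will protect the DEK; its private key is encrypted by the DMK.
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. DEK inside the user database, encrypted by the certificate, then turn TDE on.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 4. Back up what a restore on a DIFFERENT instance needs: the certificate and
--    its private key. The target has its own SMK/DMK; you create a DMK there and
--    import this certificate under it.
USE master;
GO
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\keys\TDECert.cer'
    WITH PRIVATE KEY
    (
        FILE = 'C:\keys\TDECert.pvk',
        ENCRYPTION BY PASSWORD = 'Pvk-Placeholder-Passw0rd!'
    );
GO
-- Optional, for rebuilding THIS instance: the SMK and DMK themselves.
BACKUP SERVICE MASTER KEY TO FILE = 'C:\keys\smk.bak'
    ENCRYPTION BY PASSWORD = 'Smk-Placeholder-Passw0rd!';
BACKUP MASTER KEY TO FILE = 'C:\keys\dmk.bak'
    ENCRYPTION BY PASSWORD = 'Dmk-Backup-Placeholder-Passw0rd!';
GO
-- 5. Verify: encryption_state 3 = encrypted, and see which certificate protects the DEK.
SELECT d.name AS database_name,
       dek.encryption_state,
       dek.key_algorithm,
       dek.key_length,
       c.name AS certificate_name,
       c.expiry_date
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d ON d.database_id = dek.database_id
LEFT JOIN sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint;
GO
-- 6. On the target instance, run this BEFORE RESTORE DATABASE SalesDB:
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'New-Target-Dmk-Passw0rd!';
-- CREATE CERTIFICATE TDECert
--     FROM FILE = 'C:\keys\TDECert.cer'
--     WITH PRIVATE KEY (FILE = 'C:\keys\TDECert.pvk',
--                       DECRYPTION BY PASSWORD = 'Pvk-Placeholder-Passw0rd!');
```

Two things to keep in mind when using this: turning TDE on for any user database also encrypts tempdb on that instance, and the certificate and private-key backups must be stored somewhere other than alongside the database backups, since whoever holds both can restore the data.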


What’s New in OneLake

Josh Caplan provides an update:

With shortcuts and mirroring in OneLake, you get zero-copy, zero-ETL capabilities to connect your multi-cloud data estate. Whether your data sits in Azure, AWS, Google Cloud, or Oracle, on-premises, or across platforms like SAP, Dataverse, Snowflake, and Azure Databricks, you can connect it to OneLake without data movement or duplication. No more sprawling ETL pipelines. No more out-of-date copies. No more data silos.

Today, we’re expanding mirroring to now include SharePoint lists (Preview) and adding mirroring via shortcuts for Azure Monitor and Dremio (Preview). We are also releasing mirroring for Oracle and SAP Datasphere into general availability. Beyond these core mirroring capabilities, we are now introducing extended capabilities in mirroring designed to help you operationalize mirrored sources at scale. These capabilities include Change Data Feed (CDF) and the ability to create views on top of mirrored data, starting with Snowflake, and they will be offered as a paid option.

Click through for more of what came out of FabCon.


Group Managed Service Accounts and Failover Cluster Instances

Deepthi Goguri covers the real value of gMSAs:

Failover Cluster Instance (FCI) is a SQL Server high-availability solution where multiple servers share the same storage. If the active node fails, SQL Server automatically fails over to another node with minimal downtime.

You need to follow all the steps mentioned in the first blog post, which you can find here.

From there, Deepthi covers how to change the SQL Server service account to a gMSA when you have an FCI or another high-availability setup for SQL Server.


SQL Server 2025 and PBKDF2

Rebecca Lewis notes the slowdown:

You upgraded to SQL Server 2025. Your SQL auth logins are slower. This is not a bug. Microsoft did this on purpose — which is actually good news, but if you’re not using connection pooling, it’s not going to feel very good.

Read on for more details, as well as a recommendation for connection pooling. On the whole, this is a very good thing. PBKDF2 is a mature key derivation function (PKCS #5 v2.0, RFC 2898, published in 2000) that applications have been able to use for well over 15 years, and what’s particularly neat about it is that the cost scales linearly with the iteration count. As computer hardware becomes more powerful, add more iterations of the underlying hash to keep a fairly consistent per-login delay. The cost is paid once per new physical connection, at login, which is why pooled connections barely notice it and applications that open a fresh connection per query do.


Migrating SQL Server Service Accounts to gMSA

Deepthi Goguri takes advantage of Group Managed Service Accounts in Windows:

A Service Account is something that applications like the SQL Server, IIS, or scheduled tasks need to run under using Microsoft Active Directory. These are the regular domain user accounts, where the passwords need to be manually managed and rotated. As these need to be manually updated, downtime to the services is required if the password needs to be changed. Not only that, but syncing these passwords across multiple servers can be an issue. This problem is resolved by using the Standalone Managed Service Account, as Windows can manage the password automatically.

Read on to learn more about single MSAs and group MSAs, and some tips and limitations.


Transparent Column Encryption in PostgreSQL

Vibhor Kumar releases an extension:

This extension provides transparent column-level encryption using custom PostgreSQL datatypes so developers can read and write encrypted columns without changing their SQL queries.

And perhaps the most human part of this project is this:

the idea for this project started back in 2016.

It stayed with me for years as one of those engineering ideas that never quite leaves your mind — the thought that PostgreSQL itself could enforce encryption at the column level.

The diagram does look a bit like what you’d see for SQL Server’s Transparent Data Encryption, though the internal mechanics are a good bit different: TDE encrypts whole data and log files at the storage layer and pages are plaintext once they are in memory, while this extension encrypts individual column values inside custom datatypes, so the two protect against different threats.


Certificate Validation in Power BI Report Server

Deepthi Goguri notes a change:

When trying to connect to a SQL database within Power BI Desktop January 2026, I was met with a certificate chain trust error when trying to connect to the SQL Database using the database DNS name. Below is the error:

Microsoft SQL: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 – The certificate chain was issued by an authority that is not trusted.)

The workaround for this is a bit weird, but Deepthi provides a solid explanation. The error itself is the client doing the right thing: it validates the server’s TLS certificate chain instead of trusting whatever the server presents, and the durable fix is a server certificate issued by a CA the client trusts rather than telling the client to trust any certificate.


Making Row-Level Security Faster

Brent Ozar speeds up some operations:

The official Azure SQL Dev’s Corner blog recently wrote about how to enable soft deletes in Azure SQL using row-level security, and it’s a nice, clean, short tutorial. I like posts like that because the feature is pretty cool and accomplishes a real business goal. It’s always tough deciding where to draw the line on how much to include in a blog post, so I forgive them for not including one vital caveat with this feature.

Click through for that caveat, as well as how you can mitigate its performance impact.
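For readers who have not seen the pattern, here is the soft-delete-via-row-level-security setup as an added T-SQL example of my own. It is not code from the Azure SQL blog or from Brent’s post, and it does not reproduce the caveat or the mitigation he describes; those are in the linked post. The rls schema, the dbo.Orders table, the predicate function name and the show_deleted session-context key are assumptions for illustration.

```sql
-- Added example, not from either linked post. Schema, table, function and
-- session-context key names are placeholders chosen for this illustration.
CREATE SCHEMA rls;
GO
CREATE TABLE dbo.Orders
(
    OrderID      int IDENTITY PRIMARY KEY,
    CustomerName nvarchar(100) NOT NULL,
    IsDeleted    bit NOT NULL CONSTRAINT DF_Orders_IsDeleted DEFAULT 0
);
GO
-- Predicate: a row is visible when it is not deleted, or when this session has
-- explicitly opted in to seeing deleted rows (an admin or "undo" code path).
-- SESSION_CONTEXT returns NULL when the key is unset, so the OR branch is false.
CREATE FUNCTION rls.fn_OrderVisible(@IsDeleted bit)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_result
    WHERE @IsDeleted = 0
       OR CAST(SESSION_CONTEXT(N'show_deleted') AS bit) = 1;
GO
-- FILTER: SELECT/UPDATE/DELETE never see deleted rows.
-- BLOCK AFTER INSERT: a normal session cannot insert a row that is already "deleted".
CREATE SECURITY POLICY rls.OrderSoftDeletePolicy
    ADD FILTER PREDICATE rls.fn_OrderVisible(IsDeleted) ON dbo.Orders,
    ADD BLOCK PREDICATE  rls.fn_OrderVisible(IsDeleted) ON dbo.Orders AFTER INSERT
WITH (STATE = ON, SCHEMABINDING = ON);
GO
INSERT dbo.Orders (CustomerName) VALUES (N'Alice'), (N'Bob');

-- A soft delete is an UPDATE, not a DELETE: the row is visible at that moment,
-- so the filter predicate lets the UPDATE through, and afterwards it hides the row.
UPDATE dbo.Orders SET IsDeleted = 1 WHERE CustomerName = N'Bob';

SELECT OrderID, CustomerName FROM dbo.Orders;            -- only Alice
DELETE dbo.Orders WHERE CustomerName = N'Bob';           -- 0 rows affected: Bob is hidden

-- Opt this session in to see (and restore) deleted rows.
EXEC sp_set_session_context @key = N'show_deleted', @value = 1;
SELECT OrderID, CustomerName, IsDeleted FROM dbo.Orders; -- Alice and Bob
UPDATE dbo.Orders SET IsDeleted = 0 WHERE CustomerName = N'Bob';   -- undo the delete
EXEC sp_set_session_context @key = N'show_deleted', @value = NULL; -- back to normal
```

The session-context switch is what keeps the policy from being all-or-nothing: application connections never set show_deleted and cannot reach deleted rows at all, while an administrative path sets it for one session and can audit or restore. Because the predicate function runs as part of every query against the table, how it is written and what it indexes is exactly where the performance discussion in Brent’s post comes in.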


Major Security Update for SQL Server

Rebecca Lewis digs into an important patch:

Yesterday was Patch Tuesday, and this month we’ve got a good one. CVE-2026-21262 was already publicly disclosed before Microsoft shipped the fix – and it lets an authenticated SQL Server user escalate straight to sysadmin. SQL Server 2016 through 2025, Windows and Linux. No physical access required. No user interaction required. Just a valid login and a network path to your instance. Go patch!

If you’re a SQL Server DBA or consultant and you’re reading this before patching, stop reading and go patch.

Read on for more information about the vulnerability and how to make sure you’re on the latest CU or GDR for SQL Server.

Also, the fact that there are fixes going back to 2016 doesn’t mean that 2014 and earlier are fine. It means that Microsoft is not patching versions that are out of support (SQL Server 2014 left extended support in 2024), so if you are still running one, assume it is affected and plan the upgrade.
