Press "Enter" to skip to content

Category: Security

Management Plane and Data Plane Permissions

Published 2026-01-30 by Kevin Feasel

Rebecca Lewis continues a series on cloud data platform security:

My last post ended with a promise to explain the management plane vs. data plane split in practical terms. The short story? There are two separate permission systems — one for managing resources, one for accessing data — and they don’t talk to each other. The good news: you already understand this model. You just don’t recognize it yet.

Click through for the explanation and a simile involving SQL Server’s security model.

Leave a Comment

How SQL Server Uses the Service Master Key

Published 2026-01-30 by Kevin Feasel

Greg Low provides an explanation:

The Service Master Key (SMK) is one of the most misunderstood security components in SQL Server.

It is frequently described as:

  • The root of all encryption
  • The key that protects everything
  • Something you must back up constantly

Those statements are not entirely wrong – but they are incomplete, and in some cases actively misleading.

It’s important to understand what the Service Master Key actually does, when it matters, when it doesn’t, and why many operational decisions around it are based on myth rather than mechanics.

Read on to learn more about what the key is, what exactly it protects, and some practical guidance around managing it.

Leave a Comment

SQL Server and January 2026 Patch Tuesday

Published 2026-01-29 by Kevin Feasel

Rebecca Lewis takes a look at a recent security vulnerability:

Microsoft’s January 2026 Patch Tuesday included a security fix for SQL Server: CVE-2026-20803, an elevation of privilege vulnerability with CVSS score 7.2 (Important).

The vulnerability is classified as CWE-306: Missing Authentication for Critical Function. An attacker who already has high-level privileges on the SQL Server instance could exploit this flaw to escalate further — gaining debugging privileges, dumping system memory, and potentially extracting sensitive data or credentials.

Read on for more information about the CVE, what it requires to exploit, and how you can patch SQL Server to prevent it from being an issue. It’s interesting that this only affects SQL Server 2022 and 2025.

Leave a Comment

Setting up Azure SQL Mirroring to Microsoft Fabric

Published 2026-01-28 by Kevin Feasel

Olivier Van Steenlandt troubleshoots an issue:

When setting up database mirroring from Azure SQL to Microsoft Fabric for one of my demo databases, I ran into an issue while trying to connect to my Azure SQL database.

As you can see in the screenshot above, it seems that a setting on my logical SQL Server in Azure is misconfigured. Let’s resolve that in a couple of steps.

Click through for the screenshot, the specific error, and how Olivier was able to get things working.

Leave a Comment

The Complexity of Cloud Security

Published 2026-01-28 by Kevin Feasel

Rebecca Lewis shares a tale of woe:

Cloud-based SQL Server security isn’t simpler. It’s different — and the learning curve is brutal if you grew up on-prem.

If you’ve spent years working Windows authentication, SQL logins, role memberships, and the occasional certificate, you may assume cloud security is more of that, just with a portal. Not. The SQL Server/Cloud permission models are layered differently, the terminology shifts depending on the platform, and the people who ‘own’ security are spread across teams that don’t always speak the same language.

Read on for an example of the kinds of challenges you can run into. Adding to that complexities around managed identities and authorization mechanisms and things can get very convoluted, even when the intent is to simplify matters.

1 Comment

Granular REST API Support for OneLake Security Role Management

Published 2026-01-23 by Kevin Feasel

Aaron Merrill announces a new preview offering:

Microsoft Fabric continues to expand the OneLake security surface with new granular REST API support for role management, giving developers and platform teams far more control over how security policies are created, retrieved, and managed programmatically. In addition to the existing batch role API, Fabric now offers discrete Create, Get, and Delete role APIs, making it easier to build incremental, automation-friendly security workflows that align with modern DevOps and governance practices.

Click through for a quick explanation of how things did work and how they will work going forward.

Leave a Comment

Hosting Azure SQL Databases over an Azure VPN

Published 2026-01-22 by Kevin Feasel

Aleksey Vitsko doesn’t want public database access:

You have an Azure Point-to-Site (P2S) VPN configured and can successfully connect to your virtual network over VPN. Your SQL resources – such as Azure SQL Database, SQL Managed Instance, or SQL Virtual Machine – are hosted within the virtual network. Your goal is to eliminate the use of public endpoints and rely solely on private connectivity.

Click through to see how.

Leave a Comment

Homomorphic Encryption in SQL Server

Published 2026-01-20 by Kevin Feasel

Sebastiao Pereira tries to preserve privacy:

Homomorphic encryption is a cryptographic algorithm that lets computations be performed directly on encrypted data without needing to decrypt it. This enables secure outsourcing of computations on sensitive data while preserving privacy.

Is it possible to have homomorphic encryption in SQL Server?

There’s a lot of effort and a CLR module involved, but it is possible. Now, my next question is, how well does it perform in practice? 10 patients is fine for a demonstration, but at what point does this tip over?

Leave a Comment

Recent Security Updates for SQL Server

Published 2026-01-19 by Kevin Feasel

John Deardurff puts together a list:

Here is a roundup of recent security updates for SQL Server from the SQL Server Blog announcements.

Read on for links to recent security updates, as well as end of support dates for SQL Server versions 2016 and 2019. John forgot to include 2017 in there, but we’ve still got another year of extended support for that one.

John also clarifies the difference between the CU and GDR paths for SQL Server and when you might choose one versus the other.

Leave a Comment

Security and High Availability Checklist for Database Application Vendors

Published 2026-01-16 by Kevin Feasel

Andreas Wolter has a new version of a checklist:

As a database application vendor, the security and reliability of your software are key competitive differentiators. As a Database Administrator, your priority is ensuring that hosted databases do not expose data or the environment to risk. To support this, we have developed a checklist designed as a blueprint for building secure-by-default, resilient data applications. Following this guidance not only helps you align with ISO 27001 controls but also ensures that your customers can trust your product against the backdrop of a demanding enterprise environment and an evolving threat landscape.

Click through for the list, as well as a PDF version of it. I had a couple of quibbles in my immediate reaction (especially avoiding CLR and triggers), but in fairness, as I thought about whether I’d trust rando vendor XYZ to get it right, I decided that this is good advice.

Leave a Comment