A Fine Slice Of SQL Server
Pieter Vanhove explains what secure enclaves are and why they’re useful:
Encryption is a vital technique for protecting sensitive data from unauthorized access or modification. SQL Server and Azure SQL Database offer two encryption technologies that allow you to encrypt data in use: Always Encrypted and Always Encrypted with secure enclaves. In this blog post, we will compare these two technologies and highlight their benefits and limitations.
Read on to learn more.
Comments closedJeff Iannucci talks about a role that might as well be sysadmin:
Based on the name, you probably can guess that members of the securityadmin role can make dangerous changes to the permissions of other server principals. What many folks don’t realize is that this role is simultaneously less dangerous and more dangerous than you might think.
Allow me to explain, or better yet show you what that means.
Click through for the explanation.
Comments closedJeff Iannucci has a series on security in SQL Server:
The CONTROL SERVER permission has been around since SQL Server 2005, and is the most powerful permission granted as part of membership in the sysadmin role. What many folks don’t realize is that this permission can be granted to a login or group without including them in the sysadmin role. And that can become problematic if, as an administrator, you aren’t aware of logins or groups that don’t have this permission.
Jeff points out how CONTROL SERVER isn’t quite the same as sysadmin, but why you should still treat it that way.
Shaun Thomas takes us through GRANT operations and roles in Postgres:
Not every database-backed application needs to be locked down like Fort Knox. Sometimes there are even roles that leverage blanket access to large swathes of available data, if not every table, simply for auditing or monitoring purposes. Normally this would require quite a bit of preparation or ongoing privilege management, but Postgres came up with a unique solution starting with version 14: predefined roles.
This topic comes up relatively frequently in Postgres chats like Discord, Slack, and IRC. Usually it’s along the lines of: “We have a low security application but have separated read and write access from the table owner to avoid accidents. That user should still be able to read or write any table in the database. What do I do?”
This is an area where Postgres and SQL Server are using the same terms but aren’t quite speaking the same language.
Comments closedGreg Nokes gives us the options:
Operating system or disk-level encryption protects entire file systems or disks. This method is application-agnostic and offers encryption with minimal overhead. Think technologies like
luksin Linux or FileVault in MacOS.
Read on for four options. They’re very similar to options available in SQL Server, so it’s easy enough to compare implementation ideas.
Comments closedUmair Shahid goes through the list:
For any financial company that handles sensitive data as part of its operations, the protection of personally identifiable information (PII) is paramount. With the increasing frequency and sophistication of cyberattacks, it is crucial for these companies to implement robust security measures to safeguard PII.
This includes ensuring that even in the event of a breach, unauthorized individuals cannot read or misuse the data. One of the most effective ways to achieve this is through the encryption of data both in motion and at rest.
This blog will delve into the importance of encryption, the methods used to secure data in PostgreSQL databases, and the compliance regulations that mandate these practices.
Click through for the article. The set of capabilities are rather similar to what we have in SQL Server as well.
Comments closedEduardo Pivaral does some work:
Healthy code should not include passwords, keys, or secrets in the source code. Sometimes, developers hard-code sensitive information while testing new features but forget to remove it afterward.
How can we validate code without including sensitive information so we can take action before we publish or share code?
Click through for a couple of options. If you do have GitHub Advanced Security (part of GitHub Enterprise Cloud), you can also create a custom pattern for secret scanning that can include passwords, database connection strings, and the like.
Comments closedErin Chapple opens a can of worms:
This July, Azure teams will begin rolling out additional tenant-level security measures to require multi-factor authentication (MFA). Establishing this security baseline at the tenant level puts in place additional security to protect your cloud investments and company.
MFA is a security method commonly required among cloud service providers and requires users to provide two or more pieces of evidence to verify their identity before accessing a service or a resource. It adds an extra layer of protection to the standard username and password authentication.
The problem is, there are a lot of good questions people are asking in the comments and currently, there are no answers.
Comments closedGilbert Quevauvilliers links everything together:
I have been doing a fair amount of work lately with Fabric Notebooks.
I am always conscious to ensure that when I am authenticating using a Service Principal, I can make sure it is as secure as possible. To do this I have found that I can use the Azure Key Vault and Azure identity to successfully authenticate.
Read on for some of the advantages of using Azure Key Vault for this sort of credential management, as well as how to get it all working.
Comments closedTo manage expectations, Microsoft do openly state during the introduction that this white paper was created by combining multiple online security documents together.
Which probably explains some of the repetition. However, multiple references are better than none.
Plus, in the introduction they provide a link to the main Microsoft Fabric security page. Which is good starting point if you know what security feature you are looking for.
Anyway, the content itself is good. It provides some really good explanations and diagrams relating to certain areas. To help demystify certain aspects of security for some people.
Read on for Kevin’s first impressions of the whitepaper.
Comments closed