A Fine Slice Of SQL Server
Victoria Holt summarizes some Microsoft Purview updates:
Yesterday a lot of changes were announced for Microsoft Purview at the Microsoft security event securing your data with a multilayered defense. Microsoft Purview is about managing data security risks across hybrid multi-cloud data estates that have a defense in depth strategy to mitigate risk. The recording can be watched at this link.
Read on for a summary of what went down.
Comments closedDeepthi Goguri enumerates the ways:
Data needs to be protected no matter where it lives, On-prem or in Azure. Data can be protected by using the encryption that Azure provides. What are the types of encryption we have in Azure?
In addition to specific encryption options, Deepthi also provides an overview of Dynamic Data masking and Ledger tables.
Comments closedMichael Bourgon shares some thoughts on Azure SQL Database Auditing:
A couple of notes when using Azure SQL DB Auditing
1) this is actually kinda cool, overall. I plan on mining this in the future for code changes, etc.
2) You can filter it! predicateexpression is the term you’re looking for, available via the powershell module
Read on for more thoughts on the topic.
Comments closedMatthew McGiffen switches out a certificate:
In terms of encryption, Key Rotation is the process of replacing your encryption keys on a periodic basis. This is considered good practice and is required by many security certifications.
In practice, if you had to rotate/replace the key that is used to encrypt your data then that would be an intensive activity requiring all your data to be decrypted with the old key before being replaced with the new. This could also create a vulnerability where data sits in an unencrypted state during the process.
Instead, see what SQL Server does by reading Matthew’s blog post.
Comments closedReza Rad shares some recommendations with us:
Power BI workspaces are not like the old days when we had Edit access and View access only. You have more options for roles in a workspace, and in my courses, I have found that many people have chosen the incorrect role without knowing what the role does. In this article, I’ll explain all the roles in the workspace, and what is the best way to set them up to have a secure workspace.
Click through for the article, as well as an accompanying video. Or a video and an accompanying article, if that’s how you roll.
Comments closedKoen Verbeeck waxes about managed identities:
This however presented me with the opportunity to review what users were actually necessary in the ETL. Turns out, not that many. In many cases, one Azure resource (for example, an Logic App) can use a managed identity to access another Azure resource (such as an Azure SQL DB). For those of you not familiar with the concept, a managed identity is basically a service principal in Azure AD with the same name as your resource. If your Azure Data Factory instance is called myADF, you’ll have an entry in AAD with the name myADF (it’s very much alike the SQL Server service account used on-premises). You can then assign role permissions to this managed identity.
Read on to see how you can use these managed identities to grant permissions without having to set (or reset or store) passwords.
Comments closedMatthew McGiffen helps us recover from a big oopsie:
If you don’t have the backups of the certificate and private key from the old server, as well as the password used to encrypt the private key backup then you could be in a lot of trouble. There is one scenario where you have a way out. I’m going to assume you don’t have the possibility to recover your old server from a complete file system backup – if you do then you can do that and access all the keys you require. If the two following things are true though then you can still recover your database:
Read on to see what those requirements are and how you can, in specific circumstances, recover that database.
Comments closedMatthew McGiffen notes how to restore a database with transparent data encryption:
When encrypting a database with Transparent Data Encryption (TDE), a vital consideration is to make sure we are prepared for the scenario where something goes wrong. For instance, if the server hosting our SQL instance goes belly-up, can we recover the data that we have encrypted with TDE?
Click through to learn what you’ll need to have.
Comments closedEmin Atac gets a scary message:
When you type the following
Get-EventLog-SourceMicrosoft-Windows-Kernel-General-Newest20-LogNameSystem-InstanceId1 | Select-ExpandPropertyMessageYou get
Possible detection of CVE: 2023-01-09T09:08:23.5000000Z
Additional Information: 2023-01-08T19:56:29.1492612Z
This Event is generated when an attempt to exploit a known vulnerability (2023-01-09T09:08:23.5000000Z) is detected.
This Event is raised by a User mode process.
Read on to learn what this error message means, why it pops up, and what you can do to avoid it in the future.
Comments closedMatthew McGiffen pulls out the magnifying glass with a built-in light:
The encryption of your existing data occurs as a background process referred to as the encryption scan, but it will consume resources while it runs, so if you are implementing TDE against a system with large databases where performance is critical then you will want to either run it in a period of quiet (or down time), or you will want to monitor to check that encryption isn’t impacting your system too much. Experience suggests that it shouldn’t be a problem unless your server is already under strain.
There are a few things to look out for if you are monitoring during the encryption scan:
Click through for a list of items you might want to keep in mind, as well as some important tips about suspending or stopping the encryption process.
Comments closed