Press "Enter" to skip to content

Category: Security

Troubleshooting Always Encrypted Certificate Errors

Published 2023-01-30 by Kevin Feasel

Chad Callihan swears this is the right key:

The benefit of SQL Server Always Encrypted is to encrypt sensitive data in specified columns to prevent it from being seen by unauthorized users. It is a great feature, but there are some steps to consider besides the SQL setup side. What if you are one of the lucky (or unlucky) users who should have access to query that data unencrypted but get blocked by an error? Or, what if you’re setting up Always Encrypted and your application encounters issues decrypting data?

Let’s step through an example of one error you may come across that prevents authorized access.

Read on for the error and its root cause.

Comments closed

Limiting Data Factory Users to Trigger Pipelines

Published 2023-01-27 by Kevin Feasel

Koen Verbeeck doesn’t want people running amok:

Typically you have a bunch of pipelines that are started by one or more triggers. Sometimes, a pipeline needs to be manually triggered. For example, when the finance department is closing the fiscal year, they probably want to run the ETL pipeline a couple of times on-demand, to make sure their latest changes are reflected in the reports. Since you don’t want them to contact you every time to start a pipeline, it might be an idea to give them permission to start the pipeline themselves.

This can obviously be done by tools such as Azure Logic Apps or a Power App, but in my case the users also wanted to view the progress of the pipeline (did something crash? Why is it taking so long? etc.) and developing a Power App with all those features seemed a bit cumbersome to me. Instead, we gave them permission on ADF itself so they can start the pipelines. There’s one problem though, there’s only one role for ADF in Azure, and it’s the contributor role. A bit too much permission, as anyone with that role can change anything in ADF. You don’t want that.

So what can you do? Click through to find out.

Comments closed

Notes on DBATools’s Get-DecryptedObject

Published 2023-01-26 by Kevin Feasel

Sean Gallardy explains an issue:

Let me start off by saying that DBATools is a great tool that is immensely helpful to the community, if you haven’t heard about it or tried it, please give it a shot! I personally believe that the SQL Server community is truly the best out there, with so many people helping each other and developing great, free, tools that benefit all. Having said that, I’ve been asked quite a few times to look into a “SQL Server Bug” decrypting data.

This is not an issue with SQL Server nor is it a bug/feature/whatever. It is, in fact, a bug in the source material for DBATools.

Read the whole thing.

Comments closed

PostgreSQL Sans Superuser in v16

Published 2023-01-25 by Kevin Feasel

Robert Haas doesn’t wear a cape:

As I’ve written about before, a PostgreSQL superuser always has the ability to take over the operating system account in which PostgreSQL is running, but sometimes you’d like to have a role that can administer the database but not break out of it. In existing releases, there’s no good way to accomplish that. You can either make a new role so weak that it can’t perform ordinary administration tasks, or you can make it so strong that it can easily break into the operating system account and thus take over the superuser role as well. Unless you hack the source code, which some people have done, there’s no real way to set up an account that has enough power to usefully administer the database in meaningful ways but yet not enough power to take over everything. I’ve committed a number of patches to v16 to try to improve the situation, and I think that we can look forward to big improvements in this area once it is released.

Read on for some of the implications of this change.

Comments closed

Roles and Privileges in Postgres

Published 2023-01-23 by Kevin Feasel

Ryan Booz gives us an introduction to Postgres security:

Recall that in PostgreSQL both users and groups are technically roles. These are always created at the cluster level and granted privileges to databases and other objects therein. Depending on your database background it may surprise you that roles aren’t created as a principal inside of each database. For now, just remember that roles (users and groups) are created as a cluster principal that (may) own objects in a database, and owning an object provides additional privileges, something we’ll explore later in the article.

For the purposes of this article, all example user roles will be created with password authentication. Other authentication methods are available, including GSSPI, SSPI, Kerberos, Certificate, and others. However, setting up these alternative methods is beyond what we need to discuss object ownership and privileges.

Read the whole thing if you’re doing anything with Postgres.

Comments closed

Securing Temporal Tables

Published 2023-01-19 by Kevin Feasel

Daniel Hutmacher does a little locking down:

You may have already discovered a relatively new feature in SQL Server called system-versioned temporal tables. You can have SQL Server set up a history table that keeps track of all the changes made to a table, a bit similar to what business intelligence people would call a “slowly changing dimension”.

What happens behind the scenes is that SQL Server creates a separate table that keeps track of previous versions of row changes, along with “from” and “to” timestamps. That way, you can view the contents of the table as it was at any given point in time.

But how to you version the contents of a table, while hiding things like deleted records from prying eyes?

There’s not a whole lot we can do, but Daniel shows what we are able to do.

Comments closed

Networking Options with Azure SQL DB

Published 2023-01-18 by Kevin Feasel

Deepthi Goguri looks at four options:

Securing data in Azure is an important part and there are different security layers available in Azure. Below diagram shows you the different layers of Security we have in Azure to reach the customer data.

In this post, let’s focus on the Network security.

Click through for a table covering the four options in the columns list and a quick comparison of the highlights in the rows. Private link is definitely the best corporate option, though it also requires a fair amount of preparatory work.

Comments closed

Comparing Encryption Options in SQL Server

Published 2023-01-18 by Kevin Feasel

David Fowler has a table for us:

The question of encryption seems to be coming up a lot recently. I’ve had a number of people asking me about how to go about encrypting SQL Server.

SQL can encrypt our data at a number of different levels and gives us a quite a few options when doing so. I want to use this post to put together a matrix so you can easily see which method of encryption suits your purpose. I’ll look in to each method in more detail in a future series of posts.

Click through for a rather comprehensive table and remember that “several of these all at once” is usually the correct answer for which to choose.

Comments closed

The Cost of Ignoring GDPR

Published 2023-01-16 by Kevin Feasel

Matthew McGiffen looks at the fines:

The biggest fines (both individually and in total) have been levied for improper use of data, with Amazon, WhatsApp, Google and Facebook topping the list. After that though we have fines for insufficient protection of data. In most cases this is where companies have had some form of data breach and the safeguards in place weren’t deemed sufficient. The largest fine in this case was against British Airways who were hacked in 2018 and they received a fine of over 22 million euros for the lack of safeguards. That was calculated as 1.5% of the company’s turnover in 2017.

Read on for a summary of fines by violation type, more detail, and a link to the core data.

Comments closed