Category: Security

Principles of Synapse Security

Liliam Leme provides an overview of security options in Azure Synapse Analytics:

This blog post will provide an overview of the Synapse security environment focused on Dedicated SQL Pool, Serverless SQL Pool, and Spark.

Security has many layers and frequently it will determine how you build your process. I start this post by reviewing several important security considerations which you can later apply to your Synapse environment. 

This is a fairly lengthy post and it still only covers a moderate amount of what you’d want to do for Azure Synapse Analytics. This is the downside to having a complex interplay of several products: there’s a lot to secure and a lot to think about along the way.

Object Ownership in Postgres

Ryan Booz divvies up ownership rights:

In the first security article, PostgreSQL Basics: Roles and Privileges, I discussed how roles (users and groups) are created and managed in PostgreSQL. Depending on your background with permissions, particularly in other database products, some of those nuances in how permissions work may have been surprising.

Understanding how roles and privileges work in Postgres is key to understanding the next, and often more confusing part of security, object ownership. Although there are many privileges that can be assigned in Postgres, object ownership comes with a specific level of privilege that cannot be transferred to other roles. Understanding the implications of this is essential to the management of your database schema, and access to the objects it contains, over time.

Click through to learn more about how Postgres handles object ownership and defines who gets access to which objects.

Checking for Permissions on a Database User

Chad Callihan keeps misplacing those permissions:

I recently encountered an unusual permissions issue with multiple databases. New databases were not including all of the permissions that were supposed to be set following database restores. At the time, I wasn’t sure if the permission was being granted and then revoked or not granted at all. I wanted a script I could run to definitively show that permissions did exist and also have proof for myself that, if permissions seemingly vanish later on while testing, I know they were present at one point in time.

Click through to see what Chad plans to use to see if permissions disappear later. This will work with directly granted permissions on a user, so you will miss out on some chained permissions coming as a result of being in a Windows group or user-defined application/database role.

Azure Defender for SQL Overview

Deepthi Goguri looks at an Azure security offering:

Azure Defender for SQL, once you enable it, will alert you for any SQL injection attacks, brute force attacks or any breached identities trying to access the data of your database. It also provides the vulnerability assessments. Vulnerability assessments give you alerts about the configurations of your database. If your database configuration is not following the standards of Azure, you will receive the alerts in the vulnerability assessment report.

You can enable the Azure Defender at the subscription level or at the server level or at the resource level as well. Under the recommendations in the security center in the Azure portal, check for the Remediate security configuration. This will show if the Azure Defender is configured properly.

I like Azure Defender for SQL, especially the advanced threat protection element. It’s based on IP address location and has caught me in different locations as I’ve traveled.

Security Updates for SQL Server 2014 and Up

Harvey Mora notes that Microsoft has been busy:

The Security Update for SQL Server 2022 RTM GDR is now available for download at the Microsoft Download Center and Microsoft Update Catalog sites. This package includes the new security fixes detailed in the KB Article.

This link is specifically for SQL Server 2022 but there are other posts for 2019, 2017, 2016, and 2014. This includes fixes to several security problems and is something you should install post-haste. Because this is a GDR, you’re also liable to find it in Windows Update if your update admins haven’t shut that channel off already.

Disabling Public Network Access in Synapse

Ryan Adams builds a private endpoint:

If you disable public access to your Azure Synapse Workspace you will get the following error message when attempting to open Synapse Studio.

“Failed to load one or more resources due to forbidden issue, error code 403.”

Click through for more information about routing for Synapse resources and what you’d need to do in order to disable public network access entirely.

Data Protection in Azure

Deepthi Goguri enumerates the ways:

Data needs to be protected no matter where it lives, On-prem or in Azure. Data can be protected by using the encryption that Azure provides. What are the types of encryption we have in Azure?

In addition to specific encryption options, Deepthi also provides an overview of Dynamic Data masking and Ledger tables.

Adaptive Protection and More in Microsoft Purview

Victoria Holt summarizes some Microsoft Purview updates:

Yesterday a lot of changes were announced for Microsoft Purview at the Microsoft security event securing your data with a multilayered defense. Microsoft Purview is about managing data security risks across hybrid multi-cloud data estates that have a defense in depth strategy to mitigate risk. The recording can be watched at this link.

Read on for a summary of what went down.

Rotating TDE Certificates

Matthew McGiffen switches out a certificate:

In terms of encryption, Key Rotation is the process of replacing your encryption keys on a periodic basis. This is considered good practice and is required by many security certifications.

In practice, if you had to rotate/replace the key that is used to encrypt your data then that would be an intensive activity requiring all your data to be decrypted with the old key before being replaced with the new. This could also create a vulnerability where data sits in an unencrypted state during the process.

Instead, see what SQL Server does by reading Matthew’s blog post.
