Press "Enter" to skip to content

Category: Security

Azure SQL DB ARM Template Conflicts with Azure AD Administration

Published 2022-05-06 by Kevin Feasel

Joao Antunes points out a potential timing issue around combining Azure Active Directory administration with Azure SQL Database ARM templates:

ARM templates are widely used when we need to repeatedly deploy solutions/infrastructures in the cloud. Leveraging the concept of infrastructure as code ARM templates are a powerful resource to ease our daily job, however we might face some challenges when using them.

When we are creating several resources within the same template – using Json or Bicep – it’s crucial to make sure that all resources are created in the right order, ensuring that all depending on resources are fully provisioned before you move to the next operation.

Error (internal server errors) and conflicts  can occur during our ARM template deployment and it could be difficult to troubleshoot or understand the root cause of them.

Read on for one annoying error and its fix.

Comments closed

Transparent Data Encryption in RDS

Published 2022-05-04 by Kevin Feasel

Tom Collins enables Transparent Data Encryption in AWS’s RDS:

Does AWS RDS SQL Server support built-in SQL Server Transparent Data Encryption (TDE)?  Yes , is the short answer , but there are some limitations  . 

Before I dive into the AWS SQL Server RDS TDW limitations , in this post  we’re discussing SQL Server TDE as opposed to RDS Encryption covering Aurora, MySQL, MariaDB, PostgreSQL, Oracle, SQL Server

Read on for the limitations Tom mentions.

Comments closed

Securing Azure Storage

Published 2022-05-03 by Kevin Feasel

Craig Porteous continues a series on Azure Data Platform security:

This is the third in a series where I look at all of the resources common to a Data Lakehouse platform architecture and what you need to think about to get it past your security team.

Building upon Azure Databricks, I’ll move from the compute engine to our blob and data lake storage. Things are a little simpler to secure but the plethora of options available can have significant impacts on usability and cost so it’s important to understand the impact before baking them into your design.

Read on for some good advice around securing Azure storage accounts.

Comments closed

S3 and Redshift Data Movement with Role Chaining

Published 2022-04-29 by Kevin Feasel

Sudipta Mitra, et al, talk AWS security:

This post presents an approach that you can apply at scale to achieve fine-grained access controls to resources in S3 buckets and Amazon Redshift schemas for tenants, including groups of users belonging to the same business unit down to the individual user level. This solution provides tenant isolation and data security. In this approach, we use the bridge model to store data and control access for each tenant at the individual schema level in the same Amazon Redshift database. We utilize ASSUMEROLE and role chaining to provide fine-grained access control when data is being copied and unloaded between Amazon Redshift and Amazon S3, so the data flows within each tenant’s namespace. Role chaining also streamlines the new tenant onboarding process.

Read on for an overview and tutorial.

Comments closed

A Power BI Report for Power BI Report Access

Published 2022-04-28 by Kevin Feasel

Gilbert Quevauvilliers sets up an infinite loop:

In this blog post I show the final part which is how I created the Power BI report which takes the previous 3 steps and then creates the Power BI Report.

I am going to show you how I got the data in using Power Query and then created the Power BI report.

Read on for the process. But now I want a report to see who has access to the report for who has access to reports. And I think I need a report for that layer. And that layer. And…

(Shh, yes, I know you can get that all from the same report but it’s so rare I get to make a “Turtles the whole way down” reference).

Comments closed

Azure Databricks Security Considerations

Published 2022-04-26 by Kevin Feasel

Craig Porteous provides some advice on configuring Azure Databricks:

Azure Databricks is an analytics platform and often serves as the central compute component of a data platform, to process ETL/ELT data pipelines and data science workloads. As Databricks is a third-party platform-as-a-service offering securing it works differently to most other first-party services in Azure; for example, we can’t use private endpoints. (More on these in the Azure Storage post)

The two main approaches to working with Databricks in our secure platform are VNet Peering or VNet Injection

Click through to learn the difference between these two, as well as a few other factors to keep in mind as you’re deploying Databricks.

Comments closed

Keeping Secrets in Azure DevOps

Published 2022-04-25 by Kevin Feasel

Kevin Chant has a secret:

In this post I want to cover how you can keep your Azure Synapse secrets secret in Azure DevOps. Because you need to do this if you are working with production deployments.

With this in mind, I want to raise more awareness about it and make sure others avoid putting secrets directly in their pipelines like in the below example.

Read on to understand what options are available to you. My preference involves Key Vault references but there are alternatives available.

Comments closed

SQL Audit for STIG Compliance

Published 2022-04-19 by Kevin Feasel

Tracy Boggiano has proof of existence:

Recently I spent months of my lift working on STIG and CIS compliance at my job and one of those tasks was setting up SQL Audit for STIG.  Now, that might seem like a trivial task after all don’t you just have to create an audit and audit specification and let it run.  If only it were that easy, some of the specifications can have a significant performance impact on your system depending on the type of activity happening and if you happened to lucky enough to have a monitoring software setup your will be logging even more data that doesn’t make sense to log.  In addition, on my system we are using SQL replication and that activity due to volume doesn’t make sense to log.  So, let’s walk through my setup and how I got there, the how I got there being the most important part so you can figure out how to use filters to setup a SQL audit that does that kill your performance.

Read on for the audit specification and server audit scripts, as well as some details on how to read from server audits.

Comments closed

Securing Cloud-Native Applications

Published 2022-04-18 by Kevin Feasel

Samir Behara has some advice:

Enterprises are rapidly adopting cloud-native architectures and design patterns to help deliver business values faster, improve user experience, maintain a faster pace of innovation, and ensure high availability and scalability of their products. Cloud-native applications leverage modern practices like microservices architecture, containerization, DevOps, infrastructure-as-code, and automated CI/CD processes. 

Cloud-native application security is a cloud-first approach used to deploy applications securely at scale by embedding security into the software development lifecycle to detect vulnerabilities earlier. This article will walk through the critical challenges of cloud-native application security, demonstrate how to build security into the CI/CD pipeline, and introduce the core practices of cloud-native security.

This stays at a fairly high level but provides good information to act as a starting point for deeper research.

Comments closed

Role-Based Access Controls in Redshift

Published 2022-04-12 by Kevin Feasel

Milind Oke, et al, describe RBAC in Amazon Redshift:

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. With Amazon Redshift, you can analyze all your data to derive holistic insights about your business and your customers. One of the challenges with security is that enterprises don’t want to have a concentration of superuser privileges amongst a handful of users. Instead, enterprises want to design their overarching security posture based on the specific duties performed via roles and assign these elevated privilege roles to different users. By assigning different privileges to different roles and assigning these roles to different users, enterprises can have more granular control of elevated user access.

In this post, we explore the role-based access control (RBAC) features of Amazon Redshift and how you can use roles to simplify managing privileges required to your end-users. We also cover new system views and functions introduced alongside RBAC.

Read on to learn about system-defined roles as well as creating user-customizable roles.

Comments closed