Category: Security

The Complexity of Cloud Security

Rebecca Lewis shares a tale of woe:

Cloud-based SQL Server security isn’t simpler. It’s different — and the learning curve is brutal if you grew up on-prem.

If you’ve spent years working Windows authentication, SQL logins, role memberships, and the occasional certificate, you may assume cloud security is more of that, just with a portal. Not. The SQL Server/Cloud permission models are layered differently, the terminology shifts depending on the platform, and the people who ‘own’ security are spread across teams that don’t always speak the same language.

Read on for an example of the kinds of challenges you can run into. Add to that complexities around managed identities and authorization mechanisms, and things can get very convoluted, even when the intent is to simplify matters.

Granular REST API Support for OneLake Security Role Management

Aaron Merrill announces a new preview offering:

Microsoft Fabric continues to expand the OneLake security surface with new granular REST API support for role management, giving developers and platform teams far more control over how security policies are created, retrieved, and managed programmatically. In addition to the existing batch role API, Fabric now offers discrete Create, Get, and Delete role APIs, making it easier to build incremental, automation-friendly security workflows that align with modern DevOps and governance practices.

Click through for a quick explanation of how things did work and how they will work going forward.

Hosting Azure SQL Databases over an Azure VPN

Aleksey Vitsko doesn’t want public database access:

You have an Azure Point-to-Site (P2S) VPN configured and can successfully connect to your virtual network over VPN. Your SQL resources – such as Azure SQL Database, SQL Managed Instance, or SQL Virtual Machine – are hosted within the virtual network. Your goal is to eliminate the use of public endpoints and rely solely on private connectivity.

Click through to see how.

Homomorphic Encryption in SQL Server

Sebastiao Pereira tries to preserve privacy:

Homomorphic encryption is a cryptographic algorithm that lets computations be performed directly on encrypted data without needing to decrypt it. This enables secure outsourcing of computations on sensitive data while preserving privacy.

Is it possible to have homomorphic encryption in SQL Server?

There’s a lot of effort and a CLR module involved, but it is possible. Now, my next question is, how well does it perform in practice? 10 patients is fine for a demonstration, but at what point does this tip over?

Recent Security Updates for SQL Server

John Deardurff puts together a list:

Here is a roundup of recent security updates for SQL Server from the SQL Server Blog announcements.

Read on for links to recent security updates, as well as end of support dates for SQL Server versions 2016 and 2019. John forgot to include 2017 in there, but we’ve still got another year of extended support for that one.

John also clarifies the difference between the CU and GDR paths for SQL Server and when you might choose one versus the other.

Security and High Availability Checklist for Database Application Vendors

Andreas Wolter has a new version of a checklist:

As a database application vendor, the security and reliability of your software are key competitive differentiators. As a Database Administrator, your priority is ensuring that hosted databases do not expose data or the environment to risk. To support this, we have developed a checklist designed as a blueprint for building secure-by-default, resilient data applications. Following this guidance not only helps you align with ISO 27001 controls but also ensures that your customers can trust your product against the backdrop of a demanding enterprise environment and an evolving threat landscape.

Click through for the list, as well as a PDF version of it. I had a couple of quibbles in my immediate reaction (especially avoiding CLR and triggers), but in fairness, as I thought about whether I’d trust rando vendor XYZ to get it right, I decided that this is good advice.

Data Correlation Optimization and Cross-Database Data Leaks

Fabiano Amorim shows off a vulnerability:

This vulnerability involves restoring a database into a DBaaS and uses a “corrupted” internal view, effectively turning the engine’s own intelligence against itself.

The exploit is elegant in a disturbing way, since there’s no need for xp_cmdshell, CLR, or any of the usual suspects – just a carefully crafted .bak file and SQL Server’s unwavering belief in its own metadata integrity.

The payload hides where no DBA would look – system tables that are supposed to be immutable – and executes under a context that was never meant to be controllable by the user.

This is not a misconfiguration or a permission trick – it’s a design flaw rooted in how the SQL Server engine trusts its persisted metadata, and how that trust persists across the boundary between a user-managed instance and a cloud-managed environment.

This kind of fits in the “Neat, but not incredibly practical” bucket for me, so I can understand Microsoft marking this as a low-risk security issue.

An Overview of Fabric Security Insights

Yael Biss lays out some changes:

We want to update on a strategic evolution in how you can access and utilize security insights within Microsoft Fabric! The powerful reports you’ve relied on in the Microsoft Purview Hub are officially transitioning and being significantly enhanced within the new Admin Report in the Govern tab of the OneLake Catalog, as was announced at Ignite in November and explained in the Govern in OneLake Catalog for Fabric admins (Preview) blog post.

This isn’t just a relocation; it’s a consolidation and elevation of your most critical governance data. This move is a direct response to your feedback and a key step in providing a more unified, intuitive, and action-oriented governance experience right where your data lives.

There’s a bit too much marketing hype in the blog post for me not to roll my eyes a bit, but the security insights themselves are useful.

Object-Level Security in Power BI

Vin Mai Quang lays out an explanation:

For a POC project, my team lead asked me to practice and build a demo Power BI report that applied OLS (Object Level Security). Although it sounded simple at first, I was surprised by how OLS actually behaves in Power BI. In this blog, I would like to share my findings with you.

Click through for a demonstration of how it all works, including how to deal with scenarios in which customers shouldn’t get access to specific columns but should still be able to see others.

Privilege Escalation via Replication Job

Fabiano Amorim makes note of a security concern:

Privilege escalation in SQL Server isn’t just theory – it can happen through everyday maintenance jobs. This article demonstrates how a user with roles like db_owner or db_ddladmin can exploit replication cleanup processes to gain sysadmin rights, and why monitoring trigger creation and job behavior is critical for security.

Replication is one of those things people tend not to understand very well, including the necessary permissions. It’s a lot easier simply to say, “Here’s sysadmin” because that actually works instead of giving you a cryptic error you can barely troubleshoot and that’s only thanks to a Repltalk article from 2009. And heaven help you if you’re looking at merge replication.

But as far as the article goes, I won’t say that it’s much ado about nothing. What I will, however, say is that your account needs to be db_owner or db_ddladmin first, and that does mitigate a fair amount of the risk.
