Core Infrastructure and Security Blog

Azure Database Security Newsletter - January 2026

PieterVanhove
Jan 07, 2026

Happy New Year and welcome to our first newsletter of 2026!

This year, we’re doubling down on something that matters to every one of us: keeping data safe without slowing innovation. Security isn’t just a checkbox—it’s the backbone of everything we build. That’s why our database security strategy is rooted in the Zero Trust model, a simple but powerful idea: never assume, always verify.

Here’s what that means in practice:

  • Identity first: Every user and workload proves who they are, every time.
  • Devices matter: Only trusted endpoints get through the door.
  • Networks stay clean: Segmentation and encryption keep traffic locked down.
  • Apps and workloads: Least privilege isn’t optional—it’s standard.
  • Data protected everywhere: Protected at rest, in transit, and under constant watch.

Driving all of this is our Secure Future Initiative (SFI)—a mindset that makes security part of the design, not an afterthought. It’s how we ensure that trust isn’t just a promise; it’s a practice.

2026 is about scaling this vision and making security seamless for everyone.

Feature highlights of 2025

Dynamic Data Masking in Cosmos DB

Now in public preview, Dynamic Data Masking is a server-side, policy-based security feature that automatically masks sensitive fields at query time for non-privileged users, while leaving the underlying data unchanged. Masking policies are enforced based on user roles and Entra ID identity, supporting privacy and compliance scenarios (PII/PHI) and reducing the need for custom app logic. This enables granular, real-time protection, secure data sharing, and safe testing with anonymized production data.

Auditing in Fabric SQL Database

Auditing is now in public preview for Fabric SQL Database. This feature allows organizations to track and log database activities—answering critical questions like who accessed what data, when, and how. It supports compliance requirements (HIPAA, SOX), enables robust threat detection, and provides a foundation for forensic investigations. Audit logs are stored in OneLake for easy access, and configuration is governed by both Fabric workspace roles and SQL-level permissions.

Customer-Managed Keys in Fabric SQL Database

Now in public preview, Customer-Managed Keys (CMK) let you use your own Azure Key Vault keys to encrypt data in Microsoft Fabric workspaces, including all SQL Database data. This provides greater flexibility and control over key rotation, access, and auditing, helping organizations meet data governance and encryption standards.

SQL Server 2025

SQL Server 2025 raises the bar for enterprise data protection with a suite of powerful, built-in security enhancements. From eliminating client secrets through managed identity authentication to adopting stronger encryption standards and enforcing stricter connection protocols, this release is designed to help organizations stay ahead of evolving threats. With these updates, SQL Server 2025 simplifies compliance and strengthens data security—right out of the box.

Best Practices Corner

  • Don’t use passwords—use Entra instead
    Modern identity security for Azure SQL means eliminating SQL authentication wherever possible and adopting Microsoft Entra ID–based passwordless authentication. This strengthens security, simplifies identity governance, and aligns with Zero Trust and Microsoft’s Secure Future Initiative principles.
  • Failover Ready? Don’t Forget Your TDE Keys
    For successful geo-replication setup and failover, all necessary encryption keys for Transparent Data Encryption must be created and available on both primary and secondary servers. It is possible and, in certain cases, required to configure different TDE protectors on replicas, as long as the key material is available on each server.
  • It’s time for TLS 1.2
    Legacy TLS 1.0 and 1.1 are no longer secure and are being retired across Azure services. To avoid connection failures and strengthen your security posture, make sure all applications, drivers, and clients connect using TLS 1.2 or higher.
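
A pre-failover check for the TDE point above, as an added example (not from the original post and not Microsoft tooling): it reports which required key URIs are missing on each server while allowing each replica to have a different protector. The vault names, key versions, record fields and the `REQUIRED` list are constructed placeholders and assumptions.

```python
# Constructed sample data: customer-managed keys registered on each logical
# server. Vault names, key names and versions are placeholders; the
# "uri"/"serverKeyType" field names are assumed for this sketch.
KEY_A = "https://example-kv-a.vault.azure.net/keys/tde-key-a"
KEY_B = "https://example-kv-b.vault.azure.net/keys/tde-key-b"

SERVERS = {
    "primary": [
        {"uri": f"{KEY_A}/1111", "serverKeyType": "AzureKeyVault"},  # older version
        {"uri": f"{KEY_A}/2222", "serverKeyType": "AzureKeyVault"},  # current protector
        {"uri": f"{KEY_B}/3333", "serverKeyType": "AzureKeyVault"},
    ],
    "secondary": [
        {"uri": f"{KEY_A}/2222", "serverKeyType": "AzureKeyVault"},
        {"uri": f"{KEY_B}/3333", "serverKeyType": "AzureKeyVault"},  # its own protector
        {"uri": None, "serverKeyType": "ServiceManaged"},
    ],
}

# Assumption: the keys the replicated database needs, i.e. every key version
# used on the primary plus the secondary's protector.
REQUIRED = [f"{KEY_A}/1111", f"{KEY_A}/2222", f"{KEY_B}/3333"]


def registered_uris(server_keys):
    """Lower-cased URIs of the customer-managed keys registered on one server."""
    return {
        k["uri"].lower()
        for k in server_keys
        if k.get("serverKeyType") == "AzureKeyVault" and k.get("uri")
    }


def missing_keys(required, server_keys):
    """Required key URIs that are not registered on the server, sorted."""
    present = registered_uris(server_keys)
    return sorted(u for u in required if u.lower() not in present)


def failover_gaps(required, servers):
    """Map each server that lacks a required key to the list of missing URIs."""
    gaps = {name: missing_keys(required, keys) for name, keys in servers.items()}
    return {name: missing for name, missing in gaps.items() if missing}


if __name__ == "__main__":
    for server, missing in failover_gaps(REQUIRED, SERVERS).items():
        print(f"{server}: missing {', '.join(missing)}")
```

An empty result means every required key is registered on both servers, even though the two replicas use different protectors.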

Blogs and Video Spotlight

Geo-Replication and Transparent Data Encryption Key Management in Azure SQL Database | Microsoft Community Hub
Everything you need to know about TDE key management for database restore | Microsoft Community Hub
Secure by default: What’s new in SQL Server 2025 security | Microsoft Community Hub
Secure by Design: Upcoming CMK and Auditing Features in Fabric SQL Database | Data Exposed
Latest progress update on Microsoft’s Secure Future Initiative | Microsoft Security Blog

Community & Events

The data platform security team will be on-site at several upcoming events. Come and say hi!
SQL Konferenz
SQLCON - Microsoft SQL Community Conference

Call to Action

Last year brought some seriously powerful updates—Dynamic Data Masking in Cosmos DB, Auditing in Fabric SQL Database, and Customer Managed Keys that give you full control over your security strategy. These features are built to help you move faster, stay compliant, and protect data without friction. Try them out and see the impact firsthand.

If this got you fired up, share it with your team and drop a comment to keep the momentum going. And don’t wait—download SQL Server 2025 today and experience the newest security capabilities in action. Let’s push data security forward together.

Updated Jan 08, 2026
Version 3.0