I have spent most of my career working on SQL Server systems – covering architecture, performance, and availability – with security always as a central consideration—first as a consultant, then inside Microsoft, and now again working directly with organizations.

Background

At Microsoft, I was a Senior Program Manager for Azure SQL and SQL Server, working on core security features of the platform.

My work included:

• Leading the SQL Server 2022 permission system redesign, introducing granular system-level permissions aligned with least privilege
• Designing the external authorization framework behind Microsoft Purview policies and Fabric integration
• Contributing to SQL Server Vulnerability Assessment (Microsoft Defender for SQL)
• Participating in security reviews and threat modeling for SQL Server and Azure SQL
• I led Microsoft’s response for SQL Server environments to the Log4j vulnerability

Beyond product development, my work has focused on practical security guidance and original research in the SQL Server space, including Microsoft’s security playbook for Azure SQL and Managed Instance, schema-based security boundaries, and privilege escalation and lateral movement patterns.

Experience

I have over 25 years of experience working with Microsoft database systems across consulting, architecture, and product engineering.

• One of seven Microsoft Certified Solutions Masters (MCSM) worldwide in the Data Platform track
• Former Microsoft MVP (2014 – 2018)
• Regular speaker at international conferences across Europe, North America, and the Middle East

Today

Today, I’m the founder of Sarpedon Quality Lab LLC.

I am based in Phoenix, Arizona, and work with clients across the United States and internationally.

I work with organizations operating complex, business-critical SQL Server environments where security, availability, and compliance are non-negotiable.

My work focuses on helping organizations understand how their SQL Server environments behave in practice – especially where assumptions about security, availability, and architecture break down.

This includes uncovering privilege escalation paths, improving permission models, strengthening high availability architectures, and identifying opportunities to reduce cost and complexity through consolidation and migration.

Security is often approached as a checklist.
In practice, the most relevant risks come from how systems are used and how components interact over time.

If you want to understand where real risks exist in your SQL Server environment – not just what a checklist shows – I’m happy to connect.