It’s been 4 weeks that I left Microsoft, and many, way more people than I expected contacted me privately expressing their surprise or regret (some even used the word “shocked”) and wondered how come.
Why on earth would I give up my role in the security team for Azure Data? After all it seems to be a perfect place to make a difference, and do what I love: help making the product more secure.
I am also flattered by the amount of praise I received for the changes to the permission system in SQL, improving its granularity with about 50 more permissions and at the same time opening it up to an external policy-based authorization model.
While I am humbled and thankful for being remembered for my work, I do think, it could have been more. But in the majority of the last year there just wasn’t enough for me to work on that would have made a big impact. At least not for my taste.
Given the high interest in my decision, especially given the current security landscape, I thought some may find it interesting to hear a bit more about my motives of both joining and then leaving.
However, I do not want to focus on reasons for quitting my role. Rather I would like to use this opportunity to express what made my position as program manager, responsible for security features in a database management system attractive to me. And some of these aspects may have remained until the end, some others may have gotten lost over time. Which fall in which category is not relevant for a public blog.
Note: Throughout this article I will use the term Program Manager which was my official title or abbreviated as PM. One could replace this with Product Manager as some other companies call it. The differences are marginal for the purpose of this blog.
If you want to know more about the role of a program manager, I recommend this article and video by Matthew Roche: Being a Program Manager at Microsoft
What is great about being a Program Manager for DBMS security features at a large corporation with millions of customers
First of all, there is the obvious chance to impact a large number of customers, essentially the whole customer base at once, by creating new security functionalities or improving existing ones. The same applies to any other area of course. In fact, back in 2018 I faced the tough decision between joining a team focused to work on performance impacting features vs security. I decided to go for security, which I believe is always being undervalued and underfunded, hoping to make a difference.
Improving the Authorization model in the SQL engine
In concrete terms, in Microsoft Azure Data, which encompasses both SQL Server as well as the different cloud-based flavors of Azure SQL, it was promising to have a chance to make fundamental changes or even replace or rebuild the existing SQL permission system as a whole.
The reasons for that may not be obvious for everyone: While the permission system of SQL Server has a reputation of being rock-solid and immensely large, there are still many areas where it lacks granularity that is necessary to eliminate common violations of PoLP. (Here you can read more about The Principle of Least Privilege (POLP) )
But another aspect is the growing need to have a scalable solution to manage authorization at scale. Most notably in big cloud-environments, but not only. And this is where policy-based authorization systems thrive.
We took the chance to take a stab at making the SQL engine authorization work at scale, beyond the sever-scope to govern masses of servers at once, by working with the Microsoft Purview team to implement the first version of RBAC for Azure SQL and SQL Server. It is based on policies created in Purview that can be applied at any level of an Azure subscription. (Provision access to system metadata in Azure SQL Database using Microsoft Purview DevOps policies )
The architecture behind it also serves the current and first Implementation of label-based deny-policies, a form of ABAC (Attribute Based Access Control): Public preview: Label-based access control for Azure SQL Database using Microsoft Purview policies
Personally, if I have had the time or chance to undergo cloning, ABAC and its cousin MAC (Mandatory Access Control) is the space I see the greatest potential I terms of authorization due to their flexibility and scalability to enable tight and yet simple, policy-based access control.
Furthermore, since the architecture is meant to be open for external providers, it is also being used for the enforcement of workspace roles for SQL datawarehouse and soon SQL database in Fabric. (Workspace roles in Fabric data warehousing)
I dearly hope that a successor in my role will find ways to further extend the RBAC permissions while keeping the promise of granularity and scalability at the same time. 🙂
Integrating real-world knowledge of processes and job-responsibilities
Given my background as a consultant, database systems architect and also having been a trainer for hundreds of people in database skills including data security in addition to being one of just 7 professionals worldwide to have reached the Microsoft Certified Solutions Master for Data Platform certification, it was only natural to assume that I would be able to integrate my vast experience to advice and steer security decisions based on knowledge and not only having to rely on surveys and similar.
This is however not the most common approach as a PM. It is vital to understand the difference between a specific concrete customer wish vs accumulating multiple asks from different customers of all sizes and coming to a grand vision that not only serves a specific need perfectly, but ideally everyone in some way.
This for me is one of the most exciting aspects in such a role. While working as an architect for designing database and datawarehouse systems, having an understanding of the broader picture and also anticipate future requirements not just in functionality and usability but also maintenance was always close to my heart.
Those who look closely at the RBAC integration for SQL Server will hopefully recognize my footprint as it comes with proper metadata support and a design meant to scale. 🙂
What I have had the opportunity and honor to work on
Being versatile in any aspect of SQL Server, I was given the opportunity to help out in many areas where security meets other functionalities.
One outcome was as complete overhaul of I believe about 85 rules for VA (Vulnerability Assessment), which – another positive aspect – allowed me to work together with the super-motivated security team in Israel. (שָׁלוֹם עֲלֵיכֶם)
Another great way of staying on top of the latest development and at the same time improve the security posture was to be part of the security review board and improve some of its methodology.
In the end I was also able to reconnect security with my other area of expertise: performance analysis, by making sure that the database watcher which just went into Public Preview (Introducing database watcher for Azure SQL) shortly before my resignation, can be used in compliance with the Principle of Least Privilege, by making use of 3 of the new server roles which I had implemented during my time.
Being in regular touch with customers and peers
As a Program or Product Manager, it is also expected to have a close ear on the customer base. At Microsoft there are multiple channels one can utilize. One of the is the worldwide MVP community. Here I had the advantage that I came from the community, in other words I used to be among those experts who, being recognized by Microsoft as Community leaders, have a dedicated channel to Microsoft, which Program Managers such as myself could use. As a former member I did enjoy the trust and thus open talks with many of the data professionals who care deeply about data security.
Thank you to all of you who stuck with me over the last 5.5 years and supported my work by actively giving feedback on security functionalities, be it via the official MVP channel or in private conversations!
But there are more ways to interact with customers. Another on would be public conferences. However, for various reasons, not just Covid, these types of activities became rarer for PM’s.
Besides customers, working at Microsoft gave me the opportunity to listen first-hand to industry experts and just an amazing number of super smart people. It is immensely valuable to be in such a position to interact, learn and even collaborate with others, each a luminary in its field!
This human factor, not just sitting in an echo chamber but actually talking and interacting with other people, both customers and team mates, is something which I value extraordinarily and is something a PM can build on if it fits to the role’s duties This can but do not have to include public speaking, aka evangelizing. This however is definitely an area which not only was I already used to but also suffered through the Covid pandemic.
After all, I do strongly believe that the best output comes from a “team”, that has a sense of togetherness, and also enjoys the trust of leadership which manifests in open communication to allow people to understand decisions. It is up to each organization to allow team building to occur naturally and be supportive of it. It that sense it was definitely a learning how this can work at such a large organization and if not, what makes the difference.
The future
I am really pleased to see the recent push for “security first” as a new strategy at Microsoft. This are hopefully just the right conditions for a PM in security to thrive and make a difference. I am definitely watching this space and hope that not only Microsoft pulls through with it (it is a multi-year effort after all) and by that also influences other companies out there to keep a clear focus on tight security. There are a lot of great ideas and concept out there, and we can push each other to improve iteratively across vendor boundaries and learn from each other. Be it Snowflake, PostgreSQL, Oracle or SQL Server.
For me, it is time to “hit refresh” 😉
be safe and thank you for reading
Andreas
The new Microsoft Campus on my last visit to Redmond, Nov 2023
Leave a Reply
Want to join the discussion?Feel free to contribute!