3.3. Security & Governance for Data Services
💡 First Principle: Data protection requires defense in depth—multiple layers of security so that if one fails, others remain. Think of it like a medieval castle: you don't rely only on the outer wall. You have a moat, multiple walls, guards, and a keep. In database security, these layers include encryption at rest (TDE), encryption in transit (TLS), encryption in use (Always Encrypted), access control (DCL), and governance (Purview). Without layered security, a single breach exposes everything.
What breaks without proper security? Without TDE, a stolen backup file means all your data is readable in plain text. Without Always Encrypted, a rogue DBA can view every customer's credit card number. Without governance, you can't prove to auditors where sensitive data came from or who accessed it, which results in compliance failures and fines.
Consider a healthcare organization: they must protect patient data at rest (HIPAA), in transit (network interception), and from insider threats (curious employees). Each threat requires a different security mechanism.
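The layers above can be checked from inside the database. This read-only T-SQL audit is an added example, not part of the original guide. It assumes SQL Server 2016 or later or Azure SQL Database, and the column-name patterns in the third query are constructed placeholders to adapt to your schema. Purview governance lives outside the database engine and is not covered.

```sql
-- 1. Encryption at rest (TDE): databases whose backups would be readable.
--    encryption_state 3 = encrypted; NULL = no database encryption key.
SELECT d.name, d.is_encrypted, k.encryption_state
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.name NOT IN ('master', 'model', 'msdb', 'tempdb')
  AND d.is_encrypted = 0;

-- 2. Encryption in transit (TLS): current sessions connected without it.
SELECT c.session_id, c.client_net_address, s.login_name, c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
  ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE';

-- 3. Encryption in use (Always Encrypted): columns that look sensitive
--    by name but have no column encryption configured.
--    The LIKE patterns are assumptions for illustration.
SELECT OBJECT_SCHEMA_NAME(c.object_id) AS schema_name,
       OBJECT_NAME(c.object_id)        AS table_name,
       c.name                          AS column_name
FROM sys.columns AS c
JOIN sys.tables  AS t
  ON t.object_id = c.object_id
WHERE c.encryption_type IS NULL
  AND (c.name LIKE '%card%' OR c.name LIKE '%ssn%' OR c.name LIKE '%patient%');

-- 4. Access control (DCL): who has been granted SELECT on which objects,
--    so broad grants on sensitive tables can be reviewed.
SELECT pr.name                  AS principal_name,
       pr.type_desc             AS principal_type,
       pe.state_desc            AS grant_state,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1              -- object or column level
  AND pe.permission_name = 'SELECT'
ORDER BY object_name, principal_name;
```

Any rows returned by queries 1 to 3 mark a missing layer. Query 4 is an inventory to review, not a pass/fail check.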