Snowflake Data Governance: Column Level Security Overview

In this blog, we are going to discuss the Snowflake Data Governance feature Column Level Security.

Dynamic Data Masking and External Tokenization are the two implementations of Column Level Security. The feature falls under the “Protect your data” category and is available to all accounts on Enterprise Edition (or higher).

If you have recently read my blog on Row Access Policies, this is along the same lines: a Row Access Policy controls which rows are visible, showing them only to authorized users or groups, whereas Column Level Security masks column values, showing the real data only to authorized users or groups.

What is Column Level Security?

Snowflake Column Level Security is the Data Governance feature that lets you apply a masking policy to a column of a table or view. It helps an organization protect sensitive data from unauthorized access at query execution time. The data stored in the table is not modified (i.e. there is no static masking). Instead, when a user runs a query to which a masking policy applies, the policy's conditions determine whether that user sees the real value or masked, partially masked, obfuscated, or tokenized data.
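The following Snowflake SQL is an added example, not code from the original post: it creates a demo table, defines a masking policy with a full, a partial and a fully masked branch, attaches it to one column, and checks where the policy is in use. The table, its rows, and the role names ANALYST and SUPPORT are assumptions made for illustration.

```sql
-- Added example (not from the original post). Table, rows and the roles
-- ANALYST / SUPPORT are assumptions for illustration.
CREATE OR REPLACE TABLE customers (
  id    NUMBER,
  name  STRING,
  email STRING
);

-- Constructed sample rows
INSERT INTO customers VALUES
  (1, 'Alice', 'alice@example.com'),
  (2, 'Bob',   'bob@example.com');

-- The policy body is evaluated at query time for every reference to the
-- column; the stored data is never rewritten (no static masking).
CREATE OR REPLACE MASKING POLICY email_mask AS (val STRING) RETURNS STRING ->
  CASE
    -- full value for the analyst role
    WHEN CURRENT_ROLE() IN ('ANALYST') THEN val
    -- partial mask for support: hide the local part, keep the domain
    WHEN CURRENT_ROLE() IN ('SUPPORT') THEN REGEXP_REPLACE(val, '.+@', '*****@')
    -- everyone else gets a fixed mask
    ELSE '********'
  END;

-- Attach the policy to the column (needs the APPLY MASKING POLICY privilege
-- or ownership of the policy and the table).
ALTER TABLE customers MODIFY COLUMN email SET MASKING POLICY email_mask;

-- Inventory check: which objects and columns does this policy protect?
SELECT ref_entity_name, ref_column_name, policy_kind
FROM TABLE(INFORMATION_SCHEMA.POLICY_REFERENCES(POLICY_NAME => 'email_mask'));

-- The same query returns a different shape of data depending on the role.
USE ROLE SUPPORT;
SELECT id, email FROM customers;

USE ROLE PUBLIC;
SELECT id, email FROM customers;

-- Detach the policy when it is no longer needed
ALTER TABLE customers MODIFY COLUMN email UNSET MASKING POLICY;
```

One caveat worth knowing before copying this pattern: CURRENT_ROLE() only returns the session's primary role, so a user whose primary role merely inherits ANALYST through the role hierarchy still gets the masked branch. Snowflake's IS_ROLE_IN_SESSION('ANALYST') checks the active role hierarchy instead and is the safer condition to use in production policies.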

Column-level Security includes two features:

  1. Dynamic Data Masking
  2. External Tokenization

Dynamic Data Masking is a Column-level Security feature that uses masking policies to selectively mask plain-text data in table and view columns at query time.

External Tokenization enables accounts to tokenize data before loading it into Snowflake and de-tokenize the data at query runtime. Tokenization is the process of removing sensitive data by replacing it with an undecipherable token. External Tokenization makes use of masking policies with external functions.
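As an added example (not code from the original post), the Snowflake SQL below shows the external tokenization pattern described above: the table only ever stores tokens, an external function calls the tokenization provider, and the masking policy de-tokenizes only for an authorized role. The table, the token values, the role ANALYST, the API integration name tokenizer_int, the endpoint URL and the function name detokenize_ext are all placeholders; a real deployment points them at its own tokenization service.

```sql
-- Added example (not from the original post). Everything named here
-- (table, tokens, role, integration, URL, function) is a placeholder.

-- 1. Data is tokenized OUTSIDE Snowflake before loading, so the table
--    only ever holds tokens. These token values are constructed.
CREATE OR REPLACE TABLE patients (
  id        NUMBER,
  ssn_token STRING
);
INSERT INTO patients VALUES
  (1, 'tok_8f3a1c'),
  (2, 'tok_0b77e9');

-- 2. An external function that calls the provider's de-tokenization API.
--    Assumes an API integration named tokenizer_int has already been
--    created by an account administrator; the URL is a placeholder.
CREATE OR REPLACE SECURE EXTERNAL FUNCTION detokenize_ext(token STRING)
  RETURNS STRING
  API_INTEGRATION = tokenizer_int
  AS 'https://tokenizer.example.com/detokenize';

-- 3. The masking policy de-tokenizes only for an authorized role.
--    Everyone else gets the stored token, which carries no sensitive
--    data on its own; the real value never lands in Snowflake storage.
CREATE OR REPLACE MASKING POLICY ssn_detokenize AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('ANALYST') THEN detokenize_ext(val)
    ELSE val
  END;

ALTER TABLE patients MODIFY COLUMN ssn_token SET MASKING POLICY ssn_detokenize;

-- Same query, different role: ANALYST triggers the external call per row,
-- PUBLIC just reads the token column as stored.
USE ROLE ANALYST;
SELECT id, ssn_token FROM patients;

USE ROLE PUBLIC;
SELECT id, ssn_token FROM patients;
```

Two practical points follow from the policy shape: the external function runs once per referenced value at query time, so an authorized role querying a large table generates a correspondingly large number of calls to the tokenization service, and the ELSE branch returns the token unchanged, so a token that can be matched against other systems is itself a linkable identifier even though it reveals nothing about the original value.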

Does Snowflake support nested policies?

Yes, Snowflake supports nested masking policies. Snowflake evaluates all masking policies that are relevant to a given query in the following sequence:

  • The masking policy that is applicable to the table is always executed first.
  • The policy for the view is executed after evaluating the policy for the table.
  • If nested views exist (e.g. Table 1 → View 1 → View 2 → … View n), the policies are applied in sequential order from left to right.

Let’s see a demo of nested masking:
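The Snowflake SQL below is an added example, not the original post's demo: it puts one masking policy on a base table and a different policy on a view over that table, so that the evaluation order from the list above can be observed. The table, its rows, and the roles AUDITOR and SUPPORT are assumptions made for illustration.

```sql
-- Added example (not from the original post). Table, rows and the roles
-- AUDITOR / SUPPORT are assumptions for illustration.
CREATE OR REPLACE TABLE employees (id NUMBER, ssn STRING);
-- Constructed sample rows
INSERT INTO employees VALUES (1, '123-45-6789'), (2, '987-65-4321');

-- Table policy: only AUDITOR sees the full SSN; everyone else sees the
-- last four digits.
CREATE OR REPLACE MASKING POLICY ssn_table_policy AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('AUDITOR') THEN val
    ELSE 'XXX-XX-' || RIGHT(val, 4)
  END;
ALTER TABLE employees MODIFY COLUMN ssn SET MASKING POLICY ssn_table_policy;

-- A view over the table, carrying its own policy on the same column.
CREATE OR REPLACE VIEW employees_v AS SELECT id, ssn FROM employees;

-- View policy: SUPPORT and AUDITOR get whatever value reaches the view;
-- everyone else gets a fixed mask.
CREATE OR REPLACE MASKING POLICY ssn_view_policy AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('SUPPORT', 'AUDITOR') THEN val
    ELSE '***-**-****'
  END;
ALTER VIEW employees_v MODIFY COLUMN ssn SET MASKING POLICY ssn_view_policy;

-- Evaluation order: ssn_table_policy runs first, and its output is the
-- input to ssn_view_policy. Run the same query under each role.
USE ROLE AUDITOR;
SELECT id, ssn FROM employees_v;

USE ROLE SUPPORT;
SELECT id, ssn FROM employees_v;

USE ROLE PUBLIC;
SELECT id, ssn FROM employees_v;
```

The case to look at is SUPPORT. The view policy passes the value through for that role, but the value it receives has already been masked by the table policy, so SUPPORT sees the partially masked SSN, not the full one. A policy on a view can therefore only narrow what the base table's policy allows; it can never widen it, which is exactly what the "table first, then view" ordering guarantees.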

How are masking policies applied at query runtime?

Snowflake rewrites the query to apply the masking policy expression to the columns specified in the masking policy. The masking policy is applied to the column regardless of where in a SQL expression the column is referenced, including:

  • Projections.
  • JOIN predicates.
  • WHERE clause predicates.
  • ORDER BY and GROUP BY clauses.

Let’s see a demo of masked-table behavior:
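The Snowflake SQL below is an added example, not the original post's demo: it applies a fixed mask to an email column and then references that column in a projection, a WHERE predicate, a GROUP BY and a JOIN, to show that the policy is rewritten into each of those places and what that does to the results. The tables, their rows and the role ANALYST are assumptions made for illustration.

```sql
-- Added example (not from the original post). Tables, rows and the role
-- ANALYST are assumptions for illustration.
CREATE OR REPLACE TABLE customers (id NUMBER, email STRING);
CREATE OR REPLACE TABLE orders (order_id NUMBER, customer_email STRING, amount NUMBER);

-- Constructed sample rows
INSERT INTO customers VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
INSERT INTO orders VALUES (10, 'alice@example.com', 50), (11, 'bob@example.com', 75);

-- Fixed mask: every unauthorized reference to the column becomes the
-- same constant string.
CREATE OR REPLACE MASKING POLICY email_fixed_mask AS (val STRING) RETURNS STRING ->
  CASE WHEN CURRENT_ROLE() IN ('ANALYST') THEN val ELSE '********' END;

ALTER TABLE customers MODIFY COLUMN email SET MASKING POLICY email_fixed_mask;
ALTER TABLE orders MODIFY COLUMN customer_email SET MASKING POLICY email_fixed_mask;

USE ROLE PUBLIC;   -- an unauthorized role

-- Projection: the column comes back masked.
SELECT id, email FROM customers;

-- WHERE predicate: the comparison runs against the masked value, so a
-- filter on a real address has nothing to match. Guessing an email and
-- checking whether a row comes back does not work.
SELECT id FROM customers WHERE email = 'alice@example.com';

-- GROUP BY: all rows fall into the one masked group, so per-address
-- counts are not recoverable either.
SELECT email, COUNT(*) AS n FROM customers GROUP BY email;

-- JOIN predicate: both sides are masked to the same constant, so every
-- customer "matches" every order and the join degenerates into a cross
-- product instead of a per-customer match.
SELECT c.id, o.order_id, o.amount
FROM customers c
JOIN orders o ON c.email = o.customer_email;

-- If joins and grouping must keep working for unauthorized roles, mask
-- with a deterministic hash so distinct values stay distinct while the
-- plaintext is hidden.
CREATE OR REPLACE MASKING POLICY email_hash_mask AS (val STRING) RETURNS STRING ->
  CASE WHEN CURRENT_ROLE() IN ('ANALYST') THEN val ELSE SHA2(val) END;

ALTER TABLE customers MODIFY COLUMN email SET MASKING POLICY email_hash_mask FORCE;
ALTER TABLE orders MODIFY COLUMN customer_email SET MASKING POLICY email_hash_mask FORCE;

-- Same join, now one row per matching customer/order pair.
SELECT c.id, o.order_id, o.amount
FROM customers c
JOIN orders o ON c.email = o.customer_email;
```

The hash variant is a trade-off, not a free fix: an unsalted SHA2 of an email address is linkable across tables (which is the point) but is also open to a dictionary attack by anyone who can enumerate likely addresses and hash them, so it should be treated as pseudonymization for analytics rather than as confidentiality for the value itself. The FORCE keyword on SET MASKING POLICY replaces a policy that is already attached to the column without a separate UNSET step.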

Things to Remember:

  • A masking policy is deliberately applied wherever the relevant column is referenced by a SQL construct, so that masked data cannot be de-anonymized through creative queries (for example, by filtering, grouping or joining on the masked column).
  • If a query results in masked data in one or more columns, the output may not be what you anticipated, because the masked values prevent the query from evaluating the data in the intended context.
  • Snowflake recommends reviewing the query runtime considerations in its documentation when predicting the effect of applying a masking policy to a column and whether a given query operator will see masked data.
  • Column Level Security has some limitations. Review them before planning any masking setup.

I hope this blog helped you gain insight into the Snowflake Data Governance feature Column Level Security. If you are interested in more details about Dynamic Data Masking, refer to the Snowflake documentation. Feel free to ask a question in the comments section if you have any doubts. Give a clap if you like the blog, and stay connected for more such content. Thanks for your support.

You Can Find me:

Follow me on Medium: https://rajivgupta780184.medium.com/

Follow me on Twitter: https://twitter.com/RAJIVGUPTA780

Connect with me in LinkedIn: https://www.linkedin.com/in/rajiv-gupta-618b0228/

Subscribe to my YouTube Channel: https://www.youtube.com/c/RajivGuptaEverydayLearning

#Keep learning #Keep Sharing #Everyday Learning.
