Column-level security in Snowflake allows a masking policy to be applied to a column within a table or view.
Currently, column-level security involves two features: dynamic data masking and external tokenization.
1. Dynamic Data Masking
Snowflake supports masking policies as a schema-level object to protect sensitive data from unauthorized access while still allowing authorized users to see the sensitive data at query runtime.
Because masking policies are schema-level objects, they can be managed in a centralized, decentralized or hybrid way; applying a masking policy therefore means choosing one of these three management approaches.
Masking policies can also include functions and conditions to transform the data at query runtime if the conditions are met.
A policy-driven approach supports segregation of duties: security teams can define policies that limit sensitive data exposure, even to the owner of an object, who usually has full access to the underlying data.
A policy administrator creates a masking policy, which consists of a policy condition and a masking function, and then applies it to resources such as databases.
Inside a database we have tables and columns, so the masking policy is applied to one or more columns of the table or view that is being secured.
The same masking policy can be applied to multiple databases.
A masking policy administrator can implement a masking policy such that analysts (users having a custom analyst role) can only view the last three or four digits of a phone number and none of a social security number.
Customer support representatives (users having the custom support role) can view the entire phone number and the entire social security number (SSN), which is useful when a customer needs to be verified.
A user with the authorized role (support) sees all of the data in the table's columns, while a user with the unauthorized role (analyst) cannot see the social security number and sees only the last few digits of the phone number.
Managing Column Level Security
To establish column-level security, you have to choose between centralized, decentralized or hybrid management.
Centralized management: uses a security officer to create policies and to apply policies to columns.
Hybrid management: uses a security officer to create policies and individual teams to apply policies to columns.
Decentralized management: uses individual teams to create policies and to apply policies to columns.
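The analyst/support scenario above, together with the hybrid split between a security officer who creates policies and a data-owning team that applies them, as an added Snowflake SQL example (not code from the original page). The database, schema, table and column names and the roles ANALYST, SUPPORT, SECURITY_OFFICER and CRM_DATA_OWNER are assumed.

```sql
-- Added example: Snowflake masking policies for the analyst/support scenario.
-- Assumed names: policies live in schema CRM.SEC, the protected table is
-- CRM.PUBLIC.CUSTOMERS with columns PHONE and SSN, and the custom roles are
-- ANALYST, SUPPORT, SECURITY_OFFICER and CRM_DATA_OWNER.

-- Centralized part: only the security officer may create policies in CRM.SEC.
USE ROLE ACCOUNTADMIN;
GRANT CREATE MASKING POLICY ON SCHEMA CRM.SEC TO ROLE SECURITY_OFFICER;

USE ROLE SECURITY_OFFICER;

-- Phone: SUPPORT sees the full number, every other role sees the last 4 digits.
CREATE OR REPLACE MASKING POLICY CRM.SEC.PHONE_MASK AS (val STRING)
  RETURNS STRING ->
  CASE
    WHEN val IS NULL THEN NULL
    WHEN CURRENT_ROLE() = 'SUPPORT' THEN val
    ELSE REPEAT('*', GREATEST(LENGTH(val) - 4, 0)) || RIGHT(val, 4)
  END;

-- SSN: SUPPORT sees the value, every other role sees a fixed mask with no digits.
CREATE OR REPLACE MASKING POLICY CRM.SEC.SSN_MASK AS (val STRING)
  RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() = 'SUPPORT' THEN val
    ELSE '***-**-****'
  END;

-- Hybrid part: the team owning the table may attach existing policies to its
-- columns, but cannot create or alter the policies themselves.
USE ROLE ACCOUNTADMIN;
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE CRM_DATA_OWNER;

USE ROLE CRM_DATA_OWNER;
ALTER TABLE CRM.PUBLIC.CUSTOMERS MODIFY COLUMN PHONE SET MASKING POLICY CRM.SEC.PHONE_MASK;
ALTER TABLE CRM.PUBLIC.CUSTOMERS MODIFY COLUMN SSN   SET MASKING POLICY CRM.SEC.SSN_MASK;

-- Verify at query time: the same SELECT returns masked or full values per role.
USE ROLE ANALYST;
SELECT PHONE, SSN FROM CRM.PUBLIC.CUSTOMERS LIMIT 5;  -- masked phone, no SSN digits
USE ROLE SUPPORT;
SELECT PHONE, SSN FROM CRM.PUBLIC.CUSTOMERS LIMIT 5;  -- full phone and SSN
```

CURRENT_ROLE() matches only the session's active role, so a user who holds SUPPORT through role inheritance but runs with a different active role still gets the masked output; use IS_ROLE_IN_SESSION('SUPPORT') in the condition if the role hierarchy should be honoured.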
2. External Tokenization
Tokenization is an industry standard and is more or less required by PCI DSS for all organizations that accept credit cards.
You can become PCI DSS compliant without tokenization, although it becomes more challenging without it.
Tokenization is an industry-wide technology developed to ensure that cardholder data is kept secure.
This is accomplished by the receiver of the cardholder data assigning a random string of characters to it and returning that string to the provider of the cardholder data.