Row Level Security in Snowflake

Row Level Security in Snowflake is about preventing attacks on the rows. If an attacker manages to get into the first page, he will be stopped by row-level security in Snowflake. We can use two algorithms to do this.

The first algorithm is named BLOWLIS. It is a part of SQL Server that executes while we are working on the statement “create table”. Here, the attacker is allowed to insert any data into the table. Only the data meant for the current transaction will be inserted, and thus we can say that only those rows that should be updated will get updated. If an update for one row fails, the row is rolled back.

The second algorithm is named ignoring. It is the same thing as before, but it will ignore any data that has not been updated or that is not needed for the current transaction. An attacker can only make use of this algorithm when the current role is ‘read-only’. Otherwise, the attacker will get an error message.

If your company is looking to get row level security in Snowflake, it is important that you also get some form of column security. In this case, there is an additional column in the view of the table that contains the list of users and their privileges. If there is any attempt to write to any of these columns, an error will be thrown. It is advisable to lock the privileges of the tables that do not contain sensitive information as well. This will ensure that all the information here remains confidential.

For the BLOWLIS algorithm to work, there should be at least three user tables on the server, or else it will block access from the attacker. We need to add the latest security restrictions for the application on the row level. This will ensure that any data that is not required for the transaction will be denied access on the server. The next thing that we need to do is to add a_priv_change’ on the views of the ‘sth’ table.

In earlier versions of SQL Server, no module allows setting ‘db_priv_change’ on views. Only advanced database administrators who are aware of locking and updates on views can use this method to update the row. However, even with such advanced capabilities, a simple administrator will still be unable to add or delete rows that have already been updated. The only option for this is to restart the SQL Server.

In most cases, the application or database that we are dealing with is quite secure. However, there are certain rare cases where external threats have penetrated the application and can create an environment where security is non-existent. In such cases, we may find that we have to resort to Row Level Security. Since we are dealing here with sensitive data, it is vital to protect this data even further by performing secure logon procedures. For this to work, we can again use the latest security updates from Windows OS. For the application and database to be able to update securely, we need to unlock the encrypted files and view the secure folder’s current settings. We can easily do so by using Windows Defender. We just need to go to Control Panel > Add Remove Programs and click on the ‘Unlock tab’ next to the ‘SQL Server’. We then click on the new button and enter our UserID and password to access our secure area.

Christophe Rude