Overview

Data Security is a foundational element within the Colrows architecture, prioritized across all its supported features and functionalities. Colrows boasts an advanced data security framework, anchored by a zero-trust policy. It provides integrated controls to safeguard your data at every stage of processing and storage within your pipeline.

Furthermore, Colrows offers seamless integration with various third-party identity management services, enhancing security and streamlining control. Some of the available integrations include:

  • SSO
  • LDAP
  • Active Directory
  • OAuth
  • Native

Within Colrows, a 'Permission' is a foundational construct comprising the specific type of permissions granted and the datasets to which those permissions apply. An 'Access Policy' document records the correlation between users and their associated set of permissions. In other words, an 'Access Policy' is a higher-level construct that contains a set of permissions and maps those permissions to a set of users in the system. Both 'Permission' and 'Access Policy' definitions are captured and stored in JSON format. An 'Access Policy' document looks like the following:


{
  "name": "sample-policy",      // string literal identifying this policy
  "datasourceId": "ds-123",     // unique datasource id
  "schema": "sample-schema",    // optional schema name
  "type": "FIXED/REGEX/CLASS",  // type of the permissions in this policy document: one of FIXED, REGEX or CLASS
  "permissions": [],            // set of permissions
  "users": [],                  // set of users this policy applies to
  "groups": []                  // set of user groups this policy applies to
}

Although the structure of the 'Access Policy' document remains consistent, the collection of permissions it encompasses varies from one use case to another.

Fixed Permission

A fixed access permission is a static metadata that grants access to a predetermined set of columns within a dataset. This type of permission applies exclusively to a single dataset. Since the dataset name and the set of column names are defined statically and remain unchanged, the permission is referred to as a Fixed Access Permission. Here's an illustration of a Fixed Access Permission:


[
  {
    "dataset": "table-name",    // table name to which this permission applies
    "rowPredicates": [],        // row-level permission details
    "columnExclusion": []       // column-level permission details
  }
]

Let's define a Fixed Access Permission for the sample scenario given below.

Grant access to all columns in the database table cust_account except columns acct_balance & acct_open_date.


[
  {
    "dataset": "cust_account",
    "rowPredicates": [],
    "columnExclusion": ["acct_balance", "acct_open_date"]
  }
]

'Fixed Access Permission' also allows row filtering, which restricts the visible rows to those matching a set of predicates. A row predicate is defined as an expression in string format; for example:


[
  {
    "dataset": "cust_account",
    "rowPredicates": ["balance > 100000", "cust_name like '%sha%'"],
    "columnExclusion": []
  }
]

All the predicates defined as part of a permission are combined with the 'AND' operator. For the example above, the row filter is applied as:

balance > 100000 AND cust_name like '%sha%'

Both row-filtering and column access can be combined into a single access permission definition.
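The following Python is an added example, not Colrows code, showing how a FIXED permission of the shape above expands into the effective projection and the AND-joined row filter. The table catalog is constructed for the example and the product's own resolution logic is not on this page; the example additionally rejects an exclusion that names a column the table does not have, since a misspelled exclusion would otherwise silently leave a sensitive column visible.

```python
"""Expand a Colrows-style FIXED permission into visible columns and a row filter.

Added example, not Colrows code. Assumes the permission JSON shape shown on this
page (dataset, rowPredicates, columnExclusion) and a caller-supplied table catalog.
"""
import json

# Constructed sample catalog: table name -> ordered column names (not from the page).
CATALOG = {
    "cust_account": ["cust_id", "cust_name", "country", "acct_balance", "acct_open_date"],
}


def allowed_columns(permission, catalog):
    """Return the columns of the permission's dataset that remain visible.

    Unknown exclusion names raise instead of being ignored: a typo in
    columnExclusion must fail loudly rather than widen access.
    """
    table = permission["dataset"]
    if table not in catalog:
        raise KeyError(f"dataset {table!r} not in catalog")
    columns = catalog[table]
    excluded = set(permission.get("columnExclusion", []))
    unknown = excluded - set(columns)
    if unknown:
        raise ValueError(f"columnExclusion names unknown columns: {sorted(unknown)}")
    return [c for c in columns if c not in excluded]


def row_filter(permission):
    """Join every rowPredicate with AND, each wrapped in parentheses.

    Parenthesising keeps an OR inside one predicate from loosening the others.
    Predicates are policy-author strings, never end-user input.
    """
    preds = [p.strip() for p in permission.get("rowPredicates", []) if p.strip()]
    if not preds:
        return None
    return " AND ".join(f"({p})" for p in preds)


def effective_query(permission, catalog):
    """Render the SELECT the permission effectively grants on its dataset."""
    cols = ", ".join(allowed_columns(permission, catalog))
    sql = f"SELECT {cols} FROM {permission['dataset']}"
    where = row_filter(permission)
    return sql if where is None else f"{sql} WHERE {where}"


if __name__ == "__main__":
    # Row filter and column exclusion combined in one permission, as the page allows.
    perm = json.loads('''{"dataset": "cust_account",
        "rowPredicates": ["balance > 100000", "cust_name like '%sha%'"],
        "columnExclusion": ["acct_balance", "acct_open_date"]}''')
    print(effective_query(perm, CATALOG))
```

Running the block prints a SELECT over the three non-excluded columns with both predicates parenthesised and joined by AND; the combined permission is what the last sentence above describes.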

Regex Permission

The 'RegEx Access Permission' operates on regular expressions, offering a dynamic alternative to the 'Fixed Access Permission'. Unlike the latter, this type of permission does not support row filters. In a regex access permission definition, only one of 'allButTheseColumns' or 'onlyTheseColumns' should be present, depending on whether the user wishes to grant access to all columns except specific ones or to only specific columns.


[
  {
    "dataset": "table-name-regex",  // regex matching table names
    "allButTheseColumns": [],       // set of regexes matching column names that will not be accessible
    "onlyTheseColumns": []          // set of regexes matching column names that will be accessible
  }
]

A sample use case to allow access to all columns in the database table cust_account except the columns acct_balance and acct_open_date can be illustrated as below. Note that the pattern acct_* matches every column whose name starts with acct_, so it covers both of those columns and any other column with the same prefix:


[
  {
    "dataset": "cust_account",
    "allButTheseColumns": ["acct_*"],
    "onlyTheseColumns": []
  }
]

The dynamic nature of 'Regex Permission' makes it difficult to track permissions across a large database. It is therefore advisable to define several small, simple definitions instead of a single large definition encompassing many datasets.
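The Python below is an added example, not Colrows code, that resolves a REGEX permission against a constructed table catalog. The page calls these patterns regular expressions, but the samples it gives (acct_*, perm*, *) read as shell-style wildcards, and `*` on its own is not a valid regular expression, so the example assumes fnmatch-style wildcard matching anchored to the whole name; adjust the matcher if the product uses true regular expressions. It enforces the rule that only one of allButTheseColumns or onlyTheseColumns may be set, treats both-empty as "no column restriction" as the first sample policy below does, and includes a check for the acct_* caveat: a wildcard exclusion hiding more columns than the author intended.

```python
"""Resolve a Colrows-style REGEX permission against a table catalog.

Added example, not Colrows code. Assumes wildcard (fnmatch) semantics for the
dataset and column patterns, which is an assumption about the product.
"""
from fnmatch import fnmatchcase

# Constructed sample catalog: table name -> ordered column names (not from the page).
CATALOG = {
    "cust_account": ["cust_id", "cust_name", "acct_id", "acct_balance", "acct_open_date"],
    "perm_audit": ["_meta_ts", "actor", "action"],
    "orders": ["order_id", "acct_id", "amount"],
}


def _matches(name, patterns):
    """True when the whole name matches at least one wildcard pattern."""
    return any(fnmatchcase(name, p) for p in patterns)


def resolve_regex_permission(permission, catalog):
    """Return {table: [visible columns]} for every table the dataset pattern matches.

    Only one of allButTheseColumns / onlyTheseColumns may be non-empty (the page's
    either/or rule). Both empty means no column restriction, as in the page's
    first sample policy, which grants all columns with two empty lists.
    """
    all_but = permission.get("allButTheseColumns", [])
    only = permission.get("onlyTheseColumns", [])
    if all_but and only:
        raise ValueError("allButTheseColumns and onlyTheseColumns are mutually exclusive")
    result = {}
    for table, columns in catalog.items():
        if not fnmatchcase(table, permission["dataset"]):
            continue
        if all_but:
            visible = [c for c in columns if not _matches(c, all_but)]
        elif only:
            visible = [c for c in columns if _matches(c, only)]
        else:
            visible = list(columns)
        result[table] = visible
    return result


def over_broad_exclusions(permission, catalog, intended):
    """List columns a wildcard exclusion hides beyond the ones the author intended.

    A non-empty result is the acct_* caveat: the pattern also hides acct_id here.
    Over-hiding is the safe direction, but it is still worth surfacing in review.
    """
    hidden = set()
    for table, visible in resolve_regex_permission(permission, catalog).items():
        hidden.update(set(catalog[table]) - set(visible))
    return sorted(hidden - set(intended))


if __name__ == "__main__":
    perm = {"dataset": "cust_account", "allButTheseColumns": ["acct_*"], "onlyTheseColumns": []}
    print(resolve_regex_permission(perm, CATALOG))
    print("hidden beyond intent:", over_broad_exclusions(perm, CATALOG, ["acct_balance", "acct_open_date"]))
```

Running the same resolver over a `"dataset": "*"` permission shows why the advice above matters: one definition silently fans out to every table in the catalog, and reviewing what it actually exposes requires exactly this kind of expansion.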

Class Permission

The 'Class Access Permission' operates according to data sensitivity classification. Colrows offers support for four distinct data sensitivity classes: PUBLIC, INTERNALLY PUBLIC, CONFIDENTIAL, and HIGHLY CONFIDENTIAL. Provisioning access through the 'Class Access Permission' is contingent upon the configuration of sensitivity-related metadata within Colrows. As Colrows adheres to a 'zero-trust' data access policy, data lacking sensitivity-related metadata remains inaccessible to users.

Sample Access Policy Definitions

Let's take some sample scenarios and define the access permissions for them.

  1. Allow access to all tables and all columns in a schema to a group of users named 'tech-leads'.

    {
      "name": "sample-policy",
      "datasourceId": "ds-123",
      "schema": "sample-schema",
      "type": "REGEX",
      "permissions": [{
          "dataset": "*",
          "allButTheseColumns": [],
          "onlyTheseColumns": []
        }],
      "users": [],
      "groups": ["tech-lead-id"]
    }

  2. Allow access to columns whose names start with _meta in all tables in a schema to the tech-lead user group.

    {
      "name": "sample-policy",
      "datasourceId": "ds-123",
      "schema": "sample-schema",
      "type": "REGEX",
      "permissions": [{
          "dataset": "*",
          "allButTheseColumns": [],
          "onlyTheseColumns": ["_meta*"]
        }],
      "users": [],
      "groups": ["tech-lead-id"]
    }

  3. Allow the tech-lead user group access to rows where country = 'India' in the cust_account table.

    {
      "name": "sample-policy",
      "datasourceId": "ds-123",
      "schema": "sample-schema",
      "type": "FIXED",
      "permissions": [{
          "dataset": "cust_account",
          "rowPredicates": ["country = 'INDIA'"],
          "columnExclusion": []
        }],
      "users": [],
      "groups": ["tech-lead-id"]
    }

  4. Allow access to rows in the table cust_account where acct_balance < 100000 and country = 'India'.

    {
      "name": "sample-policy",
      "datasourceId": "ds-123",
      "schema": "sample-schema",
      "type": "FIXED",
      "permissions": [{
          "dataset": "cust_account",
          "rowPredicates": ["country = 'INDIA'", "acct_balance < 100000"],
          "columnExclusion": []
        }],
      "users": [],
      "groups": ["tech-lead-id"]
    }

  5. Users should get access to all the columns of tables whose names start with 'perm' inside a schema.

    {
      "name": "sample-policy",
      "datasourceId": "ds-123",
      "schema": "sample-schema",
      "type": "REGEX",
      "permissions": [{
          "dataset": "perm*",
          "allButTheseColumns": [],
          "onlyTheseColumns": ["*"]
        }],
      "users": [],
      "groups": ["tech-lead-id"]
    }

  6. Allow access to all columns except 'acct_balance' in the table 'cust_balance' to a group of users and several individual users.

    {
      "name": "sample-policy",
      "datasourceId": "ds-123",
      "schema": "sample-schema",
      "type": "REGEX",
      "permissions": [{
          "dataset": "cust_balance",
          "allButTheseColumns": ["acct_balance"],
          "onlyTheseColumns": []
        }],
      "users": ["user-id1", "user-id2"],
      "groups": ["tech-lead-id"]
    }
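The Python below is an added example, not Colrows code, that ties the sample policies above to a principal: it validates an Access Policy document against the shapes this page defines (the top-level keys, permission keys matching the declared type, the either/or rule for REGEX permissions) and then collects the permissions bound to a user directly or through group membership. Matching is default-deny, and a malformed policy grants nothing. The policy names, user ids and group ids in the embedded sample set are constructed; the product's own evaluation order and how permissions from several policies are merged are not stated on the page and are not assumed here.

```python
"""Validate Colrows-style Access Policy documents and find those bound to a principal.

Added example, not Colrows code. Assumes the Access Policy JSON shape shown on
this page; all ids and policy names below are constructed sample values.
"""
import json

FIXED_KEYS = {"dataset", "rowPredicates", "columnExclusion"}
REGEX_KEYS = {"dataset", "allButTheseColumns", "onlyTheseColumns"}


def validate_policy(policy):
    """Return a list of problems; an empty list means the document is well-formed."""
    problems = []
    for key in ("name", "datasourceId", "type", "permissions", "users", "groups"):
        if key not in policy:
            problems.append(f"missing key {key!r}")
    if problems:
        return problems
    if policy["type"] not in ("FIXED", "REGEX", "CLASS"):
        problems.append(f"unknown type {policy['type']!r}")
    # CLASS permissions are driven by sensitivity metadata; their key set is not on the page.
    expected = {"FIXED": FIXED_KEYS, "REGEX": REGEX_KEYS}.get(policy["type"])
    for i, perm in enumerate(policy["permissions"]):
        if expected is not None and set(perm) != expected:
            problems.append(f"permission {i}: keys {sorted(perm)} do not match type {policy['type']}")
        if policy["type"] == "REGEX" and perm.get("allButTheseColumns") and perm.get("onlyTheseColumns"):
            problems.append(f"permission {i}: allButTheseColumns and onlyTheseColumns both set")
    if not policy["users"] and not policy["groups"]:
        problems.append("policy binds no users or groups, so it grants nothing")
    return problems


def applicable_permissions(policies, user_id, group_ids):
    """Collect (policy name, type, permission) for every policy bound to the principal.

    Default deny: a policy applies only through an explicit user or group entry,
    and a policy that fails validation is skipped rather than partially honoured.
    """
    groups = set(group_ids)
    granted = []
    for policy in policies:
        if validate_policy(policy):
            continue
        bound = user_id in policy["users"] or bool(groups & set(policy["groups"]))
        if not bound:
            continue
        for perm in policy["permissions"]:
            granted.append((policy["name"], policy["type"], perm))
    return granted


# Constructed sample policies in the page's document shape (names and ids invented).
SAMPLE_POLICIES = json.loads('''[
  {"name": "tech-leads-all", "datasourceId": "ds-123", "schema": "sample-schema",
   "type": "REGEX",
   "permissions": [{"dataset": "*", "allButTheseColumns": [], "onlyTheseColumns": []}],
   "users": [], "groups": ["tech-lead-id"]},
  {"name": "india-rows", "datasourceId": "ds-123", "schema": "sample-schema",
   "type": "FIXED",
   "permissions": [{"dataset": "cust_account", "rowPredicates": ["country = 'INDIA'"],
                    "columnExclusion": []}],
   "users": ["user-id1"], "groups": []},
  {"name": "broken", "datasourceId": "ds-123", "schema": "sample-schema",
   "type": "FIXED",
   "permissions": [{"dataset": "cust_account", "allButTheseColumns": ["acct_*"],
                    "onlyTheseColumns": []}],
   "users": ["user-id2"], "groups": []}
]''')


if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["name"], "->", validate_policy(p) or "ok")
    for name, ptype, perm in applicable_permissions(SAMPLE_POLICIES, "user-id1", ["tech-lead-id"]):
        print(name, ptype, perm)
```

The third sample policy declares type FIXED but carries REGEX-shaped keys, the kind of drift that creeps in when a policy is copied and edited; the validator reports it and the principal bound to it receives nothing from it.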
            

Zero Trust Data Access

Zero Trust Data Access is a security concept and approach that assumes that no one, whether inside or outside an organization's network, should be trusted by default to access sensitive data. Instead, access to data is restricted and controlled on a per-user and per-device basis, and it is granted only when necessary, based on various factors and contextual information.

Zero Trust Data Access is a critical component of modern cybersecurity strategies, as it helps organizations protect their sensitive data in an increasingly complex and interconnected digital environment. By assuming that no entity, whether internal or external, can be trusted by default and implementing robust access controls, organizations can enhance their data security and reduce the risk of data breaches.

Colrows provides various options to configure access policies that provide granular control over data.