Today we’re announcing Column-Level Security (CLS) for Azure SQL Data Warehouse, an additional capability for managing security for sensitive data. Azure SQL Data Warehouse is a fast, flexible and secure cloud data warehouse tuned for running complex queries fast and across petabytes of data.
As you move data to the cloud, securing your data assets is critical to building trust with your customers and partners. With the introduction of CLS, you can adjust permissions to view sensitive data by limiting user access to specific columns in your tables without having to redesign your data warehouse. This simplifies the overall security implementation as the access restriction logic is located in the database tier itself rather than away from the data in another application. CLS eliminates the need to introduce views to filter out columns for access control management.
Some examples of how this is being used today:
- A financial services firm allows only account managers to have access to customer social security numbers (SSN), phone numbers, and other personally identifiable information (PII).
- A health care provider allows only doctors and nurses to have access to sensitive medical records while not allowing members of the billing department to view this data.
Access to table columns can be controlled based on the user's execution context or their group membership with the standard GRANT T-SQL statement. To secure your data, you define the access policy by granting permissions on specific table columns. For example, to limit access to PII data in your customers table, you can GRANT SELECT permissions on specific columns to the ContractEmp role:
GRANT SELECT ON dbo.Customers (CustomerId, FirstName, LastName) TO ContractEmp;
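The following is an added example, not code from the original post, showing that grant in context and how to audit it afterwards. The table definition is constructed: the SSN and Phone columns and all data types are assumptions.

```sql
-- Constructed table for illustration; SSN and Phone stand in for the PII columns.
CREATE TABLE dbo.Customers
(
    CustomerId int          NOT NULL,
    FirstName  varchar(100) NOT NULL,
    LastName   varchar(100) NOT NULL,
    SSN        char(11)     NOT NULL,
    Phone      varchar(20)  NULL
);

CREATE ROLE ContractEmp;

-- The grant from the post: only the three listed columns become readable.
GRANT SELECT ON dbo.Customers (CustomerId, FirstName, LastName) TO ContractEmp;

-- Queries to run while connected as a member of ContractEmp.
-- Every referenced column is in the grant, so this one is allowed:
SELECT CustomerId, FirstName, LastName FROM dbo.Customers;

-- SSN is not in the grant, so the whole statement is denied:
SELECT CustomerId, SSN FROM dbo.Customers;

-- SELECT * expands to every column, including SSN and Phone, so it is denied too:
SELECT * FROM dbo.Customers;

-- Audit (run as an administrator): list SELECT grants recorded on the table.
-- A NULL column_name means the permission covers the whole table, which
-- would expose the PII columns regardless of any column-level grant.
SELECT pr.name            AS principal_name,
       c.name             AS column_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.columns         AS c
  ON c.object_id = pe.major_id
 AND c.column_id = pe.minor_id
WHERE pe.class = 1                               -- object or column scope
  AND pe.major_id = OBJECT_ID('dbo.Customers')
ORDER BY pr.name, c.column_id;
```

Permissions are cumulative, so the column grant restricts nothing if the same principal also holds SELECT on the whole table, the schema, or the database (for example through db_datareader); the audit query above covers only object-level and column-level entries, so check those broader grants separately.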
This capability is available now in all Azure regions with no additional charge. Azure SQL Data Warehouse continues to lead in the areas of security, compliance, privacy and auditing. For more information, refer to this whitepaper on Microsoft Trust Center.