

























I have SQL Server databases with top secret, secret and unclassified data. How can we establish custom SQL Server data classification schemes for implementing "need to know" access to data in specific tables? Check out this tip to learn more.
With current regulations such as SOX, HIPAA, etc., protecting sensitive data is a must in the enterprise. In this tip we will see how to implement Row Level Security (RLS) and Cell Level Security (CLS) with the help of SQL Server Label Security Toolkit which you can download from CodePlex http://sqlserverlst.codeplex.com/.
A security label is a marking that describes the sensitivity of an item, in this case, information. It consists of a string containing defined security categories of the information available.
|
ID |
Name |
CreditCardNo |
Classification |
|---|---|---|---|
| 1 | Ken Sánchez | 1010101 | SECRET |
| 2 | Terri Duffy | 8498489 | TOP SECRET |
| 3 | Rob Walters | 4884556 | UNCLASSIFIED |
In order to access the information the users need to have a clearance defined.
|
User |
Clearance |
|---|---|
| Alice | TOP SECRET |
| Bob | SECRET |
| David | UNCLASSIFIED |
So, in this case, assuming a hierarchical security scheme, if Alice performs a SELECT * FROM Table1 he will get all of the three records, because she has TOP SECRET clearance and that includes SECRET and UNCLASSIFIED clearances. And if Bob is the one who performs the previous query, he will get only the records 1 and 3.
This toolkit consists of a framework composed by:
It is important to note that the approach used by this Toolkit makes the assumption that applications using the database will connect by using a specific identity for each end user. This identity could be either a Windows account or a SQL Server login. That's because the security labels are associated to database roles or Windows groups. On SQL Server 2012 you can use the Contained Database feature to create a user without a login.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。