Security Archives - Zorost Intelligence | AI, Cloud & Data Experts https://zorost.com/tag/security/ Production AI systems for aviation, manufacturing, pharma, government, finance, freight, and geopolitical intelligence. Wed, 20 May 2026 18:52:39 +0000 en-US hourly 1 https://wordpress.org/?v=7.0 https://zorost.com/wp-content/uploads/2025/08/ZOROST-Intel-Logo3_512-150x150.png Security Archives - Zorost Intelligence | AI, Cloud & Data Experts https://zorost.com/tag/security/ 32 32 81719879 Unity Catalog: Governance Done Right https://zorost.com/unity-catalog-governance-done-right/ Tue, 13 Jan 2026 09:00:00 +0000 https://zorost.com/unity-catalog-governance-done-right/ Most governance projects fail because they start with policy. The good ones start with structure. Here is a reference Unity Catalog deployment that supports both governance and data-mesh patterns.

The post Unity Catalog: Governance Done Right appeared first on Zorost Intelligence | AI, Cloud & Data Experts.

]]>

Pull-quote: “Governance that the team can’t navigate is governance that the team will route around.”

Why this matters

Most data-governance projects fail because they start with policy. The good ones start with structure. Unity Catalog’s hierarchy (Catalog → Schema → Table) is the structural foundation that makes policy enforceable.

Reference layout (data-mesh)

catalog: zorost
├── domain_aviation
│   ├── flights_silver
│   ├── delays_gold
│   └── safety_rag
├── domain_manufacturing
│   ├── spc_silver
│   └── capability_gold
├── domain_freight
│   ├── corridors_silver
│   └── emissions_gold
├── domain_finance
│   └── ...
└── domain_governance       ← cross-cutting
    ├── audit_logs
    ├── pii_register
    └── data_quality_metrics

Permission model

Principal What they get
Domain Steward OWNER on domain_X.*
Domain Engineer USAGE on parent catalog + USE_SCHEMA on domain_X. + CREATE on domain_X.
Cross-domain Analyst SELECT on Gold tables only
Auditor SELECT on domain_governance.*
Service Principal (apps) SELECT on specific Gold tables · scoped by token

Row and column security with dynamic views

Unity Catalog supports dynamic views — views whose behavior depends on the current user. A typical pattern:

CREATE VIEW domain_aviation.flights_secure AS
SELECT
  flight_id,
  origin_airport,
  destination_airport,
  CASE WHEN is_member('phi_authorized') THEN passenger_count ELSE NULL END
    AS passenger_count,
  ...
FROM domain_aviation.flights_silver
WHERE
  CASE
    WHEN is_member('all_regions') THEN TRUE
    ELSE region IN (SELECT region FROM domain_governance.user_region_grants
                     WHERE user = current_user())
  END;

is_member(), current_user(), mask(), and filter() together cover row-level, column-level, and full-fledged ABAC patterns.

Tags and classification

Every column and table can carry tags. We standardize a tag taxonomy:

Tag Values Use
pii_class pii, pii_sensitive, phi, pci, none Drives masking and access policy
data_owner domain steward email Clear accountability
freshness_sla realtime, 1h, 1d, 1w Drives monitoring
retention 30d, 1y, 7y, permanent Drives lifecycle

Tags make policy queryable: “show me all PII-tagged columns in domain_finance” returns a row, not an email thread.

Lineage and audit

Unity Catalog captures column-level lineage across SQL, Python, ML, and BI consumption. Audit logs go to a sink the security team owns. Both are queryable via system.access.audit and system.lineage.column_lineage.

Closing

Governance done right starts with structure. Unity Catalog’s hierarchy + permission model + tagging + dynamic views + lineage + audit are the primitives. The implementation is workshop-driven, but the building blocks are stable and the patterns are reproducible.

The post Unity Catalog: Governance Done Right appeared first on Zorost Intelligence | AI, Cloud & Data Experts.

]]> 24304