Join our webinar on democratizing data in the cloud with Forrester, Snowflake and TIAA - Sign up here

Start Now
04 November 2021 10:00–11:00 AM PDT

Democratize your data without compromising security and privacy

Register Now
Noel Yuhanna

Noel Yuhanna

VP, Principal Analyst, Forrester Research, Guest Speaker

Oleg Aspis

Oleg Aspis

Managing Director, TIAA

Raja Balakrishnan

Raja Balakrishnan

Data Governance Product Lead, Snowflake

Rehan Jalil

Rehan Jalil

CEO and Founder, Securiti


The Snowflake data cloud is used by thousands of organizations worldwide to store and process data for business analytics, data science, data application development, data engineering, and other similar functions.

Snowflake’s architecture allows storage and computation to scale independently. This enables Snowflake to process multiple workloads quickly and concurrently.

Snowflake uses a similar, layered architecture for data and infrastructure security as well. It includes actions related to data governance, data security, and infrastructure security.

Organizations store personal and sensitive data in Snowflake and process it to improve their business offerings.

What is a ‘Data Security Layer’ in Snowflake?

Data Security Layers in Snowflake can be described as a group of actions that strengthen data security in Snowflake at multiple levels. These security actions can be classified into:

  1. Data Governance - Row Access Controls, Column Level Security, and Object Tagging.
  2. Data Security - Data Encryption, Key-pair Authentication, and Sensitive Data Masking.
  3. Infrastructure Security - Network Access Controls and multi-location data backups.

This article discusses Data Security and Infrastructure Security Layers in Snowflake.

To learn more about Snowflake Data Governance, read our article on 5 things to know about Snowflake Data Governance.

The Data Security Layers in Snowflake

Encrypt data at rest

By default, Snowflake encrypts all stored data end-to-end, meaning only end-users or runtime components can read data. No third-parties nor Snowflake’s own computing platform can read this data. Encryption helps solidify data protection in Snowflake because even if the data is compromised in a cyberattack, the data cannot be decrypted without the encryption key.

Key-pair Authentication

Data Encryption Keys can be described as a set of unique characters that are used to ‘unlock’ encrypted data. Snowflake uses AES 256-bit encryption with a hierarchical key model. This model is called the Key-pair Authentication model. It adds additional layers of security by assigning account-level ‘Parent’ keys, and table/column-level ‘child’ keys. These keys are automatically renewed or ‘rotated’ every 30 days, and old keys are automatically destroyed.

Snowflake’s Tri-Secret Secure Feature Explained

This unique feature creates a master key by combining the customer’s key with a Snowflake-maintained key. If either key in the composite master key is revoked, the encrypted data cannot be decrypted. The dual-key encryption combined with Snowflake’s data access controls makes up the Tri-Secret Secure Feature.

Dynamic Sensitive Data Masking For Additional Data Security

Dynamic Data Masking is a column-level security feature that uses data masking policies to hide text data in tables and view columns at query time. Security teams enforce data masking policies based on user roles or entitlements. For example, if an analyst does not need access to SSNs, the security team can set a policy to mask the data before any analysts can access it.

Dynamic Masking also secures data before it is shared with internal or external stakeholders. This security feature ensures that sensitive data is always used by authorized parties only.

The Infrastructure Security Layers in Snowflake

Network Access Controls

Snowflake allows organizations to regulate site access through IP allow and blocklists. Any IPs that are not in the allowed list are automatically blocked from accessing the network. This feature strengthens network security significantly.

Additionally, Snowflake provides private connectivity to the Snowflake service and internal stages using AWS PrivateLink and Azure Private Link.

Multi-location data back-ups

Snowflake stores backup copies of an organization’s data and stores it in multiple locations to maintain steady service. This mitigates the risk of an organization losing its data if the servers in one location become unavailable or they are breached in a cyberattack.

Snowflake Data Security & Privacy with Securiti

Securiti combines Snowflake’s privacy and security layers with customized privacy solutions in one, powerful system; combined, the solution offers autonomous Data Intelligence, Governance, Security, and Privacy for Snowflake.

Learn more about Securiti’s solution for Snowflake, or see the solution in action by requesting a demo.

Share this

Our Videos

View More

China’s PIPL

China has drafted its new data protection law, Personal Information Protection Law (PIPL) that will strengthen the regulatory framework for privacy and data protection in China.

Learn More
View More

South Africa’s POPIA

The video gives an overview of South Africa's Protection of Personal Information Act (POPIA).

Learn More
privacy policy and notice management View More

Dynamic Privacy Policies & Notices

Automatically Update & Refresh Your Policies and Notices

Learn More
View More

Universal Consent & Preference Management

Simplify and automate universal consent management

Learn More
View More

Cookie Consent Management

Automate and manage the entire consent life cycle with efficiency for various cookie compliance regulations around the world.

Learn More
View More

Sensitive Data Intelligence

Discover granular insights into all aspects of your privacy and security functions while reducing security risks and lowering the overall costs

Learn More

Democratize your data without compromising security and privacy
Register Now