

Security & Privacy Layers in Snowflake – Overview

By Securiti Research Team
Published September 30, 2021 / Updated April 10, 2023


The Snowflake data cloud is used by thousands of organizations worldwide to store and process data for business analytics, data science, data application development, data engineering, and other similar functions.

Snowflake’s architecture allows storage and computation to scale independently. This enables Snowflake to process multiple workloads quickly and concurrently.

Snowflake uses a similar, layered architecture for data and infrastructure security as well. It includes actions related to data governance, data security, and infrastructure security.

Organizations store personal and sensitive data in Snowflake and process it to improve their business offerings.

What is a ‘Data Security Layer’ in Snowflake?

Data Security Layers in Snowflake can be described as a group of actions that strengthen data security in Snowflake at multiple levels. These security actions can be classified into:

  1. Data Governance - Row Access Controls, Column Level Security, and Object Tagging.
  2. Data Security - Data Encryption, Key-pair Authentication, and Sensitive Data Masking.
  3. Infrastructure Security - Network Access Controls and multi-location data backups.

This article discusses Data Security and Infrastructure Security Layers in Snowflake.

To learn more about Snowflake Data Governance, read our article on 5 things to know about Snowflake Data Governance.

The Data Security Layers in Snowflake

Encrypt data at rest

By default, Snowflake encrypts all stored data end-to-end, meaning only end-users or runtime components can read data. Neither third parties nor Snowflake’s own computing platform can read this data. Encryption helps solidify data protection in Snowflake because even if the data is compromised in a cyberattack, the data cannot be decrypted without the encryption key.

Key-pair Authentication

Data Encryption Keys can be described as a set of unique characters that are used to ‘unlock’ encrypted data. Snowflake uses AES 256-bit encryption with a hierarchical key model. This model is called the Key-pair Authentication model. It adds layers of security by assigning account-level ‘parent’ keys and table/column-level ‘child’ keys. These keys are automatically renewed or ‘rotated’ every 30 days, and old keys are automatically destroyed.

Snowflake’s Tri-Secret Secure Feature Explained

This unique feature creates a master key by combining the customer’s key with a Snowflake-maintained key. If either key in the composite master key is revoked, the encrypted data cannot be decrypted. The dual-key encryption combined with Snowflake’s data access controls makes up the Tri-Secret Secure Feature.

Dynamic Sensitive Data Masking For Additional Data Security

Dynamic Data Masking is a column-level security feature that uses data masking policies to hide text data in tables and view columns at query time. Security teams enforce data masking policies based on user roles or entitlements. For example, if an analyst does not need access to SSNs, the security team can set a policy to mask the data before any analysts can access it.

Dynamic Masking also secures data before it is shared with internal or external stakeholders. This security feature ensures that sensitive data is always used by authorized parties only.
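The SSN case described above, written out as Snowflake SQL. This is an added example, not code from the original article or from Securiti; the database, table, policy, and role names (`hr.public.employees`, `ssn_mask`, `PAYROLL_ADMIN`, `ANALYST`) and the sample rows are hypothetical.

```sql
-- Added example: every object name, role name and row below is constructed.
CREATE OR REPLACE TABLE hr.public.employees (
    id   NUMBER,
    name STRING,
    ssn  STRING
);
INSERT INTO hr.public.employees VALUES
    (1, 'Ada Example', '123-45-6789'),
    (2, 'Bob Example', '987-65-4321');

-- The policy body is evaluated at query time on every read of the column.
-- IS_ROLE_IN_SESSION also matches roles that inherit PAYROLL_ADMIN, whereas
-- CURRENT_ROLE() would compare against the primary role name only.
CREATE OR REPLACE MASKING POLICY hr.public.ssn_mask
    AS (val STRING) RETURNS STRING ->
    CASE
        WHEN val IS NULL THEN NULL
        WHEN IS_ROLE_IN_SESSION('PAYROLL_ADMIN') THEN val
        ELSE '***-**-****'
    END;

-- Attach the policy to the sensitive column. The stored data is unchanged;
-- only the value returned to the querying role differs.
ALTER TABLE hr.public.employees
    MODIFY COLUMN ssn SET MASKING POLICY hr.public.ssn_mask;

-- Check enforcement by running the same query under each role.
USE ROLE ANALYST;
SELECT id, name, ssn FROM hr.public.employees;

USE ROLE PAYROLL_ADMIN;
SELECT id, name, ssn FROM hr.public.employees;

-- Audit which columns the policy currently protects.
SELECT ref_entity_name, ref_column_name, policy_name
FROM TABLE(hr.information_schema.policy_references(
    policy_name => 'hr.public.ssn_mask'));
```

Because the policy is attached to the column rather than to a query, views and shares built on the table return the masked value as well.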

The Infrastructure Security Layers in Snowflake

Network Access Controls

Snowflake allows organizations to regulate site access through IP allow lists and block lists. Any IPs that are not in the allowed list are automatically blocked from accessing the network. This feature strengthens network security significantly.

Additionally, Snowflake provides private connectivity to the Snowflake service and internal stages using AWS PrivateLink and Azure Private Link.
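An allow list and block list expressed as a Snowflake network policy. This is an added example, not code from the original article; the policy names, the `etl_service` user, and the addresses (taken from the 203.0.113.0/24 documentation range) are hypothetical.

```sql
-- Added example: policy names, user name and IP ranges are constructed.
USE ROLE SECURITYADMIN;

-- Account-wide policy: allow the corporate egress range, but carve out one
-- address inside it. Snowflake applies the blocked list before the allowed
-- list, so 203.0.113.99 is refused even though the /24 is allowed.
CREATE OR REPLACE NETWORK POLICY corp_only
    ALLOWED_IP_LIST = ('203.0.113.0/24')
    BLOCKED_IP_LIST = ('203.0.113.99')
    COMMENT = 'Corporate egress range only';

-- Narrower policy for a service account that connects from a single host.
CREATE OR REPLACE NETWORK POLICY etl_only
    ALLOWED_IP_LIST = ('203.0.113.10')
    COMMENT = 'ETL host only';

-- Review the definitions before activating anything.
DESCRIBE NETWORK POLICY corp_only;
DESCRIBE NETWORK POLICY etl_only;

-- A policy has no effect until it is attached. A user-level policy
-- takes precedence over the account-level one for that user.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
ALTER USER etl_service SET NETWORK_POLICY = etl_only;

-- Confirm what is actually in force.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;
SHOW PARAMETERS LIKE 'network_policy' IN USER etl_service;
```

Confirm that the address of the administrative session is inside the allowed list before attaching the account-level policy.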

Multi-location data back-ups

Snowflake keeps backup copies of an organization’s data in multiple locations to maintain steady service. This mitigates the risk of an organization losing its data if the servers in one location become unavailable or are breached in a cyberattack.

Snowflake Data Security & Privacy with Securiti

Securiti combines Snowflake’s privacy and security layers with customized privacy solutions in one powerful system. Combined, the solution offers autonomous Data Intelligence, Governance, Security, and Privacy for Snowflake.

Learn more about Securiti’s solution for Snowflake, or see the solution in action by requesting a demo.
