Join our webinar on democratizing data in the cloud with Forrester, Snowflake and TIAA - Sign up hereStart Now
Published on September 30, 2021 AUTHOR - Privacy Research Team
The Snowflake data cloud is used by thousands of organizations worldwide to store and process data for business analytics, data science, data application development, data engineering, and other similar functions.
Snowflake’s architecture allows storage and computation to scale independently. This enables Snowflake to process multiple workloads quickly and concurrently.
Snowflake uses a similar, layered architecture for data and infrastructure security as well. It includes actions related to data governance, data security, and infrastructure security.
Organizations store personal and sensitive data in Snowflake and process it to improve their business offerings.
Data Security Layers in Snowflake can be described as a group of actions that strengthen data security in Snowflake at multiple levels. These security actions can be classified into:
This article discusses Data Security and Infrastructure Security Layers in Snowflake.
To learn more about Snowflake Data Governance, read our article on 5 things to know about Snowflake Data Governance.
By default, Snowflake encrypts all stored data end-to-end, meaning only end-users or runtime components can read data. No third-parties nor Snowflake’s own computing platform can read this data. Encryption helps solidify data protection in Snowflake because even if the data is compromised in a cyberattack, the data cannot be decrypted without the encryption key.
Data Encryption Keys can be described as a set of unique characters that are used to ‘unlock’ encrypted data. Snowflake uses AES 256-bit encryption with a hierarchical key model. This model is called the Key-pair Authentication model. It adds additional layers of security by assigning account-level ‘Parent’ keys, and table/column-level ‘child’ keys. These keys are automatically renewed or ‘rotated’ every 30 days, and old keys are automatically destroyed.
This unique feature creates a master key by combining the customer’s key with a Snowflake-maintained key. If either key in the composite master key is revoked, the encrypted data cannot be decrypted. The dual-key encryption combined with Snowflake’s data access controls makes up the Tri-Secret Secure Feature.
Dynamic Data Masking is a column-level security feature that uses data masking policies to hide text data in tables and view columns at query time. Security teams enforce data masking policies based on user roles or entitlements. For example, if an analyst does not need access to SSNs, the security team can set a policy to mask the data before any analysts can access it.
Dynamic Masking also secures data before it is shared with internal or external stakeholders. This security feature ensures that sensitive data is always used by authorized parties only.
Snowflake allows organizations to regulate site access through IP allow and blocklists. Any IPs that are not in the allowed list are automatically blocked from accessing the network. This feature strengthens network security significantly.
Additionally, Snowflake provides private connectivity to the Snowflake service and internal stages using AWS PrivateLink and Azure Private Link.
Snowflake stores backup copies of an organization’s data and stores it in multiple locations to maintain steady service. This mitigates the risk of an organization losing its data if the servers in one location become unavailable or they are breached in a cyberattack.
Securiti combines Snowflake’s privacy and security layers with customized privacy solutions in one, powerful system; combined, the solution offers autonomous Data Intelligence, Governance, Security, and Privacy for Snowflake.
PO Box 13039,
Coyote CA 95013