Businesses today are overflowing with data and thus are majorly dependent on big data platforms that support digital transformation through which they can streamline the flow of data for real-time insights delivery and better decision making.
- However, big data also brings security risks that can harm an organization; failing to secure it leaves the data exposed to a range of threats and, ultimately, to a data breach.
- Accessibility and controllability are therefore equally important for big data security and for maintaining customer trust.
- Snowflake is a Data Warehouse that has become an industry-leading Cloud-Based SaaS (Software-as-a-Service) Data Platform.
- Snowflake is always seeking ways to improve its offerings and enhance its data sharing and security, making it a Data Warehouse of choice.
This article will take you through some of the important aspects of Snowflake security and sharing practices.
Introduction to Snowflake
- Snowflake is a Cloud Data Warehousing solution provided as a SaaS offering. It is built on Amazon Web Services, Microsoft Azure, or Google Cloud infrastructure, which provides a practically unbounded platform for storing and retrieving data.
- Snowflake Data Warehouse uses its own proprietary SQL Database Engine with a unique architecture designed for the cloud.
- The architecture of Snowflake separates its “Compute” and “Storage” units so that each can be scaled independently. This allows customers to use and pay for both services separately.
- It means organizations that have high storage demands but less need for CPU cycles, or vice versa, do not have to pay for an integrated bundle that charges for both, which makes it very attractive to companies.
Like other popular Data Warehouses, it also uses Columnar Storage for parallel query execution.
With Snowflake, there is no hardware or software to select, install, configure, or manage, which makes it ideal for organizations that do not want to dedicate resources to the setup, maintenance, and support of in-house servers.
Snowflake security and sharing functionalities make it easy for organizations to quickly share and secure data in real-time using any available ETL solution. Snowflake’s architecture also allows flexibility with Big Data and is known for its scalability & relative ease of use when compared to other Data Warehouses in the market.
Best Snowflake Security and Sharing Practices
If you’re using Snowflake to store sensitive information, it’s very essential to follow certain Snowflake security and sharing guidelines to detect security risks, prevent as many threats as possible, and react to security incidents in the best way possible.
Follow the below-mentioned Snowflake security and sharing best practices for securing your data in Snowflake.
- Identity and Access Management
Snowflake authenticates the user before allowing access to its services. Once the user is authenticated, Snowflake creates a database session for that user, carrying the roles used to authorize access.
The Client Application uses this session to send requests to Snowflake. Each session has an idle timeout of 4 hours. You can monitor session usage, reuse sessions, and close a session when it is no longer needed.
- Managing user and group access rights
Snowflake gives you full control over the roles and access rights of users. At any point in time, you can control which users or team members can see and change what in the project workspace.
With Row Level Security, you can allow certain users to have restricted access to certain rows of tables with mixed data. You can use context functions to dynamically filter rows for the users.
Your sensitive information stored in Snowflake is transparently encrypted via a key hierarchy, which provides enhanced security levels by encrypting individual pieces of data using different keys.
Snowflake rotates keys every 30 days, which means that new data arriving after 30 days is encrypted under the new key hierarchy. Snowflake security and sharing best practices also suggest that users bring a customer-managed key (CMK) into the encryption process using the Tri-Secret Secure feature.
Row Level Security
One of the best practices to protect data is to implement “Row Level Security” (RLS) to ensure that users can only access what they are supposed to see.
Row Level Security is a Snowflake security mechanism that restricts the records from a table based on the authorization context of the user that is logged in.
Problem Statement
To understand how Row Level Security can be implemented, let’s consider the following example. Create a sample table called Flight_Load_summary holding fictitious flight payload data for different destinations, with each row tagged with a classification label.
CREATE TABLE Flight_Load_summary (Flight_No integer, Destination text, Payload text, Label text);
INSERT INTO Flight_Load_summary (Flight_No, Destination, Payload, Label)
VALUES
    (1, 'Iraq', 'Weapon', 'TS'),
    (2, 'Canada', 'Charcoal', 'UC'),
    (3, 'Japan', 'Battery', 'C'),
    (4, 'Syria', 'Weapon', 'TS'),
    (5, 'Israel', 'Jets', 'S'),
    (6, 'India', 'Aid', 'UC');
Now that the table and the data are ready, let’s implement dynamic row filtering. Suppose each user should see data according to their position, role, and the severity level tagged to their job. Follow the steps below to implement Row Level Security.
Steps to Implement Row Level Security
Step 1: Create a Row Level Security configuration table that maps each role to the labels it is allowed to see (the access control settings, ordered by severity).
CREATE TABLE rows_filtering_by_label (role_name text, Label text);
INSERT INTO rows_filtering_by_label (role_name, Label)
VALUES
    ('TS', 'TS'),
    ('S', 'S'),
    ('S', 'C'),
    ('S', 'UC'),
    ('C', 'C'),
    ('C', 'UC'),
    ('UC', 'UC');
With the above configuration, the TS role sees only the restricted TS data, S sees rows labelled S, C, and UC, C sees rows labelled C and UC, and UC sees only UC rows. TS is the highest level in the role hierarchy, followed by ‘S’, ‘C’, and then ‘UC’ as the lowest.
Step 2: Create a secure view that reads data from the Flight_Load_summary table, joined to the control settings table above and filtered by the current user’s role (using the CURRENT_ROLE() function).
-- Secure view: each role sees only rows whose Label is mapped to CURRENT_ROLE().
-- IN (rather than =) is required because roles such as S and C map to several
-- labels, and a scalar subquery returning more than one row would fail.
CREATE OR REPLACE SECURE VIEW v_flight_summary AS
SELECT *
FROM Flight_Load_summary
WHERE Label IN (
    SELECT Label FROM rows_filtering_by_label
    WHERE role_name = CURRENT_ROLE()
);
Step 3: Grant access to the above-created object to the newly created role.
CREATE ROLE UC;
GRANT ROLE UC TO USER rajivgupta780184;
--Grants for UC
GRANT SELECT ON v_flight_summary TO ROLE UC;
GRANT SELECT ON rows_filtering_by_label TO ROLE UC;
In the above steps, the UC role is created and granted the SELECT privilege on the view and on the control settings table.
Now, when you use the role “UC”, you will only see the results for the label “UC”.
This is how you can implement Row Level Security for Snowflake security.
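The same role-to-label mapping can also be enforced directly on the base table with a Snowflake row access policy, so the filter applies to every query path rather than only to the secure view. This is an added example, not code from the original article; it assumes the two tables created above, and the policy name label_policy, the database/schema names my_db.public, and SYSADMIN as the administering role are chosen here.

```sql
-- Added example, not from the original article: the article's mapping
-- table enforced with a row access policy on the base table, so the
-- filter applies to every query path, not only to the secure view.
-- Assumes the Flight_Load_summary and rows_filtering_by_label tables;
-- label_policy, my_db.public and SYSADMIN are assumed names. Row access
-- policies require Snowflake Enterprise Edition or higher.

-- A row is visible when the caller's current role is mapped to its label.
-- EXISTS handles roles mapped to several labels (S, C); a "= (subquery)"
-- filter would fail as soon as a role had more than one mapping row.
-- The mapping table is read with the policy owner's privileges, so the
-- querying role does not need SELECT on rows_filtering_by_label.
CREATE OR REPLACE ROW ACCESS POLICY label_policy AS (row_label VARCHAR)
RETURNS BOOLEAN ->
  -- Exempt the administering role explicitly; otherwise an unmapped role
  -- (including the table owner) sees no rows at all, which is the safe
  -- default but easy to mistake for an empty table.
  CURRENT_ROLE() = 'SYSADMIN'
  OR EXISTS (
    SELECT 1
    FROM rows_filtering_by_label
    WHERE role_name = CURRENT_ROLE()
      AND Label = row_label
  );

-- Attach the policy to the Label column of the base table.
ALTER TABLE Flight_Load_summary
  ADD ROW ACCESS POLICY label_policy ON (Label);

-- The role still needs the usual object access: USAGE on the database
-- and schema (names assumed) plus SELECT on the table itself.
GRANT USAGE ON DATABASE my_db TO ROLE UC;
GRANT USAGE ON SCHEMA my_db.public TO ROLE UC;
GRANT SELECT ON Flight_Load_summary TO ROLE UC;

-- Check: with the article's mapping, UC returns the two UC rows
-- (Canada, India), S returns the S, C and UC rows, TS returns only the
-- two TS rows, and a role with no mapping row returns nothing.
USE ROLE UC;
SELECT Flight_No, Destination, Label FROM Flight_Load_summary;
```

Repeat the final two statements under each role to confirm the policy before granting it to real users; if the secure view from Step 2 is kept, the two filters agree and the view simply returns the already-filtered rows.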
Frequently Asked Questions (FAQs)
What are the different data security layers?
Snowflake secures customer data using three layers: Network Security, Identity and Access Management (IAM), and Data Encryption. Once the security controls are in place, they can be monitored using the guidelines listed under the Monitoring section.
What are the key security compliances in Snowflake security?
Snowflake is committed to ensuring the privacy and confidentiality of all its users and is continuously expanding its portfolio of security and compliance certifications, for example SOC 1 Type II, SOC 2 Type II, HIPAA, ISO/IEC 27001, and PCI DSS.
Where is the database stored in Snowflake?
The underlying file system in Snowflake is backed by S3 in Snowflake’s account; all data is encrypted, compressed, and distributed to optimize performance. In Amazon S3 the data is geo-redundant, which provides excellent durability and availability.
How do Snowflake security measures secure your data while in the staging area and in transit?
Snowflake prevents third parties from reading data at rest or in transit to and from Snowflake, and minimizes the attack surface, by using end-to-end encryption (E2EE). With E2EE, a message travelling to its destination cannot be read or tampered with by an Internet Service Provider (ISP), an ASP, a hacker, or any other entity. Snowflake also runs in a secure virtual private cloud (VPC) or virtual network (VNet), depending on the cloud platform.
Conclusion
In the cloud, encryption of data both at rest and in transit has become ubiquitous over the last few years as a mitigation for real risks to your data.
Snowflake is a major player in the Cloud Data Warehousing industry and understanding how to securely store data in it has become important.
Snowflake’s encryption, which applies the latest security standards at no additional cost, makes it one of the most secure and easiest-to-use data platforms in the marketplace.
This article introduced you to Snowflake and discussed the main aspects of Snowflake security and sharing. You were later provided with a detailed guide on how to implement Row Level Security for Snowflake security.
But with multiple data sources coming in, this process may become challenging to manage at a large scale.
Snowflake has a list of tools that can be integrated into it by simply accessing its tools page and selecting the platform you need.
Hevo Data is a good data tool to integrate with Snowflake as it helps you to create efficient datasets and transforms your data into insightful actionable leads.
With Hevo you can not only effortlessly export data from sources and load it into destinations such as Snowflake, but also transform and enrich your data and make it analysis-ready, so that you can focus on your business needs and perform insightful analysis using BI tools.
In short, Hevo can help you store your data securely in Snowflake.
Share your experience of working with Snowflake security and sharing practices in the comments section below.
Chirag is a seasoned support engineer with over 7 years of experience, including over 4 years at Hevo Data, where he's been pivotal in crafting core CX components. As a team leader, he has driven innovation through recruitment, training, process optimization, and collaboration with multiple technologies. His expertise in lean solutions and tech exploration has enabled him to tackle complex challenges and build successful services.