Snowflake Security & Sharing Best Practices

Data Security • October 8th, 2021


Businesses today are overflowing with data and so depend heavily on big data platforms that support digital transformation, letting them streamline the flow of data for real-time insight delivery and better decision making.

However, big data brings several security risks that can negatively affect organizations; a failure of big data security leaves your data exposed to various threats and can ultimately cause a data breach.

Accessibility and controllability are therefore equally important for big data security and for maintaining customer trust.

Snowflake is a Data Warehouse that has become an industry-leading Cloud-Based SaaS (Software-as-a-service) Data Platform. 

Snowflake is always seeking ways to improve its offerings and enhance its data sharing and security thereby, making it a Data Warehouse of choice. 

This article will take you through some of the important aspects of Snowflake security and sharing practices.


Introduction to Snowflake


Snowflake is a Cloud Data Warehousing solution provided as a SaaS offering. It runs on Amazon Web Services, Microsoft Azure, or Google Cloud infrastructure and provides a virtually unbounded platform for storing and retrieving data.

Snowflake uses its own proprietary SQL database engine with a unique architecture designed for the cloud.

Snowflake's architecture separates its “Compute” and “Storage” units so that each can be scaled independently. This allows customers to use and pay for both services independently.

This means organizations that have high storage demands but less need for CPU cycles, or vice versa, do not have to pay for an integrated bundle covering both, which makes it very attractive to companies.

Like other popular Data Warehouses, it also uses Columnar Storage for parallel query execution.

With Snowflake, there is no hardware or software to select, install, configure, or manage, therefore, making it ideal for organizations that do not want to have dedicated resources for setup, maintenance, and support for in-house servers. 

Snowflake security and sharing functionalities make it easy for organizations to quickly share and secure data in real-time using any available ETL solution. Snowflake’s architecture also allows flexibility with Big Data and is known for its scalability & relative ease of use when compared to other Data Warehouses in the market.

Simplify Snowflake ETL and Data Integration using Hevo’s No-code Data Pipeline

Hevo Data helps you directly transfer data from 100+ data sources (including 30+ free sources) to Snowflake, Business Intelligence tools, Data Warehouses, or a destination of your choice in a completely hassle-free & automated manner. 

Hevo is fully managed and completely automates the process of not only loading data from your desired source but also enriching the data and transforming it into an analysis-ready form without having to write a single line of code. Its fault-tolerant architecture ensures that the data is handled in a secure, consistent manner with zero data loss.

It provides a consistent & reliable solution to manage data in real-time and always have analysis-ready data in your desired destination.


Best Snowflake Security and Sharing Practices

If you use Snowflake to store sensitive information, it is essential to follow certain Snowflake security and sharing guidelines to detect security risks, prevent as many threats as possible, and react to security incidents in the best way possible.

Follow the below-mentioned Snowflake security and sharing best practices for securing your data in Snowflake.

  • Identity and Access Management

Snowflake authenticates a user before allowing access to its services. Once the user is authenticated, Snowflake creates a session carrying the roles used to authorize access.

  • Sessions

After the user is authenticated, Snowflake creates a database session for the user, which the client application uses to send requests to Snowflake. Each session has an idle timeout of 4 hours. You should monitor session usage, reuse sessions where possible, and close a session when it is no longer needed.

  • Managing user and group access rights

Snowflake gives you full control over the roles and access rights of users. At any point in time, you can control which users or team members can view and change objects in the project workspace.

  • Row Level Access Control

With Row Level Security, you can give certain users restricted access to particular rows of tables that contain mixed data. You can use context functions to dynamically filter rows per user.

  • Data encryption

Sensitive information stored in Snowflake is transparently encrypted via a key hierarchy, which raises the security level by encrypting individual pieces of data with different keys.

Snowflake rotates keys every 30 days, which means that new data arriving after the 30-day rotation is encrypted under the new key hierarchy. Snowflake security and sharing best practices also suggest implementing a customer-managed key (CMK) for the encryption process using a feature called Tri-Secret Secure.

Row Level Security

One of the best practices to protect data is to implement “Row Level Security” (RLS) to ensure that users can only access what they are supposed to see.

Row Level Security is a Snowflake security mechanism that restricts which records of a table are returned, based on the authorization context of the logged-in user.

Problem Statement

To understand how Row Level Security can be implemented, consider the following example. Create a sample table called Flight_Load_summary holding fictitious flight payload data for several countries.

[Screenshot: creating the Flight_Load_summary table. Image Source: www.rajivgupta780184.medium.com]

Now that the table and the data are ready, let's implement dynamic row filtering. Suppose each user should see data according to their position, role, and the severity tagged to their job. Follow the steps below to implement Row Level Security.

Steps to Implement Row Level Security

Step 1: Create a Row Level Security configuration table that maps roles to labels and holds access control settings based on severity.

[Screenshot: the Row Level Security configuration table. Image Source: www.rajivgupta780184.medium.com]

With the above configuration, the TS role will only see restricted TS data. TS is the highest in the role hierarchy, followed by ‘S’, ‘C’, and then ‘UC’ as the lowest priority.

Step 2: Create an abstract view that reads data from the Flight_Load_summary table in combination with the above control settings table and the current user role (using the CURRENT_ROLE() function).

[Screenshot: the view definition using CURRENT_ROLE(). Image Source: www.rajivgupta780184.medium.com]

Step 3: Grant access to the objects created above to the newly created role.

[Screenshots: creating the role and granting privileges. Image Source: www.rajivgupta780184.medium.com]

In the steps above, a role for UC is created and the SELECT privilege on the view and the control settings table is granted to UC.

Now, when you use the role “UC”, you will only see the results for the label “UC”.

[Screenshot: querying the view as the UC role. Image Source: www.rajivgupta780184.medium.com]

This is how you can implement Row Level Security for Snowflake security.
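The three steps above written out as SQL, added here as an example (the article shows them only as screenshots, and this is not the original author's code): the column names, sample rows, `<db>`/`<schema>` placeholders and object names are assumptions, and the closing row access policy goes beyond the article's view-based approach.

```sql
-- Constructed sample data; column names and values are assumptions, not the article's.
CREATE OR REPLACE TABLE flight_load_summary (
    flight_id  NUMBER,
    country    VARCHAR,
    payload_kg NUMBER,
    label      VARCHAR  -- classification label: TS, S, C or UC
);
INSERT INTO flight_load_summary VALUES
    (1, 'US', 1200, 'TS'), (2, 'IN', 800, 'S'),
    (3, 'DE', 650, 'C'),   (4, 'FR', 300, 'UC');

-- Step 1: control settings table mapping a role to the label it may read.
-- severity_rank records the hierarchy (TS highest, UC lowest).
CREATE OR REPLACE TABLE rls_control_settings (
    role_name     VARCHAR,
    label         VARCHAR,
    severity_rank NUMBER
);
INSERT INTO rls_control_settings VALUES
    ('TS', 'TS', 4), ('S', 'S', 3), ('C', 'C', 2), ('UC', 'UC', 1);

-- Step 2: view joining on the caller's active role via CURRENT_ROLE().
-- SECURE hides the definition and stops the optimizer from exposing filtered rows.
-- A role with no mapping row matches nothing, so it sees zero rows (fail closed).
CREATE OR REPLACE SECURE VIEW flight_load_summary_rls AS
SELECT f.*
FROM   flight_load_summary f
JOIN   rls_control_settings c
  ON   c.role_name = CURRENT_ROLE()
 AND   c.label     = f.label;

-- Step 3: the UC role reads only through the view; it gets no grant on the base table.
CREATE ROLE IF NOT EXISTS uc;
GRANT USAGE  ON DATABASE <db>          TO ROLE uc;  -- <db> and <schema> are placeholders
GRANT USAGE  ON SCHEMA   <db>.<schema> TO ROLE uc;
GRANT SELECT ON VIEW     flight_load_summary_rls TO ROLE uc;
GRANT SELECT ON TABLE    rls_control_settings    TO ROLE uc;
-- USE ROLE uc; SELECT * FROM flight_load_summary_rls;  -- query as UC to verify the filter

-- Beyond the article: a Snowflake row access policy applies the same filter on the
-- base table itself, so every query path (not just this view) is covered.
CREATE OR REPLACE ROW ACCESS POLICY flight_rls AS (row_label VARCHAR) RETURNS BOOLEAN ->
    EXISTS (SELECT 1 FROM rls_control_settings c
            WHERE c.role_name = CURRENT_ROLE() AND c.label = row_label);
ALTER TABLE flight_load_summary ADD ROW ACCESS POLICY flight_rls ON (label);
```

Because a view runs with its owner's privileges, the owner role (not UC) needs SELECT on the base table, and anyone who can change the control settings table can change who sees what, so that table deserves the same protection as the data it guards.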

Frequently Asked Questions (FAQs)

What are the different data security layers?

Snowflake secures customer data using three layers: Network Security, Identity and Access Management (IAM), and Data Encryption. After setting up the security controls, you can monitor them using the guidelines listed under the Monitoring section.

What are the key security compliances in Snowflake security?

Snowflake is committed to the privacy and confidentiality of all its users and continuously expands its portfolio of security certifications and compliance attestations, for example SOC 1 Type II, SOC 2 Type II, HIPAA, ISO/IEC 27001, and PCI DSS.

Where is the database stored in Snowflake? 

The underlying file system in Snowflake is backed by S3 in Snowflake's own account; all data is encrypted, compressed, and distributed to optimize performance. In Amazon S3 the data is geo-redundant, providing excellent durability and availability.

How do Snowflake security measures secure your data while in the staging area and in transit? 

The method used to prevent third parties from reading data at rest or in transit to and from Snowflake, and to minimize the attack surface, is end-to-end encryption (E2EE). With E2EE, a message cannot be read or tampered with as it travels to its destination, whether by an Internet Service Provider (ISP), an application service provider (ASP), an attacker, or any other entity. Snowflake also runs in a secure virtual private cloud (VPC) or virtual network (VNet), depending on the cloud platform.

Conclusion

In the cloud, encryption of data both at rest and in transit has become ubiquitous over the last few years as a way to mitigate real risks to your data.

Snowflake is a major player in the Cloud Data Warehousing industry and understanding how to securely store data in it has become important.

Snowflake encryption helps make Snowflake one of the most secure and easiest-to-use data platforms in the marketplace by leveraging the latest security standards, at no additional cost.

This article introduced you to Snowflake and discussed the main aspects of Snowflake security and sharing. You were later provided with a detailed guide on how to implement Row Level Security for Snowflake security. 

But with multiple data sources coming in, this process may become challenging to manage at a large scale. 

Snowflake has a list of tools that can be integrated into it by simply accessing its tools page and selecting the platform you need. 

Hevo Data is a good data tool to integrate with Snowflake as it helps you to create efficient datasets and transforms your data into insightful actionable leads.

Hevo supports 100+ ready-to-use integrations across Databases, SaaS Applications, Cloud Storage, SDKs, and Streaming Services. 

With Hevo you can not only effortlessly export data from sources and load it into destinations such as Snowflake, but also transform, enrich and make your data analysis-ready, so that you can focus only on your business needs and perform insightful analysis using BI tools.

In short, Hevo can help you store your data securely in Snowflake.

Give Hevo Data a try and sign up for a 14-day free trial today. Hevo offers plans & pricing for different use cases and business needs!

Share your experience of working with Snowflake security and sharing practices in the comments section below.
