As more businesses migrate to cloud platforms for data management, the risks of data breaches and unauthorized access to sensitive information increase. Snowflake, the popular cloud data warehouse, addresses these challenges by providing robust data encryption, access controls, monitoring, and network security to protect your data throughout its lifecycle.

With Snowflake’s security integration features, you can create a security environment that meets your requirements. This approach helps you effectively implement security measures within the data cloud, facilitate authorized access, and reduce incident response time, enhancing your organization’s overall security.

This article is a Snowflake data security integration guide that will help you understand how to secure your data in Snowflake.

What is Snowflake Security Integration?

Security integration Snowflake involves implementing security measures according to your organization’s requirements and compliance needs. Snowflake security features are designed to be flexible and customizable, helping protect your organization’s sensitive data cohesively.

A comprehensive security integration in Snowflake defines policies and procedures for access controls, monitoring activities, establishing secure connections, and more.

By integrating these security features into the cloud environment, you can actively mitigate risks and enhance your organization’s data security capabilities, thereby enhancing resilience against threats.

Snowflake Security Architecture

Understanding the security architecture is crucial to properly configure security integration in Snowflake. This architecture ensures data confidentiality, availability, and integrity within your organization.

Snowflake security architecture uses three robust security layers that secure your data in its cloud environment.

Snowflake Security Integration: Security Architecture layer
Snowflake Security Integration: Security Architecture layer

Network Security Layer

The network security layer helps protect data in transit to prevent eavesdropping and cyber attacks. Some of the best practices for implementing network security include:

  1. Enforce network policies by setting up rules about who can access the data and how access is handled in your Snowflake account.
  2. Private connectivity options such as Azure Private Link or AWS PrivateLink should be used instead of public internet connections to enhance security.
  3. Set up a firewall to manage client applications’ communication with Snowflake.
  4. Grant Snowflake permissions, including read and write accesses, to access your data on cloud storage for data loading and unloading.

Identity Access Management (IAM)

You must set up the access controls for your Snowflake account for user authentication. The IAM layer best practices include:

  1. Create users and assign roles before granting access. 
  2. Implement authentication and sign-on measures. 
  3. Establish sessions to define specific user roles and access controls, including object-level, column-level, and row-level access controls for authorization.

Data Encryption

For transparent encryption of your data in Snowflake, you can use different implementation measures like:

  1. Use a key hierarchy system to encrypt individual data elements in your Snowflake warehouse.
  2. To enhance security, utilize Snowflake’s Tri-Secret Secure feature for the customer-managed keys (CMK).
  3. When using the Replication feature to replicate a database to another account, enable Tri-Secret Secure in the target account.
  4. Enable period rekeying if your organization requires data rekeying at regular intervals.

How to Create Security Integration in Snowflake?

A security integration in Snowflake is an object that provides an interface between a third-party service and the cloud platform.

You can create a new security integration or replicate the existing one for an account by using this syntax:

CREATE [ OR REPLACE ] SECURITY INTEGRATION [ IF NOT EXISTS ]

  <name>

  TYPE = { API_AUTHENTICATION | EXTERNAL_OAUTH | OAUTH | SAML2 | SCIM }

  ENABLED {TRUE | FALSE }

…

The parameters that are common for every integration type.

  • <name> –  Specify a unique identifier for the integration.
  • TYPE – Specifies the type of interface you are creating between Snowflake and the external service.
  • ENABLED {TRUE | FALSE} – Specifies whether the security integration is enabled or disabled.

NOTE: The parameters for implementing security integration measures in Snowflake differ based on the type of integration you want to apply to your account. Also, to create Snowflake security integration measures, you must have the role of ACCOUNTADMIN.

Snowflake provides five types of security integration, as follows:

1. Security Integration for External API Authentication

You can create security integration for external API authentication in Snowflake to validate and secure access to external services.

The list of optional parameters for this integration must be configured to match the parameters configured when creating a secret based on the chosen OAuth flow.

2. Security Integration for External OAuth

The external OAuth security integration allows the client to use third-party authorization server to obtain access tokens required for interaction with Snowflake.

The required parameters for this integration include:

  • EXTERNAL_OAUTH_TYPE: Specifies the authorization server used for authentication.
  • EXTERNAL_OAUTH_ISSUER: Specifies the URL defining the authorization server.
  • EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM: Maps the access token claims with the user record. 
  • EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE: Specifies the Snowflake user record attribute for mapping the access token with a user record.

Other than this, optional parameters define the integration components you want to add when implementing the measures.

3. Security Integration for Snowflake OAuth

The Snowflake OAuth security integration enables clients who support OAuth to redirect users to the authorization page, where they can generate access tokens for Snowflake access. 

The required parameters for this integration include the following:

  • OAUTH_CLIENT: Specifies the client type and creates an OAuth interface between Snowflake and a custom client as well as with the partner application.
  • OAUTH_REDIRECT_URI: Specifies the client’s URI. Once the authentication is complete, the browser redirects the user to this URI.

Other than this, there are optional parameters for all clients and additional parameters for custom clients, which you can add when implementing the measures.

4. Security Integration for SAML2

The SAML2 security integration measure in Snowflake facilitates single sign-on workflows. It enables you to create an interface between Snowflake and a third-party Identity Provider (IdP). 

The important parameters for this integration include:

  • SAML2_ISSUER: A string value that contains Entity ID or Issuer of the IdP.
  • SAML2_SSO_URL: A string that contains the IdP SSO URL, where the Snowflake service provider will redirect the user with a SAML authentication request message.
  • SAML2_PROVIDER: A string that describes the type of IdP.
  • SAML2_X509_CERT: A Base64 encoded signing certificate of the IdP.

Other than this, optional parameters define the integration components you want to add when implementing the measures.

5. Security Integration for SCIM 

The SCIM security integration allows you to automate the management of user roles and identities by creating an interface between Snowflake and a third-party Identity Provider (IdP).

The required parameters for this integration include:

  • SCIM_CLIENT: Specifies the type of SCIM client. 
  • RUN_AS_ROLE: Specifies the Snowflake SCIM role owning any roles and users imported from IdP to Snowflake using SCIM. 

Other than this, optional parameters define the integration components you want to add when implementing the measures.

How to Replicate Security Integration & Network Policies in Snowflake for Various Accounts 

Snowflake allows the replication of security integrations and network policies for federated authorization standards – OAuth, SSO (SAML2), and SCIM. It also provides the option to enable failover/failback for each integration and network policy.

As each security integration and network policy has different use cases, the steps involved in replication differ slightly. In some cases, you might also need to implement Snowflake alter security integration measures that help you modify the properties of your existing integration.

Replication for SAML2 Security Integration

The replication of SAML2 security integration in Snowflake links your source and target accounts to the IdP by specifying a connection URL in the security integration definition of SAML2. You need to update the identity provider and confirm that users exist in the source account. With these updates, you can ensure that the user is able to access the target account.

To replicate SAML2 security integration, follow the steps below:

Source Account Steps

  • Configure your source account for Database Failover/Failback and Client Redirect.
  • Create a Snowflake application in the IdP, specifying the connection URL.
  • Update the SAML2 security integration to specify the connection URL in the source account.
  • Assign the Snowflake application to users.
  • Verify SSO configuration for the source account.
  • Create a failover group in the source account or alter the existing one to include integrations.

Target Account Steps

  • Verify the number of security integrations and users in the target account. 
  • Create a secondary connection and failover group in your target account. 
  • Refresh the secondary failover group to verify whether the operation is successful or not.
  • Promote the secondary connection as the primary in the target account.

For detailed information, refer to the document section: replicating SAML2 security integration

Replication for OAuth Security Integration

Replication for OAuth security integration measures include Snowflake OAuth and External OAuth security integrations.

To replicate the security integration for OAuth, follow the steps below:

Source Account Steps

  • Configure your failover group in your source account to specify security integrations

Target Account Steps

  • Refresh the secondary failover to update the target account for including OAuth security integration objects.
  • Verify the connection for each Snowflake account using your choice of OAuth client. 
  • Promote the secondary failover group and secondary connection to the primary in the target account. This will make the target account the new source account. 
  • Reverify the connection to each Snowflake account.

Note:

a) With Snowflake OAuth, you do not need to re-authenticate your target account every time after replication.

b) With External OAuth, you might need to re-authenticate the target account after replication.

For detailed information, refer to the Snowflake document section: replicating OAuth security integration.

Replication of Network Policies

When you replicate a network policy from the source account to the target account, the administrators can restrict access to the target account. The restriction is based on the origin of the request in the target account.

Note: When performing replication for network policies, it includes both the network policy object and references/assignments. If the referenced object or the network policy-assigned object does not exist in the target account, then include the object type in the same replication or failover group as the network policy. 

To replicate the network policies, follow the steps below:

Source Account Steps

  • Verify that the network policies exist in the source Snowflake account using the SHOW NETWORK POLICIES command.
  • Verify the inclusion of a network policy in the Snowflake OAuth and/or SCIM security integrations using the SHOW INTEGRATIONS command followed by the DESCRIBE INTEGRATION command on the OAuth security integration.
  • Using the ALTER FAILOVER GROUP command, update the failover group to include network policies and relevant account parameters.

Target Account Steps

  • Refresh the secondary failover group to update the network policy objects in the target account and the Snowflake OAuth security integration specifying the network policy.
  • Execute a SHOW NETWORK POLICIES command to verify the network policy object exists, followed by the DESCRIBE SECURITY INTEGRATION to verify the Snowflake OAuth security integration specifies the replicated network policy.
  • Verify the activation of network policy for the target account as per the identification of a network policy activated at the account or user level
  • Verify the connection to each Snowflake account with your choice Snowflake OAuth client. 

For detailed information, refer to the Snowflake document section: replicating network policies

Challenges in Implementing Snowflake Security Integration 

Even though Snowflake creates security integration to enhance data security, some challenges are associated with implementing these measures.

  • Complex Configuration: Each type of security integration in Snowflake requires specific parameters and configurations, making the setup process complex and time-consuming.
  • Maintaining Updates: It is difficult to track the integration changes when dealing with third-party services.
  • Scalability: It can be challenging to scale large volumes of authentication requests without impacting operational efficiency.

How Does Hevo Help Streamline Your Snowflake Security Integration?

Hevo is a real-time ELT data integration platform that helps you streamline the integration of security measures within Snowflake using its no-code, flexible, and automated data pipelines. It supports integrations with 150+ data sources, including databases, file storage, and SaaS platforms; you can fetch data from the required sources and load it into a targeted destination like Snowflake. 

Benefits of Using Hevo

  • Data Transformation: Hevo offers two types of data transformation features: Python-based and drag-and-drop transformation. These features allow you to prepare your data before loading it into the destination.
  • Automated Schema Mapping: Hevo’s automated schema mapping facilitates converting the schema of your source data to match that of the targeted system. This feature helps you ensure the data structure is replicated correctly and presented within the destination.
  • Incremental Data Loading: Incremental data loading allows you to load only the modifications and changes in your source data into the targeted system. It helps you keep track of changes, minimize data loading time, and maintain data consistency.
  • Infrastructure Security: Hevo follows strict security policies to maintain a secure infrastructure. All connections interacting with Hevo are encrypted using HTTPS, and access to resources is limited to Hevo’s VPN. It ensures that your data is protected during integration.

Best Practices for Snowflake Security Integration

Implementing security in Snowflake data warehouse helps you maintain a secure data environment. Here are some of the best practices to apply robust security measures within this cloud platform: 

  • Multi-Factor Authentication(MFA): MFA requires you to verify your identity with multiple methods of authentication to gain access to the Snowflake account. Consider enabling MFA for all users in your Snowflake environment to protect sensitive data from unauthorized access.
  • Prevent Data Exfiltration: It is important to prevent your sensitive data from being copied and retrieved without permission. You can use Snowflake’s encryption features, such as customer-managed keys, role-based encryption, and private connectivity for securing connections.
  • Data Monitoring: Continuous data monitoring allows you to track data access and activities and respond to potential threats promptly. Set up automated alerts in Snowflake to identify unusual data access patterns or security breaches.

Conclusion

Snowflake security integration features offer confidentiality and data security in your cloud warehouse. The platform offers comprehensive security integration features designed to protect your data across various stages of data handling.

You can implement or replicate different types of integrations within the Snowflake environment tailored to your specific security requirements. For continuous vigilance over your security measures, you can use an ELT tool like Hevo. It facilitates the secure integration of your data in near real-time, ensuring that data transfers are handled with the highest security standards. This helps maintain data confidentiality and integrity throughout its lifecycle in Snowflake.

Want to take Hevo for a spin? Sign Up for a 14-day free trial and experience the feature-rich Hevo suite firsthand. Also checkout our unbeatable pricing to choose the best plan for your organization.

Share your experience of Snowflake Security integration in the comments section below!

FAQs

Q1. How to integrate Snowflake with security tools?

You can use OAuth to provide third-party security tools with secure delegated access to Snowflake. Alternatively, you can also enable access and query history in Snowflake to monitor data activities.

Q2. What are some of the Snowflake compliance and regulatory standards?

Snowflake follows industry standards to assure its customers of data compliance, integrity, and security. Here are some of the compliance and regulatory standards followed by Snowflake: 

  • ISO-27001, ISO-27017, ISO-27018
  • SOC 1 Type II, SOC 2 Type II
  • HITRUST CSF 
  • PCI DSS
  • C5 
  • CJIS

You can refer to the regulatory compliance document to know the complete list of compliance standards Snowflake follows.

Q3. What are the security features in Snowflake?

Some of the security features that Snowflake provides include:

  • Password and federated authentication
  • Key pair authentication in Snowpipe
  • Multi-factor authentication
  • Network policies to restrict access to and from the Snowflake network

You can refer to the security features document to get the complete list of features that Snowflake offers.

mm
Customer Experience Engineer, Hevo Data

Skand, with 2.5 years of experience, specializes in MySQL, Postgres, and REST APIs at Hevo. He efficiently troubleshoots customer issues, contributes to knowledge base and SOPs, and assists customers in achieving their use cases through Hevo's platform.

All your customer data in one place.