Security & Privacy Layers in Snowflake
The Snowflake data cloud is used by thousands of organizations worldwide to store and process data for business analytics, data science, data application development, data engineering, and other similar functions.
Snowflake’s architecture allows storage and computation to scale independently. This enables Snowflake to process multiple workloads quickly and concurrently.
Snowflake uses a similar, layered architecture for data and infrastructure security as well. It includes actions related to data governance, data security, and infrastructure security.
Organizations store personal and sensitive data in Snowflake and process it to improve their business offerings.
What is a ‘Data Security Layer’ in Snowflake?
Data Security Layers in Snowflake can be described as a group of actions that strengthen data security in Snowflake at multiple levels. These security actions can be classified into:
- Data Governance — Row Access Controls, Column Level Security, and Object Tagging.
- Data Security — Data Encryption, Key-pair Authentication, and Sensitive Data Masking.
- Infrastructure Security — Network Access Controls and multi-location data backups.
This article discusses Data Security and Infrastructure Security Layers in Snowflake.
To learn more about Snowflake Data Governance, read our article on 5 things to know about Snowflake Data Governance.
The Data Security Layers in Snowflake
Encrypt data at rest
By default, Snowflake encrypts all stored data end-to-end, meaning only end-users or runtime components can read data. No third-parties nor Snowflake’s own computing platform can read this data. Encryption helps solidify data protection in Snowflake because even if the data is compromised in a cyberattack, the data cannot be decrypted without the encryption key.
Data Encryption Keys can be described as a set of unique characters that are used to ‘unlock’ encrypted data. Snowflake uses AES 256-bit encryption with a hierarchical key model. This model is called the Key-pair Authentication model. It adds additional layers of security by assigning account-level ‘Parent’ keys, and table/column-level ‘child’ keys. These keys are automatically renewed or ‘rotated’ every 30 days, and old keys are automatically destroyed.
Snowflake’s Tri-Secret Secure Feature Explained
This unique feature creates a master key by combining the customer’s key with a Snowflake-maintained key. If either key in the composite master key is revoked, the encrypted data cannot be decrypted. The dual-key encryption combined with Snowflake’s data access controls makes up the Tri-Secret Secure Feature.
Dynamic Sensitive Data Masking For Additional Data Security
Dynamic Data Masking is a column-level security feature that uses data masking policies to hide text data in tables and view columns at query time. Security teams enforce data masking policies based on user roles or entitlements. For example, if an analyst does not need access to SSNs, the security team can set a policy to mask the data before any analysts can access it.
Dynamic Masking also secures data before it is shared with internal or external stakeholders. This security feature ensures that sensitive data is always used by authorized parties only.
The Infrastructure Security Layers in Snowflake
Network Access Controls
Snowflake allows organizations to regulate site access through IP allow and blocklists. Any IPs that are not in the allowed list are automatically blocked from accessing the network. This feature strengthens network security significantly.
Additionally, Snowflake provides private connectivity to the Snowflake service and internal stages using AWS PrivateLink and Azure Private Link.
Multi-location data back-ups
Snowflake stores backup copies of an organization’s data and stores it in multiple locations to maintain steady service. This mitigates the risk of an organization losing its data if the servers in one location become unavailable or they are breached in a cyberattack.
Snowflake Data Security & Privacy with Securiti
Securiti combines Snowflake’s privacy and security layers with customized privacy solutions in one, powerful system; combined, the solution offers autonomous Data Intelligence, Governance, Security, and Privacy for Snowflake.