Ensuring your data platform is secure, well-governed, and compliant involves more than just reviewing a few security settings. When looking at the big picture, you should consider user and role management, identity management supporting Single Sign-On (SSO) and Multi-Factor Authentication (MFA), data masking and access policies, audit logging, and more.
That said, a quick and straightforward first step is reviewing key Snowflake Data Cloud account settings that can significantly improve your data security. In this blog, we’ll explore five of the most important Snowflake settings.
Checking and Setting Account Parameters
Before we dive in, here is how a Snowflake user can check the current values of the parameters in a Snowflake account:
SHOW PARAMETERS IN ACCOUNT;
Changing those parameters requires an admin role but is as simple as:
ALTER ACCOUNT SET <parameter_name> = <value>;
1. Periodic Rekeying
This feature periodically changes the encryption keys used to secure your data, reducing the risk of unauthorized access through compromised keys. Regular key rotation aligns with best practices for maintaining robust encryption, helping to ensure compliance with various data security standards and regulations.
By frequently updating encryption keys, this setting helps proactively mitigate risks associated with long-term key exposure and evolving cybersecurity threats, thereby maintaining the integrity and confidentiality of your data in Snowflake’s cloud environment. (Documentation)
ALTER ACCOUNT SET PERIODIC_DATA_REKEYING = true;
2. Data Unloading
This configuration prevents users from unloading data directly to inline URLs, which can be a significant security risk. Inline URLs, unlike controlled storage destinations, may not have the same level of security and can expose data to potential interception or unauthorized access.
Additionally, they could contain access settings directly in the statement or URL. Enabling this setting ensures that data unloading operations are restricted to secure, authenticated storage locations. (Documentation)
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = true;
3. Secure Storage Integrations
This configuration mandates the use of storage integrations when creating external stages, ensuring that data is transferred and stored in a secure and controlled environment. Storage integrations provide a layer of security by managing and centralizing storage credentials rather than embedding them in stage definitions.
This approach not only enhances security by abstracting access details away from the end users but also streamlines credential management and ensures adherence to organizational policies and compliance standards. (Documentation)
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = true;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = true;
4. Strong Client Side Encryption
Setting the key size to 256 bits selects Advanced Encryption Standard (AES) 256-bit encryption, which is one of the most secure encryption methods available. Choosing a 256-bit key size enhances the security of data handled within Snowflake, safeguarding it against potential cryptographic attacks and meeting high standards for data privacy and compliance with various security regulations.
This setting is particularly vital for organizations dealing with highly sensitive or regulated data. (Documentation)
Note: If you are using the JDBC driver, additional JCE policy files must be installed on each client machine from which data is loaded/unloaded.
ALTER ACCOUNT SET CLIENT_ENCRYPTION_KEY_SIZE = 256;
5. Clients Logging Data
When this setting is disabled, Snowflake does not log detailed statement parameters in the query logs. This precaution is essential for preventing the unintentional exposure of sensitive data, such as personal identifiers or confidential business information, which might be included in SQL statement parameters.
By opting to keep this setting turned off, you strengthen data privacy and compliance with data protection regulations, ensuring that potentially sensitive details are not stored in accessible logs. (Documentation)
ALTER ACCOUNT SET CLIENT_ENABLE_LOG_INFO_STATEMENT_PARAMETERS = false;
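To verify all five settings in one pass, the following added example (not part of the original post or of any phData tool) compares the output of SHOW PARAMETERS IN ACCOUNT with the values recommended above. The CTE name `recommended` and the `status` labels are illustrative assumptions; the query relies on the SHOW output columns "key", "value", "default" and "level".

```sql
-- Step 1: list the account parameters. The result set is kept for this
-- session and can be read back with RESULT_SCAN.
SHOW PARAMETERS IN ACCOUNT;

-- Step 2: run immediately after the SHOW statement, so that LAST_QUERY_ID()
-- refers to it. Compares each setting from this post with its recommended value.
WITH recommended AS (
    SELECT column1 AS param, column2 AS expected
    FROM VALUES
        ('PERIODIC_DATA_REKEYING',                           'true'),
        ('PREVENT_UNLOAD_TO_INLINE_URL',                     'true'),
        ('REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION',   'true'),
        ('REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION',  'true'),
        ('CLIENT_ENCRYPTION_KEY_SIZE',                       '256'),
        ('CLIENT_ENABLE_LOG_INFO_STATEMENT_PARAMETERS',      'false')
)
SELECT
    r.param,
    p."value"   AS current_value,
    r.expected  AS recommended_value,
    p."default" AS default_value,
    p."level"   AS set_at_level,   -- empty when the default is still in effect
    -- A parameter missing from the SHOW output yields NULL and is flagged too.
    IFF(LOWER(p."value") = r.expected, 'OK', 'REVIEW') AS status
FROM recommended r
LEFT JOIN TABLE(RESULT_SCAN(LAST_QUERY_ID())) p
       ON p."key" = r.param
ORDER BY status DESC, r.param;
```

Rows marked REVIEW sort first; re-running both statements after each ALTER ACCOUNT confirms that the change took effect.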
Congratulations on taking the first step toward securing Snowflake!
Of course, many more opportunities exist to improve your account’s security, performance, operations, and cost-efficiency. To easily get a comprehensive report of all of our best practices and ensure the parameters above stay compliant going forward, try our Snowflake Advisor tool with one click in the Snowflake Marketplace or via the phData Toolkit today!