An Overview of Security and Compliance Features in Snowflake

Security is the protective shield that guards your data against hackers and unauthorized access, while Compliance is a set of rules and guidelines that ensures data is handled correctly by following laws, ethics, and industry standards.

Together, they ensure your data is protected while not breaking any rules.

In this blog, we’ll equip you with an overview of the security and compliance features in the Snowflake Data Cloud that help keep your data safe while following best practice compliance rules.

What are the Security Features in Snowflake?

Encryption Mechanisms for Data at Rest and in Transit

End-to-end Encryption (E2EE) is a fantastic way to keep your data safe in Snowflake. It ensures that no one else can read your data when it’s stored or while it’s being moved to and from Snowflake.

Snowflake is a system with different parts: your data, Snowflake itself, and a secure network. You can store your data in other places provided by Snowflake or your organization.

Client-side encryption is similar to having a secret code for your data before it goes to the storage area. Only you and Snowflake know the code; others can’t see your data in the storage area keeps your data safe. Snowflake makes it easy to use this encryption method when moving data between your storage and Snowflake using a master key.

Access Controls and User Authentication

Access control regulates who can interact with various database objects, such as tables, views, and functions. This access control system combines elements of both Discretionary Access Control (DAC) and Role-based Access Control (RBAC).

In Snowflake, securable objects (representing database resources) are controlled through roles. Roles are entities to which specific privileges are assigned, and these roles, in turn, can be assigned to users.

Roles can also be granted to other roles, creating a hierarchical structure. This hierarchy plays a significant role in privilege inheritance, where roles higher in the hierarchy inherit the privileges of roles lower in the hierarchy.

In addition to this, Snowflake uses primary roles for initial authorization and secondary roles to add more privileges, making access control flexible and easy to manage, which is especially useful for organizations with complex security needs.

Federated authentication and Single Sign-On (SSO) allow users to log in securely and efficiently. This setup separates user authentication from access, using identity providers (IdPs) for authentication. Snowflake serves as the service provider (SP). Users can log in through Snowflake or the IdP, and logout can be standard or global, depending on IdP support. Snowflake also supports SSO with private connectivity, but you can use the public or private account URL simultaneously. Additionally, SSO configurations can be replicated for consistency between source and target accounts.

Secure Data Sharing Capabilities

Secure Data Sharing allows you to share specific objects like tables and secure views with other Snowflake accounts. This sharing is read-only, meaning no changes can be made to the shared objects. The process involves creating a share in the provider’s account and granting access to objects, and then consumer accounts can access these shared objects.

It’s important to note that no actual data transfer occurs, which can save on storage costs for both providers and consumers. The provider controls this real-time access, which can be revoked, with various sharing options like listing, direct sharing, and data exchange.

Compliance Frameworks Supported by Snowflake

Snowflake takes special care to follow the rules set by different industries, making sure it meets their specific requirements to ensure its customers have confidence in their data’s safety, security, and effective management.

It has earned certifications that act as a seal of approval, affirming their commitment to high security and compliance standards. These certifications include:

SOC 1 Type II and SOC 2 Type II:
Proving they handle financial and security matters properly.
PCI-DSS (Payment Card Industry Data Security Standard):
Ensuring your credit card information is securely managed.
HITRUST:
Meeting stringent standards for safeguarding healthcare data.
CSA STAR Level 1 (Cloud Security Alliance):
Following best practices for security assurance in cloud computing.
ISO/IEC 27001, ISO 27017:2015, and ISO 27018:2019:
Adhering to international standards for information security.
FedRAMP Moderate:
Certified for a standardized security approach for government agencies.
DoD Impact Level 4 (IL4):
It is authorized to operate at a high-security level for U.S. Department of Defense data.
StateRAMP and TxRAMP:
Participating in state-specific programs and adapting to diverse regulations.
GxP:
Compatible for secure data management in life sciences.
ITAR (International Traffic in Arms Regulations):
Compliance with regulations for handling sensitive defense-related information.
IRAP (Protected):
Meeting Australian Government security standards.
CJIS (Criminal Justice Information Services):
Complying with the FBI’s standards for criminal justice data protection.
IRS Publication 1075:
Adhering to stringent regulatory requirements for Federal Tax Information (FTI) protection.

These certifications collectively showcase Snowflake’s dedication to providing a secure, trustworthy, and compliant environment for data management across various industries and regulatory landscapes.

Data Protection and Privacy in Snowflake

Snowflake simplifies identifying and protecting sensitive data in three steps: analyzing, reviewing, and applying system tags. It accurately recognizes diverse data types and supports various table structures, excluding certain data types like GEOGRAPHY and BINARY. The process computes costs based on data volume.

It enhances data governance by introducing a tagging mechanism. In this context, tags act as metadata labels that users can affix to various data objects within the platform, such as tables and columns. These tags play a pivotal role in overseeing sensitive data for compliance, discovery, and protection purposes, aligning with centralized or decentralized data governance management approaches.

Snowflake also supports masking policies at the schema level to secure sensitive data from unauthorized access. This allows authorized users to view sensitive data at query runtime based on masking policy conditions, offering options like masking, partial masking, obfuscation, or tokenization. This schema-level approach provides flexibility in management, supporting centralized, decentralized, or hybrid strategies.

Auditing and Monitoring

Audit Trail keeps a record of every action, whether it’s a user running a query, making changes to data, or trying to access information. When you need to figure out who did what to your data and precisely when they did it, the Audit Trail is your go-to source. It logs user activities, query details, database tweaks, and more.

While Snowflake has its own monitoring mechanism, sometimes additional tools like Splunk, DataDog, or ELK Stack (Elasticsearch, Logstash, and Kibana) provide a broader perspective. These tools are supercharged assistants, offering advanced visualizations, intelligent alerts, and in-depth log data analysis.

They complement Snowflake by creating a central hub for managing logs, monitoring performance, and assessing overall data health. This is especially valuable for complex data setups or large datasets that require extra attention.

Disaster Recovery and Business Continuity

Snowflake offers powerful features for disaster recovery. One of the key aspects is replication, which lets you create replicas of crucial account objects, such as user data and databases, in different locations or cloud platforms. This strategic replication ensures that even if an issue arises in one area, your data remains accessible from another, creating a safety net for your critical information.

In the face of unexpected events or outages, Snowflake introduces failover mechanisms. If there’s a problem in one region or cloud platform, Snowflake smoothly transitions to a backup, allowing uninterrupted access to your data.

Snowflake doesn’t stop at replication and failover; it also simplifies backup and restore procedures. This is as simple as regularly saving versions of your work.

Snowflake allows you to refresh and restore your replicated data, keeping it up-to-date and ready for action. It lets you roll back to a stable and secure state, minimizing any potential data loss.

Best Practices for Security and Compliance in Snowflake

One of the best practices in Snowflake revolves around the effective utilization of roles and role-based security. This involves defining roles with specific privileges and hierarchies and ensuring that users are appropriately assigned to these roles.

Well-defined role structures facilitate the implementation of the principle of least privilege, granting users the minimum access necessary for their tasks. Regular review and role assignment adjustments enhance the security posture, ensuring access privileges align with evolving business requirements.

The platform transparently encrypts all stored data, and organizations can enhance security by implementing additional encryption measures. Utilizing features like Tri-Secret Secure provides an added layer of protection, allowing customer-managed keys (CMKs) to be used in the encryption process. Proper key management, including automatic rotation of keys and enabling periodic rekeying, contributes to robust data protection strategies.

Regular security assessments and vulnerability scans ensure strong security and compliance in Snowflake. Organizations can stay ahead of emerging threats by conducting periodic security assessments, adhering to compliance requirements, and implementing timely security patches or updates. Vulnerability scans protect the Snowflake environment against potential exploits and support the system’s overall resilience.

Customer Success Stories and Use Cases

Snowflake’s security and compliance features are having a real impact across diverse industries for our customers. Listed below are a few notable examples:

Financial Institutions:
Discover how phData helped a global investment firm build a testing process into their data pipelines that makes it easier to onboard new data providers while maintaining data security and compliance. Read the full story here
Healthcare Providers:
Explore how phData empowered a leading medical device company to enhance efficiency by automating onboarding and managing service requests and alerts. This was achieved by setting up Snowflake with best practices, providing guidance around the creation of Secure Views, and configuring row-by-row security access. Read the full story here.
Manufacturing Entities:
Unpack how phData helped successfully migrate data to Snowflake for a celebrated engineering and construction company that was running into limitations with its existing on-premise Teradata data warehouse. To maximize the power of its data and make it more easily accessible throughout the organization, phData applied Snowflake best practices around security and compliance that backed the data management strategy. Read the full story here.

Closing

Snowflake’s security and compliance capabilities provide a foundation for organizations to build and maintain a secure data environment. With features like native encryption, role-based access control, and comprehensive governance tools, Snowflake empowers users to safeguard sensitive data and achieve regulatory compliance.

Have any additional questions about security and compliance? Need help to succeed with Snowflake? phData can help! Reach out today with your most pressing questions on Security and Compliance in Snowflake.

FAQs

What does Snowflake's security and authentication include?

Snowflake's security and authentication features include access control and user authentication through a hierarchical role-based system, federated authentication, and single sign-on (SSO). It ensures data security through end-to-end encryption (E2EE) for data at rest and in transit, along with client-side encryption options. Snowflake’s secure data sharing capabilities allow read-only sharing of specific objects between the accounts, and a suite of data protection tools, including column-level security and row-level security, ensures control and privacy.

How does Snowflake address data protection and privacy concerns, especially regarding sensitive information?

Snowflake provides several tools for controlling and protecting data, including Column-level Security, Row-level Security, Object Tagging, Data Classification, Access History, and Object Dependencies. These tools allow users to hide sensitive information, decide who can see specific rows, track important data, identify data that needs special protection, keep a data access record, and understand data dependencies. In Snowsight, the Data Governance area acts as a dashboard, providing insights into how data is used and protected.