Snowflake Security Best Practices
Snowflake is one of the most popular cloud-based data warehousing platforms currently available. Offered in a Software-as-a-Service or SaaS model, Snowflake takes advantage of unique architecture and full support for ANSI SQL to provide unmatched features and functionality for companies seeking a versatile data platform. Migrating to Snowflake can bring many benefits to businesses of all sizes, provided you understand the security features integrated into Snowflake and follow the security best practices.
Security is a crucial aspect of any cloud-based data solution. Snowflake comes with a full suite of security features that can help you eliminate potential risks and issues. Let us take a look at some of the most important Snowflake security best practices you need to follow.
Snowflake Security Layers
Snowflake makes use of multiple techniques to secure user data. This security is divided into three concentric layers: network security, identity & access management, and data encryption. To understand and follow Snowflake security best practices, you need to understand all three of these aspects and find out the best practices for each layer applicable to your unique use case. Within each layer, there are several things you can do to enhance overall security.
With network security features, you can successfully isolate your instance of Snowflake from outside attacks and unauthorized access. These features can also be used to set up secure access for cloud storage and client applications with Snowflake.
Here are some things to do:
- Use Snowflake’s network policies only to allow connections to known clients. You can declare a specific IP address range that can connect to Snowflake while other IP addresses get blocked. You can also set policies for specific circumstances that allow for overriding the account-level policies.
- Set up private connectivity by configuring your DNS to resolve to Snowflake’s private URL. With the appropriate forwarding rules, users can securely access from the cloud and on-premises. You can then choose to exclude public endpoints or create specific rules for access public endpoints.
- Set up secure cloud storage access for Snowflake for data loading by using the relevant IDs for Azure or AWS in your storage rules.
- Configure your firewall to secure the outgoing traffic to other client applications. You can use specific firewall rules depending on whether you are using a private or public endpoint, set up an SSL passthrough if you are using a proxy, or check for correct connectivity using SnowCD.
Identity and Access Management
Creating and authorizing the right users is a crucial part of securely accessing Snowflake. You can use different security features to manage users, sessions, and authentication. Here are some pointers:
- Use SCIM or build a customized tool for Active Directory syncing users and profiles.
- Create complex passwords and change them frequently to maintain security.
- Understand the different authentication methods supported by Snowflake and allocate based on the specificity of the use case. You can use passwords, OAuth, key pairs, SAML, or external browser-based login. Snowflake also supports Okta native authentication.
OAuth is the most preferred method of authentication if you want heightened security. Snowflake supports both Snowflake OAuth and external OAuth.
- External browser-based authentication is safe to use with desktop tools and SnowSQL.
- If you do not integrate with an Identity Provider, you could use Snowflake’s built-in multi-factor authentication. Otherwise, you can enable multi-factor authentication with your Identity Provider.
- Use roles for object-level access control. You can define a set of roles, set access levels for each, and prevent access in particular cases by roles that do not need access. Through access roles and functional roles, you can create a complex access control system that can provide read-only, read-write, and admin access based on user privileges.
- Facilitate column-level access control through secure views, dynamic data masking, and external tokenization. Either create a centralized masking policy or decentralize to different teams.
- For mixed data tables, you can also restrict access to specific rows by defining access criteria and generating dynamically filtered secure views.
Data encryption is an integral part of data security. Snowflake encrypts all stored data using transparent encryption and a key hierarchy. Individual data pieces are encrypted using different keys, and the keys are automatically rotated every 30 days. Users can also opt for encryption through a customer-managed key. Here are some points to remember:
- Use Tri-Secret encryption when using Snowflake alongside Azure or AWS.
- When replicating a database to a different account, make sure that you enable the Tri-Secret feature in the destination account.
- When using customer-managed keys or CMK, use the automatic key rotation feature that comes from the cloud provider.
- Use the periodic rekeying feature in Snowflake if your organization needs the rekeying of data after specific intervals.
- Use the built-in encryption functions of Snowflake to provide additional encryption to specific columns in addition to the transparent encryption that Snowflake provides by default.
Once you have all these Snowflake security best practices in place, you need to set up proper monitoring to understand if your measures are working correctly. Monitoring can be crucial for the compliance and audit requirements of your organization.
To facilitate this, one thing that can come in handy is Snowflake’s built-in shared account usage database, which can give you access to a year’s worth of audit logs. The login history logs all connections made with Snowflake and a query history that logs every Snowflake query. You can also retain audit data for more than a year by moving this data into a custom database. You can use the user account usage view to get user-specific access information or access the grants account usage views to see where each user has access.
Remaining secure is crucial to meet compliance requirements and to keep the reputation of your business intact. While following these Snowflake security best practices might be enough to secure your data currently, it is important to remember that security threats evolve. Therefore, your strategies should evolve accordingly. Stay updated about the latest security trends and come up with proactive solutions.