Governance That Drives AI From Pilot to Reality — with Atlan + Snowflake. Watch Now →

Snowflake Data Security: A Complete Guide for 2024

Updated October 28th, 2024

Share this article

A data platform like Snowflake manages core operations, such as ingestion, transformation, quality, and consumption. Since these involve data storage and movement, securing data during these processes is essential. Snowflake offers robust data security features, including data masking, access policies, and fine-grained access controls.

Scaling AI on Snowflake? Here’s the playbook - Watch Now

Snowflake also integrates with many data ecosystem tools for data quality, advanced transformation, and business intelligence. However, maintaining consistent security across these tools can be challenging without a unified security model—hence the need for a data control plane.

This article explores Snowflake’s data security features and how an organization-wide control plane for data can enhance them.

Table of contents #

  1. Snowflake’s data security features
  2. Enhancing Snowflake data security with Atlan
  3. Summary
  4. Snowflake data security: Related reads

Snowflake’s data security features #

Snowflake provides data security through authentication, authorization, private networking, encryption, and auditing, with additional privacy and governance tools to support industry or regional compliance requirements.

Most of these features are bundled into its Continuous Data Protection (CDP) offering, which safeguards data throughout its lifecycle.

Here’s a look at Snowflake’s key security features across different stages:

  • Authentication : Snowflake supports all the major authentication mechanisms, including federated SSO, OAuth, and MFA. It also supports all the popular identity providers, such as Okta, Microsoft AD FS, Microsoft Entra ID, OneLogin, and Ping Identity.
  • Access control: Snowflake offers fine-grained control over all your data assets with role-based access control (RBAC) and discretionary access control (DAC).
  • End-to-end encryption: To ensure that your data is encrypted at rest and in transit, Snowflake offers end-to-end encryption in internal and external stages. You can use a tool that supports client-side encryption to access the data. Note that you’ll need access to the stage credentials and the encryption key to do that.
  • Network rules: To restrict inbound network traffic from unidentified systems and locations, you can create network rules and enforce them via network policies. This feature also allows you to restrict access to external network locations when working with UDFs and stored procedures.
  • Private networking: Snowflake offers private networking to the core services, internal stages, and also external services. Most of the private networking features are available for all three major cloud platforms – AWS PrivateLink, Azure Private Link, and Google Cloud Private Service Connect.
  • Object tagging and classification: While object tags are primarily used for discovery and governance, they also automatically provide a foundation for enforcing advanced security controls. You can use tags as the basis for masking data in specific tables and columns. Meanwhile, classification is a process you can invoke to create system-defined or custom-made tags for handling PII and PHI data.
  • Data masking and row-level security: Snowflake gives you the option to either use its native data masking feature or outsource it to an external compute resource (AWS Lambda function) using the external tokenization feature.
  • Differential privacy: With the help of privacy domains, budgets, and policies, you can set up differential privacy to help reduce the risk of data exposure. This is achieved by techniques such as noisy aggregates and privacy loss budgeting.
  • Aggregation and projection policies: In addition to data masking and row-level access policies, Snowflake also provides you with the option to prevent certain data from being displayed in the results of a SQL query. Projection policies help you protect certain columns, while aggregation policies help you enforce a specific degree of group by clause for you to get the result.

All these features form a solid foundation for securing data within Snowflake. However, a typical data ecosystem usually consists of tools besides Snowflake that handle the storage and movement of data, such as cloud storage accounts, third-party data transformation tools, etc.

To ensure that consistent data security standards are applied to all the tools in the data ecosystem, including Snowflake, having a control plane of data is important, as it integrates and cuts across all of the tools in your data ecosystem.

Let’s look at how such a control plane for data would enhance your data security and governance posture while giving you consistent experience managing it.

Enhancing Snowflake data security with Atlan #

Like Snowflake, Atlan is also committed to data security and prioritizes it with a well-documented security-first approach. This gives you full control over how you manage access, restrictions, and other security considerations with your Snowflake data assets.

Atlan tightly integrates with Snowflake’s metadata layer, capturing the metadata for all the security-related features you learned about in the previous section. Atlan, then, layers those with another set of security features, which include (but aren’t limited to):

  • No caching or storing of data : Atlan allows you to preview data and run queries from the UI, but it never caches or stores any of the data. Atlan stores only the metadata (table structure, roles, groups) it collects in a secure VPC and various backend databases.
  • Advanced authentication and authorization: Atlan lets you manage identity and authentication using SSO with SAML 2.0 and SSO with SCIM. It supports all the popular identity providers, while also allowing you to use your custom IdP.
  • Data access control: Atlan implements its own fine-grained role-based access control model adhering to the principle of least privilege by denying access by default. Access to data assets in Atlan is controlled by defining three types of access policies: data, metadata, and glossary. Additionally, Atlan’s Transparency Center helps you monitor and control access to data, enforce policies, and even drive other areas of data governance from a singular place.
  • Personas and purposes: Atlan enables you to define policies based on the data governance model that you have in place at your organization. For instance, you can create team-based personas. Doing so helps curate and control access to the data assets better. You can also use purposes to define domains and enable tag-based data protection, especially when you have to protect data assets containing PII and PHI data.
  • Infrastructure security guarantees: Atlan has advanced networking and security controls with several lines of defense to ensure that all your data assets are secure. On top of that, Atlan also provides security monitoring, which you can access using a Grafana endpoint.
  • Encryption: Atlan applies encryption at rest and in transit. It encrypts moving data over HTTPS using TLS. It also encrypts any data stored in object-based storage in your cloud platform with their native server-side storage using the industry-standard AES-256 data encryption.

Also, read → Data governance policy enforcement 101 | The unified control plane in action

Summary #

By using Atlan as a data control plane, you can manage consistent security across Snowflake and other tools in your data ecosystem, creating a stronger, unified security posture.

To learn more about the benefits, visit the Atlan + Snowflake connectivity documentation. You can also explore how Atlan helps with better data governance in Snowflake.

Share this article

[Website env: production]