Snowflake: Security — Framework SSFW (Part #1)

Cesar Segura
SDG Group

Security is a concern for many companies. When evaluating a data platform, we want to identify its capabilities and compare them with our requirements, to know whether they will be enough to fulfill our needs. Several problems come up along the way, among them:

  • Listing all these features is not always easy or feasible
  • Many people don’t understand some aspects / capabilities
  • They worry about only some capabilities and discard others that are just as important.

In this Security blog (part 1), we will first give an overview of the Snowflake Security Framework (this is not official, but it helps me to place each capability in its spot). SSFW contains the different blocks and features that most cloud service platforms should provide; in this case it is mainly based on Snowflake.

In the next parts of the Security blog series (parts 2 to 4), we will dive into each layer and component and give an overview of the features in each one.

In the later parts of the series (part 5 onwards), we will put the features of some of these layers / components into practice with step-by-step examples.

Snowflake Security Framework — SSFW

With our goal to achieve the maximum level of security, we have to take into consideration all the different capabilities that our platform provides us.

The SSFW gives an overview of the different concepts you have to take into consideration, not only to understand security itself, but also to give your data platform the appropriate level of security for your needs.

In this case, the framework distributes its features across 4 Layers and 5 Segments.

SSFW — Layers

We will navigate through the different layers in which Snowflake provides security features. These are:

Compliance

This layer is not a capability in itself; it covers the external audits that Snowflake passes in order to obtain official regulatory certifications. Through that process, Snowflake covers the most common security needs of different companies. The certifications obtained through these audits are classified by the coverage they apply to:

  • Sector: Depends directly on the industries or governments that use the service.
  • Region: Specific requirements tied to locations in certain countries.
  • Global: Applies globally, independent of Sector and Region.

Network

The network security configuration provides the physical and logical setup to allow/deny inbound/outbound traffic for the different connections.

The main capabilities are:

  • Private Connectivity: Offers the capability to establish private connectivity with the customer's VPC.
  • Network Policies: Policies that control which connections are allowed or blocked.
  • Firewall: Provides internal Snowflake settings so that you can set up the correct redirections to Snowflake services in the customer's VPC.
  • Integrations: Provide an easy way to set up a communication channel to external services/locations, managing what is accepted or denied towards Snowflake or the outside.
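
To make the Network Policies item concrete, here is an added example (not from the original post) of an account-wide allow/block list with a stricter override for one service user. The policy names, the user `etl_svc` and the IP ranges are constructed for illustration.

```sql
-- Added example. All names and addresses are constructed
-- (the IPs come from the RFC 5737 documentation ranges).

-- Account-wide policy: only the corporate ranges may connect.
-- When an address appears in both lists, the blocked list wins.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('192.0.2.0/24', '203.0.113.0/24')
  BLOCKED_IP_LIST = ('192.0.2.66')
  COMMENT = 'Corporate egress ranges only';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- A policy set on a user takes precedence over the account policy,
-- so a service user can be pinned to a single host.
CREATE NETWORK POLICY etl_only
  ALLOWED_IP_LIST = ('198.51.100.10');

ALTER USER etl_svc SET NETWORK_POLICY = etl_only;

-- Checks: confirm which policy is active at each level and what it contains.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;
SHOW PARAMETERS LIKE 'network_policy' IN USER etl_svc;
DESCRIBE NETWORK POLICY corp_only;
```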

Accessibility

This layer covers the management of your internal configuration regarding users: how to provision and maintain them, and how to expose your data to different stakeholders. It is one of the most important steps in securing your platform, and usually the one people most want to know about.

  • Users / Roles Management: Methods to synchronize automatically with the customer's corporate users, or by default to build your own structure inside Snowflake.
  • Authentication: Compatibility with the main authentication methods, providing multiple security features, or by default Snowflake user/password settings.
  • Sessions: Session management on the platform lets you control the life cycle of existing connections. It gives assurance that sessions are not opening more connections than needed.
  • Authorization Objects: An innovative privilege method that controls access to securable objects based on roles/privileges through a hierarchy, letting you customize access to your data with a high level of security.
  • Masking: Multiple methods to mask data, in order to protect PII columns at different levels of sensitivity.
  • Row access: Certain information must be restricted to the appropriate stakeholders only. This feature lets us filter that information dynamically.
  • Secure Data Sharing: Some companies want to be sure that their information can be shared in the safest way. Snowflake provides different methods to share your data, so you can choose the one that best fits your case.
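
The Authorization Objects, Masking and Row access items work together on a single table. The following added example (not from the original post) shows that combination; the database, schema, table, role and policy names are all hypothetical.

```sql
-- Added example. Every object and role name below is hypothetical.

-- Role hierarchy: pii_reader inherits everything granted to analyst.
CREATE ROLE IF NOT EXISTS analyst;
CREATE ROLE IF NOT EXISTS pii_reader;
GRANT ROLE analyst TO ROLE pii_reader;
GRANT ROLE pii_reader TO ROLE SYSADMIN;

CREATE TABLE IF NOT EXISTS demo_db.sales.customers (
  id INT, email STRING, region STRING);
GRANT SELECT ON TABLE demo_db.sales.customers TO ROLE analyst;

-- Masking: only sessions that hold PII_READER see the full address;
-- everyone else sees the local part replaced.
CREATE OR REPLACE MASKING POLICY demo_db.sales.email_mask
  AS (val STRING) RETURNS STRING ->
  CASE WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val
       ELSE REGEXP_REPLACE(val, '^[^@]+', '*****')
  END;

ALTER TABLE demo_db.sales.customers
  MODIFY COLUMN email SET MASKING POLICY demo_db.sales.email_mask;

-- Row access: a mapping table decides which regions each role may see.
CREATE TABLE IF NOT EXISTS demo_db.sales.region_access (
  role_name STRING, region STRING);
INSERT INTO demo_db.sales.region_access VALUES
  ('ANALYST', 'EMEA'), ('PII_READER', 'EMEA'), ('PII_READER', 'AMER');

CREATE OR REPLACE ROW ACCESS POLICY demo_db.sales.region_rap
  AS (row_region STRING) RETURNS BOOLEAN ->
  EXISTS (SELECT 1 FROM demo_db.sales.region_access m
          WHERE m.role_name = CURRENT_ROLE()
            AND m.region = row_region);

ALTER TABLE demo_db.sales.customers
  ADD ROW ACCESS POLICY demo_db.sales.region_rap ON (region);

-- Check: the same query returns different rows and values per role.
USE ROLE analyst;
SELECT id, email, region FROM demo_db.sales.customers;  -- EMEA rows, masked email
```

A role with no row in the mapping table sees no rows at all, so the policy fails closed.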

Encryption

How the information physically resides in storage, and how it travels through the network, can provide an extra layer of security for your data platform. We should not discard it at all.

  • Secure Management: Information needs to be protected in transit and at rest. Snowflake provides Client, Server and Internal methods of encryption to assure you that your data is only yours.
  • Data Physical Encryption: Different features allow data to be encrypted outside Snowflake, or internally so that only specific people can access it.

SSFW — Segments

As we have seen across the different layers, each one contains components that we can group into the levels of the data architecture management stack. The levels of this stack are basically:

  • Laws/policies/methodology: The laws that must be applied to your data service platform. It takes into consideration the methodology and policies for self-managing the service and the capabilities it provides to store, compute and deliver your data.
  • Physical Channel: All the security configurations that apply to the physical inbound/outbound data traffic.
  • Logical Channel: The logical features that let us manage secure interactions, in a customized way, between the connections and their users.
  • Privilege: This level establishes the method you use to apply privileges to specific objects in your data platform.
  • Sensitive Data: The management of your data so that it is stored and viewed by the correct person. Once you have access to the objects that store the data, these features are in charge of showing that data in the correct way.

Conclusions

The order in which you cover your security based on the SSFW goes along with the security that is applied on the data platform, as described above.

It is important to highlight that the more of these points your Data Architecture covers, the more secure your data will be! This doesn’t mean that you have to cover everything you have seen here in order to be fully safe. Snowflake already provides a lot of these features by default. But in some cases there are features that you must customize, and in other cases you have to incorporate one as a new capability.

A good approach to the design of your Data Architecture is as important as the End-2-End Security itself. If there is a glitch in your security, your enterprise will be exposed to a vulnerability that can be exploited. This may lead to a loss of prestige, economic losses and penalties if personal information is leaked, as well as harm to the people whose information is affected.

Before you start ingesting and managing your data, be sure you know all the capabilities you can use, in order to provide the appropriate security level in your Data Platform.

In the next parts of the series, we will cover the most important aspects of the 4 layers.

In the blogs after those, we will go deeper into specific Security components in the different layers, providing a more technical and practical exercise guide.

You can follow the rest of the parts of the series very soon.

I am a SME on different Data Technologies, with 20+ years of experience in Data Adventures. An experienced Snowflake Data Jedi and Data Vault Certified Practitioner.

If you want to know more in detail about the aspects seen here, or other ones, you can follow me on Medium || LinkedIn here.

I hope you have enjoyed it and that this can help you!
