How Snowflake can help organisations to secure their data
This is the fourth blog in Slalom’s Snowflake series.
In our last blog, we explored access control in Snowflake and how to get it right, first time.
In this post, we’ll be covering how Snowflake can help organisations to secure their data.
GDPR is the European General Data Protection Regulation that governs the capture, retention and the use of Personally identifiable information (PII).
When it comes to PII, organisations have the following responsibilities:
- PII must be stored securely and its confidentiality maintained
- Access to PII must be on a need-to-know or need-to-use basis
- PII must be removed from database systems when no longer needed
Individuals, such as employees or customers also have the following rights when it comes to their PII:
- Individuals must give informed consent before organisations can use their PII
- Individuals have the right to correct or request data held on them
- Subject to rules, individuals can have their PII removed from an organisation’s database
Snowflake Solution
Snowflake provides many ways to secure sensitive data, thereby helping organisations to comply with the GDPR regulations.
The following features can help secure data in Snowflake:
Security:
- Encryption of data in transit and at rest by default when using the PUT and COPY commands
- User control through Multi-Factor Authentication (MFA) and single sign-on
Access Control:
- Providing simple RBAC (Role Based Access Control) that is easy to maintain and audit
- Secure Views to help limit data access
- Control access across accounts through data sharing
Data Architecture:
- Making it easy to isolate sensitive data, and secure it
- Enabling you to anonymise data on-demand or when a data retention period expires
- Making it easy to support data ageing and eventual removal from Snowflake
How should sensitive data be stored in Snowflake?
There are two ways to store sensitive data in Snowflake.
Integrated
- Sensitive data is stored in existing tables
- Row-based views are used to dynamically mask sensitive data
Pros:
- Simple to implement — single table
- Works well for raw data through masking view
- Data classification is easy
Cons:
- Data removal is difficult if data is duplicated
- If data is cloned, access view must be reapplied
or
Isolated
- Sensitive data (PII) is isolated and stored in separate tables
- RBAC is used to secure data
Pros:
- Sensitive data is explicitly defined
- There is a single point of access and security
- There is a single copy of data to anonymise or remove
Cons:
- New tables are required to store sensitive data
- Not suitable for a raw data lake
How can I access sensitive data in Snowflake?
There are two ways to access sensitive data in Snowflake:
Fixed Masking
- Uses dual views — Plain text and masked views
- Access control is through RBAC and schema
- Default schema determines user authority
Pros: It is explicit and uses fixed schema access
Cons: Fixed access with each table and less flexible
or
Dynamic Masking
- Sensitive data is accessed from a single location
- Access control is through row-based view dynamic masking
- Snowflake column level dynamic data masking
Pros:
- Simple access through single view
- Dynamic access within each table
- Controlled by metadata and it is immediately applied
Cons:
- It requires CURRENT_USER() in session which can create problems for BI tools
- Access control is implicit and not obvious
Failure to comply with GDPR can have serious consequences. Breaking GDPR regulations can leave your organisation open to enforcement action that can damage both public reputation and bank balance. But to quote Elizabeth Denham, UK Information Commission Officer: “There’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”
See Managing Security in Snowflake for more information.
How Slalom can help
Slalom has the experience to help your business make the most of Snowflake and set the stage for long-term growth and sustainability.
Our Snowflake credentials include:
- Snowflake Partner of the Year for three consecutive years — 2018, 2019 and 2020
- Over 200 Snowflake certified consultants
- Over 300 Snowflake projects delivered
In our next blog, we explore Snowflake Streams and Tasks.
David Oyegoke is a Data & Analytics Consultant based in Slalom’s London, UK office. Ashish Billore is a Data & Analytics Solution Architect, also based in Slalom’s London, UK office.
Slalom is a modern consulting firm focused on strategy, technology, and business transformation.
