Snowflake Trust Center: A Framework for Security Compliance


In this blog we look at another layer of governance for security scrutiny. As the title emphasizes, it is about both security and trust, which are crucial aspects of any platform.

Trust Center is currently in Public Preview and is available to all capacity (contract) accounts.

Note: It is not available in trial accounts.

What Is Snowflake Trust Center?

The Snowflake Trust Center is a framework for assessing and monitoring security compliance within your Snowflake account. It runs metadata-based rules derived from the CIS Snowflake Foundations Benchmark, so you can check that your Snowflake environment adheres to industry best practices.

Key Features of the Snowflake Trust Center:

1. Metadata-Based Framework:

  • The Trust Center operates as a metadata-driven system. It executes predefined rules against your Snowflake account, evaluating security configurations and practices.
  • Each rule corresponds to a specific security check, covering aspects such as access controls, encryption, authentication, and data protection.

2. Severity-Based Alerts:

  • When a violation is detected, the Trust Center raises a finding with one of four severity levels:
    Low: Minor issues that require attention.
    Medium: More significant issues that need prompt resolution.
    High: Serious issues that demand immediate action.
    Critical: The most severe findings, which pose a significant risk to the account.
  • These severities help you prioritize remediation efforts.

3. Serverless Compute:

  • The Trust Center leverages serverless compute resources to execute its rules.
  • This ensures efficient and scalable processing without the need for manual intervention.

4. Check Points and Recommendations:

  • Currently, the Trust Center evaluates 39 check points, as detailed in the CIS benchmark document.
  • For each violation, it provides actionable recommendations on how to address the issue.
  • Additionally, it lists the objects (e.g., users, roles, policies) that violate each rule.

5. Focus on Metadata:

  • The Trust Center relies on Snowflake metadata to assess security measures.
  • It checks whether requested setups (e.g., user roles, access policies, encryption keys) exist and are correctly configured.
  • However, it does not validate the effectiveness of the security measures in achieving their intended goals.

6. No Guarantee of Effective Implementation:

  • It’s essential to recognize that the absence of a violation does not guarantee optimal security implementation.
  • While the Trust Center ensures compliance with specified rules, it does not evaluate the overall security posture comprehensively.
  • Organizations must still consider context-specific factors and industry-specific requirements.
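To make "metadata-based" concrete, here is an added example of a hand-written check in the same spirit as a Trust Center rule. It is not code from the original post and not the Trust Center's own rule logic; it is built on Snowflake's documented SNOWFLAKE.ACCOUNT_USAGE views (USERS and GRANTS_TO_USERS) and lists users who hold ACCOUNTADMIN, can log in with a password, and have no Duo MFA enrolled. The conditions chosen are my own and are not one of the 39 shipped rules.

```sql
-- Added example: a metadata-based check in the style of a Trust Center rule.
-- Not the Trust Center's own code; built on the SNOWFLAKE.ACCOUNT_USAGE views.
-- Requires ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database.
-- ACCOUNT_USAGE views lag live metadata by up to about two hours.
USE ROLE ACCOUNTADMIN;

-- Flag ACCOUNTADMIN holders who can authenticate with a password but have no MFA.
SELECT
    u.name                 AS user_name,
    u.has_password,
    u.has_rsa_public_key,
    u.ext_authn_duo        AS mfa_enrolled,
    u.last_success_login,
    g.granted_by
FROM snowflake.account_usage.grants_to_users g
JOIN snowflake.account_usage.users u
    ON u.name = g.grantee_name
WHERE g.role = 'ACCOUNTADMIN'
  AND g.deleted_on IS NULL        -- the grant is still active
  AND u.deleted_on IS NULL        -- the user still exists
  AND u.disabled = FALSE          -- ignore disabled accounts
  AND u.has_password = TRUE       -- password login is possible
  AND u.ext_authn_duo = FALSE     -- but no Duo MFA is enrolled
ORDER BY u.last_success_login DESC NULLS LAST;
```

Every row returned is a violation in the sense the Trust Center uses the word: a configuration that exists (or is missing) in account metadata. That is also the limit of such a check. It can tell you whether MFA is enrolled; it cannot tell you whether the enrolled device is in the right hands or whether an authentication policy actually enforces it at login, which is exactly the caveat in points 5 and 6 above.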

In summary, the Snowflake Trust Center provides a systematic approach to security compliance, surfacing potential weaknesses in your account configuration together with actionable steps to fix them. By enabling this framework in your Snowflake environment, you can strengthen your data security and stay aligned with industry standards.

How To Enable Trust Center?

Trust Center is available to every paid account (capacity or contract); you cannot try it in a trial account.

You can find Trust Center under Monitoring > Trust Center.

Trust Center has two tabs that cover everything.

  1. Findings Tab — This tab shows all outcomes of the security scan. To access it you need either the ACCOUNTADMIN role or one of the following application roles:
SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN

The Findings tab also draws a predefined graph of CIS Benchmark violations day by day, color-coded by severity.

When a particular violation is selected, this tab also shows its recommendation and a summary of the affected objects.

2. Scanner Packages — This tab enables the scanner service. You have to enable the scanner package for the rules to run; by default they run every 24 hours.

You can always change the schedule to suit you. The moment you click the Enable button it asks you for a schedule of your choice.

The tab lists the 39 predefined rules, which run on the chosen schedule and populate the active violations under the Findings tab.

You can always modify the existing schedule later from this tab by following the sequence of steps below.

To get access to this tab you need to either have ACCOUNTADMIN role privilege or do have access to below application role:

SNOWFLAKE.TRUST_CENTER_ADMIN

How Can I Enable Trust Center For a Custom Role?

Below is a code sample that sets up custom roles with the required application roles.

-- Application roles on the SNOWFLAKE database are granted by ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

-- Trust Center admin custom role: can view findings and manage scanner packages.
-- Note: SECURITY_ADMIN (with underscore) is a new custom role and is not the
-- built-in SECURITYADMIN system role; pick a less confusable name if you prefer.
CREATE ROLE SECURITY_ADMIN;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE SECURITY_ADMIN;

-- Trust Center viewer custom role: read-only access to the Findings tab.
CREATE ROLE SECURITY_VIEWER;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE SECURITY_VIEWER;

-- Assign the custom roles to the users who need them.
GRANT ROLE SECURITY_ADMIN TO USER RAJIV_ADMIN;

GRANT ROLE SECURITY_VIEWER TO USER ROB;

How To Monitor Cost For Trust Center?

As mentioned above, Trust Center rules run on serverless compute. The virtual warehouse you select in Trust Center is used only to display results in the UI, not to execute the rules.

You can view the serverless cost with the query below; it reads SNOWFLAKE.ACCOUNT_USAGE, so it must be run as ACCOUNTADMIN (or a role granted access to that share). The date range must start and end on the same day, with the upper bound at the end of the day.

-- Serverless credits consumed by Trust Center scans on 2024-05-22 (Pacific time).
SELECT SUM(CREDITS_USED) AS TRUST_CENTER_CREDITS
FROM snowflake.account_usage.serverless_task_history
WHERE
DATABASE_NAME = 'SNOWFLAKE' AND
SCHEMA_NAME = 'TRUST_CENTER_STATE' AND
START_TIME BETWEEN '2024-05-22 00:00:00.000 -0700' AND '2024-05-22 23:59:59.999 -0700';

How To Run Trust Center Immediately?

You can always run the scan on demand by following the sequence of steps below.

How To Disable Trust Center?

You can always disable Trust Center by following the sequence of steps below.

Hope this blog helps you get some insight into the Trust Center feature. If you are interested in more details about Trust Center, refer to the Snowflake documentation. Feel free to ask a question in the comment section if you have any doubts. Give a clap if you like the blog. Stay connected to see many more such cool things. Thanks for your support & love.

You Can Find Me:

Subscribe to my YouTube Channel: https://www.youtube.com/c/RajivGuptaEverydayLearning

Follow me on Medium: https://rajivgupta780184.medium.com/

Follow me on X (formerly known as Twitter): https://twitter.com/RAJIVGUPTA780

Connect with me in LinkedIn: https://www.linkedin.com/in/rajiv-gupta-618b0228/

#Keep learning #Keep Sharing #Everyday Learning.
