Snowflake provides a set of predefined roles (such as SYSADMIN and ACCOUNTADMIN), but the use of these powerful roles should be limited to appropriate personnel. Instead, Snowflake security best practices encourage customers to create a custom role hierarchy that reflects the security requirements of the data community and users in each Snowflake account.
What is Access Control?
Access control is a technique for ensuring that users are who they say they are and that they have appropriate access to company data. “At a high level, access control is selectively restricting access to data. It has two major mechanisms: verification and approval,” says Daniel Crowley, head of research at IBM X-Force Red, which specializes in data security.
Identity and access management
Once your Snowflake account is available, the next step in gaining access to Snowflake is to authenticate the user. Users must be created in Snowflake before they can access anything. After the user is authenticated, a session is created with the roles used to authorize access in Snowflake.
Managing user and group access rights
At any time, you can change what users or team members can see and change in the project workspace. To manage the roles and access rights of users and groups, go to the Users section of the Home menu. The Users section lists all users and groups with their current role and access rights.
Groups are marked with a blue title bar in the group image. To learn how to manage groups, read Managing Groups and Members. To enable or disable permission management for a group, read here.
Authentication and single sign-on (SSO)
Snowflake supports several authentication methods depending on the interface used, such as client applications using drivers, the user interface, or Snowpipe.
Snowflake clients (drivers and SnowSQL) support username/password, OAuth, key pair, external browser and native Okta authentication. Snowflake supports two types of OAuth:
- Snowflake OAuth where it accepts tokens from the built-in OAuth server
- External OAuth where it accepts tokens from a third-party OAuth server.
External browser authentication only works for client applications running on the user’s computer. That computer must have a browser available, because the driver opens the system browser and redirects the user to the Snowflake login page for authentication. Snowflake’s user interface supports password-based and federated SAML authentication. If you are using Snowpipe to receive data, it supports key pair authentication. Single sign-on (SSO) from client applications is achieved using SAML, OAuth, external browser, and Okta authentication methods.
After authenticating the user, Snowflake creates a database session for the user. The client application can then use the session to send requests to Snowflake. Each session has an idle timeout of 4 hours. Using a session, you can create new child sessions. For example, the classic Snowflake UI creates child sessions, one per worksheet. Best practices for session management are as follows:
- Reuse sessions
- Close the connection when it is no longer needed
- Avoid using CLIENT_SESSION_KEEP_ALIVE
- Monitor session usage
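One way to act on the last two items, as an added example that is not part of the original page: check where CLIENT_SESSION_KEEP_ALIVE is enabled, turn it off for a user, and look for clients that open many sessions instead of reusing them. The user name JDOE and the 7-day window are assumptions.

```sql
-- Added example. JDOE is a constructed user name.

-- 1. See whether keep-alive is enabled at the account or user level.
SHOW PARAMETERS LIKE 'CLIENT_SESSION_KEEP_ALIVE' IN ACCOUNT;
SHOW PARAMETERS LIKE 'CLIENT_SESSION_KEEP_ALIVE' IN USER JDOE;

-- 2. Disable it for the user so idle sessions expire at the idle timeout.
ALTER USER JDOE SET CLIENT_SESSION_KEEP_ALIVE = FALSE;

-- 3. Monitor session usage: sessions created per user and client over the
--    last 7 days. A client with a very high count relative to its peers is
--    usually opening a new connection per request instead of reusing one.
SELECT
    user_name,
    client_application_id,
    authentication_method,
    COUNT(*)        AS sessions_created,
    MIN(created_on) AS first_seen,
    MAX(created_on) AS last_seen
FROM snowflake.account_usage.sessions
WHERE created_on >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY user_name, client_application_id, authentication_method
ORDER BY sessions_created DESC;
```

The ACCOUNT_USAGE views are populated with some latency, so very recent sessions may not appear yet.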
Object-level access control
Roles are used to authorize access to objects such as tables, views and functions in Snowflake. Roles can contain other roles and have a hierarchy. When a database session is created for a user, a primary role is associated with it. All roles in the primary role hierarchy are activated in the session to perform authorization. Take time to establish the correct role hierarchy model ahead of time.
In addition to reviewing the access control section of the Snowflake documentation, Snowflake recommends the following best practices for access control:
- Define functional and access roles
- Avoid granting access roles to other access roles
- Use future grants
- Set default role property for user
- Create a role for each user for database connection usage scenarios
- Use a managed access schema for centralized grant management
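A minimal role hierarchy that follows several of the items above, as an added example that is not part of the original page. The database SALES_DB, schema RAW, roles SALES_RO and ANALYST, and user JDOE are constructed names; the example assumes the database and user already exist.

```sql
-- Added example with constructed object, role and user names.

USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS SALES_RO;  -- access role: holds object privileges only
CREATE ROLE IF NOT EXISTS ANALYST;   -- functional role: what people are granted

USE ROLE SYSADMIN;
-- Managed access schema: object owners cannot hand out grants themselves;
-- only the schema owner or a role with MANAGE GRANTS can.
CREATE SCHEMA IF NOT EXISTS SALES_DB.RAW WITH MANAGED ACCESS;

USE ROLE SECURITYADMIN;
GRANT USAGE  ON DATABASE SALES_DB                 TO ROLE SALES_RO;
GRANT USAGE  ON SCHEMA SALES_DB.RAW               TO ROLE SALES_RO;
GRANT SELECT ON ALL TABLES IN SCHEMA SALES_DB.RAW TO ROLE SALES_RO;
-- Future grant: tables created later are covered without a new GRANT.
GRANT SELECT ON FUTURE TABLES IN SCHEMA SALES_DB.RAW TO ROLE SALES_RO;

-- Access role -> functional role -> SYSADMIN. The access role is never
-- granted to another access role.
GRANT ROLE SALES_RO TO ROLE ANALYST;
GRANT ROLE ANALYST  TO ROLE SYSADMIN;

-- Give the user the functional role and make it the session default.
GRANT ROLE ANALYST TO USER JDOE;
ALTER USER JDOE SET DEFAULT_ROLE = ANALYST;

-- Review the result.
SHOW GRANTS TO ROLE SALES_RO;
SHOW FUTURE GRANTS IN SCHEMA SALES_DB.RAW;
SHOW GRANTS OF ROLE ANALYST;
```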
Column-level access control
If you want to restrict access to sensitive information contained in certain columns, such as PII, PHI, or financial data, Snowflake recommends using the following data management features to restrict access to columns for unauthorized users.
- Dynamic Data Masking: a built-in feature that can dynamically hide column data depending on who is requesting it.
- External tokenization: integrates with partner solutions to detokenize data at request time for authorized users.
- Secure views: you can completely hide columns from unauthorized users.
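Dynamic Data Masking is applied by attaching a masking policy to a column. The following is an added example, not part of the original page; the table CUSTOMERS, its EMAIL column, the policy name EMAIL_MASK and the role PII_READER are constructed names.

```sql
-- Added example with constructed table, policy and role names.

-- Return the real value only when PII_READER is active in the session
-- (directly or through the role hierarchy); everyone else sees the
-- local part of the address replaced.
CREATE MASKING POLICY IF NOT EXISTS email_mask
  AS (val STRING) RETURNS STRING ->
  CASE
    WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val
    ELSE REGEXP_REPLACE(val, '.+@', '*****@')
  END;

-- Attach the policy to the sensitive column.
ALTER TABLE customers MODIFY COLUMN email SET MASKING POLICY email_mask;

-- Check the effect from both sides.
USE ROLE PII_READER;
SELECT email FROM customers LIMIT 5;   -- unmasked

USE ROLE ANALYST;                      -- constructed role without PII_READER
SELECT email FROM customers LIMIT 5;   -- masked as *****@domain

-- List the columns the policy is attached to (run in the policy's database).
SELECT ref_entity_name, ref_column_name
FROM TABLE(INFORMATION_SCHEMA.POLICY_REFERENCES(POLICY_NAME => 'email_mask'));
```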
Both dynamic data masking and external tokenization use masking policies to restrict access to sensitive data to authorized users. In addition to looking at the considerations section of the documentation, Snowflake recommends the following best practices for masking policies:
Row Level Access Control
You may have tables with mixed data where access to certain rows must be restricted to certain users. For example, you can limit the visibility of rows based on the user’s country: US employees can only view US order data, while France employees can view order data only from France. To solve this problem, you can create secure views that use the CURRENT_ROLE() or CURRENT_USER() context functions to dynamically filter rows for the user requesting the view.
All data stored in Snowflake is transparently encrypted using a key hierarchy (with a root of trust supported by the cloud HSM), which provides increased security by encrypting individual pieces of data using a different key. Snowflake also suggests using a customer-managed key (CMK) in this encryption process through a feature called Tri-Secret Secure. Regardless of whether Tri-Secret Secure is used, Snowflake changes keys every 30 days, ensuring that new data received after 30 days will be encrypted using the new key hierarchy.
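The country example above as a secure view, added here and not part of the original page. The ORDERS table with a COUNTRY column, the mapping table COUNTRY_ACCESS, and the roles US_EMPLOYEE and FR_EMPLOYEE are constructed names.

```sql
-- Added example with constructed table, view and role names.

-- Mapping of roles to the countries whose orders they may see.
CREATE TABLE IF NOT EXISTS country_access (
    role_name STRING,
    country   STRING
);
INSERT INTO country_access (role_name, country) VALUES
    ('US_EMPLOYEE', 'US'),
    ('FR_EMPLOYEE', 'FR');

-- SECURE hides the view definition from non-owners and prevents optimizer
-- shortcuts that could leak filtered rows. CURRENT_ROLE() is evaluated
-- for the session that queries the view.
CREATE OR REPLACE SECURE VIEW orders_by_country AS
SELECT o.*
FROM orders o
JOIN country_access a
  ON a.country = o.country
WHERE a.role_name = CURRENT_ROLE();

-- Users query the view only; they get no privilege on the base table
-- or on the mapping table.
GRANT SELECT ON VIEW orders_by_country TO ROLE US_EMPLOYEE;
GRANT SELECT ON VIEW orders_by_country TO ROLE FR_EMPLOYEE;

-- Check: each role should see a single country.
USE ROLE US_EMPLOYEE;
SELECT DISTINCT country FROM orders_by_country;  -- US only

USE ROLE FR_EMPLOYEE;
SELECT DISTINCT country FROM orders_by_country;  -- FR only
```

Because the filter compares against CURRENT_ROLE(), it matches only the session's primary role; a role that merely inherits US_EMPLOYEE sees no rows unless it has its own entry in the mapping table.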