top of page

Foundational practices for Snowflake Security Framework

Establishing a solid foundation within a data platform is paramount in ensuring the strength and security of the underlying data lake or warehouse. If you find yourself grappling with issues pertaining to Role and User mismanagement within your Snowflake platform, here are some recommended practices that can be scaled very easily, with our assistance.


The Snowflake Cloud Data platform boasts unparalleled security, scalability, elasticity, and cost-effectiveness, provided the architecture and security framework is optimized to truly leverage these features.


Roles within Snowflake serve as pivotal account-level entities, governing every aspect of user and application connectivity to Snowflake. They dictate user privileges, delineating what actions users are authorized to perform vs. being restricted. Achieving this level of security requires collaboration between seasoned Snowflake Subject Matter Experts (SMEs) and the Business Data Governance team, drawing from each of their extensive experiences in implementing multiple Snowflake projects to implement efficiencies in Roles management. This collaboration ensures not only the security of the Snowflake account but also safeguards the data within the Snowflake Organization or Account.


At indigoChart, we've delivered bespoke solutions to our clients, specializing in Snowflake platform architecture and role management. At a strategic level, the security framework for any enterprise customer can be outlined as follows:



The above diagram is a mere depiction of how Roles can work within a Snowflake Account. This is an extensive exercise and is driven by the Organization’s Data Governance Model. However, we can assist by automating most of RBAC models while at the same time taking care of your custom data classification, giving you flexibility and freedom to apply tags and policies on your data, with very minimal to zero IT intervention. This is especially useful during the implementation of Data Mesh projects wherein Business and Domain owners brainstorm on access management.


Configuring ADMIN roles in Snowflake must be a well thought process based on enterprise requirements. Custom Admin roles like POLICY, TAG or CUSTOM CLASSIFICATION, AD PROVISIONER etc. must be created carefully and assigned to relevant databases or schemas which do NOT essentially store any data. At the same time, databases that store your DWH data must be created under custom roles and not SYSADMIN which most enterprise fail to understand due to recommendations from their existing service providers or due to lack of knowledge.


With our experience working in early stages of such projects and as certified Snowflake platform ADMINS and Architects, we can help propose solutions that are foundational to the Snowflake data platform to scale as well as help secure your Snowflake platform, using best practices. Here’s how we can help:


  • Establishing a Robust Architecture: Crafting a resilient architecture forms the bedrock of a secure Snowflake platform, ensuring its ability to withstand potential challenges. Having said this, all custom admin roles are isolated from each other’s work, and they do not overlap. For e.g. setting up TAGS on account is the task of TAGADMIN, setting up policies is responsible by POLICYADMIN.

  • Implementing Granular Role Management: Fine-tuning role permissions and access controls is crucial for maintaining data integrity and enforcing security protocols. Most of the time while creating schemas, MANAGE GRANTS is not considered. With our approach, we ensure that only SECURITY ADMIN or SCHEMA OWNER can grant privileges on objects within schema and not the OBJECT OWNER of schema.

  • Regular Security Audits and Updates: Conducting periodic security audits and staying abreast of updates ensures that your Snowflake platform remains fortified against emerging challenges, both in terms of scale and security requirements. Custom dashboards in Streamlit to show geographic logins, failed logins, MFA failed logins, unusual user query patterns, user using most truncates and drops etc.

  • Continuous Monitoring: Implementing real-time monitoring tools and establishing a robust incident response plan enables swift action in the event of usage and security breaches or anomalies. For e.g. a) Auto disabling user if trying to login from unknown network if IP whitelisting not done, b) Checking user level costing and pattern for credit consumptions etc.


Conclusion:

By adhering to these principles and leveraging our expertise, we empower enterprises to fortify their Snowflake environments and uphold the highest standards of data security.


With our extensive knowledge in Snowflake Security Frameworks, we can assist your business in implementing best practices to help secure your data and make the process scalable. We execute on areas of Data and Analytics by embracing and organically expanding your current skills, whether it's developing new solutions or supporting your operations. Contact us right off the bat and we'll take it from there.


Visit us at www.indigoChart.com or drop us a line at hello@indigochart.com


 


Comments


bottom of page