Don’t Fear the Cloud: A Snowflake Security Solution
Written by Jonathan Sander, Security Field CTO at Snowflake & Atalia Horenshtien, Director of Sales Engineering at SecuPi
With the combination of a great Data Platform and Security Solution, there is no need to be afraid of the cloud anymore.
The new standard – Cloud data platform
Cloud computing has changed enterprise systems as we know them and is the inevitable alternative for next-generation IT. Over the last five years, data warehouse architecture has seen a huge shift towards cloud-based warehouses and data platforms. It is much easier to scale, cheaper to set up, easy and quick to deploy, and the performance is optimized for analytics. There have been challenges as customers look to migrate to the cloud, though. I asked Jonathan Sander, Security Field CTO at Snowflake, about what he sees customers struggling with.
Jonathan: “When a CIO or CDO approaches the board and says they’re going to move their whole data platform to the public cloud, you can be sure the security and compliance folks sitting in the room do a double-take and speak up. They are going to ask a predictable line of questions. They want to know who will be managing the information. Who will have access? How can they control the encryption? Will this platform meet the organization’s regulatory burdens? How is any incident that could potentially involve the platform handled? Snowflake has answers to these questions, and we work with our customers closely to educate them on the vision of how Snowflake can help them achieve a better security posture.”
Meet SecuPi – a leading Security and Privacy Product in the Market
So meet SecuPi! A data-centric, single platform for protecting sensitive data, whether applied for compliance or security purposes (or both), SecuPi secures data on applications with no code changes/API in just a matter of days. SecuPi believes in customers’ flexibility; therefore, the product is AGNOSTIC, working with ANY cloud data platform, ANY cloud host, ANY application and ANY ETL tool.
Jonathan: “Snowflake builds in data protection from the very first moment information crosses the threshold of our drivers on your systems all the way through to the moment it’s consumed again in your analysis. All customer data is encrypted at rest, in transit, at all times without exception. Some customers also want the information itself tokenized, masked, encrypted, or otherwise anonymized across the whole life cycle of the data from creation, to staging, to processing in Snowflake, through to the very moment it ends up in front of the eyes of the authorized data consumer. Snowflake will always provide robust protection for the information it manages, but we also always knew that protection for the customer’s broader ecosystem would come from partners who could touch all the platforms around Snowflake as well as integrate to ensure Snowflake was managed by the same broad policies and protective controls so everything is managed consistently.”
Choose the best GTM partners that share the same values and HAVE an impact
One of our favorite Go-to-Market cloud data platform partners is Snowflake. We evaluate great technology, and Snowflake completely has that! Like SecuPi, Snowflake was developed in the cloud and for the cloud, with the specific problems and challenges that increasingly digital organizations face in mind. Both companies are driven by putting the customer in the center, meeting customer needs, and providing the best, most up-to-date product. At the moment, SecuPi is the only security vendor that integrates straightforwardly with Snowflake and even supports the Snowflake Web Tool and SnowSQL. SecuPi makes sure to work closely with Snowflake’s product team and to support all of Snowflake’s features. Jonathan spells out the reasons why clearly.
Jonathan: “One of Snowflake’s core values is thinking big, and that means Snowflake is always taking on the largest, most complicated organizations as customers and helping them with their most crucial workloads. Just as important as thinking big is the Snowflake value that drives much of these features: own it. If Snowflake was going to be the platform for this extremely important information, then we had to deliver world class data protection. So they built security in from the foundations of the platform at the very start. Those security fundamentals and the excellent operating record of the Snowflake team have gained us certifications like PCI, HIPAA, ISO-27001, and many more. More important than that, it allows our customers to trust that we’re protecting their information every day.”
SecuPi-Snowflake integration Architecture Diagram
About Cloud Data Platform Security
As we mentioned earlier, when it comes to the cloud, you can’t take your eyes off security.
Snowflake encrypts all customer data by default, using the latest security standards, at no additional cost. Snowflake provides best-in-class key management, which is entirely transparent to customers. Despite that, many customers need more safeguards since they have PI/PII/PHI data, and they want to be more secure in the cloud; moreover, regulation is knocking on the door.
There is Nothing like real Business use cases
In the SecuPi product, there are three main modules in addition to Snowflake’s security layers. These modules help our joint customers comply with regulations, especially early cloud adopters with sensitive data. Let’s talk about use cases from the field:
SecuPi Security Module
Customers want absolute control over the encryption of the data before it leaves their on-prem environment and VPC and goes to the data platform. They also don’t want to lose usability of the data (e.g., filtering, grouping, etc.).
– SecuPi can protect the data at rest and in motion by generating dynamic views.
– The flexibility to enforce policies and decide how each column, row, and field is going to look.
– A choice of which encryption technique to use (dynamic masking, FPE functions, tokenization, anonymization, and any 3rd-party encryption) so you can still work on the data. This is also how the data is encrypted before it is loaded into Snowflake.
Need to keep the policies and keys on-prem while your data is in the cloud?
– With SecuPi’s ‘HYOK’ (Hold your own keys), the key is segregated from the cloud data platform and decryption is applied only on apps/tools for users/roles on a “need-to-know” basis. This is exactly the difference from ‘BYOK’ (Bring your own key), where the decryption key resides on the cloud data platform, so all users can access the decrypted data.
‘BYOK’ VS. ‘HYOK’
You can manage multiple keys, even a key per column, and be sure that you are in control of who has access to what.
Fully integrated with a long list of leading HSM tools and KMS solutions
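The pattern the Security Module bullets describe (protect values before load, keep filtering and grouping usable, hold the key outside the platform, reveal clear text by role) can be sketched as follows. This is an added example, not SecuPi's or Snowflake's code: it swaps in HMAC-based deterministic tokenization as one possible technique, uses an in-memory SQLite table as a stand-in for the cloud data platform, and every name, key, role and row in it is hypothetical or constructed.

```python
import hashlib
import hmac
import sqlite3

# Constructed key, held on the customer's side only (a real deployment would
# keep it in an HSM/KMS); it is never sent to the data platform.
ON_PREM_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical need-to-know policy: roles allowed to see clear text.
CLEAR_TEXT_ROLES = {"fraud_analyst"}


def tokenize(value: str) -> str:
    """Deterministic token: equal inputs give equal tokens, so = and GROUP BY work."""
    return hmac.new(ON_PREM_KEY, value.encode(), hashlib.sha256).hexdigest()


def load(rows):
    """Tokenize before load; return the 'cloud' table and the on-prem vault."""
    cloud = sqlite3.connect(":memory:")  # stand-in for the cloud data platform
    cloud.execute("CREATE TABLE payments (ssn_token TEXT, amount INTEGER)")
    vault = {}  # token -> clear value; stays with the key holder
    for ssn, amount in rows:
        token = tokenize(ssn)
        vault[token] = ssn
        cloud.execute("INSERT INTO payments VALUES (?, ?)", (token, amount))
    return cloud, vault


def totals_for(cloud, vault, role):
    """Group on tokens in the 'cloud'; reveal clear values client-side, by role."""
    query = "SELECT ssn_token, SUM(amount) FROM payments GROUP BY ssn_token"
    result = {}
    for token, total in cloud.execute(query):
        key = vault[token] if role in CLEAR_TEXT_ROLES else token
        result[key] = total
    return result


# Constructed sample rows (not real identifiers).
ROWS = [("111-22-3333", 40), ("444-55-6666", 15), ("111-22-3333", 60)]

if __name__ == "__main__":
    cloud, vault = load(ROWS)
    print(totals_for(cloud, vault, "fraud_analyst"))  # clear values as keys
    print(totals_for(cloud, vault, "marketing"))      # tokens as keys
```

Deterministic tokens reveal which rows share a value and how often each value occurs, which is the price of keeping equality filters and grouping usable on a protected column.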
SecuPi Governance Module
Did someone say regulation? Compliance? CCPA, GDPR, HIPAA, etc…
SecuPi can help you with simple, complete solutions for compliance with an ever-increasing list of complex data privacy regulations (e.g., “the right to be forgotten,” “geo-fencing”).
SecuPi Privacy Module
Who is trying to access sensitive data?
Is someone trying to steal the data?
– Most breaches are internal, coming from inside the organization. With SecuPi data loss prevention, you can get full forensics with statistics and user behavior analytics, monitored in real time.
– Fine-grained access control: the ability to calculate a risk score for EVERY interaction with data based on ANY combination of user and session attributes, and to enforce relevant actions (e.g., block, alert). So even if someone has the authority to run a query, if it is suspicious, you can decide what to do with that request.
– Dynamically filtering the result set based on policies and ANY attribute: from the initial session, global, or external (REST API call), plus integration with the familiar IDP platforms (e.g., Okta, LDAP and Active Directory).
Curious to hear more? Want to see a Demo?
Contact us at firstname.lastname@example.org
This post was originally published as a Snowflake Blog article on May 28th, 2020