SecuPi is part of the Snowflake Horizon Partner Ecosystem

22 Jan, 2024
3 min read

Co-authored by:

Ravi Kumar
Senior Partner Sales Engineer, Snowflake

Avihai Segal
Head of Partnerships and Alliances, SecuPi

SecuPi is pleased to be a part of the Snowflake Horizon partner ecosystem. Snowflake Horizon is Snowflake’s built-in governance solution with a unified set of compliance, security, privacy, interoperability, and access capabilities. Snowflake Horizon makes it easy for customers to govern and take immediate action on data, apps, and more across clouds, teams, partners, and customers — both inside and outside of organizations.

With Snowflake Horizon, customers have access to SecuPi, which provides enhanced interoperability and flexibility: native enforcement of data access policies, real-time visibility, and coverage of security, privacy and sovereignty use cases across data platforms. Customers can use SecuPi’s central Policy Management Server and policy administration GUI, with the additional choice of having the SecuPi Enforcer essentially embedded within Snowflake.

SecuPi supports three major advancements in Snowflake Horizon:

  1. Snowflake’s expansion into the enterprise data security event hub for all cloud workloads: its sensitive data discovery and classification is now coupled with the SecuPi Data Security platform, which applies remediation back at the source cloud data platforms using SecuPi’s five overarching access control and de-identification Enforcer techniques.
  2. Snowflake’s new sensitive data lineage, from operational data sources to destination, imposes the fiduciary requirement to apply de-identification, encryption and tokenization to address data sovereignty and privacy requirements. The SecuPi ETL Enforcers, deployed on Kafka, Glue, Azure Data Factory and Talend, to name a few, apply masking, hashing, encryption and tokenization to critical data on-premises and in-country.
  3. The SecuPi client-side encryption Enforcer for Snowflake ensures that the data is always encrypted, with full Segregation of Duties (SoD), and is decrypted only at the authorized client application.

With SecuPi, the central Policy Management Server administers the policies (rules) governing Attribute- or Purpose-Based Access Control (ABAC/PBAC) and Data Protection (dynamic masking, encryption, tokenization, anonymization) directly within Snowflake and the other data platforms in use. These centrally managed policies are then consistently applied and enforced by distributed Enforcers. The SecuPi Management Server also provides end-user accountability, reporting, threshold monitoring, alerting, user behavior analytics (UBA), and privacy compliance (RTBF, restriction of use, records of processing, etc.) by consolidating the data access logs from all of the distributed Enforcers.

SecuPi has already been providing four (4) different methods for implementing data access control and security enforcement and is now offering a 5th method for Snowflake environments. All five methods are now available for use by Snowflake customers, addressing the various Snowflake deployment options and purposes.

The five methods include:

  • Application Overlays – instrumenting Java, Python, Node.JS & .NET Applications for maximum End-User visibility.
  • Smart Driver Wrappers – Transparently intercepting ODBC/JDBC/ADO.NET connections to Databases.
  • In-Line Network Gateways – Network proxy for Postgres, MySQL, Snowflake Web Clients, JDBC, ODBC, ADO.NET, and Python with direct connections.
  • SDK – Enabling customers to build their own custom Enforcers, API calls, etc.
  • Snowflake Native – Leverage Snowflake native security features to enforce data protection policies.

Automated Enforcement Directly within Snowflake – How It Works

Fine-grained access control policies and data de-identification policies are defined in the same way in the SecuPi management server. The newly introduced fifth method for implementing a SecuPi Enforcer enables automated enforcement directly within Snowflake where applicable: SecuPi enforces PBAC, de-identification and data protection at rest and in use, ensuring that rules are applied consistently at runtime across data repositories and applications, whether they are on-prem or in the cloud.

The newly introduced method supports policy enforcement whenever the user identity and all required user or data attributes are available within the Snowflake environment. Where a Shared Application ID is used to access the data on behalf of multiple concurrent end-users, enforcement is limited to controlling access based on that Shared ID.

The same applies to data attributes. For example, if a column in a Customer table holds the Country that each customer record belongs to, a single policy can be generated in SecuPi to restrict access to the records matching the country or countries assigned to an end user. SecuPi simply generates a Row Level Policy and attaches it to the table, so that when users access the table it already carries the correct “WHERE” predicate, and rows are filtered within Snowflake based on the matching Country tag or code.
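The row-level filter described above, written out as Snowflake SQL. This is an added example, not SecuPi’s or Snowflake’s own code: the table, the mapping table, the policy name and the user names are assumptions, and the sample rows are constructed. The post names the HRDEMO_HR role, which is treated here as unrestricted.

```sql
-- Added example (not SecuPi's or Snowflake's own code). Object names are assumptions.
-- Sample table: constructed data standing in for the "Customer Table" in the post.
CREATE OR REPLACE TABLE customers (
    customer_id NUMBER,
    first_name  STRING,
    email       STRING,
    country     STRING
);
INSERT INTO customers VALUES
    (1, 'Ada',  'ada@example.com',  'DE'),
    (2, 'Bob',  'bob@example.com',  'US'),
    (3, 'Chen', 'chen@example.com', 'DE');

-- Mapping table: the country (or countries) assigned to each end user.
-- This is the "user attribute" the policy keys on; it has to live inside Snowflake.
CREATE OR REPLACE TABLE user_country_map (
    user_name STRING,   -- as returned by CURRENT_USER()
    country   STRING
);
INSERT INTO user_country_map VALUES
    ('ANALYST_DE', 'DE'),
    ('ANALYST_US', 'US'),
    ('ANALYST_US', 'CA');   -- a user may be assigned several countries

-- Row access policy: the generated "WHERE" predicate. Returns TRUE for rows the
-- current user may see. HRDEMO_HR (a role from the post) is treated as unrestricted.
-- A user with no mapping row sees no rows at all (fails closed).
CREATE OR REPLACE ROW ACCESS POLICY country_rap
    AS (row_country STRING) RETURNS BOOLEAN ->
    CURRENT_ROLE() = 'HRDEMO_HR'
    OR EXISTS (
        SELECT 1
        FROM user_country_map m
        WHERE m.user_name = CURRENT_USER()
          AND m.country   = row_country
    );

-- Attach the policy to the table on the country column. From now on every
-- query against customers is filtered inside Snowflake, whatever the client.
ALTER TABLE customers ADD ROW ACCESS POLICY country_rap ON (country);

-- Check: logged in as ANALYST_DE, this returns customer_id 1 and 3 only.
-- A shared application ID would collapse all of its end users onto a single
-- mapping row, which is the limitation the post describes.
SELECT customer_id, first_name, country FROM customers ORDER BY customer_id;
```

The predicate keys on `CURRENT_USER()`, so it is only as fine-grained as the identity Snowflake sees; the mapping table, not the policy text, is what changes when a user’s country assignment changes.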

In certain specific circumstances, this method can be a useful or more efficient policy enforcement method. However, there are caveats to consider:

  • With SecuPi’s transparent Snowflake Gateway Enforcer, for example, the same “View” with the same “WHERE” predicate can be generated dynamically at run-time without making any changes to Snowflake. Data access activity logging is also captured completely independently of Snowflake; much like traditional Database Activity Monitoring (DAM) functionality but without the extra product, servers, network traffic, performance and administrative overhead.
  • With SecuPi’s unique Hold Your Own Key (HYOK) capability, any Encrypted or Tokenized columns remain protected in the Cloud and are in the clear (re-identified) only for authorized Users at run-time back On-Prem, or in your Virtual Private Network (VPN). The keys protecting the data are never available or accessible in the public or any shared Cloud environment. HYOK implementations result in minimal changes to the trust model for Cloud Migrations.

Following are detailed descriptions with screenshots showing configuration steps and data access results for SecuPi policy being enforced natively within Snowflake.

Set Dynamic Data Masking (DDM) and Encryption of Selected Columns, Rows and Fields

SecuPi leverages Snowflake’s Java User Defined Function (UDF) to enforce the same SecuPi-managed policies directly within Snowflake. SecuPi managed policies can also be used to set access control, column-level dynamic masking, and row-level filtering policies directly in Snowflake.

The following examples use three Snowflake-defined roles and the “First Name” and “Email Address” columns to show how this works. The three roles are:

FINANCE – Can view encrypted “First Name” and “Email Address” columns (referential integrity maintained).

PUBLIC – Can only view masked “First Name” and “Email Address” columns (can be the default role).

HRDEMO_HR – Can view both “First Name” and “Email Address” in clear text.
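The three-tier behaviour described for these roles, expressed as native Snowflake masking policies. This is an added example and not SecuPi’s or Snowflake’s own code: FINANCE, PUBLIC and HRDEMO_HR are the roles named in the post, while the table, policy names and sample rows are constructed. It assumes the three roles exist and are granted to the user running the `USE ROLE` checks. SHA2 is used as a stand-in for SecuPi’s encryption or tokenization: it is deterministic, so it preserves the join property the post calls referential integrity, but it is neither keyed nor reversible, so it is a demonstration placeholder only.

```sql
-- Added example (not SecuPi's or Snowflake's own code). FINANCE, PUBLIC and
-- HRDEMO_HR are the roles from the post; table and policy names are assumptions.
CREATE OR REPLACE TABLE hr_employees (
    employee_id NUMBER,
    first_name  STRING,
    email       STRING
);
INSERT INTO hr_employees VALUES          -- constructed sample rows
    (1, 'Ada', 'ada@example.com'),
    (2, 'Bob', 'bob@example.com');

-- "First Name": clear for HR, deterministic token for FINANCE, masked for everyone else.
-- Assumption: SHA2 stands in for SecuPi's encryption/tokenization. Being deterministic,
-- equal names stay equal across tables (the referential integrity the post mentions);
-- unlike keyed encryption it is not reversible and not keyed, so it is a demo stand-in.
CREATE OR REPLACE MASKING POLICY first_name_mp AS (val STRING) RETURNS STRING ->
    CASE
        WHEN CURRENT_ROLE() = 'HRDEMO_HR' THEN val
        WHEN CURRENT_ROLE() = 'FINANCE'   THEN SHA2(val, 256)
        ELSE '*****'                                   -- PUBLIC (default role) and others
    END;

-- "Email Address": same three tiers; FINANCE keeps the domain so aggregation still works.
CREATE OR REPLACE MASKING POLICY email_mp AS (val STRING) RETURNS STRING ->
    CASE
        WHEN CURRENT_ROLE() = 'HRDEMO_HR' THEN val
        WHEN CURRENT_ROLE() = 'FINANCE'
            THEN SHA2(LOWER(val), 256) || '@' || SPLIT_PART(val, '@', 2)
        ELSE REGEXP_REPLACE(val, '^[^@]+', '*****')    -- *****@example.com
    END;

-- Attach one policy per column (a column can carry only one masking policy).
ALTER TABLE hr_employees MODIFY COLUMN first_name SET MASKING POLICY first_name_mp;
ALTER TABLE hr_employees MODIFY COLUMN email      SET MASKING POLICY email_mp;

-- Check what each role sees; the stored data never changes, only the query result.
USE ROLE PUBLIC;    SELECT first_name, email FROM hr_employees;  -- *****, *****@example.com
USE ROLE FINANCE;   SELECT first_name, email FROM hr_employees;  -- 64-hex token, token@example.com
USE ROLE HRDEMO_HR; SELECT first_name, email FROM hr_employees;  -- Ada, ada@example.com

-- Inventory of the policies that exist, as in the post's last screenshot.
SHOW MASKING POLICIES;
```

The policy body runs on every read, so a user who switches role sees a different result for the same query with no change to the table; an unmapped role falls into the `ELSE` branch and gets the masked value rather than the clear one.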

When each of the different roles is selected or assigned to a User within Snowflake, they see only the data they are authorized to view in clear text.

Setting FINANCE Role in Snowflake

What FINANCE Role Members see

What PUBLIC Role Members see

What HRDEMO_HR Role Members See

SecuPi essentially deploys agents using Snowflake Java UDFs that then act as an enforcer within Snowflake. These UDFs are continuously updated when the configuration changes and are self-contained within Snowflake (with no external dependency).

Data access control policies are defined within SecuPi using the Native Enforcer – Edit Native Connection menu option of SecuPi. Each time a policy is changed and saved in SecuPi, it is automatically propagated to Snowflake for execution.
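The mechanism behind the two paragraphs above, as an added example rather than SecuPi’s actual UDFs: an inline Java UDF whose source is stored and compiled inside Snowflake, a native masking policy that delegates to it, and the re-deploy step that pushes a changed rule. Table, function and policy names are assumptions, the sample rows are constructed, and the re-deploy step assumes Snowflake lets a function that an attached policy references by name be replaced in place.

```sql
-- Added example (not SecuPi's or Snowflake's own code). Shows the mechanism only:
-- a Java UDF stored inside Snowflake, called from a native masking policy.
CREATE OR REPLACE TABLE udf_demo_customers (customer_id NUMBER, email STRING);
INSERT INTO udf_demo_customers VALUES (1, 'ada@example.com'), (2, 'bad-address');  -- constructed

-- Inline Java UDF: the source below is compiled by Snowflake; no external jar or service.
CREATE OR REPLACE FUNCTION demo_mask_email(email STRING)
RETURNS STRING
LANGUAGE JAVA
RUNTIME_VERSION = '11'
HANDLER = 'EmailMasker.mask'
AS $$
class EmailMasker {
    // Keep the first character and the domain, hide the rest of the local part.
    // Anything not shaped like an address is fully masked (fail closed).
    public static String mask(String email) {
        if (email == null) {
            return null;
        }
        int at = email.indexOf('@');
        if (at <= 0 || at == email.length() - 1) {
            return "*****";
        }
        return email.charAt(0) + "****" + email.substring(at);
    }
}
$$;

-- Masking policy that delegates to the UDF for every role except HRDEMO_HR (role from the post).
-- The policy owner needs USAGE on the function for this to resolve.
CREATE OR REPLACE MASKING POLICY email_udf_mp AS (val STRING) RETURNS STRING ->
    CASE WHEN CURRENT_ROLE() = 'HRDEMO_HR' THEN val ELSE demo_mask_email(val) END;

ALTER TABLE udf_demo_customers MODIFY COLUMN email SET MASKING POLICY email_udf_mp;

-- Pushing a changed rule means re-running CREATE OR REPLACE FUNCTION with the new body.
-- The attached policy keeps calling the function by name, so the new logic applies on
-- the next query without touching the table or the policy (assumption stated in the lead-in).

-- Check from a non-HR role:
SELECT customer_id, email FROM udf_demo_customers;   -- a****@example.com, *****
```

Because the UDF runs inside Snowflake’s own engine, there is no network hop to an external enforcer at query time; the trade-off is that everything the rule needs (the role, the user, any mapping data) must already be present in Snowflake, which is the limitation the post notes for shared application IDs.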

Screenshot showing the setup of Native Enforcer Connection for Snowflake

Native Snowflake Masking Policies Managed from SecuPi

Another SecuPi – Snowflake Data Governance Accelerated program integration is with Snowflake’s native masking capabilities. SecuPi can be used to manage masking policy within Snowflake.

The following screenshot displays the output of the SHOW MASKING POLICIES command. The admin user Kareene is a member of the SECUPI_GOV role, which has permission to manage masking policies within Snowflake. Two masking policies have been created: one to mask the Email Address column and one to mask the Name column.