SecuPi Joins Snowflake Data Governance Accelerated Program

11 Jan, 2022

SecuPi is pleased to announce our addition to the Snowflake Data Governance Accelerated Program. This gives joint customers even more flexibility, with an additional option for enforcing data access control and privacy compliance policy. SecuPi customers continue to use the same central Policy Management Server and policy administration GUI they already know, but now have the additional choice of having the Policy Enforcement Point (PEP) embedded within Snowflake itself.

With SecuPi, the central Policy Management Server or Policy Decision Point (PDP) administers the policies (rules) governing Attribute or Purpose Based Access Control (ABAC/PBAC) and Data Protection (dynamic masking, encryption, tokenization, anonymization). These centrally managed policies are then consistently applied and enforced by distributed Policy Enforcement Points (PEPs). The PDP also provides End-User Accountability, Reporting, Threshold Monitoring, Alerting, User Behavior Analytics (UBA) and Privacy Compliance (RTBF, Restriction of Use, Records of Processing, etc.) by consolidating the data access logs from all of the distributed PEPs.

SecuPi already provides four (4) different methods for implementing PEPs. This program adds a 5th method for Snowflake environments. All five methods are potentially available for use with Snowflake, depending on how Snowflake is used or accessed. The five methods are:

  • Application Overlays – Instrument Java, Python, Node.JS & .NET Applications for maximum End-User visibility
  • Smart Driver Wrappers – Transparently intercept ODBC/JDBC/ADO.NET connections to Databases
  • In-Line Network Gateways – Network proxy for Postgres, MySQL, Snowflake Web Clients, JDBC, ODBC, ADO.NET, Python with direct connections
  • SDK – Enables customers to build their own custom PEP’s, API calls, etc.
  • Snowflake Native – Leverage Snowflake native security features to enforce PDP policy

Refer to the following URL for more information on this program:

How It Works

Fine-grained access control policies are defined in SecuPi exactly as before. This new 5th method for implementing a SecuPi PEP simply enables automated enforcement directly within Snowflake where applicable. Recall that SecuPi can enforce PBAC and data protection based on virtually any User or Data attribute and consistently apply the rules at run-time across different Data Repositories and Applications, On-Prem or in the Cloud.

This added PEP method supports policy enforcement whenever the User identity and all required User or Data attributes are available within the Snowflake environment. Where Shared Application IDs are used to access the data on behalf of multiple concurrent End-Users, enforcement is limited to controlling access based on the Shared ID, since Snowflake only sees that one identity.

The same applies to Data attributes. For example, if a Customer Table has a Column listing the Country each customer record belongs to, then a single policy can be generated in SecuPi that restricts access to records matching the Country (or Countries) assigned to an End-User. SecuPi generates a Row Level Policy and attaches it to the table, so that whenever users query the Table the correct "WHERE" predicate is already applied and rows are filtered within Snowflake based on the matching Country tag or code.
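The Country example above, written out as native Snowflake DDL. This is an added illustration of what a row access policy generated for such a rule looks like, not SecuPi's own generated code; the GOV schema, the USER_COUNTRY_MAP mapping table, SALES.CUSTOMERS and its COUNTRY_CODE column are all assumed names.

```sql
-- Added example (not SecuPi's generated DDL). Assumed objects: GOV schema,
-- GOV.USER_COUNTRY_MAP, SALES.CUSTOMERS with a COUNTRY_CODE column.

-- Mapping table: the Country codes assigned to each Snowflake user.
-- This is the "User attribute" the policy decision depends on.
CREATE OR REPLACE TABLE GOV.USER_COUNTRY_MAP (
    USER_NAME    VARCHAR    NOT NULL,
    COUNTRY_CODE VARCHAR(2) NOT NULL
);
-- Constructed sample assignments.
INSERT INTO GOV.USER_COUNTRY_MAP VALUES ('ALICE', 'US'), ('ALICE', 'CA'), ('BOB', 'DE');

-- The row access policy is the reusable "WHERE" predicate. Snowflake evaluates
-- the body for every row of any table the policy is attached to; a row is
-- returned only when the body is TRUE. The argument is named CUST_COUNTRY so
-- it cannot be confused with the mapping table's own COUNTRY_CODE column.
CREATE OR REPLACE ROW ACCESS POLICY GOV.CUSTOMER_COUNTRY_RAP
    AS (CUST_COUNTRY VARCHAR) RETURNS BOOLEAN ->
    EXISTS (
        SELECT 1
        FROM GOV.USER_COUNTRY_MAP M
        WHERE M.USER_NAME    = CURRENT_USER()
          AND M.COUNTRY_CODE = CUST_COUNTRY
    );

-- Attach the policy to the table, binding the COUNTRY_CODE column to the
-- argument. From now on every query on SALES.CUSTOMERS is filtered, whichever
-- tool or driver issued it.
ALTER TABLE SALES.CUSTOMERS
    ADD ROW ACCESS POLICY GOV.CUSTOMER_COUNTRY_RAP ON (COUNTRY_CODE);

-- Checks a practitioner should run after attaching the policy:
-- 1. A user with no mapping row sees zero rows rather than an error, so an
--    empty result can mean "missing attribute" as well as "nothing to see".
SELECT CURRENT_USER() AS who, COUNT(*) AS visible_rows FROM SALES.CUSTOMERS;
-- 2. Confirm exactly which tables and columns the policy is bound to.
SELECT REF_DATABASE_NAME, REF_SCHEMA_NAME, REF_ENTITY_NAME, REF_COLUMN_NAME
FROM TABLE(INFORMATION_SCHEMA.POLICY_REFERENCES(POLICY_NAME => 'GOV.CUSTOMER_COUNTRY_RAP'));
```

Because the predicate keys on CURRENT_USER(), a Shared Application ID gets the union of whatever is mapped to that one user, which is the limitation the preceding paragraph describes.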

In certain specific circumstances this 5th PEP method can be a useful or more efficient optional policy enforcement method.  However, there are caveats to consider.

With SecuPi's transparent Snowflake Gateway PEP, for example, the same "View" with the same WHERE predicate can be generated dynamically at run-time without making any changes to Snowflake. Data access activity logging is also captured completely independently of Snowflake, much like traditional Database Activity Monitoring (DAM) functionality but without the extra product, servers, network traffic, performance and administrative overhead.

With SecuPi’s unique Hold Your Own Key (HYOK) capability, any Encrypted or Tokenized columns remain protected in the Cloud and are only unprotected (re-identified) for authorized Users at run-time back On-Prem, or in your Virtual Private Network (VPN).  The keys protecting the data are never available or accessible in the public or any shared Cloud environment.  HYOK implementations result in minimal changes to the trust model for Cloud Migrations.

Following are detailed descriptions with screen shots showing configuration steps and data access results for SecuPi policy being enforced natively within Snowflake.

Set Dynamic Data Masking (DDM) and Encryption of Selected Columns

SecuPi leverages Snowflake’s Java User Defined Function (UDF) to enforce the same SecuPi managed policies directly within Snowflake.  SecuPi managed policies can also be used to set access control, column-level dynamic masking and row-level filtering policies directly in Snowflake.

The following examples use three different Snowflake managed and defined roles, and both the First Name and Email address Columns, to describe how this works. The three roles are:

FINANCE        Can view encrypted First Name & Email Columns (referential integrity maintained).
PUBLIC         Can only view masked First Name & Email address Columns (can be the default role).
HRDEMO_HR      Can view both Name and Email address in clear text.

When each of these roles is selected or assigned to a User within Snowflake, that User sees in clear text only the data the role is authorized to view.

Screen shot: Setting FINANCE Role in Snowflake

Screen shot: What FINANCE Role Members see

Screen shot: What PUBLIC Role Members see

Screen shot: What HRDEMO_HR Role Members see


SecuPi essentially deploys agents as Snowflake Java UDFs that then act as a PEP within Snowflake. These UDFs are continuously updated whenever the configuration changes and are self-contained within Snowflake (with no external dependency).

Data access control policies are defined within SecuPi using the Native PEPs – Edit Native PEP Connection menu option of SecuPi. Each time a policy is changed and saved in SecuPi, it is automatically pushed to Snowflake.


Screen Shot showing setup of Native PEP Connection for Snowflake


Native Snowflake Masking Policies Managed from SecuPi

Another SecuPi – Snowflake Data Governance Accelerated program integration is with Snowflake's native masking capabilities. SecuPi can be used to manage masking policies within Snowflake.

The following screen shot displays the output of the SHOW MASKING POLICIES command. The Admin User Kareene is a member of the SECUPI_GOV role, which has permission to manage masking policies within Snowflake. Two different masking policies have been created: one to mask the Email Address Column and one to mask the Name Column.
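The two masking policies listed in that screen shot, and the FINANCE / PUBLIC / HRDEMO_HR behaviour from the earlier role table, expressed as native Snowflake masking policies. This is an added example, not the policies SecuPi pushes; the GOV schema, the HR.EMPLOYEES table and the Java UDF GOV.FPE_ENCRYPT (standing in for the deterministic encryption the SecuPi agent supplies) are assumptions.

```sql
-- Added example (not SecuPi's generated DDL). Assumed: GOV schema, HR.EMPLOYEES
-- with FIRST_NAME and EMAIL columns, and a hypothetical Java UDF GOV.FPE_ENCRYPT
-- that returns deterministic ciphertext so equal inputs still join correctly.

-- Governance role that owns the policies (the page's SECUPI_GOV). The grant
-- must be issued by a role allowed to grant account-level privileges.
GRANT CREATE MASKING POLICY ON SCHEMA GOV TO ROLE SECUPI_GOV;
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE SECUPI_GOV;
USE ROLE SECUPI_GOV;

-- Email column: clear text for HR, ciphertext for Finance, and for everyone
-- else only the domain survives. The ELSE branch is the fail-closed default:
-- a role that is not explicitly listed gets the masked value.
CREATE OR REPLACE MASKING POLICY GOV.EMAIL_MASK AS (VAL STRING) RETURNS STRING ->
    CASE
        WHEN CURRENT_ROLE() = 'HRDEMO_HR' THEN VAL
        WHEN CURRENT_ROLE() = 'FINANCE'   THEN GOV.FPE_ENCRYPT(VAL)
        ELSE REGEXP_REPLACE(VAL, '^[^@]+', '*****')
    END;

-- Name column: same role logic, fully masked for everyone else.
CREATE OR REPLACE MASKING POLICY GOV.NAME_MASK AS (VAL STRING) RETURNS STRING ->
    CASE
        WHEN CURRENT_ROLE() = 'HRDEMO_HR' THEN VAL
        WHEN CURRENT_ROLE() = 'FINANCE'   THEN GOV.FPE_ENCRYPT(VAL)
        ELSE '*** MASKED ***'
    END;

-- Bind the policies to the columns. Masking is applied inside Snowflake on
-- every read, so it holds for BI tools, drivers and the web UI alike.
ALTER TABLE HR.EMPLOYEES MODIFY COLUMN EMAIL      SET MASKING POLICY GOV.EMAIL_MASK;
ALTER TABLE HR.EMPLOYEES MODIFY COLUMN FIRST_NAME SET MASKING POLICY GOV.NAME_MASK;

-- Verification: identical query text, only the active role differs.
USE ROLE PUBLIC;    SELECT FIRST_NAME, EMAIL FROM HR.EMPLOYEES LIMIT 3;
USE ROLE FINANCE;   SELECT FIRST_NAME, EMAIL FROM HR.EMPLOYEES LIMIT 3;
USE ROLE HRDEMO_HR; SELECT FIRST_NAME, EMAIL FROM HR.EMPLOYEES LIMIT 3;

-- What the screen shot shows: the policies the governance role has created,
-- plus where each one is attached.
USE ROLE SECUPI_GOV;
SHOW MASKING POLICIES IN SCHEMA GOV;
SELECT * FROM TABLE(INFORMATION_SCHEMA.POLICY_REFERENCES(POLICY_NAME => 'GOV.EMAIL_MASK'));
```

CURRENT_ROLE() only reflects the session's primary role; if users rely on secondary roles, test the policy with IS_ROLE_IN_SESSION('FINANCE') instead so a FINANCE member does not unexpectedly land in the masked ELSE branch.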