Data is an asset and it is imperative to keep it safe. This is why security is a core design principle of Snowflake: it is always on, which removes the need for users to intervene. Snowflake actively partners with government agencies and the industrial and academic sectors that support them in order to prevent global cybercrime. All of this makes the Snowflake Data Cloud a key platform for supporting critical infrastructure sectors and for meeting or exceeding relevant standards and guidance from agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and others.
The National Cybersecurity Strategy
The White House recently released the first National Cybersecurity Strategy, which outlines the priorities for addressing cybersecurity issues, with the goal of enabling a safe and secure digital ecosystem for all Americans. Treating the internet as our social fabric, the strategy describes how it can be used for harm (for example, ransomware, IP theft, malicious attacks, and data breaches) and notes the regions of the world where threat actors enjoy the support of a nation state with vast resources. The strategy is aimed at healthcare, energy, manufacturing, and public sector organizations and highlights two main challenges to overcome: end users bear too much responsibility for security, and the market does not incentivize companies to do security well. To address these two challenges, the White House highlighted three key objectives:
- Hold the stewards of data accountable by introducing a fundamental change in the responsibility model: rebalancing the responsibility to defend cyberspace onto the organizations that are most capable and best positioned to reduce risks for all of us, and shifting liability for insecure software products and services away from end users and toward vendors that are capable of taking action to prevent bad outcomes.
- Regulate key infrastructure with common control frameworks to secure data consistent with standards and guidelines developed by NIST.
- Create a level playing field for all players to invest in cybersecurity.
The Data Cloud
We at Snowflake are stewards of customer data, and we value the trust people put in us and our platform—the Data Cloud. Snowflake also views our commitment to security as a step toward the new cybersecurity social contract, an idea proposed by two of the strategy’s authors. This social contract asks those organizations that can affect the cybersecurity posture in a positive way to do so. In this vein, the National Cybersecurity Strategy and the new social contract are two of several global calls to action. We are also cognizant of the need to share data at scale among all industries and the government. Therefore, we fully support the above objectives as well as other, similar strategic documents. Long before this strategy was announced, we built our infrastructure and product on three core pillars:
- Secure by design via native security, data governance, and privacy features in our product and the companion security operations that keep our platform safe
- Compliance certifications to provide assurances that our platform meets regulatory requirements across many industries and countries
- Democratizing cybersecurity for our customers by enabling them to access and query security data from a single source of truth to effectively protect their own organizations
Secure by design
This first pillar has been our guiding principle for how we build and innovate with our products’ security, governance, and privacy controls.
In addition to end-to-end encryption for data in transit and at rest, we offer Tri-Secret Secure, which provides the ability to compose the account master key (used to encrypt all keys in the hierarchy) from a combination of a Snowflake-maintained key and a customer-managed key. This gives you full control over when Snowflake can access your data and the ability to revoke that access whenever you decide.
Snowflake’s native data governance capabilities help organizations know what data they have and how to protect that data with policies that prevent unauthorized access. Capabilities such as object tagging, classification, and tag-based masking enable users to automatically detect and classify sensitive data within the platform. Further, a user can simply attach a tag to a table column and Snowflake will automatically enforce the associated data access policy (that is, column-level masking). The Dynamic Data Masking feature allows columns with sensitive data, such as Social Security numbers, to be fully or partially masked for unauthorized users while authorized users continue to see them in plain text. External Tokenization allows users to tokenize sensitive data before loading it into Snowflake and dynamically detokenize it at query runtime, using masking policies. Snowflake’s Row Access Policies feature enables users to secure data using fine-grained, content-based access control over rows of sensitive data. With Account Usage views focused on data governance, such as access history, tag references, and policy references, our users can easily identify, and automate the auditing of, data sets not protected by appropriate data access policies. Further, these views provide a native way of tracking how often tables, views, and columns are used, and of tracking data access (SELECTs) and data manipulation (DML).
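The following Snowflake SQL is an added example, not code from the original post, showing how the features in the paragraph above fit together: a partial masking policy for Social Security numbers, a tag that carries that policy so any column tagged as an SSN is masked automatically, a row access policy driven by a mapping table, and two audit queries over the Account Usage views. The `hr` schema, the `employees` and `region_entitlements` tables, the role names, the sample rows, and the `pii_type` tag are constructed for the example; the Account Usage view and column names are the documented ones, but the join keys in the audit query are this example's assumption and should be checked against your own account.

```sql
-- Constructed sample: an HR table holding sensitive data (not real records).
CREATE OR REPLACE SCHEMA hr;
CREATE OR REPLACE TABLE hr.employees (
  emp_id    NUMBER,
  full_name STRING,
  ssn       STRING,
  region    STRING
);
INSERT INTO hr.employees VALUES
  (1, 'Ada Lovelace', '123-45-6789', 'EMEA'),
  (2, 'Grace Hopper', '987-65-4321', 'AMER');

-- 1. Dynamic Data Masking: everyone except the (hypothetical) PAYROLL_ADMIN role
--    sees only the last four digits. NULLs pass through unchanged.
CREATE OR REPLACE MASKING POLICY hr.ssn_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PAYROLL_ADMIN') THEN val
    WHEN val IS NULL THEN val
    ELSE 'XXX-XX-' || RIGHT(val, 4)
  END;

-- 2. Tag-based masking: bind the policy to a tag, then tag the column.
--    Any STRING column that later receives this tag is masked the same way.
CREATE OR REPLACE TAG hr.pii_type ALLOWED_VALUES 'ssn', 'name';
ALTER TAG hr.pii_type SET MASKING POLICY hr.ssn_mask;
ALTER TABLE hr.employees MODIFY COLUMN ssn SET TAG hr.pii_type = 'ssn';

-- 3. Row Access Policy: a mapping table decides which roles may see which regions,
--    so entitlements are data, not code, and can be audited like any other table.
CREATE OR REPLACE TABLE hr.region_entitlements (role_name STRING, region STRING);
INSERT INTO hr.region_entitlements VALUES ('HR_EMEA', 'EMEA'), ('HR_AMER', 'AMER');

CREATE OR REPLACE ROW ACCESS POLICY hr.region_rap AS (row_region STRING) RETURNS BOOLEAN ->
  CURRENT_ROLE() = 'PAYROLL_ADMIN'
  OR EXISTS (
    SELECT 1
    FROM hr.region_entitlements e
    WHERE e.role_name = CURRENT_ROLE()
      AND e.region    = row_region
  );
ALTER TABLE hr.employees ADD ROW ACCESS POLICY hr.region_rap ON (region);

-- 4. Governance audit: columns tagged as PII that have no masking policy attached.
--    Account Usage views lag live state (up to about two hours), so run this as a
--    scheduled check rather than immediately after a change.
SELECT t.object_database, t.object_schema, t.object_name, t.column_name, t.tag_value
FROM snowflake.account_usage.tag_references t
LEFT JOIN snowflake.account_usage.policy_references p
  ON  p.ref_database_name = t.object_database
  AND p.ref_schema_name   = t.object_schema
  AND p.ref_entity_name   = t.object_name
  AND p.ref_column_name   = t.column_name
  AND p.policy_kind       = 'MASKING_POLICY'
WHERE t.tag_name = 'PII_TYPE'
  AND t.domain   = 'COLUMN'
  AND p.policy_name IS NULL;

-- 5. Access history: which users read the SSN column in the last seven days.
SELECT ah.query_start_time,
       ah.user_name,
       obj.value:objectName::STRING AS object_name,
       col.value:columnName::STRING AS column_name
FROM snowflake.account_usage.access_history ah,
     LATERAL FLATTEN(input => ah.direct_objects_accessed) obj,
     LATERAL FLATTEN(input => obj.value:columns) col
WHERE ah.query_start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND obj.value:objectName::STRING ILIKE '%.HR.EMPLOYEES'
  AND col.value:columnName::STRING = 'SSN';
```

Two design points worth noting. Keeping role-to-region entitlements in a table (step 3) means the row access policy never needs to be rewritten when a new region or role is added, and changes to who can see what leave a DML trail in the same Account Usage views. Query 4 is the "is anything tagged but unprotected" check the paragraph describes; because tag-based masking applies through the tag rather than directly to the column, confirm how your account's `policy_references` view reports tag-attached policies before relying on the join as a drift alarm.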
Snowflake allows customers to further extend their existing data governance and security investments through pre-built integrations with partners in our Data Governance Accelerated program. Together with Snowflake’s native data governance capabilities, these partner integrations equip you to better manage your entire data estate without additional configurations and script-based workarounds. For instance, users can extend Snowflake’s native data governance capabilities to manage data housed outside of Snowflake via these partner integrations.
Snowflake’s privacy-preserving collaboration technology allows for securely sharing data without moving or transferring it between accounts, or sacrificing scale or efficiency. Instead of moving data to the compute environment, a “data provider” makes available read-only copies of live data to “data consumers.” Snowflake solves for private collaboration scenarios such as targeted data sharing with specified parties—data exchanges in which a group of organizations can securely collaborate around data—as well as global data clean rooms that allow for insights on data without the need to move the underlying data sets.
In order to guarantee security of our platform, we run multi-dimensional security operations covering different aspects of our platform’s safety.
The security of our software supply chain—managing dependencies, securing build artifacts, providing engineers with a secure development environment, and building code securely—is an area Snowflake has been investing in since our beginning. We measure our maturity against emerging standards such as SLSA, giving customers additional confidence in the security of their data every time a third-party supply chain incident appears in the news.
Our threat intelligence program draws on multiple threat intelligence feeds and providers, which we process to alert on potential threats against Snowflake. We monitor our key vendors, applications, domains, executives, and other critical components across the dark web, open source intelligence, and other publicly available information. We also monitor our controls, producing key metrics about our native security features, alerting us when metric thresholds are breached, and informing us of any remediation we must carry out.
In addition, we continuously test Snowflake for its security controls, with a variety of sophisticated test methods:
- Independent assessors conduct an average of one pentest per month as part of our compliance program (for example, FedRAMP, HITRUST).
- The Snowflake security team employs leading third-party offensive security firms to regularly audit Snowflake technology and infrastructure.
- We conduct multiple engagements throughout the year, ranging from purple team exercises (a hands-on drill that brings together red and blue teams to test and improve an organization’s security posture) to proactively helping secure our systems via sophisticated adversary simulations that stress our security controls and processes.
What’s more, Snowflake believes in collaborating with the security community as part of our strategy to constantly assess our controls. Our bug bounty program rewards and recognizes security researchers and ethical hackers who responsibly disclose potential vulnerabilities that may affect our product and infrastructure.
Our program also extends to detecting potential attacks that attempt to leverage our platform, its features, and our users and third parties. For example, our anti-abuse team performs security reviews of native applications built on Snowflake, and data sets and services listed on Snowflake Marketplace, to ensure they meet Snowflake’s security standards and protect prospective app and data consumers from abuse.
Snowflake has met or exceeded the requirements of compliance certifications, including U.S. federal and state government standards. For example, Snowflake’s government deployments have achieved Federal Risk & Authorization Management Program (FedRAMP) authorization. Snowflake also supports ITAR, SOC 1 Type II, SOC 2 Type II, PCI DSS, StateRAMP, and HITRUST compliance certifications, demonstrating Snowflake’s commitment to providing first-rate security to all customers, including state and federal governments. Snowflake is continuously expanding its portfolio of security and compliance reports in cooperation with our customers. Please see this full list of our compliance certifications.
Snowflake customers, both large and small, are boosting their cyber defenses with a security data lake architecture that is inherent to the Data Cloud and that, historically, only the largest and most sophisticated enterprises were capable of building. Our near-infinitely scalable data platform as a service, instant access to threat intelligence, and cyber automation delivered off the shelf are all ways in which the Data Cloud is democratizing cybersecurity for all Snowflake customers.
We are aligned with the overall strategy established by the White House, but we are constantly evolving to deliver even greater protection of our customers’ data with such efforts as:
- Leading efforts to share threat intelligence and response across the private and public sectors
- Providing insight and expertise to help shape and advance security principles for securing our critical infrastructure, as advocated in the National Cybersecurity Strategy
- Providing education to security organizations on data-driven security best practices that encourage stakeholders in diverse roles to play a part in efficiently strengthening their security postures
We are very excited about the road ahead of us. Seeing this level of engagement and commitment from the White House reassures us that the investments we’ve made over the past decade in the security space will continue to deliver impact and peace of mind for our customers well into the future. Learn more about security best practices in the Snowflake platform.