Author: Trask Dunlap
Contributing Author: Falguni Sonawala
August 26, 2020

Snowflake on Snowflake: How We Strengthened Data Governance Using Dynamic Data Masking

  • Uncategorized
  • Our Initiatives
    • Snowflake on Snowflake
  • Product & Technology

Managing access to sensitive data is the name of the game when it comes to security and data governance. It’s required to protect sensitive data from unauthorized changes or exposure, and it’s now a mandate as part of privacy regulations such as GDPR and the California Consumer Privacy Act (CCPA). Companies all over the world are now focused on protecting sensitive PII associated with their customers and employees.

Traditional role-based access control (RBAC) can be used to enforce and control least-privilege access. But what happens when traditional RBAC controls don’t allow for the right flexibility? At Snowflake, we used the new Dynamic Data Masking feature to design an RBAC model that gives us granular control over our employees’ viewing permissions to support our data governance model.

Role-Based Access Control

Snowflake offers a robust RBAC system where administrators can create custom roles to meet their organization’s requirements. Snowflake’s internal RBAC design is based on the principle of least privilege, where users are granted access to only the privileges required for their job duties. Roles are designed to create a clear separation of duties between read-only access and write access. Snowflake distinguishes this separation between enterprise user roles (read-only access) and administrative roles (write access). More details of this design will be a topic for a future blog post. 

However, even though Snowflake’s RBAC model provided a solid framework to solve most access control requirements, it still presented limitations: 

  • RBAC worked well to control write access to data, but read-only access offered a different set of challenges.
  • If roles and permissions are too granular, role management becomes very manual and unruly.
  • If roles and permissions are too broad, they do not adhere to the least-privilege model.

Managing access to sensitive data using the RBAC model meant that we had to require and track special approvals for each access request. We could create multiple views, which would cut out the information that a certain group of users should not see. However, this would require an administrator to manage access to multiple slices of the same set of data. As you can imagine, this approach gets messy really quickly.

The Pressure Was On

Confronted with the need to create a powerful and flexible access control framework, our teams put their heads together to enumerate all possible methods. Should we revoke access to the tables and re-create views with the sensitive columns removed? Should we then adjust the permissions of the roles? Or should we just revoke the roles from the users and then see who complains? Could these approaches break any existing workflows and reports? 

Everything seemed like a patchwork approach that would cause disruption and also make the environment more cluttered and obscure. However, with Snowflake, there is always a smarter way to solve tough challenges. 

Data Masking to the Rescue

Snowflake recently released the Dynamic Data Masking feature, which allows a designated administrator to create and apply column-level masking policies (see Figure 1). These policies can be defined specifically to restrict access to data in the columns (of tables or views) on which the policy is applied. Based on the policy, certain authorized roles (green-lit roles) will see the column values “as is,” while the other roles (red-lit roles) will see obfuscated values. The definition of the policy also allows for much flexibility. For example, if you don’t want to list the name of every role that shouldn’t see the exact value of a column, you can name only the green-lit roles or only the red-lit roles. Users with the red-lit roles would still be able to query the table or view but would not see the actual values of the masked column.

Figure 1: Policies can be defined to restrict access to data in the columns of tables or views.

This approach was the solution we had been looking for! We could create a set of policies to mask every column with sensitive data across an entire account. Only authorized roles assigned to the individuals who required access would be able to see those columns, and others would just see the value defined in the policy (for example, “000000”). The best part was that applying the new data masking policy did not negatively affect or break any queries or reports. Nothing changed for the majority of users.

This approach was a quick, efficient, and completely thorough solution for a tough problem, implemented in days instead of weeks. No overhaul of RBAC or of the current setup of databases and tables was required. Instead, we just had to write a precise set of policies and apply them to the right tables and right roles. This new feature showed us the power of Snowflake: It can make data accessible, and accessible only to the right people.
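The following SQL is an added example, not code from the original post or from Snowflake’s own deployment. It shows the two policy shapes described above (naming only green-lit roles, or naming only red-lit roles), applies them to a table, and checks the result. The table HR.PEOPLE.EMPLOYEES and the roles HR_ADMIN, PAYROLL_ANALYST and SUPPORT_AGENT are hypothetical; CREATE MASKING POLICY, ALTER TABLE ... SET MASKING POLICY, CURRENT_ROLE() and the POLICY_REFERENCES Information Schema table function are standard Snowflake SQL.

```sql
-- Added example (not from the original post). Assumes a hypothetical table
-- HR.PEOPLE.EMPLOYEES with columns EMPLOYEE_ID, SSN and EMAIL, and the
-- hypothetical roles HR_ADMIN, PAYROLL_ANALYST and SUPPORT_AGENT.

-- Green-lit form: only the named roles see the real value; every other role
-- receives the fixed placeholder the post mentions ('000000').
CREATE OR REPLACE MASKING POLICY hr.people.ssn_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('HR_ADMIN', 'PAYROLL_ANALYST') THEN val
    ELSE '000000'
  END;

-- Red-lit form: only the named roles are obfuscated; everyone else sees the
-- column as is. Partial masking keeps the domain so a support agent can still
-- see which mail provider a customer uses without seeing the mailbox name.
CREATE OR REPLACE MASKING POLICY hr.people.email_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('SUPPORT_AGENT') THEN REGEXP_REPLACE(val, '^.*@', '*****@')
    ELSE val
  END;

-- Attach the policies to the columns. No views are re-created and no grants
-- change; existing queries keep running and simply return masked values for
-- roles the policy does not green-light.
ALTER TABLE hr.people.employees MODIFY COLUMN ssn   SET MASKING POLICY hr.people.ssn_mask;
ALTER TABLE hr.people.employees MODIFY COLUMN email SET MASKING POLICY hr.people.email_mask;

-- Verification: the same query returns different column values depending on
-- the role that is active in the session.
USE ROLE PAYROLL_ANALYST;
SELECT employee_id, ssn, email FROM hr.people.employees LIMIT 3;  -- real SSN, real email

USE ROLE SUPPORT_AGENT;
SELECT employee_id, ssn, email FROM hr.people.employees LIMIT 3;  -- '000000', *****@domain

-- Governance check: list every table column a given policy currently protects,
-- so an audit can confirm no sensitive column was left unmasked.
SELECT ref_entity_name, ref_column_name
  FROM TABLE(hr.information_schema.policy_references(policy_name => 'hr.people.ssn_mask'));

-- Rolling back a policy is a single statement per column.
-- ALTER TABLE hr.people.employees MODIFY COLUMN ssn UNSET MASKING POLICY;
```

Two design points worth noting. First, CURRENT_ROLE() evaluates the role active in the session, not the full set of roles a user holds, so the effective control is the grant of HR_ADMIN or PAYROLL_ANALYST itself; keep those grants as tightly managed as any other privileged role. Second, the policy’s argument and return types must match the column type, so a NUMBER column needs its own policy returning NUMBER rather than reusing a STRING policy.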

Conclusion

“Who can see what data?” is an imperative question for any business to answer. With Dynamic Data Masking as an addition to the traditional RBAC kit of problem-solving tools, Snowflake account and database administrators have reason to rejoice. This feature is a perfect addition to the security and data governance wheelhouse, working harmoniously with RBAC. To learn more about Dynamic Data Masking and how it can complement your existing Snowflake access controls, refer to the following Snowflake documentation:

  • Managing Security in Snowflake
  • Understanding Column-level Security
  • Dynamic Data Masking