Guide: Snowflake Security Guide

How to Monitor Access to Sensitive Data In Snowflake with Satori

Focusing your effort where it matters most is the key to spending your security resources well. When your organization keeps a lot of data in the Snowflake Data Cloud, it is important to prioritize the things that matter most, and part of that is monitoring the sensitive data within your tables and managing who accesses it.

Types of sensitive data to monitor

There are several main types of sensitive data that you should monitor access to, which are listed below. Please keep in mind that the complete list depends on your organization and the type of data it has.

  • PII (Personally Identifiable Information): This includes names, phone numbers, email addresses, login IP addresses, postal addresses, and any other information that can identify a data subject.

  • PHI (Protected Health Information): This covers data such as medical records and identifying information like EMPI (Enterprise Master Patient Index) values or health plan beneficiary numbers.

  • Operational Data: This type of data consists of passwords, IP addresses, API keys, and similar values whose exposure creates a direct security risk.

  • Financial Data: Financial information or other business information that may contain commercial secrets and should not be shared broadly.

Why is it important to monitor access to sensitive data?

It is vital to monitor access to sensitive information in your organization to satisfy the compliance, regulatory, and risk-reduction frameworks your business operates under. It also serves privacy goals, such as making sure you are meeting privacy regulations and are not exposing private information beyond what is permitted. Furthermore, leakage of personal data can be the catalyst for severe security incidents.

Monitoring sensitive data access also helps your organization gain more confidence in Snowflake, and enhance your use of Snowflake to store and analyze data, thus increasing the overall strategic value of your data.

Steps of Monitoring Sensitive Data in Snowflake

There are two steps in monitoring sensitive data in Snowflake:

  1. The first is the inventory of your data. To monitor sensitive data, you need to know where it is and have an inventory of the location of sensitive data in your Snowflake data cloud.

  2. The second is having the ability to monitor access to those locations, and being able to answer questions about what type of sensitive data was accessed, when, and by whom (users, groups, and roles).

Let’s dig a bit deeper into those steps, check the alternatives, and discuss why using Satori over Snowflake is the best solution to meet your objectives.

Step 1: Data Inventory

Mapping your sensitive data can be done in several ways; for instance, you can send questionnaires to data owners. Whichever method you choose, the goal is to map the data that is being accessed and know what types of data it contains. This is done manually for a relatively small dataset, or in an automated fashion for a larger one.

When leveraging automation, it can either be done as an ad-hoc project of mapping sensitive data in your data repositories or done continuously. When you use Satori for Snowflake, the inventory is updated automatically as Satori discovers where sensitive data lives inside your Snowflake data cloud. You can read more about the different ways to create a data inventory over Snowflake here.

We believe continuous discovery is better than ad-hoc mapping due to the following reasons:

  • Data in a data warehouse is constantly updated and changed, and a mapping project quickly becomes stale.

  • By performing the data inventory without scanning your Snowflake data cloud, we guarantee zero impact to activities, which also means that you do not need to coordinate such efforts across the organization. This saves you immense time, resources, and money.

This is a sample of the continuously updated data inventory in Satori, where you can also override the autonomously discovered tags manually:

You can easily create views in Satori of newly discovered sensitive data so that you can act specifically on new instances of sensitive data (such as applying masking or other types of access controls).

You can read more about Satori’s autonomous data inventory here.

Step 2: Monitoring Access to Sensitive Data

There are several ways you can monitor access to the mapped sensitive data. One of them is by analyzing the access logs in Snowflake (under snowflake.account_usage.query_history). However, you will need to process the raw data to correlate the columns that were actually read with those known to contain sensitive data. You will also need to analyze the data further to determine whether some of it was masked by Snowflake’s dynamic masking (and is therefore not sensitive as returned).
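As an added example (not part of the original article or of Satori’s product), the following Snowflake SQL ties Step 1 and Step 2 together: a constructed inventory table of sensitive columns stands in for the output of the data-inventory step, and a query correlates it with `snowflake.account_usage.access_history` (column-level lineage, Enterprise edition and above) and `snowflake.account_usage.query_history` to report who read which sensitive columns in the last seven days. The inventory table name, its sample rows, and the left join against `snowflake.account_usage.policy_references` to flag columns that carry a masking policy are assumptions for illustration.

```sql
-- Constructed inventory (assumed table) representing the output of Step 1.
-- object_name is the fully qualified, upper-case DB.SCHEMA.TABLE name,
-- which is how access_history reports objectName.
CREATE OR REPLACE TABLE governance.inventory.sensitive_columns (
  object_name   STRING,
  column_name   STRING,
  data_category STRING   -- PII, PHI, OPERATIONAL or FINANCIAL
);
INSERT INTO governance.inventory.sensitive_columns VALUES
  ('SALES.PUBLIC.CUSTOMERS',      'EMAIL',   'PII'),
  ('SALES.PUBLIC.CUSTOMERS',      'PHONE',   'PII'),
  ('HR.PUBLIC.EMPLOYEES',         'SSN',     'PII'),
  ('OPS.PUBLIC.SERVICE_ACCOUNTS', 'API_KEY', 'OPERATIONAL');

-- Step 2: one row per (query, sensitive column) read in the last 7 days.
WITH accessed_columns AS (
  SELECT ah.query_id,
         ah.user_name,
         obj.value:objectName::STRING AS object_name,
         col.value:columnName::STRING AS column_name
  FROM snowflake.account_usage.access_history AS ah,
       LATERAL FLATTEN(input => ah.base_objects_accessed) AS obj,
       LATERAL FLATTEN(input => obj.value:columns) AS col
  WHERE ah.query_start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
    AND obj.value:objectDomain::STRING = 'Table'
)
SELECT qh.start_time,
       qh.user_name,
       qh.role_name,
       qh.query_type,
       ac.object_name,
       ac.column_name,
       sc.data_category,
       -- Caveat from the text: a masking policy on the column may mean the
       -- value returned was redacted; this flag tells you to check the policy.
       IFF(pr.policy_name IS NULL, 'UNMASKED', 'MASKING_POLICY: ' || pr.policy_name)
         AS masking_status,
       qh.query_id
FROM accessed_columns AS ac
JOIN governance.inventory.sensitive_columns AS sc
  ON sc.object_name = ac.object_name AND sc.column_name = ac.column_name
JOIN snowflake.account_usage.query_history AS qh
  ON qh.query_id = ac.query_id
LEFT JOIN snowflake.account_usage.policy_references AS pr
  ON pr.policy_kind = 'MASKING_POLICY'
 AND pr.ref_column_name = ac.column_name
 AND pr.ref_database_name || '.' || pr.ref_schema_name || '.' || pr.ref_entity_name
       = ac.object_name
WHERE qh.execution_status = 'SUCCESS'
ORDER BY qh.start_time DESC;
```

Because account_usage views lag by up to a few hours, schedule this as a daily or weekly task rather than expecting real-time results; grouping the output by user_name and data_category gives the per-day and per-week views the article describes.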

In Satori’s analytics dashboard, you can monitor access to sensitive data as well as create saved views with the monitored data during a certain time window for specific locations or groups. Here is an example of what that looks like:

In addition, the enriched audit we provide contains contextual data, including the exact types of sensitive data that were accessed in each query, as well as the specific locations in which they were extracted. Here is a demonstration of that:

In conjunction with this, you can filter and analyze the audit to monitor exactly what is required for your organization. An example would be creating a view of access to sensitive data in the last day or week. More information on Satori’s universal audit can be found here.

Monitor Sensitive Data Access in Snowflake Now!

If you’d like to see our demo and understand how Satori can painlessly enable you to monitor your sensitive data and do much more around the governance, security, and compliance of your Snowflake data, you can schedule a demo here.

Last updated on June 9, 2021
