Securing your Snowflake data cloud

The challenges of legacy data warehouses and traditional business intelligence systems have been well-documented. Built on rigid infrastructure and managed by specialized gatekeepers, data warehouses of the past were, as one financial customer once told us, “like a snake swallowing a basketball.”

For a sampling of customers’ longstanding frustrations, check out this slide from Wikibon’s 2014 Big Data Capital Markets Event:

The volume of data ingested into a data warehouse overwhelmed the system. Every time Intel Corp. came out with a new microprocessor, practitioners would “chase the chips” in an effort to compress the overly restrictive elapsed time to insights. This cycle repeated itself for decades.

Cloud data warehouses generally and Snowflake Inc. specifically changed all this. Not only were resources virtually infinite, but the ability to separate compute from storage completely altered the cost, performance, scale and value equation. But as data makes its way into the cloud and is increasingly democratized as a shared resource across clouds – and at the edge – practitioners must bring a SecDevOps mindset to securing their cloud data warehouses.

This Breaking Analysis takes a closer look at the fundamentals of securing Snowflake. It is an important topic as data becomes more accessible and available to a growing ecosystem of users, customers and partners. To do so we welcome two guests to this episode. Ben Herzberg is an experienced hacker, developer and an expert in several aspects of data security. Yoav Cohen is a technology visionary and currently serving as chief technology officer at Satori Cyber.

These two individuals have co-authored the book shown above called “Snowflake Security.” The work is a comprehensive guide to what you need to know as a data practitioner using Snowflake. It’s packed with great information, best practices and practical advice and insights – all in one place.

Security and data practices are colliding

Before we get into the discussion, let’s share some Enterprise Technology Research survey data to set the context. We’re seeing that cybersecurity and data are colliding in an important way.

Below are some data points from ETR’s latest drill-down survey. ETR asked more than 1,200 respondents – chief information officers, chief information security officers and information technology professionals – which organizational priorities would be most important in 2022. The top seven are shown in the diagram.

It’s no surprise that security is No. 1 – although as we shared in our recent predictions post, the magnitude of its relative importance varies depending on the degree of expertise within the organization. The delta is not as significant in large companies, for example.

Analytics and data are prominent in the list and we’ve tied these two domains together. We’re highlighting a term our two guests have used called DataSecOps. To us it’s the idea that you bring agile DevOps practices to data operations – and integrated security as part of the entire cycle of managing the creation, use, access, protection and recovery of data.

As Yoav Cohen points out, it’s also significant that cloud migration was the No. 2 priority on the list, since that’s driving changes in operating models. According to Cohen:

This definitely aligns with what we’re seeing on the ground in the market. In the diagram you have cybersecurity and data warehousing. In the middle you have cloud migration. That’s basically what’s pushing companies to invest in security and data and warehousing, because the cloud changed the game for cybersecurity. The tools that we used before are not the same tools that we need to use now. And also, it unlocks a lot of performance value and capabilities around data warehousing. So, all of that comes together to a big trend in the industry for investment, for opportunity, and definitely we’re seeing that on the Snowflake platform, which is doing really, really well lately.

Listen to Yoav Cohen comment on the relationship between cyber, analytics/data and cloud.

Why are we always talking about Snowflake?

Let’s share one more graphic before we dive in with Ben and Yoav. Of course, Snowflake is a hot company; everyone knows that and it shows in its financials. The ETR survey data below tells a similarly compelling story.

The chart above is from the most recent ETR January survey. The blue line at the top represents Net Score or spending momentum. The darker line at the bottom represents presence or pervasiveness in the survey sample. There were 165 Snowflake customers that responded to this survey. Ten percent of companies within the Fortune 500 were in the sample and about 4% of Global 2000 companies participated. Just under 30% were C-suite execs and about 20% were analysts or engineers or data specialists, with around 50% in vice president, director or manager roles, with a very broad mix of industries and a bias toward larger companies.

The top blue line in the graph is derived using basic math from the data in the inserted box. ETR asks customers each quarter: 1. Are you adopting Snowflake new in 2022? That’s the 27% lime green; 2. Will you be spending 6% or more on Snowflake relative to 2021? That’s the 57% forest green; 3. Is your spending flat? That’s 15% of respondents in the gray; 4. Is your spending down by 6% or worse? Only 1% in the pink; and 5. Are you leaving the platform or defecting? That’s the bright red at 0%.

No defections.

Subtract the reds from the greens and you get Net Score, which calculates out to 83% for Snowflake in this past survey. What’s remarkable is that Snowflake has held this elevated score for more than 12 quarterly surveys. It’s in the stratosphere among the many hundreds of companies that ETR tracks. Remember as well, anything above 40% on the vertical axis is considered elevated Net Score and Snowflake is glued to the ceiling.

The greenish brown line in the graph shows the company’s market presence in the data set. It continues to grow and the green shaded area emphasizes that its pace this last quarter is accelerating.

Snowflake is becoming ubiquitous and customers are becoming intimately familiar with its platform. Snowflake is scaling up like we’ve never seen before and is building a hard-to-penetrate fortress with its product, ecosystem and execution.

Broadly, Ben Herzberg attributes this momentum to five main factors:

  1. Simplicity and brand promise. Snowflake performs as advertised – out of the box;
  2. Very rich support of capabilities and features needed in a cloud data warehouse;
  3. Multicloud support reduces dependencies on a single cloud;
  4. It’s fast and scalable with no worries about infrastructure and heavy maintenance lifting; and
  5. Fast pace of innovation – for example, many security and governance features, moves to support unstructured data and the like.

Listen to Ben Herzberg talk about why Snowflake customers are rapidly adopting the platform.

Next we pivot to the deeper dive into Snowflake security. We asked the experts to comment on several questions, summarized below:

Question No. 1: Snowflake already gets high marks on security, so why does there need to be a book on the subject?

The answer comes down to the need to understand the nuances of Snowflake in the cloud’s shared responsibility model and how to apply best practices in this environment. According to Cohen:

Snowflake is investing in and putting a lot of emphasis on security. However, it’s connected to the cloud, and like any other cloud service, there’s a shared responsibility model between Snowflake and its customers when it comes to fully securing their data cloud. So Snowflake can build excellent features, but then customers need to actually adopt them, implement them in the best way. One of the things that we’ve seen by working with Snowflake customers is that we typically interact with data engineers, but then they have to implement security features and security capabilities. We thought writing a book about the topic would help these customers to understand the features better, benefit from them better and really structure their implementation and decide what’s most important to implement at every step of their journey.

Listen to Yoav Cohen explain why he and his colleague wrote the book on Snowflake Security.

Question No. 2: What are the basic fundamentals of securing Snowflake?

We wanted to explore this topic because in a world of flexible and globally distributed data, where democratization is a major theme, how do you really make sure only those folks that should have access do have access?

According to Herzberg, it comes down to many common sense items such as limiting network access with a few simple commands. This will significantly lower your security risk and improve your compliance posture. Further, it’s important to know which applications access Snowflake and how they are gaining access. If it’s by password, rethink that and use a key instead. Are users accessing Snowflake with usernames and passwords? Change that to an identity system such as Okta. And there are many other areas discussed in the book that go into these fundamentals in great detail, from configuring to monitoring and auditing Snowflake security.

Listen to Ben Herzberg talk about the fundamentals of Snowflake security.

Question No. 3: Don’t these fundamentals apply to any environment? What’s unique to Snowflake?

The answer according to Cohen is yes and no. Sure, basic security hygiene is important in all environments, but as data moves to cloud data warehouses generally and Snowflake specifically, policies are becoming more dynamic. More sophistication around authorization and more fine-grained controls are necessary and available in Snowflake. Here’s Cohen’s explanation in detail:

A couple of things to consider. First of all, we like to say that it’s 80% good security hygiene. You have to make sure that your fundamentals are locked and tightly configured and that brings a lot of value. But two points to consider, first of all, all of these [standard] controls are pretty static in the sense that once you get in, you get in, and then you have pretty broad access; and we can talk about authorization concepts. But these [standard practices] are really static gatekeepers around your data. Once you have access, then it’s really free for all. When you compare it to other types of environments and what we’re seeing in other domains, maybe a move to more dynamic types of controls, elevated access or elevated additional authentication steps before you get elevated access. And what we’re thinking is that beyond these static controls, the market is going to move towards implementing more dynamic, more fine-grained control, especially because Snowflake, or any other data warehouse or large-scale data store, becomes an aggregation point of data in the company, and we work with really big companies, and they bring in data from multiple jurisdictions from around the world, so they can get an overview of the business and run the business in a much more efficient way, but that really creates a pressure point when it comes to securing that data.

Listen to Yoav Cohen explain how cloud data platforms generally, but Snowflake specifically, require new thinking in security.

Question No. 4: Coming back to the Snowflake specifics and the shared responsibility model, Snowflake talks about a three-layered security approach: network, identity access and encryption. Can we dig into each of these areas and better understand the responsibilities of the Snowflake customer?

Configuring network security – What’s the starting point?

Let’s start with the network. The customer is responsible for things such as setting up the DNS and deciding the level of public internet access for other apps and users. Herzberg says there are two high-level areas Snowflake customers should be focused on with regard to network security:

  • Setting the policy to limit network access to your account;
  • Consider configuring the network with a private link to the cloud environment.
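The first bullet above, together with the key-based application access and the “who is still logging in with a password” check Herzberg calls for under Question No. 2, expressed as Snowflake SQL. This is an added example, not code from the book or the original article; the policy names, the `etl_svc` user and `etl_role`, the IP ranges and the public-key value are constructed placeholders, and the private-link setup from the second bullet is account-level work not shown here.

```sql
-- 1. Account-level network policy: only the listed ranges may reach the account.
--    Snowflake refuses the ALTER ACCOUNT below if the current session's own IP
--    is not in ALLOWED_IP_LIST, so an administrator cannot lock themselves out.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')   -- constructed ranges
  COMMENT = 'Corporate egress only';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- Confirm the policy is attached and inspect its contents.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
DESCRIBE NETWORK POLICY corp_only;

-- 2. Application access by key pair instead of password. The public key below is a
--    placeholder; the matching private key lives with the ETL job, never in Snowflake.
CREATE ROLE IF NOT EXISTS etl_role;
CREATE USER IF NOT EXISTS etl_svc COMMENT = 'Service account for the ETL pipeline';
GRANT ROLE etl_role TO USER etl_svc;
ALTER USER etl_svc SET DEFAULT_ROLE = etl_role;

ALTER USER etl_svc SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A<placeholder>';
ALTER USER etl_svc UNSET PASSWORD;   -- nothing left to phish, guess or reuse

-- A user-level policy overrides the account policy for this principal only,
-- so the service account can connect solely from the pipeline hosts.
CREATE NETWORK POLICY etl_hosts_only
  ALLOWED_IP_LIST = ('198.51.100.25', '198.51.100.26');   -- constructed hosts
ALTER USER etl_svc SET NETWORK_POLICY = etl_hosts_only;

-- 3. Audit: which principals authenticated with a password in the last 30 days?
--    ACCOUNT_USAGE views lag live activity by up to a couple of hours and need
--    the ACCOUNTADMIN role or IMPORTED PRIVILEGES on the SNOWFLAKE database.
SELECT user_name,
       first_authentication_factor,
       COUNT(*)                           AS logins,
       COUNT_IF(is_success = 'NO')        AS failures,
       COUNT(DISTINCT client_ip)          AS distinct_ips,
       MAX(event_timestamp)               AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
GROUP BY 1, 2
ORDER BY logins DESC;
```

Any row the audit returns is a candidate for key-pair authentication (applications) or for the SSO cut-over to an identity provider such as Okta (people); re-run it after the change and the list should empty out.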

Listen to Ben Herzberg explain the basics of the network shared responsibility model for Snowflake.

Identity access: avoiding ‘hierarchy hell’

With identity, you have to worry about things like setting up roles and managing users and possibly configuring row- and column-based access. Setting up roles can get complicated – especially when you’re crossing domain identities and setting up hierarchies. Complexity is the enemy of good security and customers have to be careful about setting up complex hierarchies. Cohen explains hierarchy hell:

The book says that you can use hierarchy, but you should avoid getting to a hierarchy hell. Basically, we’ve seen that with several Snowflake customers with the ability to set roles in a hierarchy model, setting a role that inherits privileges from another role, that inherits privileges from other roles and maybe, of course, used in a good way, but it also in some of the cases, it leads to complexities and to access not being deterministic, at least not obvious to the person who gives access, who’s usually the data engineer. So, whenever you start having a complex authorization model, whenever I want to give Yoav access to a certain data set, and because things are complex, I also, by mistake, give him access to the salary information of the company, that’s when things become complicated. If your roles are messy and complex, then it can lead to data exposure within the organization or outside the organization.

Listen to Ben Herzberg explain hierarchy hell.
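A query that makes the accidental inheritance described above visible before it turns into exposure: for every role, the roles it inherits transitively, and the sensitive tables those inherited roles can reach. This is an added example, not from the book or the original article; it reads Snowflake’s own SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES view, and the table name SALARIES is a constructed stand-in for the salary data set in the quote.

```sql
WITH RECURSIVE
-- Role-to-role grants are the inheritance edges: the grantee (child) role
-- receives every privilege held by the role in NAME (the parent).
role_edges AS (
    SELECT grantee_name AS child_role, name AS parent_role
    FROM snowflake.account_usage.grants_to_roles
    WHERE granted_on = 'ROLE'
      AND privilege  = 'USAGE'
      AND granted_to = 'ROLE'
      AND deleted_on IS NULL
),
roles AS (
    SELECT DISTINCT child_role AS role_name FROM role_edges
),
-- Transitive closure: each role reaches itself at depth 0, then follows one
-- inheritance edge per iteration, recording the path for the report.
role_closure AS (
    SELECT role_name, role_name AS reaches_role, 0 AS depth, role_name AS path
    FROM roles
    UNION ALL
    SELECT c.role_name,
           e.parent_role,
           c.depth + 1,
           c.path || ' -> ' || e.parent_role
    FROM role_closure c
    JOIN role_edges e ON e.child_role = c.reaches_role
    WHERE c.depth < 20        -- Snowflake forbids grant cycles; this is a belt-and-braces stop
),
-- Table privileges granted directly to any role.
table_privs AS (
    SELECT grantee_name AS role_name,
           privilege,
           table_catalog || '.' || table_schema || '.' || name AS fq_table
    FROM snowflake.account_usage.grants_to_roles
    WHERE granted_on = 'TABLE'
      AND granted_to = 'ROLE'
      AND deleted_on IS NULL
)
-- Roles that can read SALARIES only through inheritance (depth > 0). These are the
-- grants nobody made on purpose: the data engineer granted a role, not the table.
SELECT c.role_name,
       p.privilege,
       p.fq_table,
       c.depth,
       c.path
FROM role_closure c
JOIN table_privs p ON p.role_name = c.reaches_role
WHERE p.fq_table ILIKE '%.SALARIES'   -- constructed sensitive table name
  AND c.depth > 0
ORDER BY c.depth DESC, c.role_name;
```

Replacing the final SELECT with `SELECT role_name, MAX(depth) FROM role_closure GROUP BY 1 ORDER BY 2 DESC` gives the inheritance depth per role, a direct measure of how far into “hierarchy hell” an account already is. The view lags live grants by up to a couple of hours and requires ACCOUNTADMIN or IMPORTED PRIVILEGES on the SNOWFLAKE database.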

Encryption in Snowflake: basic to advanced levels

For many companies, encryption in Snowflake is pretty straightforward and doesn’t require a lot of responsibility from the customer. Snowflake encrypts everything in motion and rotates keys every 30 days. So many companies really need to just monitor things and make sure they’re in compliance and have good log data. But it depends on the degree of sophistication required. As Herzberg explains:

This really depends. So, for the average company, I’d say, yes. For some of the companies with higher security requirements or compliance requirements or both, sometimes there are issues like companies that don’t want to have the data stored in clear text, in Snowflake, even encrypted as in the data warehouse encryption or the account encryption, even if someone accidentally gets access to the table, they want them not to be able to pull the data in clear text, and then it gets slightly more complicated. You have different ways of tackling this, but for the average company or companies who don’t have such requirements, then everything in Snowflake is encrypted in transit and at rest, and of course, there are more advanced features for higher requirements.

Listen to Ben Herzberg explain his thoughts on the shared choices customers face around Snowflake encryption.

Question No. 5: What are some of the more vulnerable aspects of Snowflake? If you were a hacker, where would you attack first?

In addition to phishing scams and other user vulnerabilities, we wanted to know if there were any areas where customers should be extra careful. Yoav Cohen’s answer begins with essentially “Follow the data”:

I’d start with where data resides. And, if you look at the Snowflake architecture, there’s a separation between storage and compute, but that also means storage is accessible without going through the compute. That can create opportunities for hackers to go and try to find access where access shouldn’t be had. That’s where I’d focus on.

Listen to Yoav Cohen explain where a hacker would likely focus on finding Snowflake vulnerabilities.

Question No. 6: Does the multitenant nature of the Snowflake Data Cloud increase security risks? Should customers use Virtual Private Snowflake or VPS to reduce exposures?

Herzberg doesn’t believe that multi-tenancy inherently increases exposures and feels most companies don’t need VPS. He feels there are more optimal and cost effective approaches to mitigating risks.

Virtual Private Snowflake is Snowflake’s highest security level. It’s designed for organizations with the most stringent requirements (such as regulated industries like healthcare and financial services). VPS isolates the Snowflake environment from all other Snowflake accounts and shares no resources outside of the VPS account.

Herzberg summarized his thoughts as follows:

To the best of my knowledge, Virtual Private Snowflake is used by a minority of the customers, a small minority of the customers. There are other more popular ways within Snowflake, like private link, for example, to enhance your security and your account segregation. But I wouldn’t say that simply because the platform is multi-tenant, it’s vulnerable. Of course, in many cases, your security or compliance needs require you to eliminate even this risk; but I’d say that there are a lot of other platforms in different areas that are multi-tenant and probably more secure than many on-premises environments.

Listen to Ben Herzberg and Yoav Cohen comment on multi-tenancy and its relative risk.

Question No. 7: Will new functionality such as support for unstructured data or adding data science use cases create new attack vectors for hackers?

Snowflake rolls out new capabilities at a rapid pace. Its CEO has prioritized investments in engineering since his first days on the job and that’s translating to rapid rollout of new functionality. We wanted to know if the pace of new feature rollouts and total available market expansion moves create new opportunities for hackers…and how will customers deal with this?

According to Cohen, while new capabilities may create a larger threat surface, the methods to address them will be similar. It’s more likely a case that as customers tap these new areas of expansion they will perhaps apply security features they haven’t previously deployed. The biggest trend to watch will be the democratization of data, and that will require greater diligence and focus by organizations.

Cohen explained as follows:

I’d say that Snowflake is moving fast with adding new functionality – fast, but not too fast. They’re releasing it in a controlled manner. I’d say that for new capabilities, of course, in some cases there are new attack vectors or new risks and obviously, securing different types of data may bring new challenges, but the basics, I think, remain the same. The basics of the network, identity authentication, authorization and auditing monitoring. I’d say they will be the same and perhaps new features or capabilities will need to be used. And the biggest issue, as data democratization is growing within organizations, and more and more people are using your data cloud, that also needs to be addressed.

Listen to Ben Herzberg talk about new attack vectors and how customers will address them.

Question No. 8: Snowflake is building what we call a supercloud, a layer that adds value above the hyperscale infrastructure and across clouds. How will that affect the way organizations will approach DataSecOps?

Let’s talk futures. In the book, Cohen and Herzberg discuss multicloud as a way to reduce reliance on a single vendor and that’s all good. But we’ve been using the term “Supercloud” as a reference to an abstraction layer that exists on top of multiple clouds and hides some of the underlying cloud complexity, and we feel Snowflake is a good example of that – building value on top of all the hyperscale infrastructure and across clouds. We wanted to know how this might affect the way companies think about DataSecOps.

Here’s what Yoav said:

Definitely, we also see the trend of companies adopting more and more types of cloud and cloud technologies. They’re in one cloud today. They want to move to a second one, almost every company that I talk to has, nowadays, a multi-cloud strategy. With respect to Snowflake, they basically have it figured out, because they’re an overlay, like a supercloud, super data cloud, that’s spread across any cloud, and you can basically pick and choose where you want to put your data for what use cases, and that’s really, really helpful, because then you don’t have to manage the complexity of multiple solutions for multiple areas of the business. We see this also in other areas where companies are saying, “Hey, I’d like to not use a specific cloud technology for that purpose, but use a vendor that can cover my needs across the clouds.” Definitely on the security side, where they want one throat to choke, so to speak, but they want to control things in a central place. As Ben mentioned before, complexity is the enemy of security and having these multi-cloud operations, from a security perspective, definitely adds complexity, which adds risks, so simplifying that is really, really helpful.

Listen to Yoav Cohen discuss Snowflake as a “Super Data Cloud” and how that will affect the way security pros think about managing their environments.

Thanks to Yoav Cohen and Ben Herzberg for participating in this Breaking Analysis. Here’s Yoav Cohen giving a quick explanation of what Satori does.

Keep in touch

Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.

Email [email protected], DM @dvellante on Twitter and comment on our LinkedIn posts.

Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at [email protected]

Here’s the full video analysis:

All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Image: meenkulathiamma/Adobe Stock

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
