How to Implement Snowflake Security Best Practices with Panther
Panther for Snowflake 3
Speakers
Ben Sebastian
Senior Detections Engineer
Mike Mitrowski
Principal Security Architect
Agenda
1. Snowflake and Panther Overview
2. Understand Snowflake’s security best practices
3. How Panther helps you validate security best practices for Snowflake
4. Demo - Panther for Snowflake
5. Q & A
Security Monitoring with Panther for Snowflake
Snowflake and Panther have partnered to deliver a solution designed to help Snowflake customers properly ensure the security and compliance of their Snowflake Data Cloud.
With Panther for Snowflake, you can…
• Continuously monitor the security of your Snowflake Data Cloud
• Identify settings that do not align with Snowflake security best practices
• Detect configuration changes
• Detect unauthorized access
• Monitor supporting infrastructure
• Expand your threat hunting to Snowflake
Snowflake Security & Governance At A Glance

1 | Network Controls
All communication secured using TLS 1.2 with HSTS enforced for all client communications, and controlled by Network Policies (IP Allowlisting)
Integration with CSP Private Networking
● GCP Private Service Connect
● AWS PrivateLink
● AWS VPC ID S3 policies
● Azure Private Link
● Azure cross-VNet rules for Blob access
Choose from any of the Snowflake-supported cloud regions

2 | Identity & Access
SCIM user management
Native Snowflake credentials
● Password policies
● Multi-Factor Authentication
● Key Pair Authentication
Federated Identity
● SAML 2.0-based SSO
● OAuth 2.0 delegated authorization
Session control through policies

3 | Data Governance
Built-in features & partner integrations
RBAC & DAC
Column-level security
● Using views & UDFs
● Dynamic data masking
● External tokenization
Row access policy
Tagging
Classification
Anonymization

4 | Data Protection
Account, region, cloud, and data-level recovery & failover
● Fail-safe
● Time Travel
● Cross-cloud & region replication & failover
● AWS, Azure, GCP redundancy

5 | Encryption
Customer data always encrypted in flight
Data-at-rest always encrypted using a hierarchical key model
● Rooted in the CSP’s HSM
● Automated key rotation & re-keying
● BYOK with “Tri-Secret Secure”

6 | Auditing
● Comprehensive audit trail for all activities by all users from login

7 | Compliance & Legal
Snowflake Security Policy
Snowflake Legal for DPA (GDPR), acceptable use, support and more
SOC 2 Type II (12 Month Coverage Period)
SOC 1 Type II (6 Month Coverage Period)
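As an added example (my own query, not one of Panther's shipped rules and not Snowflake code), the following SQL checks the Identity & Access items above against the SNOWFLAKE.ACCOUNT_USAGE share: it lists enabled users that still sign in with a native password and have neither MFA nor key pair authentication. It assumes the running role has IMPORTED PRIVILEGES on the SNOWFLAKE database; the 90-day staleness threshold is an assumption.

```sql
-- Added example (not a Panther-shipped query): enabled users that still rely on a
-- native Snowflake password with neither MFA (Duo) nor key pair authentication.
-- Source: SNOWFLAKE.ACCOUNT_USAGE.USERS (assumes IMPORTED PRIVILEGES on the
-- SNOWFLAKE database). ACCOUNT_USAGE views lag live changes by up to ~2 hours,
-- so a user enrolled in MFA a few minutes ago can still appear here.
SELECT
    name,
    login_name,
    email,
    password_last_set_time,
    last_success_login,
    CASE
        WHEN last_success_login IS NULL THEN 'never logged in'
        WHEN last_success_login < DATEADD('day', -90, CURRENT_TIMESTAMP()) THEN 'stale'
        ELSE 'active'
    END AS login_activity
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND NOT COALESCE(disabled::BOOLEAN, FALSE)            -- skip disabled accounts
  AND COALESCE(has_password::BOOLEAN, FALSE)            -- native password present
  AND NOT COALESCE(ext_authn_duo::BOOLEAN, FALSE)       -- no MFA enrolment
  AND NOT COALESCE(has_rsa_public_key::BOOLEAN, FALSE)  -- no key pair configured
ORDER BY login_activity, last_success_login DESC NULLS LAST;
```

Rows tagged 'stale' or 'never logged in' are the usual candidates for disabling outright; the 'active' rows are the ones to move to SSO, MFA or key pair authentication.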
Diagram: Snowflake UI or Driver Running on Your Network (On-Prem or Cloud); Outside Traffic to AWS
Diagram: Using AWS Direct Connect: Snowflake UI or Driver Running on Your Network; Outside Traffic to AWS Private Link with Direct Connect
Snowflake Authentication
How to do Authentication & Delegated Authorization for Snowflake
Snowflake Governance Capabilities
Know Your Data (What, Where, Who)
● Access History
● Object Tagging
● Account Usage
Protect Your Data
● Row Access Policies
● Dynamic Data Masking
● External Tokenization
● Encryption
● Conditional Masking
● Anonymization
● Classification
Unlock Your Data
● Direct Secure Sharing
● Private Data Exchange
● Data Marketplace
Database Replication & Failover
Cross-Cloud & Cross-Region Replication (Azure, AWS, Google Cloud)
● Business continuity & disaster recovery
● Secure data sharing across regions/clouds
● Data portability for account migrations
Zero Performance Impact on Primary
● Asynchronous replication
Reduced Data Loss
● Incremental refreshes
Instant Recovery
● Read: Readable secondary databases
● Write: Database failover
Secure
● Data encrypted at-rest & in-transit
● Tri-Secret Secure compatible
Cost Effective
● Replication costs: Data transfer & compute (serverless)
● Control which databases to replicate
More about Database Replication & Failover
Encryption: Hierarchical Key Model
• Hierarchical key model rooted in the CSP’s HSM
  ○ GCP: Cloud HSM
  ○ AWS: Cloud HSM
  ○ Azure: Dedicated HSM
• All data at rest is encrypted by default, with no configuration required
More resources on Key Management
Encryption: Hierarchical Key Model using Tri-Secret Secure
● Hierarchical key model adds a hybrid HYOK & BYOK model to give the customer control
● Customer holds key in their CSP Key Management and brings key materials to Snowflake to be part of the key-encrypting key (the Account Master Key or AMK)
● CSP-supported key managers:
  ○ GCP: Cloud KMS
  ○ AWS: AWS KMS
  ○ Azure: Key Vault
More resources on Key Management
Encryption: Key Rotation & Re-Keying
Key Rotation
• Snowflake rotates keys every 30 days
• Process is transparent to customer and queries
Key Re-Keying
• Yearly re-keying re-encrypts data on the key's birthday
• Re-keying requires Enterprise Edition or better
• Process is transparent to customer and queries
More resources on Key Management
Auditing: Audit Logging – Account Usage
Auditing tracks every user’s activity at all times in full detail
Kept in a tamper-proof area of your account for 365 days
All supplied drivers and connectors also have extended logging
03 How Panther Helps You Validate Security Best Practices For Snowflake
Panther is a security monitoring platform built for speed, scale, and flexibility.
● High-scale with zero ops
● Fast detection and data queries
● Detection-as-Code for ultimate flexibility
● Structured data with no retention limits
Panther For Snowflake
Panther Brings Your Security Data To Life
1. Security Logs (Cloud, Hybrid, SaaS, + more)
2. Ingest (Parse, Normalize, Analyze)
3. Detect
4. Alert
5. Investigate (Security Team)
Detection Rules
● Panther currently ships with 19 built-in queries for monitoring Snowflake
● These differ slightly from other rules in Panther as they are saved SQL queries as opposed to Python functions for the rule logic
● Rules include monitoring for items like authentication configuration, changes in user permissions, or changes in network policies
● Some specific rules of note are:
  • Network Policies Changed
  • Local User Created
  • Admin Access Granted
  • SCIM Token Generated
● Rules can be customized for your organization or used as templates to create custom rules.
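To show what a saved-SQL Snowflake rule of the kind listed above looks like, here is an added example (my own, not one of Panther's 19 shipped queries) that covers two of the named rules, Network Policies Changed and Admin Access Granted, from the SNOWFLAKE.ACCOUNT_USAGE share. The 24-hour lookback, the choice of ACCOUNTADMIN and SECURITYADMIN as the "admin" roles, and the output column names are my assumptions.

```sql
-- Added example (not Panther's shipped query): network policy changes and grants
-- of the top admin roles in the last 24 hours, in one alertable result set.
-- Both sources are ACCOUNT_USAGE views, which lag live activity by up to a few
-- hours, so a scheduled rule should use a lookback longer than its interval.
WITH network_policy_changes AS (
    SELECT
        'NetworkPolicyChanged' AS finding,
        start_time             AS event_time,
        user_name,
        role_name,
        query_text             AS detail
    FROM snowflake.account_usage.query_history
    WHERE execution_status = 'SUCCESS'
      AND start_time >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
      -- ignore read-only statements that merely mention the policy
      AND query_type NOT IN ('SELECT', 'SHOW', 'DESCRIBE')
      -- CREATE/ALTER/DROP NETWORK POLICY, plus ALTER ACCOUNT/USER ... [UN]SET NETWORK_POLICY
      -- (REGEXP_LIKE must match the whole text, hence the leading/trailing .*)
      AND REGEXP_LIKE(
            query_text,
            '.*(CREATE|ALTER|DROP)[[:space:]]+NETWORK[[:space:]]+POLICY.*|.*SET[[:space:]]+NETWORK_POLICY.*',
            'is')
),
admin_grants AS (
    SELECT
        'AdminAccessGranted'          AS finding,
        created_on                    AS event_time,
        granted_by                    AS user_name,
        role                          AS role_name,
        'granted to ' || grantee_name AS detail
    FROM snowflake.account_usage.grants_to_users
    WHERE deleted_on IS NULL
      AND created_on >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
      AND role IN ('ACCOUNTADMIN', 'SECURITYADMIN')   -- assumed "admin" role list
)
SELECT * FROM network_policy_changes
UNION ALL
SELECT * FROM admin_grants
ORDER BY event_time DESC;
```

Each row is one alertable event with who did it, under which role, and what changed; expanding the role list or adding a change-ticket exclusion is how the same template becomes an organisation-specific rule.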
runpanther.io
Demo
Loved by Modern Security Teams
Q & A
Thank You!