2. Panther for Snowflake 3
Speakers
Ben Sebastian
Senior Detections Engineer
Mike Mitrowski
Principal Security Architect
3. Panther for Snowflake 4
Agenda
1. Snowflake and Panther Overview
2. Understand Snowflake’s security best practices
3. How Panther helps you validate security best
practices for Snowflake
4. Demo - Panther for Snowflake
5. Q & A
4. Panther for Snowflake 6
Security Monitoring with Panther for Snowflake
Snowflake and Panther have partnered to deliver a
solution designed to help Snowflake customers properly
ensure the security and compliance of their Snowflake
Data Cloud.
5. Panther for Snowflake 7
With Panther for Snowflake, you can…
• Continuously monitor the security of your Snowflake Data Cloud
• Identify settings that do not align with Snowflake security best practices
• Detect configuration changes
• Detect unauthorized access
• Monitor supporting infrastructure
• Expand your threat hunting to Snowflake
6. Panther for Snowflake 9
SCIM user management
Native Snowflake credentials
● Password policies
● Multi-Factor Authentication
● Key Pair Authentication
Federated Identity
● SAML 2.0-based SSO
● OAuth 2.0 delegated authorization
Session control through policies
Account, region, cloud, and data-level
recovery & failover
● Fail-safe
● Time Travel
● Cross-cloud & region replication &
failover
● AWS, Azure, GCP redundancy
Built-in Features & partner integrations
RBAC & DAC
Column-level security
● Using views & UDFs
● Dynamic data masking
● External tokenization
Row access policy
Tagging
Classification
Anonymization
Customer data always encrypted in flight
Data-at-rest always encrypted using a
hierarchical key model
● Rooted in the CSP’s HSM
● Automated key rotation & re-keying
● BYOK with “Tri-Secret Secure”
Snowflake Security Policy
Snowflake Legal
for DPA (GDPR), acceptable use,
support and more
● Comprehensive audit trail for all activities by all users from login
All communication secured using
TLS 1.2 with HSTS enforced for
all client communications, and
controlled by Network Policies (IP
Allowlisting)
Integration with CSP Private
Networking
● GCP Private Service
Connect
● AWS PrivateLink
● AWS VPC ID S3
policies
● Azure Private Link
● Azure cross-VNet rules
for Blob access
Choose from any of the
Snowflake-supported cloud
regions
Snowflake Security & Governance At A Glance
7 | Compliance & Legal
3 | Data Governance
5 | Encryption
2 | Identity & Access
1 | Network Controls
4 | Data Protection
6 | Auditing
SOC 2 Type II
12 Month Coverage Period
SOC 1 Type II
6 Month Coverage Period
7. Panther for Snowflake 11
Snowflake UI or Driver Running on Your Network (On-Prem or Cloud)
Outside Traffic to AWS
8. Panther for Snowflake 12
Using AWS Direct Connect: Snowflake UI or Driver Running on Your Network
Outside Traffic to AWS Private Link with Direct Connect
9. Panther for Snowflake 13
Snowflake Authentication
How to do Authentication & Delegated Authorization for Snowflake
10. Panther for Snowflake 14
Snowflake Governance Capabilities
Know Your Data | Protect Your Data | Unlock Your Data
Access History
Object Tagging
Account Usage
What
Where
Who
Direct Secure Sharing
Private Data Exchange
Data Marketplace
Row Access Policies
Dynamic Data Masking
External Tokenization
Encryption
Conditional Masking
Anonymization
Classification
11. Panther for Snowflake 15
Database Replication & Failover
Cross-Cloud & Cross-Region Replication
● Business continuity & disaster recovery
● Secure data sharing across regions/clouds
● Data portability for account migrations
Zero Performance Impact on Primary
● Asynchronous replication
Reduced Data Loss
● Incremental refreshes
Instant Recovery
● Read: Readable secondary databases
● Write: Database failover
Secure
● Data encrypted at-rest & in-transit
● Tri-Secret Secure compatible
Cost Effective
● Replication costs: Data transfer & compute (serverless)
● Control which databases to replicate
Azure
AWS
Google Cloud
More about Database Replication & Failover
12. Panther for Snowflake 16
Hierarchical Key Model
• Hierarchical key model rooted in the
CSP’s HSM
○ GCP: Cloud HSM
○ AWS: Cloud HSM
○ Azure: Dedicated HSM
• All data at rest is encrypted by
default, with no configuration
required
More resources on Key Management
13. Panther for Snowflake 17
More resources on Key Management
Hierarchical Key Model
using Tri-Secret Secure
● Hierarchical key model adds a hybrid
HYOK & BYOK model to give the
customer control
● Customer holds key in their CSP Key
Management and brings key
materials to Snowflake to be part of
the key-encrypting key (the Account
Master Key or AMK)
● CSP-supported key managers:
○ GCP: Cloud KMS
○ AWS: AWS KMS
○ Azure: Key Vault
14. Panther for Snowflake 18
Key Rotation
• Snowflake rotates keys every 30 days
• Process is transparent to customer and
queries
More resources on Key Management
Key Re-Keying
• Yearly re-keying re-encrypts data on the
key's birthday
• Re-keying requires Enterprise Edition or better
• Process is transparent to customer and queries
15. Panther for Snowflake 19
Audit Logging – Account Usage
Auditing tracks every user’s
activity at all times in full detail
Kept in a tamper-proof area of
your account for 365 days
All supplied drivers and
connectors also have
extended logging
16. Panther for Snowflake 20
How Panther Helps You Validate
Security Best Practices For
Snowflake
17. Panther for Snowflake 21
High-scale
with zero ops
Fast detection
and data queries
Detection-as-Code
for ultimate flexibility
Panther is a security monitoring platform built for
speed, scale, and flexibility.
Structured data with
no retention limits
18. Panther for Snowflake 23
Panther Brings Your Security Data To Life
1. Security Logs
Cloud
Hybrid
SaaS
4. Alert
3. Detect
Analyze
Normalize
Parse
2. Ingest
+ more
Security Team
5. Investigate
19. Panther for Snowflake 24
Detection Rules
● Panther currently ships with 19 built-in
queries for monitoring Snowflake
● These differ slightly from other rules in
Panther as they are saved SQL queries
as opposed to Python functions for the
rule logic
● Rules include monitoring for items like
authentication configuration, changes in
user permissions, or changes in network
policies
● Some specific rules of note are:
• Network Policies Changed
• Local User Created
• Admin Access Granted
• SCIM Token Generated
● Rules can be customized for your
organization or used as templates to
create custom rules.
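Added example (not Panther's shipped queries, and not from the original slides): what saved-SQL detections for two of the rules named above, Network Policies Changed and Admin Access Granted, could look like when written against Snowflake's Account Usage views. The 24-hour lookback, the text patterns and the choice of ACCOUNTADMIN and SECURITYADMIN as the "admin" roles are assumptions to tune for your organization.

```sql
-- Added example; lookback window, patterns and role list are assumptions.
-- ACCOUNT_USAGE views lag behind real time, so schedule runs with an
-- overlapping lookback window rather than back-to-back windows.

-- Network Policies Changed: successful statements that created, altered
-- or dropped a network policy, or set/unset one on the account or a user.
SELECT
    start_time,
    user_name,
    role_name,
    query_type,
    query_text
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
  AND execution_status = 'SUCCESS'
  -- This detection's own text contains the patterns below; excluding
  -- SELECT statements keeps it from alerting on itself.
  AND query_type <> 'SELECT'
  AND (
        query_text ILIKE '%create%network policy%'
     OR query_text ILIKE '%alter%network policy%'
     OR query_text ILIKE '%drop%network policy%'
     OR query_text ILIKE '%set%network_policy%'   -- also matches UNSET
  )
ORDER BY start_time DESC;

-- Admin Access Granted: admin roles granted directly to a user in the
-- lookback window and still in effect (not yet revoked).
SELECT
    created_on,
    role,
    grantee_name,
    granted_by
FROM snowflake.account_usage.grants_to_users
WHERE created_on >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
  AND deleted_on IS NULL
  AND role IN ('ACCOUNTADMIN', 'SECURITYADMIN')
ORDER BY created_on DESC;
```

Any row returned by either query is a candidate alert; the `user_name`, `role_name` and `granted_by` columns identify who made the change for triage.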