Downloaded 34 times
Uploaded byPanther Labs
How to Implement Snowflake Security Best Practices with Panther
The document outlines how Panther integrates with Snowflake to enhance security and compliance for Snowflake's data cloud. It covers security best practices, continuous monitoring, authentication methods, and features such as encryption, auditing, and data governance. Additionally, it describes the functionality of Panther for detecting unauthorized access and configuration changes through built-in detection rules.
More Related Content
Similar to How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with Panther
- 1. How to ImplementSnowflake Security Best Practices with Panther
- 2. Panther for Snowflake3 Speakers Ben Sebastian Senior Detections Engineer Mike Mitrowski Principal Security Architect
- 3. Panther for Snowflake4 Agenda 1. Snowflake and Panther Overveiw 2. Understand Snowflake’s security best practices 3. How Panther helps you validate security best practices for Snowflake 4. Demo - Panther for Snowflake 5. Q & A
- 4. Panther for Snowflake6 Security Monitoring with Panther for Snowflake Snowflake and Panther have partnered to deliver a solution designed to help Snowflake customers properly ensure the security and compliance of their Snowflake Data Cloud.
- 5. Panther for Snowflake7 With Panther for Snowflake, you can… • Continuously monitor the security of your Snowflake Data Cloud • Identify settings that do not align with Snowflake security best practices • Detect configuration changes • Detect unauthorized access • Monitor supporting infrastructure • Expand your threat hunting to Snowflake
- 6. Panther for Snowflake9 SCIM user management Native Snowflake credentials ● Password policies ● Multi-Factor Authentication ● Key Pair Authentication Federated Identity ● SAML 2.0-based SSO ● OAuth 2.0 delegated authorization Session control through policies Account, region, cloud, and data-level recovery & fallover ● Fall-Safe ● Time Travel ● Cross-cloud & region replication & fallover ● AWS, Azure, GCP redundancy Built-in Features & partner integrations RBAC & DAC Column-level security ● Using views & UDFs ● Dynamic data masking ● External tokenization Row access policy Tagging Classification Anonymization Customer data always encrypted in flight Data-at-rest always encrypted using a hierarchical key model ● Rooted in the CSP’s HSM ● Automated key rotation & re- keying ● BYOK with “Tri-Secret Secure” Snowflake Security Policy Snowflake Legal for DPA (GDPR), acceptable use, support and more ● Comprehensive audit trail for all activities by all users from login All communication secured using TLS 1.2 with HSTS enforced for all client communications, and controlled by Network Policies (IP Allowlisting) Integration with CSP Private Networking ● GSP Private Service Connect ● AWS Privatelink ● AWS VPC ID S3 policies ● Azure Private Link ● Azure cross-VNet rules for Blob access Choose from any of the Snowflake-supported cloud regions Snowflake Security & Governance At A Glance 7 | Compliance & Legal 3 | Data Governance 5 | Encryption 2 | Identity & Access 1 | Network Controls 4 | Data Protection 6 | Auditing SOC 2 Type II 12 Month Coverage Period SOC 1 Type II 6Month Coverage Period
- 7. Panther for Snowflake11 Snowflake UI or Driver Running on Your Network (On-Prem or Cloud) Outside Traffic to AWS
- 8. Panther for Snowflake12 Using AWS Direct Connect: Snowflake UI or Driver Running on Your Network Outside Traffic to AWS Private Link with Direct Connect
- 9. Panther for Snowflake13 Snowflake Authentication How to do Authentication & Delegated Authorization for Snowflake
- 10. Panther for Snowflake14 Snowflake Governance Capabilities Know Your Data Protect Your Data Unlock Your Data Access History Object Tagging Account Usage What Where Who Direct Secure Sharing Private Data Exchange Data Marketplace Row Access Policies Dynamic Data Masking External Tokenization Encryption Conditional Masking Anonymization Classification Priv Pub GA GA GA Priv Pub Pub GA GA
- 11. Panther for Snowflake15 Database Replication & Failover Cross-Cloud & Cross-Region Replication ● Business continuity & disaster recovery ● Secure data sharing across regions/clouds ● Data portability for account migrations Zero Performance Impact on Primary ● Asynchronous replication Reduced Data Loss ● Incremental refreshes Instant Recovery ● Read: Readable secondary databases ● Write: Database failover Secure ● Data encrypted at-rest & in-transit ● Tri-Secret Secure compatible Cost Effective ● Replication costs: Data transfer & compute (serverless) ● Control which databases to replicate 1 2 3 4 5 6 Azure AWS Google Cloud More about Database Replication & Failover
- 12. Panther for Snowflake16 Hierarchical Key Model • Hierarchical key model rooted in the CSP’s HSM ○ GCP: Cloud HSM ○ AWS: Cloud HSM ○ Azure: Dedicated HSM • All data at rest is encrypted by default, with no configuration required Encryption/ Hierarchical Key Model More resources on Key Management Home/
- 13. Panther for Snowflake17 Encryption/ Tri-Secret Secure Key Model More resources on Key Management Hierarchical Key Model using Tri-Secret Secure ● Hierarchical key model adds a hybrid HYOK & BYOK model to give the customer control ● Customer holds key in their CSP Key Management and brings key materials to Snowflake to be part of the key-encrypting key (the Account Master Key or AMK) ● CSP-supported key managers: ○ GCP: Cloud KMS ○ AWS: AWS KMS ○ Azure: Key Vault Home/
- 14. Panther for Snowflake18 Key Rotation • Snowflake rotates keys every 30 days • Process is transparent to customer and queries More resources on Key Management Key Re-Keying • Yearly re-keying re-encrypts data on the key's birthday • Re-keying requires Enterprise Edition or better • Process is transparent to customer and queries Encryption/ Key Rotation & Re-Keying Home/
- 15. Panther for Snowflake19 Audit Logging – Account Usage Auditing tracks every user’s activity at all times in full detail Kept in a tamper-proof area of your account for 365 days All supplied drivers and connectors also have extended logging Home/ Auditing/
- 16. Panther for Snowflake20 How Panther Helps You Validate Security Best Practices For Snowflake 03
- 17. Panther for Snowflake21 . High-scale with zero ops Fast detection and data queries Detection-as-Code for ultimate flexibility Panther is a security monitoring platform built for speed, scale, and flexibility. Structured data with no retention limits Panther For Snowflake
- 18. Panther for Snowflake23 Panther Brings Your Security Data To Life 1. Security Logs Cloud Hybrid SaaS 4. Alert 3. Detect Analyze Normalize Parse 2. Ingest + more Security Team 5. Investigate Panther For Snowflake
- 19. Panther for Snowflake24 Detection Rules ● Panther currently ships with 19 built-in queries for monitoring Snowflake ● These differ slightly from other rules in Panther as they are saved SQL queries as opposed to Python functions for the rule logic ● Rules include monitoring for items like authentication configuration, changes in user permissions, or changes in network policies ● Some specific rules of note are: • Network Policies Changed • Local User Created • Admin Access Granted • SCIM Token Generated ● Rules can be customized for your organization or used as templates to create custom rules.
- 20.
- 21. Panther for Snowflake26 Font size can vary from 24px to 30px Loved by Modern Security Teams Panther For Snowflake
- 22.
- 23.