© 2021 Snowflake Inc. All Rights Reserved
SNOWFLAKE GOVERNANCE
Natalie Nick - Novartis US Sales Engineer
Tino Bourboulas - Novartis EMEA Sales Engineer

DATA GOVERNANCE CHALLENGES

Data Is Everywhere
Must be able to eliminate silos inside and outside your organization

Managing Data Is Unnecessarily Complex
Knowing what your data is — and how it is being used — is hard

Security and Governance Are Inherently Rigid
Requires managing risk and changing regulations, while getting the most from your data

SNOWFLAKE PLATFORM

DATA SOURCES: OLTP DATABASES, ENTERPRISE APPLICATIONS, THIRD-PARTY, WEB/LOG DATA, IoT
DATA CONSUMERS: DATA MONETIZATION, OPERATIONAL REPORTING, AD HOC ANALYSIS, REAL-TIME ANALYTICS

SNOWFLAKE GOVERNANCE

Know Your Data: Understand, classify, and track data and its usage
Protect Your Data: Secure sensitive data with policy-based access controls
Unlock Your Data: Securely collaborate and share data across teams

NEW / UPDATED GOVERNANCE CAPABILITIES

Know Your Data – what it is, where it is: Object Tagging, Classification
Know Your Data – who accessed it: Access History
Protect Your Data: Conditional Masking, Row Access Policies, Anonymization

KNOW YOUR DATA
Automatic Data Classification

Why is it important?
● Risk management, compliance, and data security
● Personal data is easier to discover, protect, track and audit
● Prepares data for anonymization

What is it?
● Process of analyzing data and tagging it according to its semantic and privacy categories

Who does it impact?
● Data owner, Data engineer
● Security Admin, Compliance or Privacy Officer, CDO

How does it work?
● System defined function invoked on a table returns the semantic and privacy categories of each column
● Data owner reviews the results, revises if necessary and then applies the tags
● Admin finds columns, applies policies and tracks usage

Diagram: Alex (Data Owner) runs Classification on specific table(s); Morgan (Admin) finds columns with personal data based on classification.

name            gender  age  zip_code  phone
John Smith      male    39   79007     123-555-1234
Jane Doe        female  50   77001     333-555-1236
Mary Taylor     female  46   77020     222-333-1111
Ann Marshall    female  48   77042     555-555-1234
Michael Gaines  male    75   79003     666-666-1357

Feature status badge shown on each slide: PUBLIC GA / PRIVATE / DEV

PROTECT YOUR DATA
Anonymization

Diagram: Morgan (Admin) defines policies; Alex (Data Owner) creates an anonymized view over the Customer Table; Taylor (Data Analyst) queries the anonymized view.

Customer Table
name            gender  age  zip_code  phone
John Smith      male    39   79007     123-555-1234
Jane Doe        female  50   77001     333-555-1236
Mary Taylor     female  46   77020     222-333-1111
Michael Gaines  male    37   79003     666-666-1357

Anonymized View
name  gender  age      zip_code  phone
****  male    [36-40]  790**     ***-***-****
****  female  [46-50]  770**     ***-***-****
****  female  [46-50]  770**     ***-***-****
****  male    [36-40]  790**     ***-***-****

Why is it important?
● Risk management and compliance
● Retains analytical value
● Unique vs competitors (native anonymity)

What is it?
● An irreversible process of de-identifying data according to k-Anonymity (industry standard)

Who does it impact?
● Data Owner, Data Engineer
● Security Admin, Compliance or Privacy Officer, CDO
● Data Analyst, Data Scientist

How does it work?
● Create an anonymized view that has the k-Anonymity property
● Remove directly identifying information
● Generalize or suppress indirectly or quasi identifying information into groups of at least size k

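The three "How does it work?" steps carried through on the slide's own Customer Table, as an added example that is not from the deck and does not use Snowflake's native anonymization feature: a hand-built view in Snowflake SQL that has the k-anonymity property for k = 2. Assumed names: customer, customer_generalized, customer_anon_v, role analyst.

```sql
-- Added example (not the deck's code). Sample rows are the slide's Customer Table.
CREATE OR REPLACE TABLE customer (
  name STRING, gender STRING, age INT, zip_code STRING, phone STRING
);
INSERT INTO customer VALUES
  ('John Smith',     'male',   39, '79007', '123-555-1234'),
  ('Jane Doe',       'female', 50, '77001', '333-555-1236'),
  ('Mary Taylor',    'female', 46, '77020', '222-333-1111'),
  ('Michael Gaines', 'male',   37, '79003', '666-666-1357');

-- Step 1: remove direct identifiers (name, phone) and generalize the
-- quasi-identifiers: age into 5-year bands ([36-40], [46-50], ...) and
-- zip_code to its 3-digit prefix, matching the slide's anonymized view.
CREATE OR REPLACE VIEW customer_generalized AS
SELECT
  '****'                                                    AS name,
  gender,
  '[' || TO_VARCHAR(lo) || '-' || TO_VARCHAR(lo + 4) || ']' AS age,
  SUBSTR(zip_code, 1, 3) || '**'                            AS zip_code,
  '***-***-****'                                            AS phone
FROM (
  SELECT *, age - MOD(age - 1, 5) AS lo   -- lower bound of the band, e.g. 39 -> 36
  FROM customer
);

-- Step 2: enforce k. Every combination of quasi-identifiers (an "equivalence
-- class") must hold at least k rows; rows in smaller classes are suppressed,
-- because a class of one would still single out a person.
CREATE OR REPLACE VIEW customer_anon_v AS
SELECT name, gender, age, zip_code, phone
FROM (
  SELECT g.*,
         COUNT(*) OVER (PARTITION BY gender, age, zip_code) AS class_size
  FROM customer_generalized g
)
WHERE class_size >= 2;   -- k = 2

-- The analyst (Taylor) is granted the anonymized view only, never the base table.
GRANT SELECT ON VIEW customer_anon_v TO ROLE analyst;

-- Check which classes the view would suppress. With the slide's four rows both
-- classes (male/[36-40]/790** and female/[46-50]/770**) have size 2, so nothing
-- is suppressed and this returns no rows; a lone 'male, 62, 75001' row would be
-- listed here and dropped from customer_anon_v rather than exposed.
SELECT gender, age, zip_code, COUNT(*) AS class_size
FROM   customer_generalized
GROUP BY gender, age, zip_code
HAVING COUNT(*) < 2;
```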
OBJECT TAGGING
Track Sensitive Data and Compute Objects

Diagram: Morgan (Admin) creates custom tags (Confidentiality, PII_Type, Department); Alex (Data Owner) assigns objects a tag value; Morgan (Admin) audits tagged objects.

Tagged table
ID   SSN         Phone
101  *********   248-222-3333
102  *********   800-778-9904
103  *********   415-887-8888

Tag values assigned by the data owner:
Confidentiality = Sensitive
PII_Type = Phone
Department = Sales

Why is it important?
● Track sensitive information to satisfy regulatory compliance (GDPR/CCPA, SOX) audit and protection.
● Track resource usage for cost attribution by cost center, department, client etc.

What is it?
● Easy-to-manage, scalable way to associate metadata with objects.
● Customers can custom create a tag (new Snowflake object) and assign to any supported object such as column, table, or warehouse in their account.

Who does it impact?
● Data owner, Data engineer, Data Stewards
● Security Admin, Compliance or Privacy Officer, CDO

How does it work?
● Track sensitive data and resources across an account in three simple steps: Create Tags, Assign to Objects, Audit.
● Privileges for centralized and decentralized tag assignment.

OBJECT TAGGING
Key Capabilities

Currently Available:
● Create tags
● Assign tags to objects (warehouse, role, user, database, schema, table, view, column)
● Display tags and relationships with objects using account usage views and functions (e.g. “display all columns associated with tag_x”, “display all tags associated with table_y”)
● Display tag lineage:
  a. If a tag is assigned to a database, all objects within that database will adopt the tag.
  b. Users can use a function (e.g. “get_tag_by_lineage”) to display all of the tags for an object that were assigned via lineage
● Today, customers leverage Stored Procedures to scan tags and apply policies based on the tag value

Future Roadmap:
● Associate a policy with a tag: Users will be able to associate a policy with a tag, which will automatically enforce policies for other objects based on shared tags. For example - if tag “pii” is associated with policy “pii_string”, and the tag is applied to a table “customer_data”, then the table will automatically inherit the “pii_string” policy (which will dynamically mask the string columns).
● Use tags in conditional logic of policy: Instead of just using the user’s current role, look for the tag on the role (using function “get current tag on role”) - and if tag is approved for data, will grant/deny access.

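The classify, tag and audit flow of the Classification slide and the two Object Tagging slides, as one added example that is not from the deck. Assumed names: database GOV, schema CRM, table CUSTOMER with PHONE and SSN columns, tag names as on the slide; EXTRACT_SEMANTIC_CATEGORIES is Snowflake's classification function, but the layout of its result is my assumption, and the ACCOUNT_USAGE views are used as I know them.

```sql
-- Added example (not the deck's code).
USE SCHEMA gov.crm;

-- 1. Admin (Morgan) creates the custom tags once, centrally.
CREATE TAG IF NOT EXISTS confidentiality COMMENT = 'Sensitivity level of the object';
CREATE TAG IF NOT EXISTS pii_type        COMMENT = 'Kind of personal data held in a column';
CREATE TAG IF NOT EXISTS department      COMMENT = 'Owning department, for cost attribution';

-- 2. Data owner (Alex) runs classification on the table and reviews the proposal.
--    Assumed result layout: one entry per column with its semantic and privacy
--    categories. The owner decides what to keep before any tag is written.
SELECT EXTRACT_SEMANTIC_CATEGORIES('gov.crm.customer');

-- 3. Data owner assigns the reviewed values: object-level and column-level tags.
ALTER TABLE customer SET TAG confidentiality = 'Sensitive', department = 'Sales';
ALTER TABLE customer MODIFY COLUMN phone SET TAG pii_type = 'Phone';
ALTER TABLE customer MODIFY COLUMN ssn   SET TAG pii_type = 'SSN';

-- 4. Admin audits. Immediate view for one table, including tags inherited by
--    lineage from the schema or database (LEVEL says where the tag was set).
SELECT column_name, tag_name, tag_value, level
FROM   TABLE(gov.information_schema.tag_references_all_columns('gov.crm.customer', 'table'));

-- Account-wide audit (ACCOUNT_USAGE lags by up to a couple of hours):
-- every column tagged as holding a phone number or SSN.
SELECT object_database, object_schema, object_name, column_name, tag_value
FROM   SNOWFLAKE.ACCOUNT_USAGE.TAG_REFERENCES
WHERE  tag_name = 'PII_TYPE' AND domain = 'COLUMN'
ORDER BY object_name, column_name;

-- Gap check: PII-tagged columns with no masking policy attached. The deck notes
-- that today a stored procedure closes this gap by applying policies from tag
-- values; this lists exactly the columns such a procedure would have to handle.
SELECT t.object_database, t.object_schema, t.object_name, t.column_name, t.tag_value
FROM   SNOWFLAKE.ACCOUNT_USAGE.TAG_REFERENCES t
LEFT JOIN SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES p
       ON  p.policy_kind       = 'MASKING_POLICY'
       AND p.ref_database_name = t.object_database
       AND p.ref_schema_name   = t.object_schema
       AND p.ref_entity_name   = t.object_name
       AND p.ref_column_name   = t.column_name
WHERE  t.tag_name = 'PII_TYPE' AND t.domain = 'COLUMN'
AND    p.policy_name IS NULL
ORDER BY t.object_name, t.column_name;
```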
DEMO: OBJECT TAGGING

ROW ACCESS POLICIES
Dynamically Filter Unauthorized Rows

Diagram: the Policy Admin creates a policy that looks up the Entitlement table and applies it to the Sales table; each querying role then sees only the rows its entitlement allows.

Table: Entitlement
Role    Allowed Region
EU_RL   Europe
NA_RL   North America

Table: Sales
Customer  Spend       Region
ACME      $820,000    North America
Koko      $2,100,00   North America
AGM       $5,757,000  Europe
Kira      $228,000    Asia

Jordan (Role: EU_RL) sees:
Customer  Spend       Region
AGM       $5,757,000  Europe

Alex (Role: NA_RL) sees:
Customer  Spend       Region
ACME      $820,000    North America
Koko      $2,100,00   North America

Why is it important?
● Saves cost and time by reducing management overhead associated with alternatives.
● Improves security posture by centralizing access policy.
● Unlocks data by eliminating data silos while complying with compliance requirements.

What is it?
● Easy-to-manage row-level security that dynamically filters rows in a table based on the querying user’s authorization.

Who does it impact?
● Data Engineers, Security Admin, Compliance or Privacy Officer, CDO

How does it work?
● Enforce row level security with four easy steps: Create a policy, Assign to Tables/Views, Enforce row filtering, Audit assignments.
● Privileges for centralized and decentralized policy assignment.

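The four steps (create, assign, enforce, audit) for the slide's entitlement lookup, as an added Snowflake SQL example that is not from the deck. Assumed names: tables entitlement and sales, policy sales_region_policy; the role names EU_RL and NA_RL follow the slide, and the Koko and AGM spend figures are read as 2,100,000 and 5,757,000.

```sql
-- Added example (not the deck's code). Sample rows follow the slide.
CREATE OR REPLACE TABLE entitlement (role_name STRING, allowed_region STRING);
INSERT INTO entitlement VALUES ('EU_RL', 'Europe'), ('NA_RL', 'North America');

CREATE OR REPLACE TABLE sales (customer STRING, spend NUMBER(12, 0), region STRING);
INSERT INTO sales VALUES
  ('ACME',  820000, 'North America'),
  ('Koko', 2100000, 'North America'),
  ('AGM',  5757000, 'Europe'),
  ('Kira',  228000, 'Asia');

-- 1. Create: the body is evaluated per row; a row is visible only when the
--    querying role holds an entitlement for that row's region. The lookup runs
--    with the policy owner's privileges, so the querying role needs no grant on
--    entitlement (and should not have one, or it could read the whole map).
CREATE OR REPLACE ROW ACCESS POLICY sales_region_policy AS (region STRING)
  RETURNS BOOLEAN ->
  EXISTS (
    SELECT 1
    FROM   entitlement e
    WHERE  e.role_name      = CURRENT_ROLE()
    AND    e.allowed_region = region
  );

-- 2. Assign the policy to the table, binding its argument to the region column.
ALTER TABLE sales ADD ROW ACCESS POLICY sales_region_policy ON (region);

-- 3. Enforce: nothing more to do, the filter now applies to every query.
--    Jordan (EU_RL) gets AGM only; Alex (NA_RL) gets ACME and Koko; no role is
--    mapped to 'Asia', so Kira is returned to nobody. The table owner is not
--    exempt: without an entitlement row for its role it sees zero rows, which is
--    the expected "deny by default" outcome, not a bug.
SELECT customer, spend, region FROM sales;

-- 4. Audit where the policy is attached and on which column it is evaluated.
SELECT ref_entity_name, ref_entity_domain, ref_arg_column_names
FROM   TABLE(information_schema.policy_references(policy_name => 'sales_region_policy'));
```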
COLUMN LEVEL SECURITY
Dynamic Data Masking AND External Tokenization

Dynamic Data Masking (INGEST RAW DATA; Masking Policies applied at query time)

Alex (Unauthorized) sees:
ID   Phone          SSN
101  ***-***-5534   *********
102  ***-***-3564   *********
103  ***-***-9787   *********

Morgan (Authorized) sees:
ID   Phone          SSN
101  408-123-5534   *********
102  510-335-3564   *********
103  214-553-9787   *********

External Tokenization (INGEST TOKENIZED DATA; Masking Policies call External Functions, which reach a De-Tokenization API through an API Gateway in the customer VPC / VNet)

Alex (Unauthorized) sees the stored tokens:
ID   Phone          SSN
101  882-345-8344   213-44-5563
102  980-234-8934   369-77-0088
103  512-345-6443   802-44-9984

Morgan (Authorized) sees the de-tokenized values:
ID   Phone          SSN
101  408-123-5534   369-22-7781
102  510-335-3564   787-12-3345
103  214-553-9787   312-88-3421

Ingestion And Consumption Policies

Ingest raw data:
ID   Phone          SSN
101  408-123-5534   387-78-3456
102  510-334-3564   226-44-8908
103  214-553-9787   359-9987-0098

Bob (authorized) sees the raw values; Alice (unauthorized) sees:
ID   Phone          SSN
101  ***-**-5534    ********
102  ***-**-3564    ********
103  ***-**-9787    ********

Dynamically mask protected (PII, PHI) column data at query time
• No change to the stored data
• Mask or partial mask using constant value, hash, and custom functions
• Unmask for authorized users only

Policy based control
• Table/View owners and privileged users (such as accountadmin) unauthorized by default
• Centralized policy mgt

Ease of Management
• Apply single policy to multiple columns
• Prevent secure view explosion

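The two column-level patterns of the preceding slides (raw data masked at query time, and tokenized data de-tokenized only for an authorized role), as one added Snowflake SQL example that is not from the deck. Assumed names: table customer_pii (id, phone, ssn), roles PII_ROLE and SUPPORT, API integration tok_api_int, external function detokenize_ssn; the ARN and endpoint URL are placeholders.

```sql
-- Added example (not the deck's code).

-- Pattern 1: ingest raw data, mask at query time. One policy gives three
-- behaviours: clear text for PII_ROLE, a partial mask keeping the last four
-- digits (as on the slide) for SUPPORT, and a hash for everyone else. The hash
-- is a pseudonym that still allows joins and counts; for a low-entropy value
-- like a phone number it is enumerable, so treat it as pseudonymization, not as
-- a secret. Stored data is never changed by any of these branches.
CREATE OR REPLACE MASKING POLICY phone_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_ROLE') THEN val
    WHEN CURRENT_ROLE() IN ('SUPPORT')  THEN '***-***-' || RIGHT(val, 4)
    ELSE SHA2(val, 256)
  END;
ALTER TABLE customer_pii MODIFY COLUMN phone SET MASKING POLICY phone_mask;

-- Pattern 2: ingest tokenized data. The stored value is a token minted outside
-- Snowflake; clear text exists only in the customer's vault. The policy calls
-- the de-tokenization API solely for the authorized role, so every other role,
-- the table owner included, receives the token itself.
CREATE OR REPLACE API INTEGRATION tok_api_int
  API_PROVIDER         = aws_api_gateway
  API_AWS_ROLE_ARN     = 'arn:aws:iam::<account-id>:role/<role-name>'   -- placeholder
  API_ALLOWED_PREFIXES = ('https://<api-gateway-host>/prod/')           -- placeholder
  ENABLED              = TRUE;

CREATE OR REPLACE EXTERNAL FUNCTION detokenize_ssn(token STRING)
  RETURNS STRING
  API_INTEGRATION = tok_api_int
  AS 'https://<api-gateway-host>/prod/detokenize';                      -- placeholder

CREATE OR REPLACE MASKING POLICY ssn_detokenize AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_ROLE') THEN detokenize_ssn(val)
    ELSE val
  END;
ALTER TABLE customer_pii MODIFY COLUMN ssn SET MASKING POLICY ssn_detokenize;

-- Confirm both bindings on the table.
SELECT ref_column_name, policy_name, policy_kind
FROM   TABLE(information_schema.policy_references(ref_entity_name   => 'customer_pii',
                                                   ref_entity_domain => 'table'));
```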
Dynamic Data Masking Policies

Diagram: the Policy Admin applies one Masking Policy (<policy condition>, <masking function>) to resources across the account: DB 1 / Table 1 / Column 1, DB 1 / View 1 / Column 1, ... DB n / Table n / Column n.

Masking Policy Example (unmask, partial mask, or mask, depending on the invoking role):

    CASE
      WHEN invoker_role() IN ('pii_role') THEN val                                  -- Unmask
      WHEN invoker_role() IN ('support') THEN regexp_replace(val, '.+@', '*****@')  -- Partial mask
      ELSE '********'                                                               -- Mask
    END;

Masking Policy
• Policy contains condition(s) and masking function to apply under those conditions
• Policy is applied to one or more table, view, or external table columns in an account
• Nested policy execution for views - policy on table executed before policy on view(s)

Supports
• All data types
• Data sharing
• Streams
• Clone carries over policy associations

Create Masking Policy

    CREATE MASKING POLICY <name> AS
      (val <data_type>) returns <data_type> -> (SQL expression on val);

Example:

    CREATE MASKING POLICY email_mask AS
      (val string) returns string ->
      CASE
        WHEN current_role() IN ('ANALYST') THEN val
        ELSE '***MASKED***'
      END;

Apply Masking Policy To Column(s)

    ALTER {TABLE | VIEW} <name> MODIFY COLUMN <col_name> [UN]SET MASKING POLICY <name>;

Example:

    ALTER TABLE customer MODIFY COLUMN email SET MASKING POLICY email_mask;
    ALTER VIEW customer_v MODIFY COLUMN email SET MASKING POLICY email_mask;

Note: policies can also be applied to external tables.

DEMO: COLUMN AND ROW-LEVEL POLICIES

ACCESS HISTORY
Satisfy Regulatory Compliance, Understand Usage with Column-level Access Visibility

Diagram: Taylor (Privileged User) runs "Select * from Info;" against view INFO (directly accessed), which reads the base tables SENSITIVE and CONTACT; Morgan (Admin) runs "Select * from Sensitive;" directly against the table. Both queries are logged in Access History.

View: INFO (Directly Accessed)
ID   Phone          Unique_ID
101  248-222-3333   333-78-9999
102  800-778-9904   779-66-8908
103  415-887-8888   111-00-8888

Table: SENSITIVE
ID   SSN
101  333-78-9999
102  779-66-8908
103  111-00-8888

Table: CONTACT
ID   Mobile
101  248-222-3333
102  800-778-9904
103  415-887-8888

Access History log
User    Tables                    Columns
Taylor  Info, Sensitive, Contact  ID, Phone, Unique_ID, SSN, Mobile
Morgan  Sensitive                 ID, SSN

Why is it important?
● Satisfy Compliance Audits for SOX, PII, and other sensitive data access with audit reports.
● Optimize storage with visibility of unused tables and columns.
● Lowers cost by eliminating need to parse query statements.
● Unique column-level viz vs. Cloud competitors

What is it?
● A new Account_Usage view with records of tables and columns directly and indirectly accessed by each query.

Who does it impact?
● Data owner, Data engineer, Data Stewards
● Security Admin, Compliance or Privacy Officer, CDO

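Two of the audit questions the slide raises (who reached the SSN column, and which columns nobody reads), answered against the Account_Usage view, as an added example that is not from the deck. Assumed: database GOV, schema CRM, table SENSITIVE with column SSN as on the slide; ACCESS_HISTORY and COLUMNS are used with the column and JSON layouts I know for them.

```sql
-- Added example (not the deck's code). ACCESS_HISTORY lags by up to a few hours,
-- so it is an audit source, not a real-time control.

-- Who touched SENSITIVE.SSN in the last 7 days, directly (Morgan's query) or
-- through a view such as INFO (Taylor's query)? base_objects_accessed resolves
-- views to the tables underneath, which is why both users appear even though
-- only Morgan named the table; direct_objects_accessed would show INFO for Taylor.
SELECT ah.query_start_time,
       ah.user_name,
       ah.query_id,
       base.value:"objectName"::STRING AS base_object,
       col.value:"columnName"::STRING  AS base_column
FROM   SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY ah,
       LATERAL FLATTEN(input => ah.base_objects_accessed) base,
       LATERAL FLATTEN(input => base.value:"columns")      col
WHERE  ah.query_start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
AND    base.value:"objectDomain"::STRING = 'Table'
AND    base.value:"objectName"::STRING   = 'GOV.CRM.SENSITIVE'
AND    col.value:"columnName"::STRING    = 'SSN'
ORDER BY ah.query_start_time DESC;

-- Columns of GOV.CRM tables that no query has read in 90 days: candidates for
-- the "optimize storage" review, and for dropping sensitive data nobody needs.
WITH accessed AS (
  SELECT DISTINCT base.value:"objectName"::STRING AS obj,
                  col.value:"columnName"::STRING  AS col
  FROM   SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY ah,
         LATERAL FLATTEN(input => ah.base_objects_accessed) base,
         LATERAL FLATTEN(input => base.value:"columns")      col
  WHERE  ah.query_start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())
)
SELECT c.table_name, c.column_name
FROM   SNOWFLAKE.ACCOUNT_USAGE.COLUMNS c
LEFT JOIN accessed a
       ON  a.obj = c.table_catalog || '.' || c.table_schema || '.' || c.table_name
       AND a.col = c.column_name
WHERE  c.table_catalog = 'GOV'
AND    c.table_schema  = 'CRM'
AND    c.deleted IS NULL
AND    a.col IS NULL
ORDER BY c.table_name, c.column_name;
```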
CONDITIONAL MASKING POLICIES
Conditional Unmasking: Conditionally Mask Based on Value in Other Column(s)

Diagram (INGEST RAW DATA): the same table as seen by two roles; the phone column is unmasked only where the row's dept matches the role.

Jordan (Role: Sales) sees:
name            dept     zip_code  phone
John Smith      Sales    79007     123-555-1234
Jane Doe        Sales    77001     333-555-1236
Mary Taylor     Finance  77020     ***-***-1111
Ann Marshall    Finance  77042     ***-***-1234
Michael Gaines  Finance  79003     ***-***-1357

Alex (Role: Finance) sees:
name            dept     zip_code  phone
John Smith      Sales    79007     ***-***-1234
Jane Doe        Sales    77001     ***-***-1236
Mary Taylor     Finance  77020     222-333-1111
Ann Marshall    Finance  77042     555-555-1234
Michael Gaines  Finance  79003     666-666-1357

Why is it important?
● Unique to Snowflake vs other Cloud DWs
● Demonstrates Snowflake investments to address fine-grained data access control needs
● Provides fine-grained access controls without creating silos or increasing management overhead

What is it?
● Mask protected field-level data based on value in another column(s)

Who does it impact?
● Data owner, Data engineer, Data Stewards
● Security Admin, Compliance or Privacy Officer, CDO

How does it work?
● Enhances MASKING POLICY to take condition column(s) as input for masking decision.

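The slide's policy written out, as an added Snowflake SQL example that is not from the deck: the masking decision reads a second column (dept) passed in through USING. Assumed names: table employee with the slide's columns, roles SALES and FINANCE, policy phone_by_dept.

```sql
-- Added example (not the deck's code). Sample rows follow the slide.
CREATE OR REPLACE TABLE employee (name STRING, dept STRING, zip_code STRING, phone STRING);
INSERT INTO employee VALUES
  ('John Smith',     'Sales',   '79007', '123-555-1234'),
  ('Jane Doe',       'Sales',   '77001', '333-555-1236'),
  ('Mary Taylor',    'Finance', '77020', '222-333-1111'),
  ('Ann Marshall',   'Finance', '77042', '555-555-1234'),
  ('Michael Gaines', 'Finance', '79003', '666-666-1357');

-- The first argument is the column being masked; every further argument is a
-- condition column the policy may read but does not alter. A row's phone is
-- returned in clear only when the querying role matches that row's dept.
CREATE OR REPLACE MASKING POLICY phone_by_dept AS (phone STRING, dept STRING)
  RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() = 'SALES'   AND dept = 'Sales'   THEN phone
    WHEN CURRENT_ROLE() = 'FINANCE' AND dept = 'Finance' THEN phone
    ELSE '***-***-' || RIGHT(phone, 4)   -- partial mask, as on the slide
  END;

-- USING lists the masked column first, then the condition column(s), in the
-- order of the policy signature.
ALTER TABLE employee MODIFY COLUMN phone
  SET MASKING POLICY phone_by_dept USING (phone, dept);

-- Jordan (SALES) sees Sales phones in clear and Finance phones masked; Alex
-- (FINANCE) sees the reverse. Any other role, the owner and ACCOUNTADMIN
-- included, hits the ELSE branch and sees every phone masked.
SELECT name, dept, zip_code, phone FROM employee;

-- Audit the binding, including which columns feed the condition.
SELECT ref_entity_name, ref_column_name, ref_arg_column_names
FROM   TABLE(information_schema.policy_references(policy_name => 'phone_by_dept'));
```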