{"id":39967,"date":"2022-11-29T06:58:03","date_gmt":"2022-11-29T11:58:03","guid":{"rendered":"https:\/\/centricconsulting.com\/?p=39967"},"modified":"2022-11-28T11:00:44","modified_gmt":"2022-11-28T16:00:44","slug":"snowflake-security-vs-data-privacy-regulating-internal-data-access","status":"publish","type":"post","link":"https:\/\/centricconsulting.com\/blog\/snowflake-security-vs-data-privacy-regulating-internal-data-access\/","title":{"rendered":"Snowflake Security vs. Data Privacy: Regulating Internal Data Access"},"content":{"rendered":"
The up-and-coming data cloud Snowflake makes providing high-performance data access easier and more efficient than traditional databases, giving us the opportunity to get more value from our information. But it also requires us to think differently about keeping data safe.

In this six-part blog series, we have laid out some best practices for managing information access and Snowflake security, from organizing and isolating data to object tagging. In this final entry, we discuss a balanced approach to internal controls and share some guiding principles that will help us make decisions along the way.

Snowflake Security vs. Privacy

Data security, as we use the term here, refers to protecting data from outside access or interference: essentially, keeping attackers out. In Snowflake, all data is encrypted in transit and at rest, which protects it from direct theft of the underlying storage or of network traffic. Note what that encryption does not do: it offers no protection against anyone holding valid credentials, because Snowflake decrypts the data for every authorized query. If desired, special Snowflake accounts are available for federal government work and for HIPAA compliance, but even the standard Snowflake environment is highly secure.

A well-configured Snowflake environment that authenticates users through Active Directory integration and Single Sign-On (SSO) will not allow direct access from outside your organization. Employees log in through your identity provider, and external users reach data only through interfaces you create or provide, such as dashboards or applications (or tightly controlled data shares, if desired). Two caveats are worth stating. First, SSO controls who can log in, not where from; to limit logins to your own network, pair it with a Snowflake network policy that allow-lists your corporate IP ranges. Second, employees who authenticate through SSO lose access automatically when their Active Directory account is disabled only if SSO is their sole way in: a Snowflake user that still has a password or key pair set, or that is never deprovisioned (for example through SCIM), remains a usable account after the person leaves.

Of greater concern is the proper protection of data privacy within the world of authorized users.

Protecting Data Access and Your Reputation

As I mentioned in part one, information is simultaneously valuable and dangerous. Technology companies have (intentionally or unintentionally) been careless about protecting private consumer data since the rise of the internet and social media. Global governments are stepping in to hold companies accountable.

Fines and related business impacts can reach tens of millions of dollars. Google, British Airways, H&M and Marriott have each received GDPR fines of over €10M, and Equifax recently reached a settlement of $425M for its 2017 data breach. Earlier this year, one global credit card brand had to stop issuing cards in India entirely due to alleged non-compliance with that country's laws requiring data to be stored on Indian soil.

A potentially greater concern is the damage to an organization's reputation. In the last few years, large and profitable companies have seen their stock prices plummet and their customers leave in droves when they make the news because of a data breach. Similar problems simmer beneath the surface elsewhere: medical organizations reliably comply with HIPAA regulations for data leaving their walls, but may not have the time or expertise to prevent inappropriate access by their own employees.

At many organizations, any employee has full access to private information because separating it by role is too hard. These practices may meet the letter of legal compliance, but, as the rise of phishing and ransomware has shown, they leave open opportunities for disaster: an attacker who compromises one over-privileged account gets everything that account can see.

Regulating Data Access in Snowflake

Here are a few recommendations for careful and efficient privacy practices.

Consider anonymization, encryption and masking. True anonymization, by the historical standard, transforms sensitive data into a form that cannot be reversed. Encryption of individual fields, by contrast, produces output that looks random but can be reversed by anyone holding the right key, which is desirable when the original value must be recoverable later. Anonymization replaces values with characters that bear no relationship to the underlying data, such as "000-000-0000" for every phone number.

You may not need this bar-the-doors approach in your environment once the recommended isolation, masking, role and row-level policies are combined. Here are some guiding principles to follow:
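As an added illustration (this is not code from the original post), here is how the controls discussed above fit together in Snowflake SQL: a network policy that restricts where logins may come from, a column masking policy that returns cleartext, a one-way hash, or the anonymized placeholder depending on the caller's role, and a row access policy driven by an entitlements table. The database and schema `SALES.CRM`, the table `CUSTOMERS(id, phone, region)`, the roles `PII_READER` and `ANALYST`, and the address range 203.0.113.0/24 are all assumed placeholders.

```sql
-- Added example, not part of the original post. Assumed names:
-- schema SALES.CRM, table CUSTOMERS(id, phone, region), roles
-- PII_READER and ANALYST, and the documentation range 203.0.113.0/24
-- standing in for the corporate egress network.

-- 1. SSO says who may log in; a network policy says from where.
--    Valid SSO credentials presented from an address outside the
--    allow-list are refused.
CREATE OR REPLACE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. A column masking policy decides, per query, what each role sees.
--    Three tiers: cleartext for a narrow PII role, a one-way hash for
--    analysts (rows stay joinable on the token, but the number itself
--    is not exposed), and the fixed placeholder from the text for
--    everyone else. Caveat: a plain hash of a small keyspace such as
--    phone numbers can be brute-forced offline, so treat the hashed
--    tier as pseudonymization, not anonymization.
CREATE OR REPLACE MASKING POLICY sales.crm.phone_mask
  AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_READER') THEN val
    WHEN CURRENT_ROLE() IN ('ANALYST')    THEN SHA2(val, 256)
    ELSE '000-000-0000'
  END;

ALTER TABLE sales.crm.customers
  MODIFY COLUMN phone SET MASKING POLICY sales.crm.phone_mask;

-- 3. A row access policy limits which rows a role can see at all.
--    Entitlements live in a table, so granting a team a new region is
--    an INSERT rather than an edit to the policy body.
CREATE TABLE IF NOT EXISTS sales.crm.region_entitlements (
  role_name STRING,
  region    STRING
);
INSERT INTO sales.crm.region_entitlements VALUES ('ANALYST', 'EMEA');

-- The argument is named row_region so it cannot be confused with the
-- entitlement table's own region column inside the subquery.
CREATE OR REPLACE ROW ACCESS POLICY sales.crm.region_rap
  AS (row_region STRING) RETURNS BOOLEAN ->
  CURRENT_ROLE() IN ('PII_READER')
  OR EXISTS (
    SELECT 1
    FROM sales.crm.region_entitlements e
    WHERE e.role_name = CURRENT_ROLE()
      AND e.region    = row_region
  );

ALTER TABLE sales.crm.customers
  ADD ROW ACCESS POLICY sales.crm.region_rap ON (region);

-- 4. Verify by switching roles (the executing user must hold ANALYST).
--    ANALYST sees only EMEA rows, with hashed phone numbers; a role
--    with no entitlement row gets zero rows back rather than an error.
USE ROLE ANALYST;
SELECT id, phone, region FROM sales.crm.customers;
```

Two points to check before copying this pattern. Both policies key on `CURRENT_ROLE()`, which only examines the session's primary role; if your users activate secondary roles, test with `IS_ROLE_IN_SESSION('PII_READER')` instead so that a PII role held as a secondary role is recognized. And because masking and row access policies are enforced inside Snowflake, they protect against over-privileged insiders and stolen credentials alike, which is exactly the gap that encryption at rest leaves open.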