Complex Access Control Governance in Snowflake with Privacera


Fine-Grained Access Control (FGAC) is commonly used to separate the users who may access particular information in a document from those who may not. A common example is withholding certain information from the marketing department while still allowing its members to view the information relevant to their jobs.

Why use Privacera in conjunction with Snowflake for FGAC? Privacera streamlines Snowflake policy management by simplifying the process and automatically updating Snowflake policies through the Privacera Platform. A simple click-based GUI lets users set up their policies easily, and those policies are translated into Snowflake-specific grant/revoke privileges.

These privileges can be tuned to the file, row, and even column level, while also providing audit records from Apache Ranger’s central audit stores and engines like Apache Kafka. Snowflake users therefore gain a variety of benefits:

  • Managing permissions for roles and setting policies for users and groups from Active Directory
  • Joining datasets across multiple Snowflake roles
  • Integrating with native Snowflake audits, allowing for precise access analytics
  • Centralizing and publishing audit records to external log aggregators and SIEMs
  • Easily applying consistent compliance policies for GDPR, CCPA, LGPD, HIPAA, and other regulations
  • Providing delegated policy administration for business groups and data owners
  • Implementing dynamic column masking, row-level filtering, and column-level access control
  • Simplifying policy management and enabling tag-based policies

To walk through a use case, consider the following scenario.

Consider a large organization with several operating companies: a parent entity, a manufacturing division, a consulting company, and a recently acquired industrial software company. 

The parent organization maintains a data warehouse for internal financial and budgeting use. They would like to migrate it to Snowflake and make some data available to the operating companies for their own planning and analysis. However, their internal controls and policies prohibit certain data from existing in the cloud without at-rest encryption at a field level, and managing access for users across the parent company and all three operating companies is complex and risky.

The manufacturing and consulting operating companies generate a great deal of data in local data marts and a few huge, risky spreadsheet applications. They would like to use Snowflake for these applications as well. The manufacturing company would like to use some of the data collected by the consulting company for benchmarking, but is prohibited from seeing the data with any identifying information, and the industrial software company would like to use data from both the consulting company and manufacturing operations to train ML models for new, AI-powered software.

With Privacera, all four entities can meet their needs, ensuring a secure migration and enabling appropriate, transparent reuse of data:

  • Encrypting data at rest prior to migration to Snowflake
  • Providing column-level masking to allow sharing and analysis without exposing sensitive information
  • Automatically provisioning access to Snowflake data at a database, table, or column level based on each operating company’s directory
  • Filtering data within Snowflake based on organization, role, or attribute
  • Scanning for, flagging, and protecting data as it is added to Snowflake

Privacera’s Compliance Workflows can be used to encrypt data at rest at a field level in cloud storage such as S3 or ADLS.

Policy-based access control permits privileged users to see decrypted data when appropriate and can dynamically mask data so that it can be analyzed while the sensitive values stay protected.

Users, groups, and user attributes are synchronized from each company’s identity provider (IDP) and used to provision data access automatically, reducing onboarding time and the risk of manual errors.

Row filters are automatically provisioned directly in Snowflake, using high-performance, native Snowflake features.
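To make concrete what the native Snowflake objects behind the column masking and row filtering described above look like, here is an added example written for this post; it is not SQL generated by Privacera or taken from the original page, and every schema, table, column and role name in it is constructed for the scenario. It assumes a consulting engagements table shared for benchmarking and a parent-company budget table split by operating company, and a deterministic hash (an assumption of this example) as the masking form for the ML team:

```sql
-- Constructed schemas for the scenario: consulting's engagement data is shared for
-- benchmarking; parent finance keeps a budget table partitioned by operating company.
CREATE SCHEMA IF NOT EXISTS consulting;
CREATE SCHEMA IF NOT EXISTS parent;
CREATE SCHEMA IF NOT EXISTS governance;

CREATE TABLE IF NOT EXISTS consulting.engagements (
  customer_name STRING, customer_email STRING, region STRING, revenue NUMBER);
CREATE TABLE IF NOT EXISTS parent.budget_lines (
  opco STRING, cost_center STRING, amount NUMBER);

-- Mapping table (constructed): which Snowflake role belongs to which operating company.
CREATE TABLE IF NOT EXISTS governance.opco_role_map (role_name STRING, opco STRING);
INSERT INTO governance.opco_role_map VALUES
  ('MANUFACTURING_ANALYST', 'MANUFACTURING'),
  ('CONSULTING_ANALYST',    'CONSULTING'),
  ('SOFTWARE_ML',           'SOFTWARE');

-- Dynamic column masking: the owning company and parent finance see the real value,
-- the ML team gets a stable hash it can still join on, everyone else sees a fixed mask.
CREATE OR REPLACE MASKING POLICY governance.mask_identity AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('CONSULTING_ANALYST', 'PARENT_FINANCE') THEN val
    WHEN CURRENT_ROLE() = 'SOFTWARE_ML' THEN SHA2(val, 256)
    ELSE '***MASKED***'
  END;

ALTER TABLE consulting.engagements MODIFY COLUMN customer_name  SET MASKING POLICY governance.mask_identity;
ALTER TABLE consulting.engagements MODIFY COLUMN customer_email SET MASKING POLICY governance.mask_identity;

-- Row filtering: parent finance sees every budget line; each operating company's
-- roles see only the rows for their own opco, resolved through the mapping table.
CREATE OR REPLACE ROW ACCESS POLICY governance.filter_by_opco AS (row_opco STRING) RETURNS BOOLEAN ->
  CURRENT_ROLE() = 'PARENT_FINANCE'
  OR EXISTS (SELECT 1 FROM governance.opco_role_map m
             WHERE m.role_name = CURRENT_ROLE() AND m.opco = row_opco);

ALTER TABLE parent.budget_lines ADD ROW ACCESS POLICY governance.filter_by_opco ON (opco);

-- Verification: as MANUFACTURING_ANALYST, names and e-mails come back masked and only
-- MANUFACTURING budget rows are returned, with no change to the base-table grants.
USE ROLE MANUFACTURING_ANALYST;
SELECT customer_name, customer_email, region, revenue FROM consulting.engagements;
SELECT opco, cost_center, amount FROM parent.budget_lines;
```

A deterministic hash preserves joinability across tables but is only a pseudonym, not anonymization: for low-entropy values such as e-mail addresses it can be reversed by guessing, so the hashed column should still be governed as sensitive data.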

New data brought into Snowflake is scanned and tagged with out-of-the box classifications for PII or custom categories using Privacera’s extensible lookup, matching, and heuristic model features.

Closing Remarks

As part of an enterprise effort to manage access to sensitive information, organizations first need to identify and tag sensitive data to reflect its makeup and resulting sensitivity. With the automation enabled by Privacera Data Discovery, we can help address this challenge. To learn more, read about how Privacera helps identify and secure sensitive data in Snowflake for a complex organization.

Learn more about Privacera here or contact us to schedule a call to discuss how we can help your organization meet its dual mandate of balancing data democratization with security to maximize business insights while ensuring privacy and compliance.
