Identifying and Securing Sensitive Data in Snowflake Using the Privacera Platform

Identifying and Securing Sensitive Data in Snowflake Using the Privacera Platform
Share on linkedin
LinkedIn
Share on twitter
Twitter
Share on email
Email

Snowflake has thousands of customers who take advantage of its “Data Cloud” Software-as-a-Service (SaaS) offerings. Massive enterprises run complex workloads every day – supporting their critical business operations – using these tools. In all of that data, though, there are often large amounts of sensitive information that require safeguarding. Toward this end, Snowflake provides an excellent set of robust security controls that meet many common customer needs. Complex organizations, however, often need a unified governance plane for their entire range of use cases. This is because identifying, classifying, tagging, encrypting, and providing fine-grained access control for vast arrays of information is often beyond the scope of toolsets native to the datasource itself. Additionally, managing and orchestrating the full range of relevant policies generally require a purpose-built product.

Working with a multinational industrial company, Privacera is helping to establish a Data Access and Security Governance program built on top of Privacera Platform to address just this challenge. As part of their effort to manage access to sensitive information using Privacera Access Manager, the customer first needed to identify and tag this data to reflect its makeup and resulting sensitivity. To meet this need, they turned to Privacera Data Discovery.

This specific organization had two primary goals in establishing its program. Firstly, its compliance team members needed to ensure only human resources (HR) and management staff had access to personally identifiable information (PII). Secondly, they also needed to make certain that categories of data subject to the European Union General Data Protection Regulation (GDPR) – and related court decisions such as the Schrems II judgment – were only available to authorized users. To achieve these goals, this team decided to implement right-to-privacy (RTP) compliance workflows. Before establishing policies to implement these use cases with Access Manager, however, this company needed to find all of the relevant information first. This Privacera customer thus sought to use Discovery’s on-demand data scanning and tagging capabilities.

To walk through the customer’s use case, consider the following scenario.

Someone on the customer’s finance team needs to compile sales information for revenue projection purposes. This person doesn’t need to know anything about the individual salespeople responsible for bringing in this revenue; such information would be restricted to the HR team and senior management only. The customer’s compliance team would thus trigger a Privacera Data Discovery scan of the sales information to search for personally identifiable information, such as a person’s name. Using a combination of pre-built dictionaries and models, the team can scour its Snowflake tables for anything that looks like a person’s name. Any data found meeting this criterion are then tagged as a PERSON_NAME.

Drilling down into the details, the compliance team can confirm the column containing people’s names is correctly identified. Although the data is redacted to facilitate public sharing, Discovery correctly determined that the PERSON_NAME column does in fact contain such information (with 100% confidence!).

Now that the customer’s compliance team is confident in their identification of sensitive data, they can generate a copy of it for analysis purposes, with sensitive information encrypted using an RTP compliance workflow.

After configuring the type of policy and specifying a description, the compliance team can then designate a location where Privacera will send a copy of the data with the sensitive portions encrypted using an out-of-the-box encryption scheme.

Using the widely-accepted Advanced Encryption Standard (AES), Privacera’s RTP compliance workflow copies and archives the data in a new location while also securing any sensitive information. As per the blue box in this screenshot, names are rendered illegible using AES:

With that done, the customer’s finance team can drive business insights by analyzing the resultant information in Snowflake, all the while minimizing privacy and compliance risk.

Upon completion of their implementation, this customer team will be able to comprehensively inventory, control, and protect its data housed in Snowflake. As per the previous use case, if individuals outside of HR seek to use data containing PII information, they will only be able to see encrypted, redacted, or anonymized entries. Additionally, data subject to GDPR and Shrems II restrictions will have similar controls applied to it, ensuring that no restricted information is visible to those who do not meet authorized geographical or organizational criteria. As a result, this organization will be able to preserve the privacy of its employees and partners while minimizing compliance and security risk during the conduct of globally-distributed business operations.

Learn more about Privacera here or contact us to schedule a call to discuss how we can help your organization meet its dual mandate of balancing data democratization with security to maximize business insights while ensuring privacy and compliance.

Share on linkedin
LinkedIn
Share on twitter
Twitter
Share on email
Email

Contact Privacera for a Data Governance and Security Demo Today