Cloud Data Platform Security How Snowflake Sets The Standard

The document discusses Snowflake's security framework for its cloud data platform. Snowflake implements isolation at multiple levels and follows security best practices. It employs robust authentication mechanisms and role-based access controls. Snowflake encrypts customer data at rest and in transit.

Uploaded by

sachin.varriar

CLOUD DATA PLATFORM SECURITY
HOW SNOWFLAKE SETS THE STANDARD

WHITE PAPER
The threat of a data security breach, someone gaining unauthorized access to an organization’s data, is
what keeps CEOs, CISOs, and CIOs awake at night. Such a breach can quickly turn into a public relations
nightmare, resulting in lost business and steep fines from regulatory agencies. Snowflake Cloud Data
Platform sets the industry standard for data platform security, so you don’t have to lose sleep. All aspects
of Snowflake’s architecture, implementation, and operation are designed to protect customer data in transit
and at rest against both current and evolving security threats.

SNOWFLAKE SECURITY FRAMEWORK

Snowflake was built from the ground up to deliver end-to-end data security for all data platform users. It follows best-in-class, standards-based practices for the controls and processes that secure it. As part of its overall security framework, it leverages NIST 800-53 and the CIS Critical Security Controls, a set of controls created by a broad consortium of international security experts to identify the security functions that are effective against real-world threats.

Snowflake comprises a multilayered security architecture to protect customer data and access to that data. This architecture addresses the following:

• External interfaces
• Access control
• Data storage
• Physical infrastructure

This security architecture is complemented by the monitoring, alerts, controls, and processes that are part of Snowflake’s comprehensive security framework.

Security for compliance requirements

Snowflake is a multi-tenant service that implements isolation at multiple levels. It runs inside a virtual private cloud (VPC), a logically isolated network section within either Amazon Web Services (AWS), Microsoft Azure (Azure), or Google Cloud Platform (GCP). The dedicated subnet, along with the implementation of security groups, enables Snowflake to isolate and limit access to its internal components.

Customers can choose from four Snowflake editions that vary by available features and level of security: Standard edition, Enterprise edition, Business Critical edition, and Virtual Private Snowflake (VPS). The Business Critical edition provides additional security features to support customers who have HIPAA, PCI DSS, or other compliance requirements. In addition, VPS supports customers who have specific regulatory requirements that prevent them from loading their data into a multi-tenant environment. VPS includes the Business Critical edition within a dedicated version of Snowflake. For additional details about the four versions, see the later section, “Four Levels of Snowflake Security.”

Snowflake also isolates query processing, which is performed by one or more compute clusters called virtual warehouses. These are multinode compute clusters created by customers using Snowflake-provided interfaces. Snowflake provisions these compute clusters in such a way that the virtual warehouses of each customer are isolated from other customers’ virtual warehouses. In addition, virtual warehouses are visible and accessible only to the users within a customer account who have been granted access.

Snowflake also isolates data storage by customer. Each customer’s data is always stored in an independent directory and encrypted using customer-specific keys, which are accessible only by that customer.

“We came to the conclusion that we achieved better security with Snowflake than we could ever do on our own.”
BOB ASENSIO
CIO, CapSpecialty
EXTERNAL INTERFACES

Customers access Snowflake via the internet using only secure protocols. The following drivers and tools may be used to connect to the service:

• Snowflake’s command-line interface (CLI) client
• Snowflake’s web-based user interface
• Snowflake Connector for Python
• Snowflake Connector for Spark
• Snowflake Connector for Kafka
• The Node.js driver
• The Go Snowflake driver
• The .NET driver
• The JDBC driver
• The ODBC driver

To find more information, see the Connectors & Drivers page in the Snowflake documentation.

All internet communication between users and Snowflake is secured and encrypted using TLS 1.2 or higher. Snowflake also supports IP address whitelisting to enable customers to restrict access to the Snowflake service by only trusted networks. Customers who prefer to not allow any traffic to traverse the public internet may leverage either AWS PrivateLink (and AWS DirectConnect) or Microsoft Azure Private Link.

ACCESS CONTROL

Authentication

Snowflake employs robust authentication mechanisms, and every request to Snowflake must be authenticated, for example:

• User password hashes are securely stored.
• Strong password policy is enforced.
• Various mechanisms are deployed by Snowflake to thwart brute-force attacks.
• Snowflake also offers built-in multi-factor authentication (MFA), MFA for users with administrative privileges, and key-pair authentication for non-interactive users.
• For customers who want to manage the authentication mechanism for their account, and whose providers support SAML 2.0, Snowflake offers federated authentication.
• System for Cross-domain Identity Management (SCIM) can be leveraged to help facilitate the automated management of user identities and groups (that is, roles) in cloud applications using RESTful APIs.

Authorization

Snowflake provides a sophisticated, role-based access control (RBAC) authorization framework to ensure data and information can be accessed or operated on only by authorized users within an organization. Access control is applied to all database objects including tables, schemas, secure views, secure user-defined functions (secure UDFs), and virtual warehouses.

Access control grants determine a user’s ability to both view and operate on database objects. In Snowflake’s access control model, users are assigned one or more roles, each of which can be assigned different access privileges. For every access to database objects, Snowflake validates that the necessary privileges have been granted to a role assigned to the user.

Customers can choose from a set of built-in roles or create and define custom roles within the role hierarchy defined by Snowflake.

The OAuth 2.0 authorization framework is also supported.

Encryption everywhere

In Snowflake, all customer data is always encrypted when it is stored on disk, and data is encrypted when it’s moved into a Snowflake-provided staging location for loading into Snowflake. Data is also encrypted when it is stored within a database object in Snowflake, when it is cached within a virtual warehouse, and when Snowflake stores a query result.
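
The controls described under External Interfaces, Authentication, and Authorization above, written as Snowflake SQL. This is an added example, not part of the white paper; it assumes the warehouse, database, and schema already exist, and every object name, the IP ranges (RFC 5737 documentation addresses), and the public-key value are constructed placeholders.

```sql
-- Added example. All names (corp_only, analytics_db, sales, reporting_wh,
-- analyst_ro, analyst_rw, svc_loader) are hypothetical.

-- 1. Trusted-network restriction (the "IP address whitelisting" above).
--    When both lists are set, the blocked list is applied first.
USE ROLE SECURITYADMIN;
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('192.0.2.0/24')   -- constructed: RFC 5737 range
  BLOCKED_IP_LIST = ('192.0.2.99')     -- constructed: one excluded host
  COMMENT = 'Logins only from the corporate egress range';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. Custom roles arranged in a hierarchy: analyst_rw inherits everything
--    granted to analyst_ro, and the top custom role rolls up to SYSADMIN.
CREATE ROLE analyst_ro;
CREATE ROLE analyst_rw;
GRANT ROLE analyst_ro TO ROLE analyst_rw;
GRANT ROLE analyst_rw TO ROLE SYSADMIN;

--    Privileges are granted to roles, not to users.
GRANT USAGE ON WAREHOUSE reporting_wh TO ROLE analyst_ro;
GRANT USAGE ON DATABASE analytics_db TO ROLE analyst_ro;
GRANT USAGE ON SCHEMA analytics_db.sales TO ROLE analyst_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics_db.sales TO ROLE analyst_ro;
GRANT SELECT ON FUTURE TABLES IN SCHEMA analytics_db.sales TO ROLE analyst_ro;
GRANT INSERT, UPDATE, DELETE
  ON ALL TABLES IN SCHEMA analytics_db.sales TO ROLE analyst_rw;

-- 3. Non-interactive user with key-pair authentication. No password is set,
--    so password login is not possible for this user.
CREATE USER svc_loader
  RSA_PUBLIC_KEY = '<PUBLIC_KEY_BASE64_PLACEHOLDER>'  -- placeholder, not a real key
  DEFAULT_ROLE = analyst_rw
  DEFAULT_WAREHOUSE = reporting_wh;
GRANT ROLE analyst_rw TO USER svc_loader;

-- 4. Review the result: every access check resolves against these grants.
SHOW GRANTS TO ROLE analyst_ro;    -- privileges held by the role
SHOW GRANTS OF ROLE analyst_rw;    -- users and roles that hold the role
SHOW GRANTS TO USER svc_loader;    -- roles granted to the user
SHOW NETWORK POLICIES;
```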

Data encryption and key management

Snowflake uses strong AES 256-bit encryption with a hierarchical key model rooted in a cluster of hardware security modules. Each customer account has a separate key hierarchy of account-level, table-level, and file-level keys. Snowflake automatically rotates account and table keys on a regular basis. Data encryption and key management are entirely transparent to customers and require no configuration or management.

Data protection and recovery through retention and backups

Snowflake was designed from the ground up to be a continuously available cloud service that is resilient to failures to prevent customer disruption and data loss. Its continuous data protection (CDP) capabilities protect against and provide easy self-service recovery from accidental errors, system failures, and malicious acts.

Recovery from accidental errors

The most common cause of data loss or corruption in a database is accidental errors made by a system administrator, a privileged user, or an automated process. Snowflake provides a unique feature called Time Travel that provides easy recovery from such errors.

Time Travel makes it possible to instantly restore or query any previous version of a table or database from an arbitrary past point in time within a retention period.

How Time Travel works

Time Travel is made possible by Snowflake’s implementation of data manipulation language (DML) operations. Snowflake provides a fully updatable relational database with a complete set of SQL DML operators that support updates to or deletion of rows of data. When any data is modified, Snowflake internally writes those changes to a new storage object and automatically retains the previous storage object for a period of time (the retention period) so that both versions are preserved. When data is deleted or database objects are dropped, Snowflake updates its metadata to reflect that change but keeps the data during the retention period.

During the retention period, all data and data objects are fully recoverable by customers. Using a simple SQL command, users granted administrative privileges can undo a DROP command that removes a database, table, or schema.

Past versions of a data object from any point in time within the retention period can also be accessed via SQL, both for direct access by a SELECT statement as well as for cloning in order to create a copy of a past version of the data object.

After the retention period has passed, Snowflake’s Fail-Safe feature provides an additional seven days (the “fail-safe” period) to provide a sufficient length of time during which Snowflake can, at a customer’s request, recover any data that was maliciously or inadvertently deleted by human or software error. At the end of that period, an automated process physically deletes the data. Because of this design, it is impossible for the Snowflake service, any Snowflake personnel, or malicious intruders to physically delete data.

CDP and Time Travel are standard features built into Snowflake. The length of the default retention period is determined by the customer’s service agreement. Customers can specify extended retention periods at the time that a new database, table, or schema is created via SQL data definition language (DDL) commands. Extended retention periods incur additional storage costs for the time that Snowflake retains the data during the retention and fail-safe periods.

The Time Travel, Fail-Safe, and CDP features provide customers with an unprecedented ability to recover from accidental errors. For example, if an errant data loading script corrupts a database, it is possible to create a logical duplicate of the database (a clone) from the point in time just prior to the execution of a specific statement.

To illustrate, the next sections provide some examples of statements using the Time Travel feature.
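
The Time Travel operations that this section and the example sections after it describe, written as Snowflake SQL. This is an added example rather than the white paper's own listings; the object names and the timestamp are constructed, and the query ID is a placeholder to be read from query history.

```sql
-- Added example. Objects (sales_db, orders, t1, t2) are hypothetical.

-- Extended retention is set through DDL when the object is created
-- (retention beyond 1 day is listed under Enterprise edition in this paper).
CREATE TABLE orders (id NUMBER, amount NUMBER(10,2))
  DATA_RETENTION_TIME_IN_DAYS = 30;

-- Find the statement that did the damage; its ID anchors the recovery.
SELECT query_id, start_time, user_name, query_text
FROM TABLE(information_schema.query_history())
WHERE query_text ILIKE '%orders%'
ORDER BY start_time DESC
LIMIT 20;

-- Recover dropped objects. UNDROP fails if an object with the same name
-- already exists, so rename the newer object first.
SHOW TABLES HISTORY LIKE 'orders';   -- dropped versions carry a dropped_on value
UNDROP TABLE orders;
UNDROP SCHEMA sales_db.public;
UNDROP DATABASE sales_db;

-- Clone a table as it was at a specific point in time.
-- The timestamp is constructed; use one inside the retention period.
CREATE TABLE orders_restored CLONE orders
  AT (TIMESTAMP => '2024-01-15 09:30:00 +0000'::TIMESTAMP_TZ);

-- Clone a database as it was just before a given query was processed.
CREATE DATABASE sales_db_restored CLONE sales_db
  BEFORE (STATEMENT => '<QUERY_ID_PLACEHOLDER>');

-- Query past data without restoring anything.
SELECT * FROM orders AT (OFFSET => -60 * 5);   -- state five minutes ago
SELECT * FROM orders BEFORE (STATEMENT => '<QUERY_ID_PLACEHOLDER>');

-- Current state of t2 joined to t1 as it existed before that query.
SELECT old_t1.id,
       old_t1.amount AS amount_before,
       t2.amount     AS amount_now
FROM t1 BEFORE (STATEMENT => '<QUERY_ID_PLACEHOLDER>') AS old_t1
JOIN t2 ON t2.id = old_t1.id;

-- After checking the clone, put it in place of the damaged table.
ALTER TABLE orders SWAP WITH orders_restored;
```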

Example of recovering dropped objects

The UNDROP command can be used to recover any dropped object:

Examples of recovering previous versions

Recovering a previous version of a table can be done by cloning a past version of a table at a specific point in time:

Recovering a previous version of a database can be done by cloning a past version of a database just before a query (identified here by a query ID) was processed:

Examples of selecting data from past versions

Selecting data from an arbitrary time during the retention period can be done using the AT or BEFORE command:

Combining the current state of table “t2” with a historical state of table “t1” as it existed before a previous query (identified by the query ID) can be done like this:

Further details about Time Travel and commands are described in the Snowflake documentation.

Protection against system failures

The second most common type of data loss is caused by some form of system failure: both software failures and infrastructure failures such as the loss of a disk, a disk array, a server or, most significantly, a data center.

The Snowflake architecture is designed for resilience, without data loss, in the face of such failures. Snowflake, which runs on all the major cloud providers’ platforms (AWS, GCP, and Azure), uses a fully distributed and resilient architecture combined with the resiliency capabilities available in these cloud platforms to protect against a wide array of possible failures.

As illustrated below, the Snowflake architecture consists of three layers, each of which is resilient to failures:

• Data storage layer. Stores all customer data in cloud storage.
• Compute layer. Consists of one or more virtual warehouses, each of which is a multinode compute cluster that processes queries. Virtual warehouses cache data from the data storage layer in encrypted form, but they do not store persistent data.
• Cloud services layer. The brain of the system, this layer manages infrastructure, queries, security, and metadata. The services running in this layer are implemented as a set of stateless processes.

Each layer in the Snowflake architecture is distributed across availability zones. Because availability zones are geographically separated data centers with independent access to power and networking, operations continue even if one or two availability zones become unavailable. In addition, the database storage layer leverages the cloud provider’s resilient storage service to provide highly durable, cost-effective storage. When a transaction is committed in Snowflake, the data is securely stored in the cloud provider’s highly durable data storage, which enables data survival in the event of the loss of one or more disks, servers, or even data centers. Amazon S3 synchronously and redundantly stores data across multiple devices in multiple facilities. It is designed for eleven 9s (99.999999999%) of data durability.

INFRASTRUCTURE SECURITY

Threat detection

Snowflake uses advanced threat detection tools to monitor all aspects of its infrastructure. All security logs, including logs and alerts from third-party tools, are centralized in Snowflake’s security data lake, where they are aggregated for analysis and alerting. Activities meeting certain criteria generate alerts that are triaged through Snowflake’s security incident process. Specific areas of focus include the following:

• File integrity monitoring (FIM) tools are used to ensure that critical system files, such as important system and application executable files, libraries, and configuration files, have not been tampered with. FIM tools use integrity checks to identify any suspicious system alterations, which include owner or permissions changes to files or directories, the use of alternate data streams to hide malicious activities, and the introduction of new files.
• Behavioral monitoring tools monitor network, user, and binary activity against a known baseline to identify anomalous behavior that could be an indication of compromise.
• Snowflake uses threat intelligence feeds to contextualize and correlate security events and harden security controls to counteract malicious tactics, techniques, and procedures (TTPs).

Physical security

Snowflake is hosted in AWS, Azure, or GCP data centers around the world. Snowflake’s infrastructure-as-a-service cloud provider partners employ many physical security measures, including biometric access controls and 24-hour armed guards and video surveillance to ensure that no unauthorized access is permitted. Neither Snowflake personnel nor Snowflake customers have access to these data centers. For more specific information on the security controls implemented by Snowflake’s cloud provider partners, please refer to the security and compliance documentation provided by your provider.

SECURITY COMPLIANCE
Snowflake’s portfolio of security and compliance reports is continuously expanded as customers request
reports. The following is the current list of reports available to all customers and prospects who are
under a non-disclosure agreement. Please contact Snowflake for copies of the reports applicable to your
organization or to find out if a particular certification will soon be available.

SOC 1 Type 2

The SOC 1 Type 2 report is an independent auditor’s attestation of the financial controls that Snowflake had in place during the report’s coverage period.

SOC 2 Type 2

The SOC 2 Type 2 report is an independent auditor’s attestation of the security controls that Snowflake had in place during the report’s coverage period. This report is provided for customers and prospects to review to ensure there are no exceptions to the documented policies and procedures in the policy documentation.

PCI DSS

The Payment Card Industry Data Security Standard is a set of prescriptive requirements to which an organization must adhere in order to be considered compliant. Snowflake’s PCI DSS Attestation of Compliance provides an independent auditor’s assessment results after testing Snowflake’s security controls.

HIPAA

The Health Information Portability and Accountability Act is a law that provides data security and privacy provisions to protect protected health information. Snowflake is able to enter into a business associate agreement (BAA) with any covered entity that requires HIPAA compliance.

ISO/IEC 27001

The International Organization for Standardization provides requirements for establishing, implementing, maintaining, and continually improving an information security management system. Snowflake’s ISO certificate is available for download here.

FedRAMP Moderate

The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security. Federal agencies may download Snowflake’s FedRAMP package from OMB MAX.

FOUR LEVELS OF SNOWFLAKE SECURITY
Snowflake offers four editions, with varying levels of security. Each subsequent version contains all the
capabilities of the preceding versions. For example, the Business Critical edition includes everything the
Enterprise edition offers.

| Feature | STANDARD EDITION | ENTERPRISE EDITION | BUSINESS CRITICAL EDITION | VPS |
| --- | --- | --- | --- | --- |
| All authentication methods (incl. SAML, OAuth) | • | • | • | • |
| RBAC | • | • | • | • |
| User and role provisioning using SCIM | • | • | • | • |
| Network policies | • | • | • | • |
| AWS PrivateLink and Azure Private Link | | | • | • |
| Annual rekeying of data | | | • | • |
| Tri-Secret Secure (customer-managed key) | | | • | • |
| HIPAA compliance | | | • | • |
| PCI DSS compliance | | | • | • |
| Operational visibility | | | | • |

Enterprise edition

All data is re-encrypted annually. Federated authentication is also available so users can access Snowflake with secure single sign-on capability. Snowflake’s unique data protection feature, Time Travel, enables deleted or modified data to be restored to its original state for up to 90 days. Cross-region replication is also available in the Enterprise edition, making it possible to add additional redundancy to Snowflake’s standard in-region replication.

Business critical edition

The Business Critical edition is Snowflake’s solution for customers who have specific compliance requirements. It includes HIPAA support, is PCI DSS compliant, and features an enhanced security policy. This edition enables customers to use Tri-Secret Secure, which provides split encryption keys for multiple layers of data security.

When a customer uses Tri-Secret Secure, access to the customer’s data requires the combination of the Snowflake encryption key, the customer encryption key (which is wholly owned by the customer), and valid customer credentials with role-based access to the data.

Because the data is encrypted with split keys, it is impossible for anyone other than the customer, including Amazon, to gain access to the underlying data. Snowflake can gain access to the data only if the customer key and access credentials are provided to Snowflake. This ensures that only the customer can respond to demands for data access, regardless of where they come from.

Virtual Private Snowflake (VPS)

VPS represents the most sophisticated solution for customers with sensitive data. It differs from other Snowflake editions in a number of important ways.

With VPS, all of the servers that contain in-memory encryption keys are unique to each customer. Each VPS customer has their own dedicated virtual servers, load balancer, and metadata store.

STANDARD EDITION
• Complete SQL data warehouse
• Secure data sharing across regions/clouds
• Premier support 24x365
• 1 day of time travel
• Always-on enterprise-grade encryption of data in transit and at rest
• Customer-dedicated virtual warehouses
• Federated authentication
• Database replication

ENTERPRISE EDITION
Standard edition +
• Multi-cluster warehouse
• Up to 90 days of time travel
• Annual rekeying of all encrypted data
• Materialized views

BUSINESS CRITICAL EDITION
Enterprise edition +
• HIPAA support
• PCI DSS compliance
• Data encryption everywhere
• Enhanced security policy
• Customer-managed encryption keys

VPS
Business Critical edition +
• Customer-dedicated virtual servers wherever the encryption key is in-memory
• Customer-dedicated metadata store

There are also dedicated virtual private networks (VPNs) or virtual private cloud (VPC) bridges from a customer’s own VPC to the Snowflake VPC. These dedicated services ensure that the most sensitive components of the customer’s data warehouse are completely separate from those of other customers.

In addition, VPS is designed to preserve Snowflake’s unique ease of use and low burden of management.

Even with VPS, Snowflake’s hardware security module and its maintenance, access, and deployment services are still shared services. These components are secure by design, even in a multi-tenant model. For instance, the hardware security module (HSM) is configured with a completely separate partition dedicated to the customer. All data is stored in Amazon S3 within a separately provisioned AWS account.

As shown in the following diagram, this design makes it possible for even the most security-conscious customers to trust VPS as a comprehensively secure solution for their data.

CONCLUSION
All Snowflake editions provide a secure and protected environment for customer data, protecting data in
transit and at rest from current and evolving threats. The features built into Snowflake deliver
enterprise-class security by default, without the additional burdens of complexity and management that
traditional solutions force customers to endure.
Snowflake is ANSI SQL compliant and designed from the ground up for the cloud and for modern data
analytics. Built with a unique new architecture, and provided as an enterprise-class software-as-a-service
(SaaS) offering, Snowflake delivers instant elasticity, native support for diverse data, and per-second pricing.
Security is fundamental to Snowflake’s architecture, implementation, and operation. Every aspect of
Snowflake is designed and operated to protect customer data.

ABOUT SNOWFLAKE
Snowflake delivers the Data Cloud—a global network where thousands of organizations mobilize data
with near-unlimited scale, concurrency, and performance. Inside the Data Cloud, organizations unite
their siloed data, easily discover and securely share governed data, and execute diverse analytic
workloads. Wherever data or users live, Snowflake delivers a single and seamless experience across
multiple public clouds. Snowflake’s platform is the engine that powers and provides access to the Data
Cloud, creating a solution for data warehousing, data lakes, data engineering, data science, data
application development, and data sharing. Join Snowflake customers, partners, and data providers
already taking their businesses to new frontiers in the Data Cloud. Find out more at snowflake.com.

© 2022 Snowflake. All rights reserved.

