SnowPro Core Certification: Data Protection and Data Sharing（6/8）

SnowPro Core Certification: Data Protection and Data Sharing（6/8）

Please subscribe YouTube Channel（请订阅油管频道）: Data Driven Wealth 数说财富 DDW - YouTube

✅CHECK SNOWFLAKE DOCUMENTATION FOR THE LATEST RELEASE/FEATURE

✅Data Protection

👉Cloud services layer

Snowflake's cloud services layer is its brain and is a reliable, always-on service. Snowflake accounts are only accessible via cloud services. All requests to Snowflake, whether via the Snowflake web UI or SnowSQL, travel through this layer. 

👉Snowflake-provided clients

Snowflake-provided clients, including SnowSQL (command line interface, for linux, windows, macos), connectors for Python and Spark, and drivers for Node.js, JDBC, ODBC, and more.

Connectors available for Snowflake are Python, Kafka, and Spark.

 

Snowflake also provides several drivers like ODBC, JDBC, Node.js, Go,.Net, and PHP PDO. 

The Snowflake SQL API is a REST API that you can use to access and update data in a Snowflake database.

Snowflake SQL API supports Oauth, and Key Pair authentication.

Snowflake SQL API provides operations that we can use to:

• Submit SQL statements for execution.

• Check the status of the execution of a statement.

• Cancel the execution of a statement.

• Fetch query results concurrently. 

Snowflake has the following Cloud Partner Categories:

• Data Integration

• Business Intelligence (BI)

• Machine Learning & Data Science

• Security Governance & Observability

• SQL Development & Management, and

• Native Programmatic Interfaces.

👉Database Storage

Snowflake's shared storage layer resides on low-cost object cloud storage. Snowflake currently supports AWS S3 storage, Azure Blob Storage, and Google Cloud Storage for data storage.

The benefits of The Data Cloud are Access, Governance, and Action (AGA).

Access means that organizations can easily discover data and share it internally or with third parties without regard to geographical location.

Governance is about setting policies and rules and protecting the data in a way that can unlock new value and collaboration while maintaining the highest levels of security and compliance.

Action means you can empower every part of your business with data to build better products, make faster decisions, create new revenue streams and realize the value of your greatest untapped asset, your data.

👉Time Travel

Depending on the Snowflake edition, the Time Travel duration might range from 1 to 90 days. 

The Standard edition allows for one day of Time Travel. 

Time Travel is possible for up to 90 days in the Enterprise version and above.

Transient and Temporary tables have a maximum of 1 day of Time Travel.

https://docs.snowflake.com/en/user-guide/data-time-travel#data-retention-period

👉Fail-safe

Fail-safe is supported in all Snowflake editions; therefore, the minimum edition with fail-safe support is the Standard edition.

Once the data is in fail-safe storage, only Snowflake support can help retrieve the data. The customer cannot access fail-safe storage. 

Fail-safe is not provided as a means for accessing historical data after the Time Travel retention period has ended. It is for use only by Snowflake to recover data that may have been lost or damaged due to extreme operational failures. 

Data recovery through Fail-safe may take from several hours to several days to complete.

https://docs.snowflake.com/en/user-guide/data-failsafe

Transient and temporary tables don't have any failsafe; this is done to reduce storage costs for temporary and transient data. 

https://docs.snowflake.com/en/user-guide/tables-temp-transient

👉Replication and Failover

STANDARD & BUSINESS CRITICAL FEATURE

• Database and share replication are available to all accounts.

• Replication of other account objects & failover/failback require Business Critical Edition (or higher). To inquire about upgrading, please contact Snowflake Support.

This feature enables the replication of objects from a source account to one or more target accounts in the same organization. Replicated objects in each target account are referred to as secondary objects and are replicas of the primary objects in the source account. Replication is supported across regions and across cloud platforms.

https://docs.snowflake.com/en/user-guide/account-replication-intro

👉Private connectivity

Private connectivity enables you to ensure that access to your Snowflake instance is via a secure connection and, potentially, to block internet-based access completely. Private connectivity to Snowflake requires the Business-Critical edition as a minimum.

👉Securable Object

Securable Object is an entity to which access can be granted. Unless allowed by a grant, access will be denied.

👉NETWORK POLICY

Only security administrators (i.e., users with the SECURITYADMIN role) or higher or a role with the global CREATE NETWORK POLICY privilege can create network policies using Snowsight, Classic Web Interface, and SQL.

The SHOW PARAMETERS command determines whether a network policy is set on the account or for a specific user.

For Account level: SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;

For User level : SHOW PARAMETERS LIKE 'network_policy' IN USER <username>; 

        Example - SHOW PARAMETERS LIKE 'network_policy' IN USER john;

Network policies currently support only Internet Protocol version 4 (i.e. IPv4) addresses.

👉Tri-Secret Secure 

Tri-Secret Secure refers to the combination of a Snowflake-managed key and a customer-managed key, which results in the creation of a composite master key to protect your data. Tri-Secret Secure requires the Business Critical edition as a minimum and can be activated by contacting Snowflake support. 

https://docs.snowflake.com/en/user-guide/security-encryption-manage

👉encryption keys

By default, Snowflake manages encryption keys automatically, requiring no customer intervention. Snowflake-managed keys are 

--> rotated regularly (at 30-day intervals), and 

--> an annual rekeying process re-encrypts data with new keys. The data encryption and key management processes are entirely transparent to the users. Snowflake uses 

--> AES 256-bit encryption to encrypt data at rest. 

https://docs.snowflake.com/en/user-guide/security-encryption-manage

Snowflake encrypts all data in transit using Transport Layer Security (TLS) 1.2. This applies to all Snowflake connections, including those made through the Snowflake Web interface, JDBC, ODBC, and the Python connector. 

👉Snowflake-managed keys

All Snowflake-managed keys are automatically rotated by Snowflake when they are more than 30 days old. Active keys are retired, and new keys are created. When Snowflake determines the retired key is no longer needed, the key is automatically destroyed. When active, a key is used to encrypt data and is available for usage by the customer. When retired, the key is used solely to decrypt data and is only available for accessing the data.

https://docs.snowflake.com/en/user-guide/security-encryption-end-to-end

👉Multi-factor authentication

MFA is enabled by default for all Snowflake accounts and is available in all Snowflake editions. 

All Snowflake client tools, including the web interface, SnowSQL, and the various connectors and drivers, support MFA. 

Snowpipe is a snowflake-managed serverless service. A Snowflake user can not log into it; therefore, it doesn't require MFA. https://docs.snowflake.com/en/user-guide/security-mfa

Multi-factor authentication adds additional protection to the login process in Snowflake. Snowflake provides key pair authentication as a more secure alternative to the traditional username/password authentication approach. Additionally, Snowflake offers federated authentication, enabling users to access their accounts via a single sign-on (SSO). Users authenticate using SAML 2.0-compliant single sign-on (SSO) via an external identity provider (IdP).

Snowflake strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA.

Okta and Microsoft ADFS provide native Snowflake support for federated authentication and SSO.

After a specified period of time (defined by the IdP), a user’s session in the IdP automatically times out, but this does not affect their Snowflake sessions. Any Snowflake sessions that are active at the time remain open and do not require re-authentication. However, to initiate any new Snowflake sessions, the user must log into the IdP again.

Snowflake SQL API supports Oauth, and Key Pair authentication.

👉external Tokenization

Snowflake supports masking policies that may be applied to columns and enforced at the column level to provide column-level security. Column-level security is achieved by dynamic data masking or external Tokenization.

https://docs.snowflake.com/en/user-guide/security-column

👉IP Addresses 

If you provide both Allowed IP Addresses and Blocked IP Addresses, Snowflake applies the Blocked List first. This would block your own access. Additionally, in order to block all IP addresses except a select list, you only need to add IP addresses to ALLOWED_IP_LIST. Snowflake automatically blocks all IP addresses not included in the allowed list.

✅Data Sharing

👉Snowflake Marketplace

All Snowflake accounts, except VPS Snowflake accounts, can use the Snowflake Marketplace. 

VPS accounts have isolated metadata and compute and, therefore, can't use the Snowflake marketplace built on the common cloud services and metadata provided by Snowflake.

Data Marketplace is supported in all Snowflake editions; thus, the minimum edition that supports it is the Standard edition. Do note that VPS doesn’t support Data Marketplace.

For listing, no edition is required

 https://other-docs.snowflake.com/en/collaboration/collaboration-marketplace-about.html#about-the-snowflake-marketplace

👉Sharing

You can share data with multiple consumers: Snowflake customers, non-Snowflake customers, or a mix of both.

Standard views cannot be shared. Direct data sharing enables sharing of the following types of objects: Tables, External tables, Secure views, Secure materialized views, Secure UDFs.

Database sharing across regions and clouds (via replication) is supported in all Snowflake editions; thus, the minimum edition that supports it is the Standard edition.

Snowsight lets you share worksheets and folders with other Snowflake users in your account, allowing others to view and execute SQL in your worksheets and folders. 

https://docs.snowflake.com/en/user-guide/ui-snowsight

A share acts as a container for objects that need to be shared and specifies the consumer accounts. A share contains USAGE privileges on the database & the schema to be shared, privileges on the tables, secure views which will be shared, and the consumer account(s) to which the Share will be available. 

A virtual warehouse is not part of a share. 

If a Snowflake customer consumes a share, they will use their own virtual warehouse. 

If a non-Snowflake customer is consuming the Share, they will use the data provider compute through a data provider-created virtual warehouse (which would have been separately configured)

Snowflake data providers can share data that resides in different databases by using secure views. A secure view can reference objects such as schemas, tables, and other views from one or more databases, as long as these databases belong to the same account.

👉Consumer accounts

Consumer accounts can only access and query data but cannot add, modify, or create database objects to a shared database.

Consumer accounts cannot clone a shared database, its schemas, or any of its tables.

Consumer accounts cannot use Time Travel on the shared data.

Consumer accounts cannot further share a shared database.

Shared databases have the following limitations for consumers:

• Shared databases are read-only. Users in a consumer account can view/query data, but cannot insert or update data, or create any objects in the database.

• The following actions are not supported:

  • Creating a clone of a shared database or any schemas/tables in the database.

  • Time Travel for a shared database or any schemas/tables in the database.

  • Editing the comments for a shared database.

• Shared databases and all the objects in the database cannot be re-shared with other accounts.

• Shared databases cannot be replicated.

A Snowflake share can be defined without a consumer added to it. One or more consumers can be added to the Share afterward

👉Different cloud platform

It is possible to share data with Snowflake accounts in another cloud platform, but the provider must enable replication and replicate your existing database to the other cloud platform. 

https://docs.snowflake.com/en/user-guide/secure-data-sharing-across-regions-plaforms

👉Reader account

A reader account can only consume data from the data provider account that created it. 

https://docs.snowflake.com/en/user-guide/data-sharing-reader-create#what-is-restricted-allowed-in-a-reader-account

Sharing with a non-Snowflake user requires the creation of a reader account. The reader account provides the non-Snowflake user with a Snowflake account through which they can consume the shared data. The data providers own the reader account, and all costs (including query costs) are charged to the data provider. 

https://docs.snowflake.com/en/user-guide/data-sharing-reader-create

👉Data Exchange

Data Exchange is your own private hub for sharing data with a small group of people or organizations who have been invited to join. The owner of the Data Exchange account is in charge of inviting members and specifying whether they can share, consume, or do both. 

https://docs.snowflake.com/en/user-guide/data-exchange

👉Direct data sharing

Standard views cannot be shared. Direct data sharing enables sharing of the following types of objects: Tables, External tables, Secure views, Secure materialized views, Secure UDFs.

https://docs.snowflake.com/en/user-guide/data-sharing-intro

👉Securable Object

Securable Object is an entity to which access can be granted. Unless allowed by a grant, access will be denied.

👉NETWORK POLICY

Only security administrators (i.e., users with the SECURITYADMIN role) or higher or a role with the global CREATE NETWORK POLICY privilege can create network policies using Snowsight, Classic Web Interface, and SQL.

The SHOW PARAMETERS command determines whether a network policy is set on the account or for a specific user.

For Account level: SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;

For User level : SHOW PARAMETERS LIKE 'network_policy' IN USER <username>; 

        Example - SHOW PARAMETERS LIKE 'network_policy' IN USER john;

Network policies currently support only Internet Protocol version 4 (i.e. IPv4) addresses.

👉Tri-Secret Secure 

Tri-Secret Secure refers to the combination of a Snowflake-managed key and a customer-managed key, which results in the creation of a composite master key to protect your data. Tri-Secret Secure requires the Business Critical edition as a minimum and can be activated by contacting Snowflake support. 

https://docs.snowflake.com/en/user-guide/security-encryption-manage

👉encryption keys

By default, Snowflake manages encryption keys automatically, requiring no customer intervention. Snowflake-managed keys are 

--> rotated regularly (at 30-day intervals), and 

--> an annual rekeying process re-encrypts data with new keys. The data encryption and key management processes are entirely transparent to the users. Snowflake uses 

--> AES 256-bit encryption to encrypt data at rest. 

https://docs.snowflake.com/en/user-guide/security-encryption-manage

Snowflake encrypts all data in transit using Transport Layer Security (TLS) 1.2. This applies to all Snowflake connections, including those made through the Snowflake Web interface, JDBC, ODBC, and the Python connector. 

👉Snowflake-managed keys

All Snowflake-managed keys are automatically rotated by Snowflake when they are more than 30 days old. Active keys are retired, and new keys are created. When Snowflake determines the retired key is no longer needed, the key is automatically destroyed. When active, a key is used to encrypt data and is available for usage by the customer. When retired, the key is used solely to decrypt data and is only available for accessing the data.

https://docs.snowflake.com/en/user-guide/security-encryption-end-to-end

👉Multi-factor authentication

MFA is enabled by default for all Snowflake accounts and is available in all Snowflake editions. 

All Snowflake client tools, including the web interface, SnowSQL, and the various connectors and drivers, support MFA. 

Snowpipe is a snowflake-managed serverless service. A Snowflake user can not log into it; therefore, it doesn't require MFA. https://docs.snowflake.com/en/user-guide/security-mfa

Multi-factor authentication adds additional protection to the login process in Snowflake. Snowflake provides key pair authentication as a more secure alternative to the traditional username/password authentication approach. Additionally, Snowflake offers federated authentication, enabling users to access their accounts via a single sign-on (SSO). Users authenticate using SAML 2.0-compliant single sign-on (SSO) via an external identity provider (IdP).

Snowflake strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA.

Okta and Microsoft ADFS provide native Snowflake support for federated authentication and SSO.

After a specified period of time (defined by the IdP), a user’s session in the IdP automatically times out, but this does not affect their Snowflake sessions. Any Snowflake sessions that are active at the time remain open and do not require re-authentication. However, to initiate any new Snowflake sessions, the user must log into the IdP again.

Snowflake SQL API supports Oauth, and Key Pair authentication.

👉external Tokenization

Snowflake supports masking policies that may be applied to columns and enforced at the column level to provide column-level security. Column-level security is achieved by dynamic data masking or external Tokenization.

https://docs.snowflake.com/en/user-guide/security-column

👉IP Addresses 

If you provide both Allowed IP Addresses and Blocked IP Addresses, Snowflake applies the Blocked List first. This would block your own access. Additionally, in order to block all IP addresses except a select list, you only need to add IP addresses to ALLOWED_IP_LIST. Snowflake automatically blocks all IP addresses not included in the allowed list.