The SHOW PARAMETERS command determines whether a network policy is set on the account or for a specific user.
For Account level: SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;
For User level : SHOW PARAMETERS LIKE 'network_policy' IN USER <username>;
Example - SHOW PARAMETERS LIKE 'network_policy' IN USER john;
Network policies currently support only Internet Protocol version 4 (i.e. IPv4) addresses.
👉Tri-Secret Secure
Tri-Secret Secure refers to the combination of a Snowflake-managed key and a customer-managed key, which results in the creation of a composite master key to protect your data. Tri-Secret Secure requires the Business Critical edition as a minimum and can be activated by contacting Snowflake support.
https://docs.snowflake.com/en/user-guide/security-encryption-manage
👉encryption keys
By default, Snowflake manages encryption keys automatically, requiring no customer intervention. Snowflake-managed keys are
--> rotated regularly (at 30-day intervals), and
--> an annual rekeying process re-encrypts data with new keys. The data encryption and key management processes are entirely transparent to the users. Snowflake uses
--> AES 256-bit encryption to encrypt data at rest.
https://docs.snowflake.com/en/user-guide/security-encryption-manage
Snowflake encrypts all data in transit using Transport Layer Security (TLS) 1.2. This applies to all Snowflake connections, including those made through the Snowflake Web interface, JDBC, ODBC, and the Python connector.
👉Snowflake-managed keys
All Snowflake-managed keys are automatically rotated by Snowflake when they are more than 30 days old. Active keys are retired, and new keys are created. When Snowflake determines the retired key is no longer needed, the key is automatically destroyed. When active, a key is used to encrypt data and is available for usage by the customer. When retired, the key is used solely to decrypt data and is only available for accessing the data.
https://docs.snowflake.com/en/user-guide/security-encryption-end-to-end
👉Multi-factor authentication
MFA is enabled by default for all Snowflake accounts and is available in all Snowflake editions.
All Snowflake client tools, including the web interface, SnowSQL, and the various connectors and drivers, support MFA.
Snowpipe is a snowflake-managed serverless service. A Snowflake user can not log into it; therefore, it doesn't require MFA. https://docs.snowflake.com/en/user-guide/security-mfa
Multi-factor authentication adds additional protection to the login process in Snowflake. Snowflake provides key pair authentication as a more secure alternative to the traditional username/password authentication approach. Additionally, Snowflake offers federated authentication, enabling users to access their accounts via a single sign-on (SSO). Users authenticate using SAML 2.0-compliant single sign-on (SSO) via an external identity provider (IdP).
Snowflake strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA.
Okta and Microsoft ADFS provide native Snowflake support for federated authentication and SSO.
After a specified period of time (defined by the IdP), a user’s session in the IdP automatically times out, but this does not affect their Snowflake sessions. Any Snowflake sessions that are active at the time remain open and do not require re-authentication. However, to initiate any new Snowflake sessions, the user must log into the IdP again.
Snowflake SQL API supports Oauth, and Key Pair authentication.
👉external Tokenization
Snowflake supports masking policies that may be applied to columns and enforced at the column level to provide column-level security. Column-level security is achieved by dynamic data masking or external Tokenization.
https://docs.snowflake.com/en/user-guide/security-column
👉IP Addresses
If you provide both Allowed IP Addresses and Blocked IP Addresses, Snowflake applies the Blocked List first. This would block your own access. Additionally, in order to block all IP addresses except a select list, you only need to add IP addresses to ALLOWED_IP_LIST. Snowflake automatically blocks all IP addresses not included in the allowed list.
