SNOWFLAKE SECURITY · ODBC JDBC Web UI Custom Load Balancer HTTPS All communication encrypted...
34
© 2019 Snowflake Inc. All Rights Reserved SNOWFLAKE SECURITY
Transcript of SNOWFLAKE SECURITY · ODBC JDBC Web UI Custom Load Balancer HTTPS All communication encrypted...
© 2019 Snowflake Inc. All Rights Reserved
SNOWFLAKESECURITY
© 2019 Snowflake Inc. All Rights Reserved
Setting the Stage
© 2019 Snowflake Inc. All Rights Reserved
Snowflake is a SaaS Data Warehouse
● Customers Create and Manage Users● Customers Load Data● Customers Execute Commands● Customers Export Data
● Snowflake Service Processes Requests● Snowflake Service Maintains Security● Snowflake Service Manages Capacity
● Snowflake Personnel Do Not Have Access to Unencrypted Customer Data
● Snowflake Personnel Do Not Collect, Delete, Update, Disclose, or Use Customer Data
WHAT IS SNOWFLAKE?IaaS Region
S3/BlobStorage
Customer Environment (VNET/VPC/On-Prem)
CloudServices
VirtualWarehouses
Metadata Store
LoadBalancer
Snowflake Multi-Tenant Pod
Cloud Gateway
Snowflake Deployment
© 2019 Snowflake Inc. All Rights Reserved
Snowflake Editions
© 2019 Snowflake Inc. All Rights Reserved
SNOWFLAKE SECURITY AT A GLANCE
5
Snowflake Operational Controls• NIST 800-53• SOC2 Type 2• ISO 27001
Access• All communication
secured & encrypted• TLS 1.2 encryption for all
client communications• IP Whitelisting
Authentication• User Provisioning with SCIM• Password Policy
enforcement
• Multifactor Authentication• SSO using SAML 2.0
Federated Authentication
• Key Pair (link to snowsql, but supported all over)
Authorization• RBAC for data
and actions• OAuth2.0 authorization
framework support• Secure views and UDFs to
protect information access
• Full audit trails for every action any user does
Data• Encrypted at rest• Hierarchical key model
rooted in AWS Cloud HSMor Azure Dedicated HSM
• Automatic key rotation• Time Travel 1 day
• Fail Safe
Infrastructure• AWS, Azure Physical Security• AWS, Azure Redundancy• Regional Data Centers
▪ US▪ EU▪ AP
Standard/Premier
Premier – the following security and compliance features may be added on for an additional fee:• Time Travel up to 90 days• Annual re-keying of encrypted data
© 2019 Snowflake Inc. All Rights Reserved
SNOWFLAKE SECURITY AT A GLANCEEnterprise
6
Snowflake Operational Controls• NIST 800-53• SOC2 Type 2• ISO 27001
Access• All communication
secured & encrypted• TLS 1.2 encryption for all
client communications• IP Whitelisting
Authentication• User Provisioning with SCIM• Password Policy
enforcement
• Multifactor Authentication• SSO using SAML 2.0
Federated Authentication
• Key Pair (link to snowsql, but supported all over)
Authorization• RBAC for data
and actions• OAuth2.0 authorization
framework support• Secure views and UDFs to
protect information access
• Full audit trails for every action any user does
Data• Encrypted at rest• Hierarchical key model
rooted in AWS Cloud HSMor Azure Dedicated HSM
• Automatic key rotation• Yearly re-keying
• Time Travel 1-90 days• Fail Safe
Infrastructure• AWS, Azure Physical Security• AWS, Azure Redundancy• Regional Data Centers
▪ US▪ EU▪ AP
© 2019 Snowflake Inc. All Rights Reserved
SNOWFLAKE SECURITY AT A GLANCE
7
Snowflake Operational Controls• FedRAMP / NIST 800-53• HIPAA• PCI
• ISO/IEC 27001 • SOC2 Type 2• SOC1 Type 2
Business Critical Edition
Access• All communication
secured & encrypted• TLS 1.2 encryption for all
client communications• Option for encryption in both
trusted and untrusted networks
• IP Whitelisting
• Support for Azure Cross VNET rules for Blob access
• Integration with AWS PrivateLink
Authentication• User Provisioning with SCIM• Password Policy
enforcement
• Multifactor Authentication• SSO using SAML 2.0
Federated Authentication
• Key Pair (link to snowsql, but supported all over)
Authorization• Flexible & granular
authorization controls• RBAC for data
and actions• OAuth2.0 authorization
framework support
• Secure views and UDFs to protect information access
• Full audit trails for every action any user does
Data• Encrypted at rest• Hierarchical key model
rooted in AWS Cloud HSMor Azure Dedicated HSM
• Automatic key rotation• Yearly re-keying
• Tri-Secret Secure (BYOK)• Time Travel 1-90 days
• Fail Safe
Infrastructure• AWS, Azure Physical Security• AWS, Azure Redundancy• Regional Data Centers
▪ US▪ EU▪ AP
© 2019 Snowflake Inc. All Rights Reserved
Details
© 2019 Snowflake Inc. All Rights Reserved
SNOWFLAKE SECURITY AT A GLANCE
9
IaaS Region
S3/BlobStorage
Snowflake VNET / VPC
Customer Environment (VNET/VPC/On-Prem)
CloudServices
VirtualWarehouses
Metadata Store
LoadBalancer
Snowflake Multi-Tenant Pod
Customer Dedicated Virtual Instances
Secure traffic between all points(Encrypted at rest and in transit)
Tri-Secret Secure Customer Managed Keys (Bring Your Own Key enabled)
Cloud Gateway
Snowflake Deployment
© 2019 Snowflake Inc. All Rights Reserved
Access & Authorization
© 2019 Snowflake Inc. All Rights Reserved
ACCESS – SECURE COMMUNICATION
11
11
SnowflakeVNET/VPC
ODBC JDBC Web UI Custom
Load Balancer
HTTPS
All communication encrypted end-to-end● Web UI, command line client, and drivers communicate
solely over HTTPS● Connections encrypted using TLS 1.2 from client through
to Snowflake Service● Data encrypted at rest
All access controlled● IP whitelisting available to restrict client communication to
specified IP addresses● Authentication required for all connections
Customer-Configured Network Policy
© 2019 Snowflake Inc. All Rights Reserved
SnowflakeAD (or Others)
Authoritative Directory in Control
● User creation, changes & deletes
● Roles driven by group membership
● Use Okta, Azure AD, or any system that speaks SCIM
● Or any that can use SQL
USER PROVISIONING WITH SCIM
12
Role 1New Role
Role 2
Group 1New Group
Group 2
New New
Change Change
New Member Now Assigned
SCIM
SCIM
SCIM
SCIM
© 2019 Snowflake Inc. All Rights Reserved
Authorization Control● Role-based authorization
● Authorization for access to all database objects—databases, schemas, tables…
● Authorization for operations in Snowflake—create, stop & start virtual warehouses
● DAC and RBAC info
Application Auditing● All actions are logged
● Audit Logs available throughSnowflake Service
APPLICATION SECURITY
13
Role 1View tables X, YUse warehouse A
Role 2View table YModify table YUse warehouse B
Users
© 2019 Snowflake Inc. All Rights Reserved
Encryption
© 2019 Snowflake Inc. All Rights Reserved
HIERARCHICAL ENCRYPTION FOR DATA AT REST
15
Hierarchical Key Model using Tri-Secret Secure Key Rotation & Re-Keying
• Keys rotated by Snowflake• All data re-encrypted with
annual re-keying• Transparent to customer
and queries
More resources on Key Management
• Hierarchical key model rooted in AWS Cloud HSMor Azure Dedicated HSM
• Tri-Secret Secure• Data is encrypted by default,
with no configuration required
© 2019 Snowflake Inc. All Rights Reserved
TIME TRAVEL & FAIL SAFE
Time Travel
● Select from data as it existed in the past, e.g. before some specific event
● Up to 90 days
Fail Safe
● Request recovery of lost data
● Up to 7 days for most objects
More on Time Travel & Fail Safe
© 2019 Snowflake Inc. All Rights Reserved
Application Logging & Monitoring
© 2019 Snowflake Inc. All Rights Reserved
History Tab● Provides a list of all commands
● Clicking on any item brings up additional details about the action
● For errors, provides SQL as well as a verbose error statement
APPLICATION ACTIVITY LOGGING
18
© 2019 Snowflake Inc. All Rights Reserved
The LOGIN_HISTORY family of table functions can be used to query login attempts by Snowflake users along various dimensions. More information can be found in our LOGIN_HISTORY documentation.
EXPORTING USER ACCESS AUDIT LOGS – LOGIN_HISTORY
19
● LOGIN_HISTORY – returns login events within a specified time range
● LOGIN_HISTORY_BY_USER– returns login events of a specified user within a specified time range
● Results can be further filtered using SQL predicates
● Can be used to return login activity for up to 7 days inthe past
● Export as JSON for use in SIEM or Snowflake
Column Name Data Type Description
EVENT_TIMESTAMP TIMESTAMP_LTZ Time of the event occurrence.
EVENT_ID NUMBER Event’s unique id.
EVENT_TYPE TEXT Event type, such as LOGIN for authentication events.
USER_NAME TEXT User associated with this event.
CLIENT_IP TEXT IP address where the request originated from.
REPORTED_CLIENT_TYPE TEXT Reported type of the client software, such as JDBC_DRIVER, ODBC_DRIVER, etc. This information is not authenticated.
REPORTED_CLIENT_VERSION TEXT Reported version of the client software.This information is not authenticated.
FIRST_AUTHENTICATION_FACTOR TEXT Method used to authenticate the user(the first factor, if using multi factor authentication).
SECOND_AUTHENTICATION_FACTOR TEXT The second factor, if using multi factor authentication, or NULL otherwise.
IS_SUCCESS TEXT Whether the user’s request was successful or not.
ERROR_CODE NUMBER Error code, if the request was not successful.
ERROR_MESSAGE TEXT Error message returned to the user, if the request was not successful.
RELATED_EVENT_ID NUMBER Reserved for future use.
© 2019 Snowflake Inc. All Rights Reserved
● QUERY_HISTORY returns queries within a specified time range.
● QUERY_HISTORY_BY_SESSIONreturns queries within a specified session and time range.
● QUERY_HISTORY_BY_USERreturns queries submitted by a specified user within a specified time range.
● QUERY_HISTORY_BY_WAREHOUSE returns queries executed by a specified warehouse within a specified time range.
● Up to 7 days
EXPORTING QUERY LOGS – QUERY_HISTORY
20
© 2019 Snowflake Inc. All Rights Reserved
EXPORTING USER ACCESS AUDIT LOGS
21
● History logs via functions and views
● LOGIN_HISTORY● QUERY_HISTORY
● Results can be further filtered using SQL predicates
● Can be used to return login activity for up to 7 days in functions 365 days in views in the past
● Export through JDBC or as JSON for use in SIEM
● All supplied drivers and connectors also have extended logging
© 2019 Snowflake Inc. All Rights Reserved
Infrastructure Security
© 2019 Snowflake Inc. All Rights Reserved
INFRASTRUCTURE SECURITY & MONITORING
Infrastructure is managed and monitored by SnowflakeCritical Security Controls Dashboard• Access Control, Security Assessment & Authorization, Configuration Management, Security Awareness,
etc. all represented on a single Dashboard
• Real-time monitoring of data loaded into Snowflake from internal and other relevant data sources
• Allows Security Compliance Team and relevant stakeholders across Snowflake to have real-time visibility into Risk
Snowflake uses CIS Benchmark Templates for configuration hardening• Configuration information is collected centrally in Snowflake
• Snowflake Security Compliance Team monitors status, tracks findings
• Part of Snowflake’s Compliance Dashboard
© 2019 Snowflake Inc. All Rights Reserved
VULNERABILITY TESTING & REMEDIATION
Snowflake performs 7-12 3rd Party penetration Tests per year• Comprehensive Web Application Penetration Test – Annually
• Internal Network Penetration Test – Annually
• Major Functionality Penetration Tests – As major functionality is released
Snowflake performs weekly vulnerability scans on infrastructure• Vulnerabilities are remediated per Policy
• Remediation trends tracked using Snowflake
© 2019 Snowflake Inc. All Rights Reserved
Snowflake uses advanced threat detection tools to monitor production infrastructure● Failed logins
● File integrity monitoring
● Unauthorized system modifications
Snowflake also uses behavioral monitoring tools to monitor a baseline of production infrastructure behavior
● Network traffic
● User activity
● Binaries
Logs are Centralized in Snowflake
● Cost savings, Flexibility, Familiarity with existing tools (Tableau, Looker, Sigma)
THREAT DETECTION
25
© 2019 Snowflake Inc. All Rights Reserved
SECURITY ANALYTICS WAREHOUSESnowflake Internal
26
Threat intelligence
Vendors
SecurityEngineers
Internet Registration Trackers
Security Solution
Providers
“Known Good” Trackers
Indicators of CompromiseTTPs and Attribution
Hash WhitelistsDetection Queries
Suppression QueriesSecurity AlertsRaw Events
© 2019 Snowflake Inc. All Rights Reserved
SECURITY ANALYTICS WAREHOUSESnowflake Internal
27
Query examples:AWS login without MFA?Customer bucket / blob data modified?Unauthorized install on server?Grant permissions on Snowflake?
Log Data Table
QueryTable
AlertsTable
SERVERLESS
© 2019 Snowflake Inc. All Rights Reserved
INFRASTRUCTURE LOGGING & MONITORING
SnowAlert provides a security analytics framework
OpenSource, hosted on GitHub
Integrates with other systems for notification and tracking (Slack, JIRA, etc.)
Provides real-time data and trends
Snowflake’s Security Analytics Warehouse
SnowAlert and sample alert to detect the startup of shell scripts in the EC2 environment
© 2019 Snowflake Inc. All Rights Reserved
SNOWALERT – SAMPLE ALERTS
Display a dashboard of actionable alerts with links to issue-tracking systems
Show trends to measure improvement, monitor problem areas
© 2019 Snowflake Inc. All Rights Reserved
Compliance Frameworks
© 2019 Snowflake Inc. All Rights Reserved
COMPLIANCEThird Party Attestations and Certifications
31
Self-AssessmentsCAIQ, SIG, Pen Test Results
SOC 1 Type II6 month Coverage Period
SOC 2 Type II12 Month Coverage Period
PCI-DSS HIPAAHITRUST in Progress
FedRAMP(Available from OMB/MAX)
ISO/IEC 27001
© 2019 Snowflake Inc. All Rights Reserved
What it is● GDPR is a new EU regulation that becomes effective on May 25, 2018
● Governs the protection and processing of EU personal data
What it means in the context of SnowflakeDifferent requirements apply to different types of entities
● Controller – Snowflake Customers are responsible for complying with GDPR independently from Snowflake
● Processor – Snowflake is responsible for the following:
○ Putting data processing addendums in place with our customers and our vendors
○ Only using our customers' EU personal data to provide our service to them
○ Being transparent about how we handle and process our customers' EU personal data on their behalf and keeping accurate records
○ Securing customers’ EU personal data in our service
○ Facilitating our customers' compliance with data subject requests
○ Notifying customers about changes to our list of subcontractors
Snowflake responsibilities are documented in a Data Processing Addendum (DPA on snowflake.com/legal)Available for signature now
GDPR – GENERAL DATA PROTECTION REGULATION
32
© 2019 Snowflake Inc. All Rights Reserved
Snowflake Security Product DocumentationThe above link provides information on how to configure:
● Network Policies● MFA, IP Whitelisting● Federated Authentication / SSO● Access Control (DAC, RBAC)● Best Practices● Audit Logs
ADDITIONAL COLLATERAL
33
© 2019 Snowflake Inc. All Rights Reserved
THANK YOU
