This is part one of a two-part series giving an overview of Snowflake's security measures and tools. In this part you will learn about Snowflake's measures and tools for data encryption and user authentication. Let's begin.
Data Encryption at Rest
Key rotation and rekeying
All customer data in Snowflake is encrypted by default using AES-256 encryption. Snowflake rotates the encryption keys every 30 days; after a rotation, the retired key is used only to decrypt data that was encrypted under it, and new data is encrypted with the current key.
On top of key rotation there is periodic rekeying, which, if enabled, re-encrypts the data yearly with brand new keys. Rekeying requires a minimum of Enterprise edition and must be enabled by the account administrator. Both processes are entirely transparent to users.
Tri-Secret Secure
Tri-Secret Secure is a composite master key formed by combining a Snowflake-managed key with a customer-managed key, which adds a further layer of protection on top of the default encryption. It requires a minimum of Business Critical edition.
Authentication
Multifactor Authentication (MFA)
By default, Snowflake automatically enables MFA for all accounts. Any user can self-enroll in MFA through the web interface. It uses the Duo Security service.
There are three ways of providing second factor authentication:
- The user approves a login request in the Duo app.
- The user enters a passcode (generated by the Duo app or sent by SMS).
- The user receives a phone call and follows the instructions.
Administrators can disable MFA for a user, in which case the user must re-enroll in MFA. They can also disable it temporarily, and MFA is re-enabled once the defined time has passed.
MFA is supported by:
- SnowSQL
- Snowflake ODBC
- JDBC drivers
- Python connector
Key Pair Authentication
Key pair authentication is an alternative to the username/password authentication method. A public key is assigned to the user in Snowflake, and the user authenticates with the matching private key. Up to two public keys can be assigned to a user at a time. It is supported by SnowSQL and by all drivers and connectors.
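As an added example (not Snowflake's own tooling), the following script prepares the key material for key pair authentication as described above: it generates an RSA key pair with the openssl CLI, emits the ALTER USER statement an administrator would run to assign the public key, and computes the SHA-256 fingerprint in the same form Snowflake reports for the assigned key so the assignment can be verified before the first login. It assumes openssl is installed; SNOWFLAKE_USER is a placeholder user name.

```shell
#!/bin/sh
# Added example, not code from Snowflake. Assumes the openssl CLI is installed.
set -e

# generate_keypair DIR: writes an unencrypted PKCS#8 private key (rsa_key.p8)
# and the matching public key (rsa_key.pub) into DIR. The private key is
# created under umask 077 (in a subshell so the umask does not leak) so it is
# never readable by other users.
generate_keypair() {
  dir=$1
  mkdir -p "$dir"
  ( umask 077
    openssl genrsa 2048 2>/dev/null \
      | openssl pkcs8 -topk8 -inform PEM -nocrypt -out "$dir/rsa_key.p8" )
  openssl rsa -in "$dir/rsa_key.p8" -pubout -out "$dir/rsa_key.pub" 2>/dev/null
}

# public_key_body PUBFILE: strips the PEM header/footer and line breaks, which
# is the form the RSA_PUBLIC_KEY user property expects.
public_key_body() {
  grep -v -- '-----' "$1" | tr -d '\n'
}

# alter_user_sql USER PUBFILE: prints the statement an account administrator
# runs in Snowflake to assign the public key to the user.
alter_user_sql() {
  printf "ALTER USER %s SET RSA_PUBLIC_KEY='%s';\n" "$1" "$(public_key_body "$2")"
}

# fingerprint PUBFILE: SHA-256 over the DER-encoded public key, base64 encoded,
# in the "SHA256:<base64>" form shown as RSA_PUBLIC_KEY_FP by DESCRIBE USER.
# Comparing this with the value Snowflake reports confirms the right key was
# assigned.
fingerprint() {
  printf 'SHA256:%s\n' "$(openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Usage: run the whole flow in a scratch directory and show the results.
workdir=$(mktemp -d)
generate_keypair "$workdir"
echo "Keys written to $workdir"
alter_user_sql SNOWFLAKE_USER "$workdir/rsa_key.pub"
fingerprint "$workdir/rsa_key.pub"
```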
SSO via SAML 2.0 Federated Authentication
Snowflake supports federated authentication, which enables users to connect to Snowflake using single sign-on (SSO). SSO enables users to authenticate through an external identity provider (IdP) compatible with the SAML 2.0 standard.
Compliant identity providers include:
- Okta
- ADFS
- Google G Suite
- Microsoft Azure Active Directory
- OneLogin
- Ping Identity PingOne
User Provisioning Through SCIM
System for Cross-domain Identity Management (SCIM) is an open standard that enables automatic user provisioning and role syncing based on information from an identity provider.