Data Security in Snowflake Via OvalEdge

OvalEdge has completed the Snowflake Ready Validation Program. This third-party technical validation process confirms that OvalEdge integration is optimized for Snowflake functionality. The focus of the validation was to provide Snowflake customers with secure, managed, universal access to assets in their data lake.

What's the problem?

Generally, in managed systems like SAP and Oracle Apps, a complete security system is in place that determines who can access which data. For example, a member of the HR team might only have access to salary data, a member of the Procurement team may be limited to accessing purchasing information, and a Sales Representative sales information.

Once this data is moved over to a data lake built in Snowflake, it is tough to provide universal access as there are no security rules in place. Although Snowflake has all the features in place to secure access to data, determining who is provided what access is a challenge, as there could be millions of attributes to consider.

Related: How End-to-End Data Governance in Snowflake Supports Business Agility

How OvalEdge tackles security challenges in Snowflake

Four pillars of secure data access

The four areas of data security the OvalEdge platform addresses in Snowflake are classification, roles and responsibilities, data protection, and monitoring. Together, these processes work consecutively to develop a complete data access security strategy.

Classify → Define Roles and Responsibilities → Protect → Monitor

Classification

Classification is a critical step for giving role-based access to users. First, you will divide your data horizontally. This is relatively easy as horizontal classifications are based on various business functions, such as Sales, HR, Marketing, and Finance. With this methodology, the implementation is relatively more straightforward. You must be able to find some common thread to classify your data based on -  applications, databases, etc. With horizontal classification, assigning access owners for various categories becomes easy.

The second task is to classify the data vertically. Vertical classification divides the data into categories like PII-Generic, PII-Complaint, Confidential, Top Secret, Standard, and Unidentified. All data which is not yet classified will come under Unidentified Data. Vertical classification is an intricate process involving these steps:

• The first step is for the data/access owners of the horizontally classified data to make policies determining what data will fall under which category within their department.
• For example, deal size and total revenue within the Sales department could fall under ‘confidential.’ The commission earned by a sales rep on a deal could fall under ‘top secret.’
• Some categories will follow the same conventions across various departments.

PII-Generic: First name, last name, email

PII-Compliant: SSN, driver's license number

• The next step is to define role-based access policies for all the categories of fully classified data.

Example Matrix

OvalEdge enables customers to write policies for each classification, use AI to classify the data, and automatically enforce policies as data is classified. OvalEdge data classification syncs directly with Snowflake to provide tag-based security on the platform.

Roles and Responsibilities

Once organizations have classified their data in OvalEdge, they must design an approval process based on these classifications. The various data governance roles and responsibilities in an organization support access policies.

Data governance roles usually include admin, steward, custodian, and user. These roles carry various responsibilities, and while a user may only have access to limited data sets, an admin will have the power to designate access to others. OvalEdge supports two-way syncing of user roles and permissions in Snowflake.

Protect

To prohibit unauthorized users from accessing PII or other sensitive data, it can be masked or restricted. When data is classified, it's easy to flag which data requires which degree of protection.

OvalEdge enables customers to mask or restrict data based on roles and at the source before moving it to a data warehouse like Snowflake.

Monitor

Whenever a new data element is added to a user's data catalog, AI automatically detects and sends the approval request to the right stakeholder. With this process in place, the correct stakeholder consistently monitors and updates data access. Snowflake customers can rest assured that the data access security measure will remain, regardless of any new data entering their ecosystem.