How to Control Access to PII in Snowflake with Satori

Yoav Cohen, CTO and Co-Founder
Organizations are adopting Snowflake to accelerate time to value (TTV) from their data by giving more people access to more data. Enterprise data warehouses such as Snowflake have become an aggregation point for disparate data sources and systems, but with great power comes great risk: when organizations provide broad access to data, they risk data misuse or leaks.

Personally Identifiable Information, or PII, is any data that could potentially identify an individual or that can be used to distinguish one person from another. Broadly, PII can deanonymize previously anonymous data. Such data is widely available in many business-to-consumer (B2C) and business-to-business-to-consumer (B2B2C) environments. Actions and information generated by end users (consumers) are accessed, processed, stored, analyzed and reported on by increasing numbers of employees.

Protecting PII Today

Protecting against misuse or leakage of PII is challenging and raises many questions: Where is the PII? Who should have access to it, and for what purpose? Should PII data sets be quarantined? Should they be anonymized?

Did I mention that this is a challenging process? For most organizations, protecting PII borders on impossible. That's why organizations take a step-by-step approach: deploy a classification solution to identify where the PII is located, funnel data store query logs to a security information and event management (SIEM) system, scan those logs to correlate queries against the PII's location, and so forth.


A Much Simpler Approach

Satori's secure data access platform allows organizations to transcend the challenges described above by using a different, unique approach—identifying PII in motion, as it's being accessed, and deciding whether to allow access in real time. By shifting data classification from an ongoing background process to a real-time activity, correlating data access logs with where PII resides becomes redundant. This change increases protection accuracy and reduces the effort required to deploy enterprise data protection.

Setting a policy to monitor unauthorized access to PII with Satori is as simple as it gets. For example, the following straightforward policy generates an alert when users who are not Snowflake account administrators try to access PII:
```yaml
rules:
  - name: "Alert on access to PII"
    action: alert            # alert only monitors; block would deny the query
    data_tags:
      - c12n.pii             # any PII detected in the query's result set
    identity_tags:
      - "NOT identity.datastore.role:ACCOUNTADMIN"   # everyone except the Snowflake account admin role
    priority: 1
```
Note that we didn't have to specify in which tables or columns we expect to find PII, because Satori doesn't scan the data upfront; it only scans the result sets of actual queries. Satori is also able to detect PII in semi-structured data, like JSON documents. A full list of all PII data types that Satori supports is available here: https://www.satoricyber.com/docs/acl/tags/#personally-identifiable-information-pii-data-types

The alert action doesn't impact how users consume PII—it only monitors usage. To prevent unauthorized access to PII, change the action to block. Users will then get an error message if they try to access PII:

(Screenshot: SnowUI query returning the error message)
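To make the mechanism concrete, here is an added Python model (written for this article, not Satori's code or its real evaluation engine) of how a rule like the one above can be applied to a query's result set rather than to pre-scanned tables: the returned rows are classified for PII as they come back, the identity expression is checked against the caller's Snowflake role, and the rule's action (alert or block) is returned. The c12n.pii tag and the identity.datastore.role key come from the post; the regex classifiers, the sample rows and the ANALYST role name are assumptions.

```python
import re

# Constructed rule with the same shape as the policy in the post, held as a dict
# so the example needs no YAML parser.
RULE = {
    "name": "Alert on access to PII",
    "action": "alert",
    "data_tags": ["c12n.pii"],
    "identity_tags": ["NOT identity.datastore.role:ACCOUNTADMIN"],
    "priority": 1,
}

# Hypothetical classifiers (not Satori's): a column gets the c12n.pii tag when
# every non-null value in it matches one PII pattern.
PII_PATTERNS = [
    re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),  # e-mail address
    re.compile(r"^\d{3}-\d{2}-\d{4}$"),                 # US SSN layout
]

def classify_result_set(columns, rows):
    """Tag a query's result set as it comes back, instead of scanning tables upfront."""
    tags = set()
    for i, _column in enumerate(columns):
        values = [str(r[i]) for r in rows if r[i] is not None]
        if values and any(all(p.match(v) for v in values) for p in PII_PATTERNS):
            tags.add("c12n.pii")
    return tags

def identity_matches(expr, identity):
    """Evaluate one identity_tags entry, e.g. 'NOT identity.datastore.role:ACCOUNTADMIN'."""
    negate = expr.startswith("NOT ")
    key, _, value = (expr[4:] if negate else expr).partition(":")
    matched = identity.get(key) == value
    return not matched if negate else matched

def evaluate(rule, columns, rows, identity):
    """Return the rule's action ('alert' or 'block') when both the data and the
    identity conditions hold, and 'allow' otherwise."""
    data_hit = set(rule["data_tags"]) & classify_result_set(columns, rows)
    identity_hit = all(identity_matches(e, identity) for e in rule["identity_tags"])
    return rule["action"] if data_hit and identity_hit else "allow"

# Constructed sample result set and callers; the ANALYST role name is assumed.
COLUMNS = ["customer_id", "email"]
ROWS = [(101, "ada@example.com"), (102, "linus@example.org")]
ANALYST = {"identity.datastore.role": "ANALYST"}
ADMIN = {"identity.datastore.role": "ACCOUNTADMIN"}
```

Switching the rule to `action: block` (as the post describes) is `dict(RULE, action="block")` here; a result set with no PII-looking column returns "allow" for every caller.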

About the author

Yoav Cohen is the Co-Founder and Chief Technology Officer of Satori Cyber. At Satori, Yoav is building the company's technology vision and leading the research and engineering teams that build the Secure Data Access Cloud. Prior to founding Satori Cyber, Yoav was the Senior Vice President of Product Development at Imperva, which he joined as part of the acquisition of Incapsula, a cloud-based web application security and acceleration company, where he was the Vice President of Engineering. Before joining Incapsula, Yoav held several technology leadership positions at SAP.

When he isn't glued to his laptop or at a whiteboard, Yoav can be found traveling with his wife and four kids in an RV, playing electric guitar or doing laps in the pool. He is still dreaming about building his own operating system.

Yoav holds an M.Sc in Computer Science from Tel-Aviv University and a B.Sc in Computer Science and Biology from Tel-Aviv University.
