The Fastest DAM Way to Improve Security in Snowflake

Real-time DAM is critical for catching and stopping threats instantly, making it a must-have for Snowflake security.

Snowflake powers modern businesses by serving as a data warehouse for vast amounts of customer data—gigabytes, terabytes, or more. This treasure trove of information fuels better decision-making for executives, data scientists, and employees alike. Imagine a retailer using Snowflake to analyze purchase patterns and optimize inventory—game-changing insights, right? But with great data comes great responsibility.

Data warehouses are magnets for sensitive information, and when that data is leaked, the consequences are dire. Take the 2024 Snowflake-related breach, where attackers exploited compromised credentials to access sensitive customer data from companies like AT&T and Ticketmaster. The fallout included reputational damage and disrupted operations—proving no business is immune.

Smart businesses recognize these risks and act proactively. Two critical tools in their arsenal? Access controls and database activity monitoring.

Access Controls

Access controls in Snowflake serve as your first line of defense, setting the groundwork for data security. These policies are designed to restrict access, ensuring that employees, partners, and other users can only view or interact with the specific data necessary for their roles. The process typically begins with a broad statement like, “Access should be role-based,” which outlines the principle that permissions should align with job responsibilities. From there, these general guidelines are transformed into precise, granular configurations within Snowflake, such as restricting customer service representatives to viewing basic account details while limiting financial analysts to aggregated spending patterns.

While access controls are foundational to protecting sensitive data, they are not foolproof. Their effectiveness hinges on proper implementation and the integrity of user credentials. Unfortunately, credentials are vulnerable. They can be guessed, stolen through phishing attacks, exposed in data breaches, or misused by insiders. Alarmingly, credential-related breaches account for 61% of data incidents, according to the Verizon Data Breach Report. Even the most carefully configured access control policies are rendered useless if a malicious actor gains unauthorized access using valid credentials.

Additionally, managing access control policies at scale can be a complex challenge. Organizations often struggle with outdated or overly permissive roles, which can lead to unnecessary exposure of sensitive information. For example, a former employee or a contractor might retain access they no longer need, creating a potential security risk.

To address these vulnerabilities, businesses must layer access controls with another essential security measure: Database Activity Monitoring.

Database Activity Monitoring

Think of Database Activity Monitoring as your vigilant security guard. DAM operates by processing a continuous stream of activity events from your database, analyzing each one using advanced algorithms to pinpoint suspicious behavior. It doesn’t just observe—it evaluates. When it detects actionable anomalies, the system sends out alerts, prompting your team to respond quickly before a potential threat escalates.

Examples of suspect activity DAM can identify include:

  • A partner accessing sensitive data outside of normal business hours.
  • An unidentified user attempting to query restricted datasets.
  • Automated processes behaving erratically, mimicking human-like query patterns.
  • An unusual spike in the volume of data queried by a specific role.
  • Data being accessed from unexpected or suspicious locations.

The secret to effective DAM? Speed. In the face of a potential credentialed access breach, timing is everything. A DAM solution must evaluate database activity as close to the moment it occurs as possible. Real-time detection is non-negotiable.

Why? Because every second of delay increases the window of opportunity for attackers, amplifying the potential damage. The longer it takes to identify anomalous activity, the longer it takes to respond—and with that delay comes greater data exposure, more significant losses, and heightened risk.

For any DAM solution to truly be effective, it must be fueled by timely, actionable information. Without it, even the most sophisticated monitoring becomes a post-mortem tool rather than a real-time shield.

Can Snowflake access and query history logs be used to feed Activity Monitoring?

Snowflake Access Logs for Monitoring

All important events in Snowflake are kicked off by a SQL statement issued by either a person or a software program. As Snowflake processes the statement, it saves context about the statement to its internal data stores. This context can include a great deal of useful information about the statement, for example:

  • who initiated it
  • what kind of statement (UPDATE, SELECT, INSERT etc.)
  • when the statement started and ended
  • where the request came from
  • what change or data resulted

Ultimately this context information winds up as log entries in various tables within Snowflake. Each log table serves a different purpose and is made available for consumption in different ways and time frames by Snowflake.

One of the most important pieces of context for identifying a credentialed access breach is the context around every data query (SELECT statements). Snowflake provides this information in its query and access history views. Can these views be the source of activities for database activity monitoring? The short answer is no. Here’s why:

Why Snowflake’s Logs Fall Short for Real-time Database Activity Monitoring

The Query and Access history views are part of the built-in SNOWFLAKE database, housed within its ACCOUNT_USAGE schema. These views consolidate the query history from all databases in an account into a single dataset. While primarily designed for operational insights, customers often use these views to monitor their Snowflake usage and optimize costs—for example, by identifying and ranking their most resource-intensive queries.

However, there’s a significant limitation: latency. Due to how Snowflake extracts this data from its internal stores, the Query and Access history views have a delay ranging from 45 minutes to as much as 3 hours. This latency renders them unsuitable for real-time database activity monitoring. While the information they provide can be valuable for retrospective analysis—such as investigating a data breach after it occurs—it’s of little use for detecting and responding to threats as they happen. By the time the data becomes available, any malicious activity has already run its course, leaving your organization to play catch-up.
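To make the retrospective use of these views concrete, here is an added example (not code from the original post or from ALTR) that measures how far behind the ACCOUNT_USAGE views are and then applies a rows-per-hour threshold check over QUERY_HISTORY and ACCESS_HISTORY. The role name CUSTOMER_SERVICE, the 100-row threshold and the `%CUSTOMER%` table filter are assumed placeholders.

```sql
-- Added example, not ALTR's or Snowflake's own code. Assumes a role that can
-- read the SNOWFLAKE.ACCOUNT_USAGE schema (ACCOUNTADMIN or IMPORTED PRIVILEGES).

-- 1. How stale is the view right now? The gap is the latency discussed above,
--    so anything found below is a retrospective finding, not a live alert.
SELECT
    MAX(START_TIME)                                          AS newest_logged_query,
    DATEDIFF('minute', MAX(START_TIME), CURRENT_TIMESTAMP()) AS minutes_behind
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY;

-- 2. Retrospective "rows per hour" threshold: sum the rows returned by
--    successful SELECTs, per user and role, in hourly buckets, and keep only
--    the hours in which the placeholder CUSTOMER_SERVICE role exceeded 100 rows.
WITH hourly AS (
    SELECT
        USER_NAME,
        ROLE_NAME,
        DATE_TRUNC('hour', START_TIME) AS hour_bucket,
        SUM(ROWS_PRODUCED)             AS rows_returned,
        COUNT(*)                       AS query_count
    FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
    WHERE QUERY_TYPE = 'SELECT'
      AND EXECUTION_STATUS = 'SUCCESS'
      AND START_TIME >= DATEADD('day', -7, CURRENT_TIMESTAMP())
      AND ROLE_NAME = 'CUSTOMER_SERVICE'        -- placeholder role name
    GROUP BY USER_NAME, ROLE_NAME, hour_bucket
)
SELECT *
FROM hourly
WHERE rows_returned > 100                     -- placeholder threshold
ORDER BY rows_returned DESC;

-- 3. Which tables and columns were touched in the same window? ACCESS_HISTORY
--    stores the accessed objects as a JSON array, so flatten it twice
--    (objects, then their columns) to get one row per column read.
SELECT
    ah.USER_NAME,
    ah.QUERY_START_TIME,
    obj.value:objectName::STRING AS table_name,
    col.value:columnName::STRING AS column_name
FROM SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY ah,
     LATERAL FLATTEN(INPUT => ah.DIRECT_OBJECTS_ACCESSED) obj,
     LATERAL FLATTEN(INPUT => obj.value:columns)          col
WHERE ah.QUERY_START_TIME >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND obj.value:objectName::STRING ILIKE '%CUSTOMER%'   -- placeholder filter
ORDER BY ah.QUERY_START_TIME DESC;
```

The first statement's `minutes_behind` value is the practical check for whether a given run of these queries can be treated as anything other than post-mortem analysis.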

ALTR: Real-Time Database Monitoring and Security

Since every data access activity in Snowflake involves a SQL statement, solving the latency issue requires capturing query context the moment the statement begins processing. This allows audit information to be collected and evaluated in real-time, enabling swift detection and response to potential threats.

This is where ALTR excels. By integrating directly with Snowflake at query execution time, ALTR captures critical context for any query involving sensitive data, delivering significant, time-sensitive advantages for database activity monitoring and auditing. Here’s how:

Faster Generation of Query Audit Records

ALTR starts capturing query context the instant a SQL statement is processed by Snowflake. This real-time capture eliminates the latency problem inherent in Snowflake’s query history, enabling activity records to be delivered to external SIEM or SOAR solutions much faster. With quicker identification of unusual events, mitigation actions can begin sooner, reducing the risk of data exposure.

Automated Responses to Suspicious Activity

ALTR doesn’t just observe—it acts. Alerts are evaluated at query time, triggered when configurable thresholds are violated. For instance, if a customer service role exceeds a limit of 100 records retrieved in an hour, ALTR can send an alert to external systems like SIEM or SOAR. Beyond alerts, ALTR can optionally halt the flow of sensitive data during threshold violations, giving your team time to confirm whether the activity is legitimate or malicious. This proactive approach buys critical time to protect your data.

Enriched Audit Records for Deeper Insights

ALTR’s query audit records are packed with detailed context, including:

  • Who accessed the data
  • What was accessed and how much
  • Policies applied (e.g., masking or encryption)
  • Decisions behind policy enforcement
  • Additional security layers, like tokenization

These enriched records provide invaluable insights for analyzing the effectiveness of access policies, streamlining compliance audits, and improving security strategies. Plus, since the data is generated in real-time, it can trigger non-urgent workflows to fine-tune operations or investigate anomalies further.

Wrapping Up

Data warehouses like Snowflake are powerful tools, but they’re also high-value targets. Protecting sensitive data isn’t optional—it’s essential. ALTR gives you the real-time insights and controls you need to stay ahead of threats while maintaining trust and compliance.

Ready to see ALTR in action? Discover why we’re the New Standard in Snowflake Data Security.