ALTR Blog

The latest trends and best practices related to data governance, protection, and privacy.
BLOG SPOTLIGHT

ALTR Expands GTM Team with Powerhouse Hires to Lead the Charge in Data Security

With our latest GTM team expansion, we're strengthening our position to lead the cloud data security market and drive the conversation forward.

ALTR isn’t just keeping pace with the evolving data security landscape—we’re setting the speed limit. As businesses scramble to safeguard their data, ALTR is not just another player in the game; we’re the go-to solution for bulletproof data access control and security. And today, we’re doubling down on that promise with three strategic hires to turbocharge our Go-To-Market (GTM) strategy.

Meet the Heavy Hitters

Christy Baldassarre

Christy Baldassarre joins us as our new Director of Marketing, bringing a formidable blend of strategic vision and execution prowess. With a track record of driving brand growth and market penetration, Christy excels at crafting compelling narratives that resonate with target audiences. She’s a master at turning complex concepts into clear, impactful messaging and knows how to leverage the latest digital marketing tactics to amplify ALTR’s voice.  

"I am excited to be on such a great team and to be a part of taking ALTR to the next level. I chose ALTR because of its excellence in Cloud Security and Data Protection. This is a great opportunity to collaborate with such a visionary team and contribute to groundbreaking solutions that not only push boundaries but set new standards of how to keep everyone’s data safe." - Christy

Rick McBride

Rick McBride, our new Demand Gen Manager, brings a deep expertise in go-to-market strategy. With a strong foundation in business development, Rick has honed his skills in identifying opportunities and driving pipeline growth from the ground up. He’s not just about crafting campaigns; Rick knows how to connect with decision-makers and convert interest into action.  

“A successful go-to-market strategy thrives on seamless collaboration across various teams, and our GTM group is poised to be the driving force behind it. We're set to champion the Snowflake ecosystem—engaging with customers, Snowflake’s Field Sales team, and partners alike—to fuel strategic growth. By leveraging Snowflake's powerful native capabilities in Security and Governance, we aim to deliver at the speed and scale that Snowflake users expect. We're thrilled to extend this value to every organization that prioritizes and trusts Snowflake for their data management needs!” - Rick

George Policastro

Next, we've got George Policastro as our newest Account Executive. George is a seasoned sales professional with a proven track record of closing complex deals and delivering results. His strengths lie in his ability to deeply understand client needs, build lasting relationships, and strategically navigate the sales process to drive success.  

"I’m thrilled to join ALTR and tackle one of the biggest challenges organizations face today: securing their sensitive data while unlocking its full potential to drive business growth." - George

ALTR: Defining the Future of Data Access Control and Security

The world of data security and governance has evolved dramatically from the days of simple perimeter defenses. Now, we’re dealing with sophisticated, multi-layered security strategies that need to keep up with cybercriminals who are more aggressive and resourceful than ever. The core principles—knowing where your data is, who can access it, and ensuring its protection—haven’t changed. However, as data moves to the cloud, the challenge is achieving these goals at an unprecedented scale and speed.

That’s where ALTR excels. We’re not just providing solutions; we’re reimagining what data access control and security can be in a cloud-first world. By cutting through the complexities and inefficiencies of traditional methods, we deliver a streamlined, scalable approach that makes data security both simple and powerful. Our intuitive automated access controls, policy automation, and real-time data observability empower organizations to protect sensitive data at rest, in transit, and in use—effortlessly and at lightning speed. With ALTR, securing your data isn’t just more accessible; it’s smarter, faster, and designed for today’s dynamic cloud environments.

With our latest GTM team expansion, we’re fortifying our foundation to evolve into a cloud data security market leader who’s not just part of the conversation but is driving it.

In a world where data breaches and privacy threats are the norm, safeguarding sensitive information is no longer optional—it's critical. As regulations tighten and privacy concerns soar, our customers are demanding cutting-edge solutions that don't just secure their data but do so with finesse. Enter Format Preserving Encryption (FPE). When paired with ALTR's capability to seamlessly share encryption keys with trusted third parties via platforms like Snowflake's data sharing, FPE becomes a game-changer.  

Understanding Format Preserving Encryption (FPE)  

Format Preserving Encryption (FPE) is a type of encryption that ensures the encrypted data retains the same format as the original plaintext. For example, if a credit card number is encrypted using FPE, the resulting ciphertext will still appear as a string of digits of the same length. This characteristic makes FPE particularly useful in scenarios where maintaining data format is crucial, such as legacy systems, databases, or applications requiring data in a specific format.  
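To make the format-preserving property concrete, here is a toy digit-preserving cipher. It is an added example, not ALTR's implementation or code from the original post. It uses an HMAC-SHA256 Feistel network rather than the NIST FF1/FF3-1 modes, and the key, tweak and card number are constructed sample values.

```python
import hashlib
import hmac

ROUNDS = 10      # even, so both halves end up back in their original positions
MIN_DIGITS = 6   # very small domains can be enumerated, so refuse them


def _round_value(key: bytes, tweak: bytes, rnd: int, n: int, half: int) -> int:
    """Keyed pseudo-random integer for one Feistel round (HMAC-SHA256)."""
    msg = b"|".join([tweak.hex().encode(), str(rnd).encode(),
                     str(n).encode(), str(half).encode()])
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _feistel(key: bytes, tweak: bytes, digits: str, decrypt: bool) -> str:
    if not (digits.isascii() and digits.isdigit()) or len(digits) < MIN_DIGITS:
        raise ValueError("input must be a string of at least 6 ASCII digits")
    n = len(digits)
    u = n // 2           # width of the left half
    v = n - u            # width of the right half
    a, b = int(digits[:u]), int(digits[u:])
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in order:
        # Arithmetic is done modulo 10^width, so every intermediate value
        # is still a decimal number of the right length.
        modulus = 10 ** (u if i % 2 == 0 else v)
        if decrypt:
            a, b = (b - _round_value(key, tweak, i, n, a)) % modulus, a
        else:
            a, b = b, (a + _round_value(key, tweak, i, n, b)) % modulus
    # Zero-pad so leading zeros (and therefore the length) survive.
    return f"{a:0{u}d}{b:0{v}d}"


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    return _feistel(key, tweak, digits, decrypt=False)


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    return _feistel(key, tweak, digits, decrypt=True)


def demo() -> dict:
    key = b"constructed-demo-key-not-a-secret"   # constructed sample key
    tweak = b"customers.card_number"             # hypothetical column label
    pan = "4111111111111111"                     # constructed sample number
    ct = fpe_encrypt(key, tweak, pan)
    return {
        "ciphertext": ct,
        "same_format": len(ct) == len(pan) and ct.isdigit(),
        # Deterministic: equal plaintexts give equal ciphertexts, so
        # exact-match lookups and joins still work on the encrypted column.
        "deterministic": ct == fpe_encrypt(key, tweak, pan),
        # A different tweak (for example another column) changes the output.
        "tweak_separates": ct != fpe_encrypt(key, b"orders.card_number", pan),
        "round_trip": fpe_decrypt(key, tweak, ct) == pan,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Determinism is what keeps equality lookups working on the ciphertext, and it also means anyone who can read the column can see which rows hold the same value.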

Key Benefits of FPE  

Seamless Integration

FPE maintains the data format, allowing easy integration into existing data pipelines without requiring significant changes. This minimizes the impact on business operations and reduces the costs associated with implementing encryption.  

Compliance with Regulations

Many regulatory frameworks, such as the GDPR, PCI-DSS, and HIPAA, mandate the protection of sensitive data. FPE helps organizations comply with these regulations by ensuring that data is encrypted to preserve its usability and format, which can sometimes be a requirement in these standards.  

Enhanced Data Utility

Unlike traditional encryption methods, FPE allows encrypted data to be used in its existing form for specific operations, such as searches, sorting, and indexing. This ensures organizations can continue to derive value from their data without compromising security.  

The Role of Snowflake in Data Sharing  

Snowflake is a cloud-based data warehousing platform that allows organizations to store, process, and analyze large volumes of data. One of its differentiating features is data sharing, which enables companies to share live, governed data with other Snowflake accounts in a secure and controlled manner while also shifting the cost of the computing operations of the data over to the share's consumer.     

Key Features of Snowflake Data Sharing

Real-Time Data Access

Snowflake's data sharing allows recipients to access shared data in real-time, ensuring they always have the most up-to-date information. This is particularly valuable in scenarios where timely access to data is critical, such as in financial services or healthcare.  

Secure Data Exchange

Snowflake's platform is designed with security at its core. Data sharing is governed by robust access controls, ensuring only authorized parties can view or interact with the shared data. This is crucial for maintaining the confidentiality and integrity of sensitive information.  

Scalability and Flexibility

Snowflake's architecture allows for easy scalability, enabling organizations to share large volumes of data with multiple parties without compromising performance. Additionally, the platform supports a wide range of data formats and types, making it suitable for diverse use cases.  

The Power of Combining FPE with Snowflake’s Key Sharing  

When FPE is combined with the ability to share encryption keys via Snowflake's data sharing, it unlocks a new level of security and flexibility for organizations. This combination addresses several critical challenges in data protection and sharing:    

Controlled Access to Encrypted Data

By leveraging FPE, organizations can encrypt sensitive data while preserving its format. However, there are scenarios where this encrypted data needs to be shared with trusted third parties, such as partners, auditors, or service providers. Through Snowflake's data sharing and ALTR's FPE Key Sharing, companies can securely share encrypted data along with the corresponding encryption keys. This allows the third party to decrypt the data within the policies that they have defined and use it as needed.  

Data Security Across Multiple Environments

In a multi-cloud or hybrid environment, data often needs to be moved between different systems or shared with external entities. Traditional encryption methods can be cumbersome in such scenarios, as they require extensive reconfiguration or critical management efforts. However, with FPE and Snowflake's key sharing, organizations can seamlessly share encrypted data across different environments without compromising security. The encryption keys can be securely shared via Snowflake, ensuring only authorized parties can decrypt and access the data.  

Regulatory Compliance and Auditing

Many regulations require organizations to demonstrate that they have implemented appropriate security measures to protect sensitive data. By using FPE, companies can encrypt data in a way that complies with these regulations. At the same time, the ability to share encryption keys through Snowflake ensures that data can be securely shared with auditors or regulators. Additionally, Snowflake's robust logging and auditing capabilities provide a detailed record of who accessed the data and when, which is essential for compliance reporting.

Enhanced Collaboration with Partners

In finance, healthcare, and retail industries, collaboration with external partners is often essential. However, sharing sensitive data with these partners presents significant security risks. By combining FPE with ALTR's key sharing, organizations can securely share encrypted data with partners, ensuring that sensitive information is transmitted throughout the data's lifecycle, including across shares. This enables more effective collaboration without compromising data security.  

Efficient and Secure Data Processing  

Specific data processing tasks, such as data analytics or AI model training, require access to large volumes of data. In scenarios where this data is sensitive, encryption is necessary. However, traditional encryption methods can hinder the efficiency of these tasks due to the need for decryption before processing. With FPE, the data can remain encrypted during processing, while ALTR's key sharing allows the consumer to decrypt data only when absolutely necessary. This ensures that data processing is both secure and efficient.  

Use Cases of FPE with ALTR Key Sharing  

To better understand the value of combining FPE with ALTR's key sharing, let's explore a few use cases:  

Financial Services

In the financial sector, organizations handle a vast amount of sensitive data, including customer information, transaction details, and credit card numbers. FPE can encrypt this data while preserving its format, ensuring it can still be used in legacy systems and applications. Through Snowflake's data sharing, financial institutions can securely share encrypted transaction data with external auditors, partners, or regulators, along with the necessary encryption keys. This ensures compliance with regulations while maintaining the security of sensitive information.  

Healthcare

Healthcare organizations often need to share patient data with external entities, such as insurance companies or research institutions. FPE can encrypt patient records, ensuring they remain secure while preserving the format required for healthcare applications. Snowflake's data sharing allows healthcare providers to securely share this encrypted data with third parties. At the same time, ALTR enables the sharing of the corresponding encryption keys, enabling them to access and use the data while ensuring compliance with HIPAA and other regulations.  

Retail

Retailers often need to share customer data with marketing partners, payment processors, or logistics providers. FPE can be used to encrypt customer information, such as names, addresses, and payment details, while maintaining the format required for retail systems. Snowflake's data sharing enables retailers to securely share this encrypted data with their partners; with ALTR, the encryption keys are also shared, ensuring that customer information is always protected.

The Broader Implications for Businesses  

The combination of Format Preserving Encryption and ALTR's key-sharing capabilities represents a significant advancement in the field of data security. This approach addresses several critical challenges in data protection and sharing by enabling organizations to securely share encrypted data with trusted third parties.    

Strengthening Trust and Collaboration

In an increasingly interconnected world, businesses must collaborate with external partners and share data to remain competitive. However, this collaboration often comes with significant security risks. By leveraging FPE and ALTR's key sharing, organizations can strengthen trust with their partners by ensuring that sensitive data is always protected, even when shared. This leads to more effective and secure collaboration, ultimately driving business success.  

Reducing the Risk of Data Breaches

Data breaches can devastate businesses through financial losses, reputational damage, and regulatory penalties. Organizations can significantly reduce the risk of data breaches by encrypting sensitive data with FPE and securely sharing it via Snowflake. Even if the data is intercepted, it remains protected, as only authorized parties with the corresponding encryption keys can decrypt it.

Enabling Innovation While Ensuring Security

As organizations continue to innovate and leverage new technologies, such as artificial intelligence and machine learning, the need for secure data sharing will only grow. The combination of FPE and ALTR's key sharing enables businesses to securely share and process data innovatively without compromising security. This ensures that organizations can continue to innovate while protecting their most valuable asset – their data.  

Wrapping Up

Integrating Format Preserving Encryption with ALTR's key sharing capabilities offers a powerful solution for organizations seeking to protect sensitive data while enabling secure collaboration and innovation. By preserving the format of encrypted data and allowing for secure key sharing, this approach addresses critical challenges in data protection, regulatory compliance, and data sharing across multiple environments. As businesses navigate the complexities of the digital age, the value of this combined solution will only become more apparent, making it a vital component of any robust data security strategy.  

ALTR's Format-preserving Encryption is now available on Snowflake Marketplace.

“Today is the day!” you exclaim to yourself as you settle into your desk on Monday morning. After months of meticulous planning, the migration from Teradata to Snowflake begins now. You have been through all the back-and-forth with leadership on why this migration is needed: Teradata is expensive, Teradata is not agile, Snowflake creates a single source of data truth, and Snowflake is instantly on and scales when you need it. It’s perfect for you and your business.

As you follow your meticulously planned checklist for the migration, you're utilizing cutting-edge tools like DBT, Okta, and Sigma. These tools are not just cool, they're the future. You're moving your database structure, loading the initial non-sensitive data, repointing your ETL pipelines, and witnessing the power of modern technology in action. Everything is working like a charm.

A few weeks or months of testing go by, your downstream consumers of data are still using Teradata but are starting to give thumbs up on the Snowflake workloads that you have already migrated. Things are going well. You have not thought about CPU or disk space for the Teradata box in a while, which was the point of the migration. You finally get word from all stakeholders that this trial migration was a success! You call your Snowflake team, and tell them to back up the truck, you are clear to move the remaining workloads. Life is good. But then, comes a knock at the door.

It’s Pat from Security & Risk. You know Pat well and enjoy Pat’s company, but you also do as much as possible to avoid Pat because you are in data and, well, we all know the feeling. Pat tells you, “Heard we are finally getting off Teradata; that’s awesome! Do you have a plan for the PII and SSNs that are kept in that one Teradata database that we require using Protegrity for audit and compliance reasons?” You nod, “I do, but I couldn't do it without your expertise. I’ve been reading the Snowflake documentation, and I'm in the process of writing a few small AWS Lambdas to interface with Protegrity. Your input is crucial to this process.” Pat smiles, gives a non-assuring hand on your back and walks out. Phew, no more Pat.

Four weeks later, you're utterly exhausted. You've logged over 50 hours in Snowflake with fellow data engineers, and tapped into the expertise of one of the cloud ops team members who knows Lambda inside out. You have escalated to Snowflake support, but your external function calls from Snowflake to AWS keep timing out. AWS support is unable to help. Now, you have memory limits being hit with AWS Lambda. Suddenly, the internal network team does not want to keep the ports open to hit Protegrity from AWS, and you need to use a Private Link connection with additional security controls. You are behind on the Teradata migrations. There is no end in sight of the scale problems. Shoot, this is not working.

Don’t worry, you are not alone. This is the same experience felt by hundreds of Snowflake customers, and it stems from the same problem: everything about your Snowflake migration was planned for the new architecture of Snowflake except for one thing: data protection. You followed all the blogs and user guides, and your stateless data pipeline feeding Snowflake with a Kafka bus is perfect. Sigma is running without limits. The team is happy, but they want that customer data now. Except, you can’t use it until you solve this security problem.

Snowflake and OLAP workloads, generally, turned data protection on its head. OLTP workloads are easy to secure. You know the access points and the typical pattern of user behavior, so you can easily plan for scale and up-time. OLAP is widely unpredictable. Large queries, small queries, ten rows, 10M rows, it’s a nightmare for security. There is only one path forward: you must get purpose-built data protection for Snowflake.

You need a data protection solution that matches Snowflake’s architecture, just like when you matched Protegrity to Teradata. If Snowflake is going to be elastic, your data protection needs to be elastic. If Snowflake is going to be accessed by many downstream consumers, you need to be able to integrate data protection into the access policies in Snowflake. Who is going to do that work? Who will maintain this code? How can you control costs? The answer to all those questions is ALTR.

ALTR’s purpose-built native app for data protection is an easy solution for Snowflake. You can install it on your own. You can use your Snowflake committed dollars to pay for the service. ALTR’s data protection scale is controlled by Snowflake and nothing else. It’s the easiest way to get back on track. Call your Snowflake team, ask them about ALTR. It will feel good walking back into Pat’s office with your head held high and your data migration back on track.

Whether your team currently has Protegrity or Voltage, you will face the same problems. Do not waste your time trying to get these solutions to scale, just call ALTR.

Don’t just take my word for it…

In a world where data is the lifeblood of organizations, managing and securing that data is no longer just an IT task—it's a business imperative. Yet, despite the critical nature of data governance, many solutions out there are still bogged down by complexity, time-consuming processes, and significant risks. Enter ALTR, the cutting-edge solution that’s not just simplifying data governance but revolutionizing it. Here’s why ALTR is the game-changer your organization needs, and why it’s quickly becoming the go-to for companies leveraging Snowflake.

1. Ease of Use: Accessible Security

Data governance has long been a domain reserved for the technically savvy, with traditional methods requiring extensive SQL coding and intricate configurations. This not only made the process time-consuming but also left it vulnerable to human error. ALTR redefines this narrative with a user-centric approach. Seamlessly integrated into Snowflake and instantly accessible through Snowflake Partner Connect, ALTR is designed to be up and running in mere minutes. The intuitive interface, built on ALTR’s robust Management API, empowers even non-technical users to accomplish tasks that once required days of coding—now achievable with just a few clicks. ALTR democratizes data governance, making it fast, simple, and accessible to all, ensuring that security is no longer a complex or exclusive domain, but one that everyone can master.

2. Proof of Value & Time to Value: Immediate Impact

In the high-speed world of data, there's simply no room for delay. ALTR recognizes this need for urgency, delivering Proof of Value and Time to Value in a matter of hours and days—rather than the months or quarters typical of traditional solutions. With ALTR’s SaaS model, you can unlock its features in your Snowflake sandbox environment at no cost, letting you experience its power before making any commitments.

But ALTR doesn’t just stop at providing tools; we empower you with expertise. Our team of Field Engineers is ready to assist in crafting tailored solutions, automating processes, and ensuring seamless interoperability with your data catalogs, ETL/ELT tools, and SIEMs. Customers often leverage ALTR’s Rapid POC Framework, which accelerates the definition of use case requirements and success criteria. Over just two or three focused one-hour screenshare sessions with an ALTR Field Engineer, you’ll produce the artifacts, evidence, and performance metrics needed to confidently move toward full-scale implementation.

It’s not merely about demonstrating ALTR’s value—it’s about ensuring you realize that value at lightning speed, setting your team up for swift, scalable success.

3. Reduced Complexity: Cutting Through the Chaos

In the realm of data governance and security, complexity is the silent killer. The more convoluted your protocols, the more they drain your resources—whether that’s time, money, or manpower. ALTR was engineered to dismantle this complexity from the ground up. Managing access policies across multiple access points like SnowSQL, BI tools, applications, and data shares is an overwhelming task on its own. When you add the intricacies of data security within Snowflake’s ecosystem, the challenge becomes even more daunting. ALTR alleviates these burdens by enabling automation at scale and empowering users to handle these tasks with ease. By simplifying these traditionally complex processes, ALTR doesn't just reduce friction; it eliminates the barriers that have historically plagued data governance. With ALTR, complexity is no longer an obstacle—it's a thing of the past.

4. Minimized Risk: Securing Your Most Valuable Asset

Human error is the Achilles’ heel of data security. From misconfigurations to overlooked details, the potential for mistakes is vast. Recent Snowflake Security incidents serve as stark reminders of these risks. ALTR addresses this vulnerability head-on. By eliminating the need for manual SQL scripting and enabling point-and-click automation, ALTR significantly reduces the risk of human error. But it doesn’t stop there. ALTR’s advanced Data Protection features—such as Format-Preserving Encryption and Tokenization—ensure that your data is protected at rest, in transit, and even in use. Coupling this with access policy automation means your data is safe from external threats, internal misuse, and even potential risks from privileged users.

5. Interoperability: The Secret to Seamless Integration

In today’s data-driven world, interoperability isn’t just a nice-to-have; it’s essential. ALTR’s SaaS architecture is designed to work seamlessly within your existing data ecosystem and InfoSec stack, making it an ideal partner for your CISO’s peace of mind. Whether it’s leveraging Snowflake Object Tags or integrating with your SIEM, SOAR, or workflow resolution software, ALTR ensures everything works together flawlessly. By making real-time Data Activity Monitoring logs, policy alerts, and notifications available within your existing systems, ALTR takes interoperability to the next level, ensuring that your data governance is as efficient as it is secure.

Wrapping Up

ALTR is not just another data governance tool—it’s a revolution in how data is managed and secured. By focusing on ease of use, rapid proof of value, reduced complexity, minimized risk, and seamless interoperability, ALTR is setting a new standard in the industry. For companies leveraging Snowflake, ALTR is the key to unlocking the full potential of their data while safeguarding it from the ever-present threats of today’s digital landscape. In a world where data is king, ALTR is the crown. Don’t just manage your data security—master it with ALTR.

Keeping a tight grip on data access control is crucial for protecting sensitive information. However, when these systems get too complicated, they can bring about a whole host of challenges and additional risks. If you're finding that your data access control is more headache than help, it might be time to take a closer look. Let's look at nine signs that your data access control might be overly complex and explore some practical solutions to help streamline and strengthen your data security approach.

9 Signs Your Data Access Control is Out of Control

1. Frequent Configuration Errors

Are you experiencing persistent configuration errors? This may indicate an overly complex data access control system. These errors often arise from the intricate setup and continuous and manual adjustments needed to manage permissions. When systems require detailed and specific configurations, even minor mistakes can lead to significant vulnerabilities. Frequent misconfigurations are a security risk and a drain on resources, necessitating constant oversight and corrections.

2. Slow Response Times

Is your team struggling to respond to access requests or security incidents promptly? This suggests your system is too convoluted. The more complex the system, the harder it is for security teams to act swiftly and efficiently. Complex workflows and multiple layers of approval can slow down response times, increasing the risk of security breaches going undetected or unaddressed for extended periods.

3. High Maintenance Costs

Excessive resources spent on maintaining and updating access controls indicate unnecessary complexity. High maintenance costs often stem from the need for specialized training and continuous updates to keep the system running smoothly. These costs add up quickly, diverting funds and constrained resources from other critical areas, making the system financially unsustainable over the long term.

4. Integration Challenges

Are you using multiple tools to manage access control? This can create redundancies and integration issues, and make the system harder to manage and more expensive to maintain. Each tool requires its own configuration, management, and monitoring, adding layers of complexity that can overwhelm security teams.

5. Ineffective Monitoring

Is your security team struggling to monitor access in real-time? This could be a sign of system complexity and can lead to undetected breaches and delayed responses. Complex systems generate vast amounts of data, making it challenging to filter out critical security alerts from the noise. Ineffective real-time monitoring can result in slow threat detection and response times, increasing the risk of significant security incidents.

6. Inconsistent Policies  

Wide variations in access control policies across different parts of the organization can lead to security gaps and enforcement inconsistencies. Ensuring a unified security approach becomes challenging when other departments or teams use different policies. Attackers who look for weak spots in the security fabric can exploit this inconsistency.  

7. Difficulty in Auditing and Compliance

Are you struggling to conduct regular audits and ensure compliance with industry regulations? This could indicate that your access control processes are too complex. The intricate nature of these systems often requires specialized knowledge to navigate and assess, making compliance audits time-consuming and costly. Non-compliance can expose the organization to legal and financial risks, including fines and reputational damage.

8. High Incidence of Insider Threats

Complex access controls can make monitoring and restricting insider access difficult, leading to a higher incidence of insider threats. Insiders who already have a level of trusted access can exploit overly complex systems to bypass security measures or access unauthorized data. The difficulty in tracking and managing insider activities in such environments exacerbates this risk.

9. User Frustration and Low Productivity

Are users struggling to get the access they need to data? This indicates overly complex access controls, which can decrease productivity and lead to frustration. This can also lead to users seeking workarounds, such as using unauthorized methods to access data, which further compromises security.

What to Look for in a Data Security Platform (DSP)

Selecting the right Data Security Platform (DSP) is crucial for effectively managing data access control and safeguarding sensitive information. Here are the key attributes to consider when choosing a DSP:

Sensitive Data Discovery

A robust DSP should offer automated tools for quickly identifying and classifying sensitive data. This capability ensures that high-risk data is discovered and protected promptly, meeting compliance requirements. Automated classification tools help streamline the identification process, reducing the manual effort involved and ensuring that all sensitive data is accounted for and adequately secured.

Automated Access Controls

Look for a DSP that allows you to set up automated access controls with dynamic data masking capabilities. These controls ensure that only credentialed users can access sensitive information, minimizing the risk of unauthorized access. They also help maintain security policies consistently across the organization, reducing the potential for human error and enhancing overall data protection.

Real-time Data Activity Monitoring

Effective DSPs provide real-time observability over how sensitive data is consumed in the cloud. This includes active alerts for unauthorized requests, allowing immediate response to potential security breaches. Real-time data activity monitoring is essential for maintaining an up-to-date security posture and ensuring that any suspicious activity is detected and addressed promptly.

Integrated Data Security

Choose a DSP that offers integrated data security from source to cloud. Automated data access governance ensures that sensitive data is never at risk, providing comprehensive protection throughout its lifecycle. Integrated security measures help unify the approach to data protection, ensuring that all aspects of data security are covered and reducing the complexity involved in managing multiple security tools.

User-Friendly Policy Implementation

A good DSP should allow non-technical users to implement policies and simplify data ownership. This ensures that data security processes can remain streamlined and automated without requiring extensive technical knowledge. User-friendly interfaces and straightforward policy implementation tools enable broader participation in data governance, helping to maintain consistent security practices across the organization.   

Wrapping Up

Managing data access control is vital for protecting sensitive information, but complexity can create numerous risks and challenges. By recognizing the signs and choosing the right Data Security Platform (DSP), you can create a more robust and manageable data security environment.

In a previous post, Jonathan Sander details the primary differences between a Data Security Posture Management (DSPM) solution and a Data Security Platform (DSP). He highlights that the most notable difference between a DSPM and a DSP is in the “policy definition and policy enforcement” aspects of a DSP. He explains that while some applications allow for simple API calls to manage access or security policies, such as removing a user’s group membership in Active Directory, implementing policy definition and enforcement at a deeper level for platforms like Snowflake becomes exceedingly challenging, if not impossible, for a DSPM.

Recent events have reignited my interest in understanding how ALTR distinguishes itself from a DSPM. The first event was the potential acquisition of Wiz by Google. Wiz, a cloud security posture management (CSPM) tool, is often confused with a DSPM. This has led customers to inquire about the differences between CSPM and DSPM and, subsequently, the distinctions between DSPM and DSP. Although the Wiz/Google deal fell through, it sparked an insightful discussion on LinkedIn initiated by Pramod Gosavi from JupiterOne. I participated in this discussion, which delved into why Google should reconsider buying a tool like Wiz.

The other recent event that brings DSPM vs. DSP back into the spotlight is the word ‘remediation’, which has been used by some DSPM providers lately. The word remediation in this context indicates a DSPM's ability to react to one of its findings. For example, a remediation might be removing a user’s access from a system or making a public-facing internet resource private. These types of remediations are simple and straightforward and should easily be achievable by a DSPM. But lately, some of the DSPM players have been mentioning remediations for platforms like Snowflake, stating their platforms can do complex operations such as RBAC, data masking, and data security such as encryption or tokenization. This is where the analogy "All squares are rectangles, but not all rectangles are squares" comes in handy. In this scenario, the DSPM is the square, and the DSP is the rectangle. A DSP can perform all the functions of a DSPM, but a DSPM cannot perform all the functions of a DSP. Let me explain.

The largest difference between a DSPM and a DSP is not the type or number of data stores supported, or the workflows within the platforms, but the integration methods with the data stores. DSPs live in the line of fire. We sit in the hardest place a vendor can sit, in the critical path of data. It’s the only way a DSP can provide capabilities like real-time database activity monitoring (DAM), data encryption or tokenization, data loss prevention, and others. Without this position in the stack, our ability to stop, or remediate, an out-of-policy data access request is minimized.

DSPMs, on the other hand, do not live in the critical path of data access. They often exist outside the normal access patterns, connecting to systems such as databases or file shares without fear of latency or uptime. A DSP has the unfortunate burden of having to essentially match the uptime and availability of the platforms it controls, often requiring significant investments in engineering and operations that DSPMs do not have. It's these requirements of uptime, throughput, and strict performance metrics that make it nearly impossible for a DSPM to offer value over a DSP when it comes to complex operations in a platform like Snowflake. Since a DSP is already in line with the systems it is controlling and protecting, it is conceivable that a DSP could offer a wide overlap of the features of a DSPM, if it wanted to.

For customers, this means taking the time to understand the specific challenges you need to address for platforms like Snowflake, particularly regarding access controls and security. The multiple layers of roles and attributes assigned to users, the vast amount of data that moves and transforms inside the Snowflake platform daily, and the performance requirements of encryption on your downstream application are complex. These are hard problems for any business. And solving these challenges is what is going to fully unlock the value of your Snowflake instance.

Wrapping Up

Be cautious of any DSPM that claims to solve the complex governance and security challenges of Snowflake effortlessly. Always request detailed case studies to validate their claims. While it's not necessarily impossible, these claims often resemble a square trying to fit into a rectangle.

Data is the fuel propelling modern business. From customer information to financial records, proprietary data forms the foundation upon which businesses operate and innovate. However, as companies grow and data volumes explode, securing this data becomes exponentially more complex. This is where the importance of scalability in data security comes into sharp focus.

The Scalable Security Imperative

Scalability in data security is not a luxury; it is a necessity. As organizations expand, they generate and collect vast amounts of data. This growth demands a data security solution that can scale seamlessly with the volume, velocity, and variety of data. Organizations expose themselves to heightened risks, increased vulnerabilities, and potential catastrophic breaches without scalable security measures. 

Core Pillars of Scalable Data Security

To understand the nuances of scalable security, we must delve into its core pillars: flexibility, performance, automation, and comprehensive coverage. 

1. Flexibility

Flexibility is the cornerstone of scalable security. A rigid security solution that cannot adapt to changing needs and expanding data environments is destined to fail. Scalable security solutions must be flexible enough to integrate with a wide array of data sources, applications, and infrastructures, whether on-premises, in the cloud, or hybrid environments.

Flexibility also means accommodating varying security policies and compliance requirements. As regulations evolve and new threats emerge, a scalable security platform must allow for rapid adjustments to policies and controls without disrupting operations.

2. Performance

As data volumes grow, maintaining performance is crucial. Security measures that introduce latency or degrade performance are counterproductive and can hinder business operations and user experience. Scalable data security solutions must be designed to handle high throughput and large-scale environments without compromising on speed or efficiency.

Performance in scalable security also involves optimizing resource utilization. Efficient use of computational resources ensures that security operations, such as encryption, decryption, and monitoring, do not become bottlenecks as data scales. 

3. Automation

Automation is a critical component of scalability in data security. Manual processes are time-consuming, error-prone, and incapable of keeping up with the dynamic nature of modern data environments. For instance, manually writing and maintaining SQL queries for data access control can be labour-intensive and prone to mistakes. Scalable security platforms leverage automation to ensure continuous protection without requiring constant human intervention.

Automated access policies, tokenization, and policy enforcement allow organizations to scale their security operations in line with their data growth. This automation enhances security posture and frees up valuable human resources to focus on strategic initiatives.

4. Comprehensive Coverage

Scalable security requires comprehensive coverage across all data assets and environments. It is insufficient to secure only certain parts of the data ecosystem while leaving others vulnerable. A genuinely scalable security solution provides end-to-end protection, encompassing data at rest, in transit, and in use.

Comprehensive coverage also means detecting and mitigating threats across the entire attack surface. This includes monitoring for insider threats, external attacks, and vulnerabilities within the data infrastructure. Scalable security platforms employ advanced analytics and machine learning to provide real-time insights and proactive threat management.

The Nuances of Scalable Security

The complexity of scalable security lies in its ability to balance the varying demands of growth, performance, and protection. Here are some critical nuances to consider:

Future-Proofing

Scalable security solutions must be designed with future growth in mind. This involves anticipating the increase in data volume and users, the evolution of threat landscapes, and regulatory requirements. Future-proofing ensures that security investments remain practical and relevant as the organization evolves.

Interoperability

Interoperability is critical in a diverse data ecosystem. Scalable security platforms must seamlessly integrate with existing tools, applications, and processes. This integration capability ensures that security measures do not operate in silos but rather enhance the overall security posture through cohesive and collaborative defenses.

Cost-Effectiveness

As data scales, so do the costs associated with securing it. Scalable security solutions must provide a cost-effective approach to protection, balancing the need for robust security with budget constraints. One approach is to leverage native architectures to manage costs effectively.

The Stakes of Inadequate Scalability

The consequences of failing to implement scalable security measures are dire. As data grows unchecked by scalable security, organizations face an increased risk of data breaches, regulatory fines, and reputational damage. Here are some potential pitfalls:

Data Breaches

Without scalable security, the likelihood of data breaches increases significantly. Cybercriminals exploit vulnerabilities in outdated or inadequate security measures, leading to unauthorized access, data theft, and financial losses.

Regulatory Non-Compliance

Data protection regulations are becoming increasingly stringent. Organizations that fail to scale their security measures in accordance with these requirements risk non-compliance, which can result in hefty fines and legal repercussions.

Operational Disruptions

Inadequate security stability can lead to operational disruptions. Performance bottlenecks, system downtime, and compromised data integrity can impede business operations, leading to loss of productivity and revenue. Additionally, when security measures fail to scale, legitimate users may be unable to access critical data, causing further delays and hindering decision-making processes. This not only frustrates employees but also hampers overall business efficiency and agility.

Wrapping Up

In a world where data is both a valuable asset and a potential liability, the importance of scalable security cannot be overstated. As businesses continue to expand and generate more data, the need for robust, scalable security measures will only become more critical. Embracing scalable security is about protecting data today and preparing for tomorrow's challenges. The time to act is now.

Imagine waking up to the news that your company's sensitive data has been compromised, all due to stolen credentials. With recent high-profile data breaches making headlines, this nightmare scenario has become all too real for many organizations. The stakes are higher than ever, and ensuring robust security measures to protect your sensitive data in Snowflake is not just important—it's essential.

Snowflake's white paper, "Best Practices to Mitigate the Risk of Credential Compromise," is your roadmap to fortified security. This comprehensive guide reveals how to leverage Snowflake's native platform features to enforce strong authentication and mitigate the ever-present risks associated with credential theft. This blog will dive into the key takeaways and best practices recommended by Snowflake to safeguard your organization's data.

The Pillars of Security

Snowflake's approach to security is built on three key pillars:  

Prompt

Encourage users to adopt security best practices, such as configuring multifactor authentication (MFA). This proactive approach ensures that users are aware of security protocols and actively engage with them. It's about creating a culture of security and mindfulness.

Enforce

Enable administrators to enforce security measures by default. This means implementing policies that automatically apply security best practices across the board, reducing the likelihood of human error or oversight.

Monitor

Provide visibility into security policy adherence. Monitoring ensures that security measures are not just in place but are being followed and are effective. Continuous visibility allows for timely adjustments and responses to potential threats.

By grounding its security framework in these pillars, Snowflake ensures a comprehensive approach to protecting sensitive data from unauthorized access.

Best Practices for Enforcing Authentication and Network Policies

To safeguard your Snowflake account, it's crucial to follow these essential steps:

1. Create Authentication Policies for Service Users

Use key pair or OAuth for programmatic access and enforce this through authentication policies. Service accounts, which are often targeted by attackers, should have the most stringent security measures. By using key pairs or OAuth, you ensure a higher security level than traditional username/password combinations.

2. Enforce MFA for Human Users

Leverage your own SAML identity providers with MFA solutions. For added security, enforce Snowflake's native MFA for users relying on native passwords. MFA adds an additional layer of security, making it significantly harder for attackers to gain access using stolen credentials.

3. Establish Robust Password Policies

Implement stringent password requirements and regular password changes. Strong passwords and regular updates reduce the risk of password-based attacks. Policies should include guidelines on password complexity and the frequency of changes.

4. Implement Session Policies

Define policies to enforce reauthentication after periods of inactivity. This helps to minimize the risk of unauthorized access from inactive sessions. Policies should specify session timeout periods and conditions for reauthentication.

5. Apply Account-level Network Policies

Restrict access to authorized and trusted sources only. By defining network policies, you can ensure that only trusted IP addresses and networks can access your Snowflake account, reducing the attack surface.

6. Protect Service Users

Differentiate between human and service users by setting user types, which helps in applying appropriate security measures. Service users often have elevated permissions, making them prime targets for attacks. By categorizing them appropriately, you can apply stricter security controls.

7. Apply and Test Policies

Apply password and session policies at the account level and test service users to ensure their effectiveness. Regular testing and validation of policies help identify potential gaps and ensure that security measures are working as intended.

8. Enforce Account-Level MFA

Apply MFA enforcement policies to ensure all human interactive users use MFA. This universal application of MFA ensures that every user accessing the system is authenticated through multiple factors, significantly enhancing security.

9. Leverage Snowflake's Trust Center

Utilize Snowflake's Trust Center to monitor MFA and network policy enforcement continuously. Monitoring helps maintain a robust security posture by providing insights into policy adherence and identifying areas for improvement. Additionally, consider CIS benchmarks for industry-standard security practices and guidelines.
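The nine practices above can be turned into a repeatable check. The following is an added example, not code from Snowflake or ALTR: it audits a constructed inventory of users and account settings against practices 1, 2, 4, 5, 6 and 8. The field names, thresholds and sample records are assumptions made for the illustration.

```python
import ipaddress

MAX_IDLE_MINS = 60    # assumed ceiling for the idle session timeout (practice 4)
MIN_PREFIX_LEN = 16   # assumed: an IPv4 range broader than /16 is not a "trusted source"


def _user(name, utype, has_password, key_or_oauth, mfa_enrolled):
    """Build one inventory record. Field names are hypothetical, not Snowflake columns."""
    return {"name": name, "type": utype, "has_password": has_password,
            "key_or_oauth": key_or_oauth, "mfa_enrolled": mfa_enrolled}


# Constructed sample inventory.
USERS = [
    _user("etl_loader", "SERVICE", False, True, False),   # key pair only: compliant
    _user("legacy_job", "SERVICE", True, False, False),   # password-only service user
    _user("alice", "PERSON", True, False, True),          # password plus MFA
    _user("bob", "PERSON", True, False, False),           # password, no MFA
    _user("carol", "PERSON", False, False, False),        # SSO only, MFA handled by the IdP
    _user("old_script", None, True, False, False),        # never classified
]

# Constructed account-level settings.
ACCOUNT = {"allowed_networks": ["203.0.113.0/24", "0.0.0.0/0"],
           "session_idle_timeout_mins": 240}


def audit_user(u):
    """Return the list of findings for one user record."""
    findings = []
    if u["type"] is None:
        findings.append("user type not set, human and service controls cannot be told apart (practice 6)")
    if u["type"] == "SERVICE":
        if u["has_password"]:
            findings.append("service user can authenticate with a password (practice 1)")
        if not u["key_or_oauth"]:
            findings.append("service user has no key pair or OAuth configured (practice 1)")
    elif u["has_password"] and not u["mfa_enrolled"]:
        # PERSON and unclassified users are both treated as interactive logins here.
        findings.append("password login without MFA (practices 2 and 8)")
    return findings


def audit_account(acct):
    """Return findings for the account-level network and session settings."""
    findings = []
    networks = acct.get("allowed_networks") or []
    if not networks:
        findings.append("no account-level network policy (practice 5)")
    for cidr in networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < MIN_PREFIX_LEN:
            findings.append(f"network policy allows overly broad range {net} (practice 5)")
    idle = acct.get("session_idle_timeout_mins")
    if idle is None or idle > MAX_IDLE_MINS:
        findings.append(f"idle session timeout is {idle} minutes, above {MAX_IDLE_MINS} (practice 4)")
    return findings


def audit(users, acct):
    """Audit everything; only users with at least one finding appear in the result."""
    per_user = {u["name"]: audit_user(u) for u in users}
    return {"users": {n: f for n, f in per_user.items() if f},
            "account": audit_account(acct)}


if __name__ == "__main__":
    report = audit(USERS, ACCOUNT)
    for name, findings in report["users"].items():
        for finding in findings:
            print(f"{name}: {finding}")
    for finding in report["account"]:
        print(f"<account>: {finding}")
```

Running the same check on a schedule covers practice 7 (test the policies) and complements the Trust Center monitoring in practice 9.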

Wrapping Up

The digital landscape is fraught with threats, and credential compromise remains a top concern for organizations. Implementing the best practices outlined here is your first line of defense. However, it's not enough to set these measures and forget them. Continuous vigilance, regular updates, and a proactive stance are crucial.  

Snowflake is your ally in this ongoing battle, providing the necessary tools and insights to effectively monitor and enforce security policies. By leveraging Snowflake's robust security framework, you can ensure your organization stays ahead of potential threats.

In today's hyper-connected world, businesses thrive on data. Every transaction, customer interaction, and strategic decision is driven by the vast amounts of information collected and stored. This data fuels innovation, enhances customer experiences, and propels growth. Yet, with this immense power comes a chilling reality: data breaches are an ever-present threat. From stolen customer information to compromised intellectual property, the consequences for businesses can be catastrophic. As these threats escalate, the burning question remains - how much data security is truly enough for your business?

Unfortunately, the answer is frustrating – there might not be a magic number. Here's why:

The Impenetrability Illusion

Imagine a bank vault guarded by the most advanced security system. This is the traditional security mindset – an impenetrable fortress. However, cyberattacks are a relentless foe, constantly evolving to exploit new vulnerabilities faster than patches can be deployed. No system is truly invincible.

The Security-Usability Tightrope

The ideal security system for a business might resemble Fort Knox, but that's not practical for everyday operations. Requiring retinal scans, fingerprints, voice verification, and a complex 30-character password just to access your company's internal systems would be excessively secure but also frustrating and inefficient for employees. Striking a balance between robust security and user-friendly access controls is crucial for businesses to navigate the security-usability tightrope effectively. Companies must implement security measures that protect sensitive data without impeding productivity or causing undue stress for users.

The Cost Conundrum

Investing in a million-dollar security system might make sense for a financial institution safeguarding sensitive data, but it would be overkill for a small business. Security measures come with a price tag – software, hardware, and trained personnel. The cost of these measures must be weighed against the potential damage of a breach. Prioritizing security investments based on the specific risks and needs of the business is crucial to ensure that resources are used effectively and efficiently. Companies must find the right balance between adequate protection and financial feasibility.

The Insider Threat

Imagine a trusted employee leaking sensitive data. Even the most sophisticated security cannot defend against disgruntled employees or social engineering attacks. Human error and malicious intent are ever-present dangers. Security awareness training and a culture of data responsibility are essential.

The Evolving Threat Landscape

Hackers continuously shift tactics, from brute-force attacks to phishing campaigns to exploiting software vulnerabilities. As these threats evolve, security measures must also be dynamic and adaptable. Businesses must treat security as a fluid process, constantly changing to counter new and emerging threats effectively. This continuous adaptation is essential for staying ahead in the ever-changing landscape of cyber threats.

The Data Value Spectrum

Not all data is created equal. Financial records, medical information, and intellectual property require the highest level of security. Less sensitive data, like movie preferences, can be protected with less stringent measures. Security needs to be tailored based on data value. 

So, what's the answer?

Perhaps it's not about achieving "enough" security but adopting a proactive security posture. This posture acknowledges the inherent risks, prioritizes data based on value, and employs a multi-layered defense strategy.

The Pillars of a Proactive Security Posture

While absolute security may be a myth, building a robust security posture can significantly reduce the risk of breaches and minimize damage if one occurs. Here are the key pillars of this approach, expanded for a deeper understanding:

Defense in Depth

Imagine a castle with a moat, drawbridge, and heavily fortified walls. This layered approach is the essence of defense in depth. It involves deploying a variety of security controls at different points within a system. Firewalls act as the first line of defense, filtering incoming and outgoing traffic. Access controls ensure that only authorized users can access specific data. Encryption scrambles data at rest and in transit, making it unreadable even if intercepted.

This layering creates redundancy. If one control fails, others can still impede attackers. Additionally, it makes a complete breach significantly more difficult. Hackers must bypass multiple layers, considerably increasing the time and effort required for a successful attack.

Assume Breach

Security needs a "fire drill" mentality. We must assume a breach will occur and have a well-defined incident response plan in place. This plan outlines the steps to take upon detecting a breach, such as isolating compromised systems, containing the damage, notifying authorities, and restoring affected data. A well-practiced plan minimizes downtime, data loss, and reputational damage.

Continuous Monitoring

Security isn't a one-time fix; it's a continuous process requiring constant vigilance. This entails regularly scanning systems for vulnerabilities, updating software with the latest security patches, and educating employees about cybersecurity best practices. By continuously monitoring systems and fostering a culture of security awareness, businesses can significantly reduce the risk of successful attacks and ensure their data security remains robust and adaptive to evolving threats.

Security by Design

Integrating security considerations into every stage of the product or system development life cycle is crucial. Security features shouldn't be an afterthought bolted onto a finished product but should be an integral part of the design and development process from the very beginning. This proactive approach ensures that security is woven into the fabric of the system, providing a more robust, more resilient defense against potential threats.

Wrapping Up

In an era where data breaches are not a matter of if but when, businesses must adopt a proactive and holistic approach to data security. The question of how much data security is enough is not about reaching an endpoint but about creating a resilient and adaptive security posture. It's about balancing cost with risk, leveraging technology while addressing the human element, and continuously evolving to meet new challenges. In the end, the right amount of security is the amount that protects your business, your customers, and your reputation in an increasingly hostile digital landscape.

Recently, a significant data exfiltration event targeting Snowflake customer databases came to light, orchestrated by a financially motivated threat actor group, UNC5537. This group successfully compromised numerous Snowflake customer instances, resulting in data theft and extortion attempts. It's important to note that Mandiant's thorough investigation found no evidence suggesting that the cyber threats originated from Snowflake's own environment. Instead, every incident was traced back to compromised customer credentials. 

In this blog post, we’ll dive into the key takeaways from Mandiant’s investigation. We’ll also share some actionable insight to bolster your data security – because staying alert and proactive is your best defense in safeguarding your organization’s data integrity.  

Key Findings 

Credential Compromise

The attacks primarily involved the use of stolen customer credentials, leading to unauthorized access and data theft. 

Threat Hunting Guidance

Mandiant provided comprehensive threat hunting queries to detect abnormal and malicious activities, which are crucial for identifying potential incidents. 

Common Attack Patterns

  • Roles and Permissions Changes: Attackers frequently used the SHOW GRANT command to enumerate resources and adjust permissions, enabling broader access. 
  • Abnormal Database Access: Unusual spikes in access to databases, schemas, views, and tables were noted, indicating potential reconnaissance or data exfiltration activities. 
  • User and Query Analysis: Identifying patterns in user creation, deletion, and query frequencies helped in detecting anomalous behaviors. 
  • Error Rate Analysis: High error rates in query executions often indicated brute force attempts or misconfigured accounts used by attackers. 
  • High Resource Consumption: Large volumes of data queries and compression activities were linked to data staging and exfiltration efforts. 
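The attack patterns listed above translate directly into per-user checks over query history. The following is an added example, not one of Mandiant's hunting queries: it runs four of those checks (grant enumeration, error rate, breadth of object access, volume of rows returned) over constructed query-history records. The record layout and every threshold are assumptions; in practice the thresholds would come from each user's own baseline.

```python
import re
from collections import defaultdict

# Assumed static thresholds for the illustration.
GRANT_ENUM_MIN = 3        # SHOW GRANTS statements per user in the window
ERROR_RATE_MIN = 0.4      # failed / total
MIN_QUERIES = 4           # ignore error rate for users with very few queries
OBJECTS_MIN = 4           # distinct tables or views referenced
ROWS_MIN = 1_000_000      # total rows returned

SHOW_GRANTS = re.compile(r"^\s*SHOW\s+GRANTS?\b", re.IGNORECASE)
FROM_OBJECT = re.compile(r"\bFROM\s+([A-Za-z_][\w.]*)", re.IGNORECASE)

# Constructed records: (user, query text, status, rows produced).
HISTORY = [
    ("analyst1", "SELECT region, SUM(amount) FROM sales.public.orders GROUP BY region", "SUCCESS", 12),
    ("analyst1", "SELECT * FROM sales.public.orders LIMIT 100", "SUCCESS", 100),
    ("analyst1", "SELECT COUNT(*) FROM sales.public.returns", "SUCCESS", 1),
    ("analyst1", "SELECT id FROM sales.public.returns WHERE amount > 500", "SUCCESS", 40),
    ("analyst2", "SELECT * FROM sales.public.orders LIMIT 10", "SUCCESS", 10),
    ("analyst2", "SELEC * FROM sales.public.orders", "FAIL", 0),
    ("analyst2", "SELECT * FROM sales.public.orders LIMIT 20", "SUCCESS", 20),
    ("analyst2", "SELECT COUNT(*) FROM sales.public.orders", "SUCCESS", 1),
    ("svc_report", "SHOW GRANTS TO USER svc_report", "SUCCESS", 3),
    ("svc_report", "SHOW GRANTS ON ACCOUNT", "SUCCESS", 25),
    ("svc_report", "SHOW GRANTS TO ROLE sysadmin", "SUCCESS", 40),
    ("svc_report", "SELECT * FROM crm.public.customers", "SUCCESS", 900_000),
    ("svc_report", "SELECT * FROM crm.public.payments", "SUCCESS", 800_000),
    ("svc_report", "SELECT * FROM hr.public.employees", "FAIL", 0),
    ("svc_report", "SELECT * FROM hr.public.salaries", "FAIL", 0),
    ("svc_report", "SELECT * FROM fin.public.ledger", "FAIL", 0),
    ("svc_report", "SELECT * FROM fin.public.invoices", "FAIL", 0),
]


def summarize(history):
    """Aggregate per-user counters from the raw query records."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "grants": 0,
                                 "objects": set(), "rows": 0})
    for user, text, status, rows in history:
        s = stats[user]
        s["total"] += 1
        if status != "SUCCESS":
            s["failed"] += 1
        if SHOW_GRANTS.match(text):
            s["grants"] += 1
        # Failed queries count too: an attempt to read an object is still a signal.
        s["objects"].update(name.lower() for name in FROM_OBJECT.findall(text))
        s["rows"] += rows
    return stats


def hunt(history):
    """Return {user: [flags]} for users that trip at least one check."""
    flagged = {}
    for user, s in summarize(history).items():
        flags = []
        if s["grants"] >= GRANT_ENUM_MIN:
            flags.append("grant_enumeration")
        if s["total"] >= MIN_QUERIES and s["failed"] / s["total"] >= ERROR_RATE_MIN:
            flags.append("high_error_rate")
        if len(s["objects"]) >= OBJECTS_MIN:
            flags.append("wide_object_access")
        if s["rows"] >= ROWS_MIN:
            flags.append("bulk_rows")
        if flags:
            flagged[user] = flags
    return flagged


if __name__ == "__main__":
    for user, flags in hunt(HISTORY).items():
        print(user, ", ".join(flags))
```

A single flag is usually noise (analyst2's typo produces one failed query and no alert); several flags on the same account in the same window is the combination worth investigating.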

4 Critical Recommendations to Enhance Snowflake Security 

Given these findings, it's imperative for Snowflake users to bolster their security measures. Here are some critical steps:

  • Implement Multi-Factor Authentication (MFA): Ensure MFA is enabled for all user accounts to prevent unauthorized access even if credentials are compromised. 
  • Regular IAM Reviews: Conduct frequent reviews of roles and permissions to detect and mitigate any unauthorized changes. 
  • Enhanced Monitoring: Use advanced monitoring tools such as database activity monitoring (DAM) to track abnormal access patterns, high error rates, and unusual resource consumption. 
  • Threat Hunting Practices: Regularly perform threat hunting exercises using the guidance provided by Mandiant to stay ahead of potential issues. 

Ask Yourself These Questions

As you reflect on the recent incidents, it’s crucial to consider the broader implications for your organization’s security. To ensure you are well-prepared and resilient against emerging threats, consider the following questions:

1. Are your current security measures sufficient to detect and prevent unauthorized access, especially from compromised credentials? 

2. How often do you review and update your access controls and permissions? Is this easy to do for your business? 

3. Do you have robust monitoring in place to detect unusual activities and high error rates in real time?

4. What proactive threat detection strategies are you employing to identify potential issues before they cause significant damage? 

By addressing these questions and strengthening your security posture, you can better protect your Snowflake environment from similar threats. If you're looking to enhance your data security capabilities or you are not confident in your answers to the above questions, consider investing in advanced data security software purpose-built for Snowflake. ALTR’s solutions offer comprehensive protection, continuous monitoring, and proactive threat detection to safeguard your valuable data assets.

Would you like to explore how our data security solutions can help you secure your Snowflake environment? Contact ALTR today to learn more and schedule a demo. 

Data, its meticulous management, stringent security, and strict compliance have become pivotal to businesses' operational integrity and reputation across many sectors. However, the intricate maze of evolving compliance laws and regulations, as we discussed in a recent blog, poses a formidable challenge to data teams and stakeholders. This dynamic regulatory environment complicates the already intricate workflows of data engineers, who stand on the frontlines of ensuring data compliance, constantly navigating through a sea of changes to maintain adherence.

The Compliance Conundrum

The landscape of data compliance has shifted from a mere checkbox exercise to a continuous commitment to safeguarding data privacy and integrity. The advent of stringent regulations like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States, among others, has escalated the stakes. Each regulation has its unique set of demands, and failure to comply can lead to severe repercussions, including substantial fines and a damaged reputation. A recent study from Drata found that 74% of organizations state compliance is a burden, and 35% spend 1,000 to 4,999 hours on compliance activities.

For data engineers, this presents an incredibly daunting task. They are tasked with the critical responsibility of ensuring that the data architectures they develop, the databases they oversee, and the analytics they perform are in strict alignment with a complex array of regulations that vary not only by jurisdiction but also by the nature of the data. This requires a vigilant eye on the ever-changing regulatory landscape, an in-depth understanding of each law, and a clear comprehension of its applicability to the data they manage. This constant state of monitoring and adaptation disrupts standard workflows, delays projects, and introduces a layer of uncertainty into data operations.

Navigating Through With Automation and Scalable Data Security

Amid these challenges, automation and scalable data security shine as beacons of hope, promising to alleviate the burden on data engineers and enable them to concentrate on their core tasks.

Data Classification: The Starting Point

The critical process of data classification is at the heart of any robust data security and compliance strategy. It tackles the initial hurdle of deciphering which regulations apply to specific data sets by identifying and categorizing data based on sensitivity. Automating this foundational step ensures that data is consistently managed in line with its classification, simplifying the maze of compliance with regulations like GDPR and CCPA.  

Dynamic Data Masking: Protecting Data in Real-Time

Dynamic Data Masking (DDM) emerges as a practical solution for the real-time protection of sensitive data, ensuring it remains accessible only to those with authorization. This tool is particularly pertinent to complying with regulations demanding strict data privacy and access controls, allowing data engineers to implement scalable data access policies without altering the actual data.

Database Activity Monitoring: The Watchful Eye

The continuous surveillance of database activities through Database Activity Monitoring is crucial for maintaining compliance. It enables the early detection of unauthorized access or anomalous data handling, which could indicate potential breaches or non-compliance. This tool is instrumental in keeping an audit trail, a prerequisite for many data protection regulations, ensuring any deviations from standard data access patterns are promptly addressed.

Tokenization: Minimizing Exposure Risk

Tokenization is a formidable shield for sensitive data types, such as Personal Health Information (PHI) or Payment Card Information (PCI), which are often under stringent regulatory scrutiny. By substituting sensitive data with non-sensitive equivalents, tokenization significantly reduces the risk of data exposure. It eases the compliance burden by narrowing the scope of data subjected to the most stringent regulations.

Format Preserving Encryption: Balancing Security and Usability  

Format Preserving Encryption (FPE) allows organizations to secure data while preserving its usability, an essential factor for operational systems bound by data protection regulations. FPE ensures encrypted data remains functional within applications without modification, thus supporting compliance efforts by safeguarding data without hindering business processes.

Open Source Integrations: Streamlining Compliance

Integrating open-source tools for data governance facilitates a smoother compliance journey by automating and simplifying data management tasks. These integrations ensure consistent data handling practices, enhance data quality, and foster a comprehensive data governance framework capable of adapting to evolving regulations, thereby bolstering an organization's compliance posture in a scalable and efficient manner.

How Streamlined Compliance Fuels Business Growth

Navigating data compliance with automation and advanced data management brings significant benefits beyond mere regulatory adherence, enhancing operational efficiency and competitive positioning.

Accelerated Project Delivery

Automating compliance tasks liberates data engineers to concentrate on their core functions, significantly speeding up project timelines. Automation facilitates rapid adaptation to regulatory changes and maintains a constant state of compliance readiness, boosting productivity and enabling businesses to respond swiftly to market demands.

Elevated Data Quality

Implementing precise data classification and stringent access controls reduces the risk of errors and inconsistencies. This ensures a steady flow of accurate and reliable data through organizational pipelines, crucial for informed decision-making and maintaining operational integrity.

Competitive Edge

In today's data-sensitive environment, a strong reputation for data security and compliance can enhance customer trust and loyalty, offering a distinct competitive advantage. Demonstrable data protection meets regulatory requirements and fosters customer retention and brand differentiation, turning compliance into a strategic business asset.

Wrapping Up

While the ever-evolving landscape of compliance laws poses significant challenges, the path forward isn't about memorizing every regulation but about leveraging technology to create a culture of informed compliance. This allows data engineers to shift their focus from frantic firefighting to strategic data management, ultimately unlocking the true potential of the information they hold.

When talking to customers about data protection in Snowflake, a few things get a little mixed up with one another. Snowflake’s Tri-Secret Secure and masking are sometimes considered redundant with ALTR’s tokenization and format-preserving encryption (FPE) - or vice versa. What we’ll do in this piece is untangle the knots by clarifying what each of these is, when you would use each, and the advantages you have because you can choose which option to apply to each challenge you come across.

Snowflake’s Tri-Secret Secure is a built-in feature, and it requires that your Snowflake account is on the Business Critical Edition. Tri-Secret is a hybrid of the “bring your own key” (BYOK) and the “hold your own key” (HYOK) approaches to using customer-managed keys for the encryption of data at rest. [ProTip for the Snowflake docs: Tri-Secret Secure is essentially a brand name for the customer-managed keys approach, and if you read these docs understanding that, then these docs are a little clearer.] When you use customer-managed keys, there is often a choice between having to supply the key to the third party (Snowflake in this case) on an ongoing basis or only giving it when needed – BYOK and HYOK respectively. Snowflake effectively combines these approaches by having you provide an encrypted version of the key, which can only be decrypted when it calls back to your key management systems. So, you bring an encrypted version of the customer-managed key to Snowflake but hold the key that can decrypt it. Tri-Secret is used for the actual files that rest on disks in your chosen Snowflake cloud provider and is a form of transparent data encryption – meaning this encryption doesn’t require a user to be aware of the encryption involved. It protects the files on disk without affecting anything at run time.

Snowflake’s Dynamic Data Masking is a very simple yet powerful feature. This feature requires Enterprise Edition (or higher). When a masking policy is used to protect a column in Snowflake, at run time, a decision is made to return either the contents of a column or a masked value (e.g., a set of “****” characters). You can apply this protection to a column either directly as a column policy or via a tag placed on a column associated with a tag-based policy. When you need to ensure that certain individuals can never see the legitimate values in a column, then Dynamic Data Masking is a perfect solution. The canonical example is ensuring that the database administrators can never see the values of sensitive information when performing administrative tasks. However, there are slightly more complex instances of hiding information where masking falls short. You can easily imagine a circumstance where users may be identifiable across many tables by values that are sensitive (e.g., credit card numbers, phone numbers, or government ID numbers). You want users doing large analytics work to be able to join these objects by the identifiers, but simultaneously, you’re obligated to protect the values of those identifiers in the process. Clearly, turning them into a series of “***” won’t do that job.

This is where ALTR’s Tokenization and Format-Preserving Encryption (FPE) enter the story. We could spend hours parsing out the debate about whether tokenization is a superclass of FPE, vice versa, or neither. There are people with strong arguments on every side of this. We’ll focus on the simpler questions of what each feature is and when it is best applied. First, let’s define what they are:

- Tokenization replaces values with tokens in a deterministic way. This means that you can rely on the fact that if there is a value “12345” in a cell and it’s replaced by the token “notin” in one table, then if you encounter that value in another table, it will also be “notin” each time it started as “12345.” So now you can join the two tables by those cells and get the correct result. A key concept here is that the token (“notin” in this example) contains no data about the original values in any way. It is a simple token that you swap in and out.

- Format-Preserving Encryption (FPE) is like tokenization since you’re also swapping values. However, the “tokens” in this case are created through an encryption process where the resulting value maintains both the information and its format. FPE might replace a phone number value of “(800) 416-4710” with “(201) 867-5309.” Like the tokens, that replacement will be consistent so one can use it in joins and other cross-object operations. Unlike the tokens, these values are in the same “format” (hence the name and the phone number token looking exactly like a different phone number), which means they will be usable in applications and other upstream operations without any code changes. In other words, FPE won’t break anything; it only protects information.
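The join behaviour described above, as an added example that is not ALTR's or Snowflake's code: a constant mask and a toy in-memory token vault are applied to two constructed tables and joined on the protected column. `TokenVault`, `mask`, `join` and the sample card numbers are hypothetical names and constructed values; FPE is not implemented here.

```python
import secrets

# Constructed sample tables; the card numbers are made-up test values.
CUSTOMERS = [{"name": "alice", "card": "4111111111111111"},
             {"name": "bob", "card": "5500000000000004"}]
PAYMENTS = [{"card": "4111111111111111", "amount": 30},
            {"card": "5500000000000004", "amount": 12},
            {"card": "4111111111111111", "amount": 7}]


def mask(value):
    """Masking as the article describes it: every value becomes the same string."""
    return "****"


class TokenVault:
    """Toy in-memory vault (hypothetical): random tokens, one per distinct value."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, value):
        # Reuse the token for a value already seen, so the mapping is deterministic.
        if value not in self._by_value:
            token = secrets.token_hex(8)  # random: carries no data about the value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]


def join(left, right, protect):
    """Inner-join two tables on the protected form of their 'card' column."""
    index = {}
    for row in right:
        index.setdefault(protect(row["card"]), []).append(row)
    return [(l["name"], r["amount"])
            for l in left for r in index.get(protect(l["card"]), [])]


if __name__ == "__main__":
    vault = TokenVault()
    print("plaintext:", join(CUSTOMERS, PAYMENTS, lambda v: v))
    print("tokenized:", join(CUSTOMERS, PAYMENTS, vault.tokenize))
    print("masked:   ", join(CUSTOMERS, PAYMENTS, mask))
```

The tokenized join returns the same rows as the plaintext join, while the masked join pairs every customer with every payment because all keys collapse to one value.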

ALTR has both Tokenization and Format-Preserving Encryption solutions for Snowflake, which are cloud-native and immensely scalable. In other words, they can both keep up with the insane scale demands of Snowflake workloads. The application-friendly FPE often seems like the only solution you need at first glance. However, there are reasons for choosing to use only Tokenization or perhaps both Tokenization and FPE in combination. The most common reason for going Tokenization only is due to regulatory constraints. Since the ALTR Tokenization solution can be run in a separate PCI scope, it gives folks the power to leverage Snowflake for workloads that need PCI data without having to drag Snowflake as a whole into PCI auditing scope. The most common reason we see folks run both Tokenization and FPE together is to stick to a strict least-privilege model of access. Since Tokenization removes all the information about the data it protects, some will choose to tokenize data while it flows through pipelines into and out of Snowflake and transform it to FPE while inside Snowflake to get the most out of the data in the trusted data platform.

Hopefully, it’s clear by now that the answer to the question “Which one of these should I use?” is: it depends. If you’re already on Snowflake’s Business Critical Edition, then using Tri-Secret Secure seems like a no-brainer. The extra costs involved are nominal, and the extra protection afforded is substantial. The real questions come when applying Snowflake’s Dynamic Data Masking and either of ALTR’s Tokenization and Format-Preserving Encryption (FPE). Masking is a great option for many administrative use cases. If you’re not concerned about the user being able to do cross-object operations like joins and need to hide the data from them, then masking is easily the best choice. The moment there is the need for joins or similar operations, then ALTR’s Tokenization and FPE are the right places to turn. Picking between them is mostly a matter of technical questions. If you have concerns about application compatibility with the protected data, then FPE is your choice. If you want to keep the protected data away from the data platform, then Tokenization is the best option since FPE runs natively in Snowflake. And there are clearly times when you may have workloads complex enough that all of these can be used in combination for the best results. You’ve got all the options you could ever need for Snowflake data protection. So now it’s time to get to work making your data safer than ever.
