Snowflake Security

Snowflake's security model is layered: each control sits at a specific point in the request path, and each layer assumes the layers above and below it are doing their job. The network layer keeps untrusted traffic out, the identity layer authenticates the caller, the data protection layer enforces what the authenticated caller can read, the detection layer records what happened, and the governance layer ties it all back to data classification and policy lineage. This page is the entry point to the deep-dive pages that follow — each takes one slice of the stack and walks through the SQL, the failure modes, and the operational patterns that matter in production.

┌──────────────────────────────────────────────────────────────────────┐
│                       NETWORK LAYER                                  │
│  ┌──────────────────┐  ┌──────────────────┐  ┌──────────────────┐    │
│  │ PrivateLink /    │  │  Network Policy  │  │  Network Rules   │    │
│  │ Private Service  │  │  (allow / deny)  │  │ IPV4 / VPCE /    │    │
│  │ Connect          │  │                  │  │ AzureLinkID      │    │
│  └──────────────────┘  └──────────────────┘  └──────────────────┘    │
└──────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌──────────────────────────────────────────────────────────────────────┐
│                      IDENTITY LAYER                                  │
│  ┌──────────────────┐  ┌──────────────────┐  ┌──────────────────┐    │
│  │  SSO / SAML 2.0  │  │   MFA / Duo /    │  │  RBAC + System   │    │
│  │  SCIM Provision  │  │   Authenticator  │  │  Roles + Custom  │    │
│  └──────────────────┘  └──────────────────┘  └──────────────────┘    │
└──────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌──────────────────────────────────────────────────────────────────────┐
│                  DATA PROTECTION LAYER                               │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌────────────┐   │
│  │ Column       │ │ Row Access   │ │ Tokenization │ │ AES-256    │   │
│  │ Masking      │ │ Policies     │ │ (UDF-based)  │ │ Encryption │   │
│  │ Policies     │ │              │ │              │ │ Hierarchy  │   │
│  └──────────────┘ └──────────────┘ └──────────────┘ └────────────┘   │
└──────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌──────────────────────────────────────────────────────────────────────┐
│                     DETECTION LAYER                                  │
│  ┌──────────────────┐  ┌──────────────────┐  ┌──────────────────┐    │
│  │  Trust Center    │  │  Access History  │  │  Login History / │    │
│  │  CIS Scanners    │  │  (column lineage)│  │  Sessions Audit  │    │
│  └──────────────────┘  └──────────────────┘  └──────────────────┘    │
└──────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌──────────────────────────────────────────────────────────────────────┐
│                    GOVERNANCE LAYER                                  │
│  ┌──────────────────┐  ┌──────────────────┐  ┌──────────────────┐    │
│  │ Object Tagging   │  │  Classification  │  │  Replication +   │    │
│  │ + Tag Lineage    │  │  (SYSTEM$CLASSIFY)│ │  Failover Policy │    │
│  └──────────────────┘  └──────────────────┘  └──────────────────┘    │
└──────────────────────────────────────────────────────────────────────┘

Pages in This Section

• Network Policies and PrivateLink — IP allowlists, AWS PrivateLink / Azure Private Link / GCP Private Service Connect, network rules, session policies, and how to lock the account boundary so the public Snowflake URL stops resolving traffic from outside your VPC.
• Row Access and Masking Policies — column-level dynamic masking and row-level filtering driven by CURRENT_ROLE and mapping tables; the SQL pattern that lets one physical table serve every persona without duplicating views.
• Tag-Based Masking and Classification — SYSTEM$CLASSIFY for automated PII detection, tag-driven policy attachment via ALTER TAG SET MASKING POLICY, and the governance reports in ACCOUNT_USAGE that prove every sensitive column is covered.
• Encryption Key Hierarchy — the four-level AES-256 key tree (root → account → table → file), Tri-Secret Secure for customer-managed keys in AWS KMS or Azure Key Vault, periodic rekeying, and the BYOK trade-offs.
• Trust Center and RBAC — vulnerability and threat scanners (CIS, custom packages), the system role hierarchy (ACCOUNTADMIN → SECURITYADMIN → custom roles), FUTURE GRANTS, and role auditing through ACCESS_HISTORY.

↑ Back to Top