Benchmark: Data Encryption
Overview
All data stored in Snowflake is transparently encrypted using a key hierarchy with a cloud-HSM-backed root of trust; each individual piece of data is encrypted under its own key, so no single key protects the whole data set. Snowflake also offers the use of a customer-managed key (CMK) in this encryption process through a feature called Tri-Secret Secure. Independent of the Tri-Secret Secure feature, Snowflake rotates the keys every 30 days, ensuring that new data ingested after 30 days is encrypted using a new key hierarchy.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-snowflake-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Data Encryption.
Run this benchmark in your terminal:
powerpipe benchmark run snowflake_compliance.benchmark.security_overview_data_encryption
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run snowflake_compliance.benchmark.security_overview_data_encryption --share
Controls
- Use Tri-Secret Secure
- Use automatic key rotation for the CMK as provided by the cloud provider
- Enable Tri-Secret Secure in the target account when using database replication
- Enable periodic rekeying in Snowflake
- Use built-in encryption functions in addition to the transparent encryption to encrypt/decrypt certain columns
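The controls above are evaluated by the mod through Steampipe; the Snowflake-side settings they test can also be inspected and remediated directly in a Snowflake worksheet. The following is an added example and not code from the mod or from Snowflake's documentation. It assumes an ACCOUNTADMIN session, uses a constructed passphrase and table name as placeholders, and covers two of the listed controls: periodic rekeying (the PERIODIC_DATA_REKEYING account parameter) and column-level encryption with the built-in ENCRYPT/DECRYPT functions layered on top of the transparent encryption. Tri-Secret Secure is not shown because it is enabled through Snowflake Support rather than SQL.

```sql
-- Added example (not part of the mod or the page). Run as ACCOUNTADMIN.
-- The passphrase and table/column names are constructed placeholders.

-- Control: "Enable periodic rekeying in Snowflake"
-- Inspect the account-level parameter behind the control; its default is FALSE.
SHOW PARAMETERS LIKE 'PERIODIC_DATA_REKEYING' IN ACCOUNT;

-- Remediate: with rekeying on, data encrypted under a retired key hierarchy
-- is re-encrypted under a fresh one after a year (Enterprise Edition or higher).
ALTER ACCOUNT SET PERIODIC_DATA_REKEYING = TRUE;

-- Control: "Use built-in encryption functions in addition to the transparent encryption"
-- Keep the sensitive column as ciphertext (BINARY); the transparent layer still
-- protects the storage underneath it.
CREATE OR REPLACE TEMPORARY TABLE customer_secrets (
    id       INTEGER,
    ssn_enc  BINARY   -- ciphertext, never the plaintext SSN
);

-- The passphrase here is a placeholder; in practice it comes from a secrets
-- manager or session variable, never a literal checked into SQL.
INSERT INTO customer_secrets
SELECT 1, ENCRYPT('123-45-6789', 'example-passphrase-replace-me');

-- Only callers who hold the passphrase can recover the value; everyone else
-- sees BINARY ciphertext. The default method is AES-GCM, so the ciphertext is
-- authenticated as well as encrypted.
SELECT id,
       TO_VARCHAR(DECRYPT(ssn_enc, 'example-passphrase-replace-me'), 'utf-8') AS ssn
FROM customer_secrets;
```

The SHOW PARAMETERS statement returns the current value alongside the default and the level at which it was set, which is what a compliance check of this kind compares against; the ALTER ACCOUNT statement is the remediation step when the value is FALSE.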