Snowflake Data Encryption

By Ameesh Divatia, CEO and co-founder | February 13, 2023

There’s no argument that data encryption is a necessary security measure. But when it comes to protecting data on its way to a cloud, is it enough? If you’re using Snowflake to store data, it’s not. That’s because PII data used in a Snowflake table is not anonymized, which means anyone with administrative privileges to the table (at the customer or Snowflake level) can access the data in clear text. Once data is transferred to Snowflake and is “at rest,” it’s secure, but while it’s in use and in transit it needs an extra level of protection.

Encryption is a no-brainer. But it’s only part of the line of defense.

To understand why multiple levels of security are needed, it’s essential to consider how encryption works. Encryption converts data into ciphertext so that attackers can’t read it. But if they find a vulnerability somewhere along the data encryption path, or get hold of your data encryption keys, your encrypted data can still be compromised and your enterprise with it.

There are four reasons encryption isn’t enough.

  1. It involves limited protection. No matter how high its level, encryption alone doesn’t prevent hacking. Email, in particular, is highly vulnerable because it can be intercepted and read.
  2. Online threats are still a risk. A recent survey found that businesses with known data encryption issues cited unencrypted cloud services as a significant part of the problem. So relying only on the cloud for data storage and communication with inadequate encryption could be a costly problem.
  3. It doesn’t replace basic network security. This is where security training and awareness come in for all enterprise employees.
  4. Not vetting vendors can create vulnerability. Take time to ensure your vendors take proper precautions to protect their systems.

De-identifying data is a critical step to a secure enterprise.

We’ve established that data is vulnerable as it moves into the cloud. Therefore, it’s paramount that you partner with a vendor who can work with your cloud provider (in this case, Snowflake) to de-identify data on its way to the cloud, adding an additional layer of privacy protection. You need to de-identify data on the fly and then selectively re-identify it in Snowflake based on authorized roles.

Does Snowflake encrypt data in transit?

The short answer is yes. Snowflake allows all connections between the console and the database to be end-to-end encrypted at the network level, with keys provided either by Snowflake or by the customer using Snowflake.

What types of data encryption does Snowflake offer?

Snowflake offers data protection that includes encryption, tokenization, and masking. However, these levels of protection have gaps, and another provider, like Baffle, can add protection against them.

Snowflake data security gaps and how Baffle addresses them.

Baffle’s integration with Snowflake is the only solution that de-identifies data end-to-end in the data pipeline. It supports multiple database, file, and file-system encryption modes, including NIST-certified and FIPS-validated AES modes. It offers encryption at the database field level and protects data in use. Its fine-grained, role-based controls better protect sensitive data from breaches and include features that mask data for use in test and dev environments.

Dynamic data masking, external tokenization, and data encryption are strengthened with Baffle.

Dynamic data masking has benefits, like allowing sensitive data to be selectively masked based on access control policies set up in Snowflake. But it still leaves sensitive data vulnerable in the Snowflake environment, allowing hackers to access it directly and exfiltrate it.

External tokenization also has benefits and is essential. But it’s also not enough. While it ensures that data stored in the Snowflake environment is never accessible in the clear on a server running Snowflake, raw data is still exposed in memory, and the results of a computation can be seen in the clear in the Snowflake environment.

So, when it comes to data encryption vulnerabilities within Snowflake, Baffle can obfuscate data so that even a Snowflake administrator won’t be able to see it. For data masking vulnerabilities, Baffle adds an extra layer of dynamic data masking, where even the last digits of a social security number, for example, will be obfuscated. Baffle can also tokenize data within Snowflake so that raw data can’t be seen in the Snowflake environment.
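To make the difference between masking-in-the-warehouse and de-identifying-before-load concrete, here is an added illustration (not Baffle’s or Snowflake’s code) of the pipeline described above: a PII column is tokenized on the fly before it reaches the warehouse, so the stored copy is a token that an administrator cannot read, and re-identification on the way out depends on the caller’s role, with partial masking that hides even the last four digits from unauthorized roles. It uses keyed HMAC tokenization from the Python standard library as a stand-in for the AES-256 field-level encryption the article describes; the key, role names and rows are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. A real deployment would fetch this from a KMS/HSM
# outside the warehouse, never embed it in code (assumption for the example).
TOKEN_KEY = b"demo-key-not-for-production"

# The token vault lives outside Snowflake; the warehouse only ever stores tokens.
_vault: dict = {}


def tokenize(value: str) -> str:
    """Deterministic keyed token: equal clear values give equal tokens, so
    joins and GROUP BY on the column still work inside the warehouse, but the
    token reveals nothing about the clear value without TOKEN_KEY."""
    digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
    token = "tok_" + digest[:16]
    _vault[token] = value
    return token


def reidentify(token: str, role: str) -> str:
    """Re-identify on the way out, according to the caller's role.
    Roles are constructed for the demo; they would map to Snowflake roles."""
    clear = _vault.get(token)
    if clear is None:
        raise KeyError("unknown token")
    if role == "HR_PAYROLL":          # fully authorized: clear text
        return clear
    if role == "SUPPORT":             # partially authorized: last four only
        return "***-**-" + clear[-4:]
    return "***-**-****"              # everyone else, warehouse admins included


def load_rows(rows):
    """ETL hook: the PII column is replaced with tokens *before* load, so the
    warehouse (and anyone with admin rights to it) never sees clear text."""
    return [{"id": r["id"], "ssn": tokenize(r["ssn"])} for r in rows]


def query_rows(warehouse_rows, role):
    """Read path: tokens are re-identified or masked per role on the way out."""
    return [{"id": r["id"], "ssn": reidentify(r["ssn"], role)} for r in warehouse_rows]


if __name__ == "__main__":
    stored = load_rows([{"id": 1, "ssn": "123-45-6789"}])   # constructed row
    print("stored in warehouse:", stored[0]["ssn"])
    for role in ("HR_PAYROLL", "SUPPORT", "ACCOUNTADMIN"):
        print(role, "->", query_rows(stored, role)[0]["ssn"])
```

The contrast with a native masking policy is that here the warehouse never holds the clear value at all; a masking policy only changes what a query returns while the underlying column stays in clear text.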

What are the different levels of security that Snowflake provides?

Snowflake offers protection for data at rest and in transit. When Baffle is added to the equation, data “in use” is also protected, which is critical to securing data.

Better data protection for Snowflake

As organizations continue to move more data to the cloud in the current ecosystem, security can often be treated as an afterthought. Baffle Data Protection Services for Snowflake is purpose-built software designed to simplify the end-to-end security of the modern big data pipeline.

Baffle DPS for Snowflake supports operations on AES 256-bit encrypted data in cloud services so that security issues don’t impact enterprises. How?

It seamlessly integrates with database migration services or other ETL solutions to tokenize or encrypt data on the fly as it migrates from on-premises to the cloud. In addition, it supports multiple modes of encryption and tokenization to simplify data protection at the field level. It’s also a transparent, no-code data security mesh that allows application and SQL-type queries to function without any code modifications while securing access and controlling decryption and re-identification of data stored in Snowflake.

When it comes to protecting your data in use, no other solution provides a more transparent and easily deployable solution.

As an enterprise, it’s important to have as many levels of data security while data is moving as you do once it’s in the cloud. And with cyber threats growing by the day, there’s no better time than now to look at your vendors and determine whether the security you have in place is enough.

To learn more about how Baffle DPS can de-identify and secure the data pipeline end-to-end and protect your critical data, schedule a live demo with one of our solutions experts and get answers to all your questions.