Data Masking in Snowflake

Baffle Data Protection Services for Snowflake - The Fastest, Easiest, and Most Secure Dynamic Data Masking (DDM) Platform

Snowflake and the Economist Intelligence Unit reported that 42% of businesses worry that their data masking policies will not prevent confidential information from leaking when data is shared with, or obtained from, outside sources, and that 64% of businesses find it challenging to integrate data from multiple sources. Compliance obligations under GDPR, CCPA, and HIPAA also weigh heavily on privacy officers. As a result, privacy officers put increasing emphasis on the governance features of the data masking software or SaaS offering they choose.

Organizations continue to move more data to the cloud to benefit from scalable storage and cloud analytics, and they need to safeguard the sensitive data they move. Data lake and data warehouse solutions like Snowflake offer flexible analytics access to very large volumes of data that must be kept secure.

Snowflake, Inc.

Snowflake, Inc. provides a cloud-based data warehouse that combines storage and analytics. The company reports more than 515 million data workloads executed daily across more than 250 petabytes of data.

Snowflake differs from many other warehouses. One noticeable difference is that the platform decouples compute from storage, so companies that need a lot of storage but little CPU, or vice versa, pay only for what they use rather than for a fixed bundle of both.

Baffle Data Protection Service (DPS) deploys a transparent data security mesh that de-identifies these large volumes of data as they are transferred to cloud storage or staging environments. Baffle DPS also handles masking, data optimization, authentication, and access control for Snowflake data.

In addition, Baffle Data Protection Service for Snowflake lets enterprises advance their data governance initiatives and keep control of sensitive data in the Snowflake data cloud. Using Snowflake's ability to call external functions, Baffle applies Format-Preserving Encryption (FPE) to tokenize sensitive data with encryption keys that are never visible to Snowflake administrators.


How Baffle DPS enables Data Masking in Snowflake

Baffle DPS for Snowflake uses the Baffle Data Proxy, with connectors for HTTP and REST APIs, plus a packaged REST API so that any application or data store can be covered. Below is a simplified graphic of this process.

The Snowflake data masking, encryption, and tokenization solution works by providing the following:

  • Seamless integration with database migration services and other ETL solutions, so data is tokenized or encrypted on the fly as it migrates from on-premises to the cloud.
  • Multiple modes of protection (encryption, tokenization, and format-preserving encryption (FPE)) to simplify data protection at the field level.
  • A transparent, no-code data security mesh that lets applications and SQL-style queries run without code modifications while securing access and controlling decryption and re-identification of data stored in Snowflake.
  • Operations on encrypted data, so reporting and aggregation on the data platform continue with no impact on Snowflake users.

Key Management with DPS & Snowflake

DPS integrates with Baffle's Key Virtualization Layer to leverage existing enterprise key management stores, cloud key stores, HSMs, or secrets managers. Customers can therefore use their own keys while data is protected throughout the consolidation process, from migration through ingestion into S3 and transfer to Snowflake. Baffle DPS still allows the Snowflake console to query and process the tokenized data. It also integrates with the Snowflake policy engine, so customized views can be generated based on access rights, and reporting functions such as aggregation and min/max calculations continue to run over the protected data.

As data moves from on-premises databases to object stores like AWS S3 and on to data clouds like Snowflake, Baffle protects the sensitive fields. Consumption of that data, including reporting and operations, continues without disruption, while the data owner holds or brings their own keys (HYOK/BYOK).
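The Snowflake SQL below is an added example, not Baffle's or Snowflake's own code, showing the mechanism the paragraphs above describe: a column holds format-preserving tokens, and a Snowflake masking policy decides at query time, from the session role, whether to return the token unchanged, call an external function that detokenizes through the Baffle proxy, or return a fixed mask. Snowflake documents this pattern as External Tokenization (a masking policy that calls an external function). The API integration, IAM role ARN, gateway URL, function, role, and table names are placeholders, and the token values are constructed. One caveat a practitioner should keep in mind: deterministic FPE tokens preserve equality, so GROUP BY, DISTINCT, and joins on the token column are meaningful, but they do not preserve order, so MIN/MAX over tokens rank the token strings rather than the original values unless the querying role triggers detokenization.

```sql
-- Added example. All names, ARNs and URLs below are placeholders, not Baffle's real endpoints.

-- 1. Let Snowflake reach the Baffle proxy through an API gateway.
CREATE OR REPLACE API INTEGRATION baffle_proxy_int
  API_PROVIDER = aws_api_gateway
  API_AWS_ROLE_ARN = 'arn:aws:iam::000000000000:role/snowflake-external-fn'          -- placeholder
  API_ALLOWED_PREFIXES = ('https://example.execute-api.us-east-1.amazonaws.com/prod/') -- placeholder
  ENABLED = TRUE;

-- 2. External function: Snowflake sends batches of tokens, the proxy detokenizes them with
--    keys held in the customer's key store (HYOK/BYOK). Snowflake never sees the key.
CREATE OR REPLACE EXTERNAL FUNCTION detokenize_ssn(token VARCHAR)
  RETURNS VARCHAR
  API_INTEGRATION = baffle_proxy_int
  AS 'https://example.execute-api.us-east-1.amazonaws.com/prod/detokenize';          -- placeholder

-- 3. Roles referenced by the policy (assumed names). Snowflake stores role names in
--    upper case, which is what CURRENT_ROLE() returns.
CREATE ROLE IF NOT EXISTS pii_reidentify;   -- allowed to see plaintext
CREATE ROLE IF NOT EXISTS analyst;          -- allowed to see tokens only
-- Grants on the warehouse, table and function for these roles are omitted here.

-- 4. Masking policy: the re-identification decision is made per query from the session role.
CREATE OR REPLACE MASKING POLICY ssn_policy AS (val VARCHAR) RETURNS VARCHAR ->
  CASE
    WHEN CURRENT_ROLE() = 'PII_REIDENTIFY' THEN detokenize_ssn(val)  -- external call, plaintext back
    WHEN CURRENT_ROLE() = 'ANALYST'        THEN val                  -- token as stored, still joinable
    ELSE '***-**-****'                                               -- everyone else: fixed mask
  END;

-- 5. Table already loaded with constructed FPE tokens: same shape as an SSN, not real values.
CREATE OR REPLACE TABLE customers (
  customer_id NUMBER,
  ssn         VARCHAR(11)
);
INSERT INTO customers VALUES
  (1, '418-26-9031'),
  (2, '772-01-5584'),
  (3, '418-26-9031');   -- deterministic tokenization: equal plaintext gives an equal token

ALTER TABLE customers MODIFY COLUMN ssn SET MASKING POLICY ssn_policy;

-- 6. Equality-based reporting works on tokens without any detokenization:
USE ROLE analyst;
SELECT ssn, COUNT(*) AS n
FROM customers
GROUP BY ssn
HAVING COUNT(*) > 1;    -- rows 1 and 3 share a token, so duplicates are found on ciphertext

-- Order-based functions run, but they compare token strings, not the original SSNs:
SELECT MIN(ssn) AS lowest_token, MAX(ssn) AS highest_token FROM customers;

-- 7. Only the re-identification role causes the external function to be invoked:
USE ROLE pii_reidentify;
SELECT customer_id, ssn FROM customers;   -- ssn column now returned detokenized via the proxy
```

The policy body is evaluated by Snowflake for every query that touches the column, so the tokens never have to be copied or re-masked for different audiences; changing who may re-identify is a change to the policy, not to the data.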

AES 256-bit & Data Encryption On-The-Fly

Baffle DPS for Snowflake dynamic data masking supports operations on AES 256-bit encrypted data in cloud services, so business users keep working while the data stays protected. What makes the Baffle solution unique is its ability to de-identify data on the fly as it moves to the cloud. Most IT teams tackling this problem either create clones and transform the data, or migrate the data in the clear and then try to work out how to de-identify large amounts of data after it has already been transferred to the cloud.


Baffle Snowflake Demo

At a high level, Baffle DPS for Snowflake supports these pipeline data flows:

  • De-identification and data masking on the fly
  • Support for any existing data schema without changes
  • Multi-channel data ingestion flows, including database migrations, S/FTP, Kafka, and ETL
  • Role-based access control (RBAC) over re-identification of masked data in Snowflake

You can watch a Baffle on-demand video of a data pipeline de-identification into Snowflake.

Baffle Data Protection Services for Snowflake is a software solution built specifically to simplify end-to-end security of the modern big data pipeline. Data governance, which establishes user roles, data access policies, and usage controls, is part of the combined Baffle and Snowflake solution. See how Baffle can protect your critical data and help you avoid costly data breaches. Schedule a live demo with one of our solutions experts to get answers to your questions.

Our Solution

Baffle delivers an enterprise-level transparent data security platform that secures databases via a "no code" model at the field or file level. The solution supports tokenization, format-preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, cloud-native services are easily supported with almost no performance or functionality impact.

  • No application code modification required
  • Deploy in hours, not weeks
  • No impact to users
  • Bring your own key
  • AES cryptography
