In our previous blog, we explored how securing Snowflake’s cloud involves a shared responsibility model between Snowflake and its customers. To support customers with their security obligations, Snowflake has outlined its Shared Responsibility Model and partnered with the Center for Internet Security (CIS) to provide best practices for securing Snowflake environments.
TrustLogix, as a trusted Snowflake partner, enhances this framework by offering CIS-aligned guardrails and actionable insights across critical areas such as Identity and Access Management (IAM), Monitoring and Alerting, Network Security, and Data Protection. TrustLogix's solutions help automate security controls across Snowflake instances, enabling enterprises to manage data security for compliance, risk management, and real-time visibility, and so to meet their end of the shared responsibility model. Additionally, as part of its Data Security Posture Management offering, TrustLogix discovers and monitors data access and sharing activities. It alerts on unexpected data sharing, data exfiltration risks, and overly privileged roles, allowing security teams to manage business risks and avoid data breaches.
This, in turn, allows Data Engineering teams to focus on their core projects rather than managing data security, which accelerates data projects, boosts productivity, and reduces the time it takes for data consumers—such as analysts, bots, and AI models—to access data.
Monitoring Policies covering CIS Benchmarks
The CIS Benchmarks for Snowflake offer a comprehensive set of recommendations to securely configure Snowflake environments across several critical areas:
- Identity and Access Management (IAM): Guidance on multi-factor authentication (MFA), password policies, least privilege access, and separation of duties.
- Monitoring, Auditing, and Logging: Directives on enabling activity logging and monitoring log data.
- Network Security: Recommendations such as VPN access, IP whitelisting, and TLS encryption for data in transit.
- Data Protection: Covers encryption at rest, key management, database firewalls, and data masking controls.
Based on the Snowflake Shared Responsibility Model, customers are responsible for implementing security controls in each of these areas:
- Identity and Access Management: Managing entitlements, separation of duties, maintaining least privileged access, and MFA for end users are the customer's responsibility.
- Monitoring, Auditing and Logging: Customers are responsible for log review, analysis, and integration with SIEM platforms.
- Network Security: Customers must manage their PrivateLink connections, VPCs, whitelisting of IP addresses, and encryption in transit.
- Data Protection: Masking of sensitive data, enforcing appropriate row access policies, encryption of data at rest, and key management are owned by the customer.
1. Identity and Access Management
- Monitor_nonmfa_users: Snowflake offers various mechanisms to enable and enforce MFA; this policy tracks users without MFA enabled, helping to identify the exposure created by accounts relying solely on a username and password.
- Monitor_MFA_state_change: Detects any changes in the MFA status, ensuring transitions are legitimate and authorized.
- Monitor_inactive_users: Monitor inactive users to prevent unauthorized access via dormant accounts and ensure compliance with standards like GDPR, SOX, and HIPAA.
- Monitor_unused_system_role_grants: Tracks users holding high-level system roles (e.g., ACCOUNTADMIN, USERADMIN) that they do not use, helping to manage access, reduce the database's attack surface, and meet regulatory frameworks such as GDPR or HIPAA.
- Detect_users_using_system_roles: Monitors users exercising highly privileged system roles, enforcing least privilege and protecting critical data.
- Monitor_system_roles_granted_as_default_roles: Tracks system roles assigned as users' default roles, alerting administrators to potential security gaps.
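As an added example that is not TrustLogix's policy code, here are the IAM monitors above written as queries over Snowflake's SNOWFLAKE.ACCOUNT_USAGE views; the 90-day windows come from the CIS items this post discusses, and the exclusion of Snowflake's built-in role hierarchy is an assumption about what counts as a custom grant.

```sql
-- Added example, not TrustLogix's policy code: the IAM monitors above expressed as
-- queries over Snowflake's SNOWFLAKE.ACCOUNT_USAGE views. Needs a role with IMPORTED
-- PRIVILEGES on the SNOWFLAKE database. These views lag live account state by up to
-- a few hours, so they are a monitoring feed, not a real-time enforcement point.

-- Monitor_nonmfa_users: enabled, password-capable users with no MFA enrolled.
-- DISABLED is a VARIANT column, so it is compared as a string.
SELECT name, login_name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = 'false'
  AND  has_password = TRUE        -- key-pair or SSO-only users are out of scope
  AND  has_mfa = FALSE
ORDER  BY last_success_login NULLS FIRST;

-- CIS 1.8 / Monitor_inactive_users: no successful login for 90 days. Going beyond the
-- bare check, users who never logged in are measured from creation time instead.
SELECT name, created_on, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = 'false'
  AND  COALESCE(last_success_login, created_on) < DATEADD(day, -90, CURRENT_TIMESTAMP());

-- CIS 1.13: ACCOUNTADMIN or SECURITYADMIN granted to a custom role. Snowflake's
-- built-in hierarchy grants SECURITYADMIN to ACCOUNTADMIN, so that edge is excluded.
SELECT name AS system_role, grantee_name AS custom_role, created_on, granted_by
FROM   snowflake.account_usage.grants_to_roles
WHERE  granted_on = 'ROLE'
  AND  privilege  = 'USAGE'
  AND  granted_to = 'ROLE'
  AND  name IN ('ACCOUNTADMIN', 'SECURITYADMIN')
  AND  grantee_name <> 'ACCOUNTADMIN'
  AND  deleted_on IS NULL;

-- Monitor_unused_system_role_grants: users holding a system role they have not used
-- in any query for 90 days (the window is an assumption; tune it to your account).
SELECT g.grantee_name AS user_name, g.role, g.created_on AS granted_on
FROM   snowflake.account_usage.grants_to_users g
LEFT JOIN snowflake.account_usage.query_history q
       ON  q.user_name  = g.grantee_name
       AND q.role_name  = g.role
       AND q.start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())
WHERE  g.deleted_on IS NULL
  AND  g.role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'SYSADMIN', 'USERADMIN')
GROUP  BY g.grantee_name, g.role, g.created_on
HAVING COUNT(q.query_id) = 0
ORDER  BY g.role, user_name;
```

Each query returns the rows a monitoring policy would alert on, so any non-empty result is a finding to triage; scheduling them as Snowflake tasks or pulling the results into a SIEM turns them into the continuous checks the post describes.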
2. Monitoring and Alerting
- Monitor_security_and_storage_integration_modifications: Tracks changes to security and storage settings to ensure data confidentiality, integrity, and compliance. Improper changes could lead to data breaches, loss of access, or data exposure.
- Detect_Stale_Client_versions: Identifies outdated client versions, ensuring that users have the latest security updates. Unpatched clients carry known bugs and vulnerabilities that attackers could exploit, potentially allowing unauthorized access to your Snowflake environment.
3. Network Security
- Detect_network_policy_modifications: Monitors changes to network policies to prevent unauthorized access or disruptions to operations. Improper modifications could expose your Snowflake account to unauthorized access and compromise compliance with required standards.
4. Data Protection
- Control_data_retention_Settings: Manages data retention policies to ensure compliance with regulations and best practices, keeping data only as long as necessary and deleting it when no longer needed to reduce security risks.
- Unprotected Sensitive Data: Ensures data masking is enabled for sensitive information, preventing unauthorized sharing or exposure of critical data.
Some of the other monitoring policies that TrustLogix provides based on the CIS Benchmark are as follows:

| Category | CIS-Based Policy |
| --- | --- |
| Identity and Access Management | 1.8 Ensure that users who did not log in for 90 days are disabled |
| Identity and Access Management | 1.13 Ensure that the ACCOUNTADMIN or SECURITYADMIN role is not granted to any custom role |
| Monitoring and Alerting | 2.1 Ensure monitoring and alerting exist for ACCOUNTADMIN and SECURITYADMIN role grants |
| Monitoring and Alerting | 2.2 Ensure monitoring and alerting exist for MANAGE GRANTS privilege grants |
| Monitoring and Alerting | 2.4 Ensure monitoring and alerting exist for password sign-in without MFA |
| Monitoring and Alerting | 2.8 Ensure monitoring and alerting exist for new share exposures |
| Monitoring and Alerting | 2.9 Ensure monitoring and alerting exist for sessions from unsupported Snowflake Connector for Python and JDBC and ODBC drivers |
| Network Security | 3.1 Ensure that an account-level network policy has been configured to only allow access from trusted IP addresses |
| Data Protection | 4.6 Ensure that the REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION account parameter is set to true |
| Data Protection | 4.7 Ensure that all external stages have storage integrations |
| Data Protection | 4.8 Ensure that the PREVENT_UNLOAD_TO_INLINE_URL account parameter is set to true |
TrustLogix Monitoring Policies Other than CIS Benchmarks
Beyond the CIS benchmarks, TrustLogix offers additional policies targeting Shadow IT risks and regulatory compliance. Here are a few notable examples:
- Monitor_login_requests_from_shadow_apps: Identifies logins from unapproved third-party apps (Shadow IT), reducing risks like data breaches, non-compliance, and exposure to malware or phishing attacks.
- Detect_password_based_logins_from_suspicious_ip_addresses: Detects password-based logins from suspicious IP addresses to identify potential malicious activity such as brute-force attacks, credential stuffing, or unauthorized access attempts from unusual or blacklisted locations.
- Monitor_users_with_old_passwords: Tracks users with outdated passwords to reduce vulnerabilities, as old passwords may be compromised or no longer meet current security standards. This reduces the risk of unauthorized access, credential-based attacks, and other security breaches.
- Monitor_ddl_operations: Monitors Data Definition Language (DDL) operations (CREATE, ALTER, DROP) to prevent unauthorized changes or data loss in the database schema.
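As an added example that is not TrustLogix's code, the following queries implement the login- and query-history checks from the CIS table above (2.4 password sign-in without MFA, 2.9 unsupported drivers) and from this list (shadow apps and DDL operations) against SNOWFLAKE.ACCOUNT_USAGE; the client-type allow-list, the minimum driver versions, and the look-back windows are assumed placeholders.

```sql
-- Added example, not TrustLogix's policy code: login- and query-history based
-- alerting policies over SNOWFLAKE.ACCOUNT_USAGE. The look-back windows, the
-- client-type allow-list and the minimum driver versions are assumptions to be
-- replaced with the baseline of the account being monitored.

-- CIS 2.4: successful password sign-ins with no second authentication factor.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- CIS 2.9 / Detect_Stale_Client_versions: driver sessions whose major version is
-- below a per-driver minimum (the numbers here are placeholders, not Snowflake's).
WITH minimum_versions AS (
    SELECT * FROM (VALUES ('PYTHON_DRIVER', 3), ('JDBC_DRIVER', 3), ('ODBC_DRIVER', 3))
           AS v (client_type, min_major)
)
SELECT l.user_name, l.reported_client_type, l.reported_client_version,
       COUNT(*) AS sessions, MAX(l.event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history l
JOIN   minimum_versions m ON m.client_type = l.reported_client_type
WHERE  l.event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  l.is_success = 'YES'
  AND  TRY_TO_NUMBER(SPLIT_PART(l.reported_client_version, '.', 1)) < m.min_major
GROUP  BY 1, 2, 3
ORDER  BY last_seen DESC;

-- Monitor_login_requests_from_shadow_apps: sign-ins from client types outside an
-- approved list. The list below is an assumed allow-list, not a recommendation.
SELECT user_name, reported_client_type, client_ip, COUNT(*) AS logins
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  reported_client_type NOT IN ('SNOWFLAKE_UI', 'PYTHON_DRIVER', 'JDBC_DRIVER')
GROUP  BY 1, 2, 3
ORDER  BY logins DESC;

-- Monitor_ddl_operations: successful CREATE/ALTER/DROP statements with actor and role.
-- ALTER_SESSION changes session parameters, not schema, so it is filtered out.
SELECT start_time, user_name, role_name, query_type, query_text
FROM   snowflake.account_usage.query_history
WHERE  start_time >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
  AND  execution_status = 'SUCCESS'
  AND  (query_type LIKE 'CREATE%' OR query_type LIKE 'ALTER%' OR query_type LIKE 'DROP%')
  AND  query_type <> 'ALTER_SESSION'
ORDER  BY start_time DESC;
```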
Some of the other monitoring policies that TrustLogix provides are as follows:

| Policy Name | Description |
| --- | --- |
| Monitor_password_state_change | Monitor for any password state change |
| Monitor_key_pair_auth_state_change | Monitor for any key pair authentication state change |
| Monitor_auth_policy_state_change | Monitor for authentication policy state change |
| Monitor_classified_data_export | Monitor for data export activity of data classified as Privacy Sensitive |
| Discover_export_to_public_bucket | Data Exfiltration: Detect copy of data to a publicly accessible S3 bucket |
| Detect_sensitive_schema_clone_operations | Monitor Clone of Schema classified as Privacy Sensitive by unlisted users |
| Monitor_data_export_privilege_assignment | Monitor "Imported Privileges" privilege assignment to any role |
| Detect_access_of_privacy_category_objects | Monitor Clone of Database classified as Privacy Sensitive by unlisted users |
| Detect_deletion_of_privacy_category_table_data | Detect and notify deletion of Privacy Sensitive data |
| Monitor_privileges_granted_on_classified_data_to_public_role | Regulatory Compliance: Identify Privacy Sensitive data granted to PUBLIC role |
Summary
TrustLogix's monitoring policies enhance Snowflake security by aligning with the CIS Benchmarks and by providing TrustLogix's own security best practices. These policies cover IAM, monitoring and alerting, network security, and data protection, as well as additional risks such as logins from shadow apps or suspicious IPs, users with old passwords, and DDL operations. By addressing these threats, organizations can strengthen their defenses against emerging risks.
Through its partnership with Snowflake, TrustLogix helps enterprises securely manage data, ensure regulatory compliance, and accelerate data projects within the shared responsibility model. As a Data Security Posture Management vendor, TrustLogix discovers and monitors data access and sharing activities and alerts on unexpected data sharing, data exfiltration risks, and overly privileged roles, allowing security teams to manage business risks and avoid data breaches.
Want to learn more?
Get a free data security assessment of your Snowflake accounts and secure sensitive data with TrustLogix's out-of-the-box monitoring policies. Register for the free 90-day data protection service.