Overview
As organizations increasingly rely on cloud data platforms for their business intelligence, it becomes imperative to protect sensitive data across all platforms in their data stack, including Snowflake.
When you query data from a Snowflake worksheet or any other platform, any data field tagged as PII during the sensitive data discovery process can be dynamically masked without having to create copies or views. The following example illustrates the enforcement of Social Security Number (SSN) masking via Netskope One DSPM workflows.
Protecting Sensitive Information
Imagine you're tasked with masking personally identifiable information (PII) in Snowflake data, which could amount to petabytes of data. Performing data masking at scale for your organization is a massive challenge that cannot be done manually with any efficacy. Netskope One DSPM's detection of sensitive data can enforce your Snowflake masking policies automatically and ensure appropriate privacy policies are followed.
Netskope One DSPM offers a comprehensive solution for sensitive data discovery that automates detecting and classifying sensitive data across Snowflake and your entire cloud data ecosystem. By registering data sources with Netskope One DSPM, you can standardize the classification and tagging of direct, indirect, and other sensitive identifiers, enabling you to create dynamic and scalable policies across Snowflake and other data platforms.
The image below shows fields from an example Snowflake data source, including Netskope One DSPM identifying the specific presence of Social Security Number (SSN) data.
To learn more about configuring Netskope One DSPM to classify your Snowflake data, please visit our Connecting with Snowflake Data Stores article.
Orchestrating Snowflake Masking Policies
Using Netskope One DSPM’s no-code policy engine, you can create Classification-type policies and define the conditions to target the fields that you want to mask. Such policies can drive the assignment of appropriate dynamic masking policies within Snowflake.
To learn more about Netskope One DSPM policies, please visit our Policy Management Page article.
Preview Outcomes
When creating the policy, you can preview the data fields that will be affected by the masking policy and validate that your policy conditions match your desired fields. The image below confirms we are indeed matching Social Security Number (SSN) fields.
Trigger Snowflake Policies
Netskope One DSPM policies can trigger any number of external workflows across platforms to automatically remediate critical issues in your data stores. In this case, Netskope One DSPM triggers a Netskope One DSPM-provided AWS Lambda function that automatically enforces Snowflake’s dynamic masking policies to keep individuals' sensitive data safe.
Review Outcomes Within Snowflake
This first image shows a Snowflake data source containing sensitive data.
As a result of Netskope One DSPM's Classification Policy, a Snowflake masking policy now exists for dynamically masking SSN data when queried by anyone not within the context of an ACCOUNTADMIN role.
When queried within any context other than the ACCOUNTADMIN role, Netskope One DSPM's workflow results in dynamically masked sensitive data, keeping your users' data safe.
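
A masking policy of the kind described above could look like the following in Snowflake SQL, together with two checks that it is in effect. This is an added example, not the policy generated by the Netskope One DSPM Lambda function; the database, table, column and policy names and the ANALYST role are assumptions.

```sql
-- Added example. DEMO_DB.PUBLIC.CUSTOMERS, SSN, SSN_MASK and ANALYST are
-- hypothetical names; substitute the objects in your own account.
USE ROLE ACCOUNTADMIN;

-- Return the stored value only when the session's primary role is
-- ACCOUNTADMIN; every other role receives a fixed mask.
CREATE MASKING POLICY IF NOT EXISTS DEMO_DB.PUBLIC.SSN_MASK
  AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() = 'ACCOUNTADMIN' THEN val
    ELSE '***-**-****'
  END;

-- Attach the policy to the column. The table data is unchanged and no
-- copy or view is created; masking is applied at query time.
ALTER TABLE DEMO_DB.PUBLIC.CUSTOMERS
  MODIFY COLUMN SSN SET MASKING POLICY DEMO_DB.PUBLIC.SSN_MASK;

-- Check 1: list the columns the policy is attached to.
SELECT ref_entity_name, ref_column_name, policy_name
FROM TABLE(DEMO_DB.INFORMATION_SCHEMA.POLICY_REFERENCES(
  POLICY_NAME => 'DEMO_DB.PUBLIC.SSN_MASK'));

-- Check 2: query as a non-admin role; SSN should come back masked.
USE ROLE ANALYST;
SELECT SSN FROM DEMO_DB.PUBLIC.CUSTOMERS LIMIT 5;
```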