
ISPM Best Practices for Snowflake Data Clouds

Snowflake has revolutionized data warehousing, but it has also centralized risk. When all your data—from marketing analytics to raw customer PII—lives in one place, the identity controls around that place become critical.

**Identity Security Posture Management (ISPM)** for Snowflake is about ensuring that the right people have access to the right data, and nothing more.

The Snowflake Identity Model

Snowflake uses a robust Role-Based Access Control (RBAC) model.

**Accountadmin:** The god role. Should be used sparingly.

**Securityadmin:** Manages users and roles.

**Sysadmin:** Creates warehouses and databases.

The danger lies in **Role Explosion** and **Inheritance**. If you grant a role to a user, and that role inherits from ten other roles, do you know what data they can actually see?
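The inheritance question above can be answered from the account's own metadata rather than guessed at. The query below is an added example, not part of the original post: it starts from every role holding SELECT on one table and walks role-to-role grants upward until it reaches the users who inherit that access (the same question the later "who can see the Credit Card table" point asks). The table `SALES_DB.PUBLIC.CREDIT_CARD` is an assumed placeholder, and the `SNOWFLAKE.ACCOUNT_USAGE` views it reads lag live grants by up to about two hours.

```sql
-- Added example (not from the original post): who can read SALES_DB.PUBLIC.CREDIT_CARD,
-- following role-to-role inheritance upward. The table name is an assumed placeholder.
-- ACCOUNT_USAGE views lag live grants by up to ~2 hours; use SHOW GRANTS for a real-time spot check.
USE ROLE ACCOUNTADMIN;   -- or any role granted IMPORTED PRIVILEGES on the SNOWFLAKE database

WITH RECURSIVE
direct_roles AS (
    -- roles that hold SELECT on the table, or own it outright
    SELECT grantee_name AS role_name
    FROM snowflake.account_usage.grants_to_roles
    WHERE deleted_on IS NULL
      AND granted_on    = 'TABLE'
      AND granted_to    = 'ROLE'
      AND table_catalog = 'SALES_DB'
      AND table_schema  = 'PUBLIC'
      AND name          = 'CREDIT_CARD'
      AND privilege IN ('SELECT', 'OWNERSHIP')
),
role_chain (role_name, direct_role, depth) AS (
    -- anchor: the directly privileged roles
    SELECT role_name, role_name, 0 FROM direct_roles
    UNION ALL
    -- recursive step: a role granted to another role passes its privileges upward
    SELECT g.grantee_name, rc.direct_role, rc.depth + 1
    FROM snowflake.account_usage.grants_to_roles g
    JOIN role_chain rc ON g.name = rc.role_name
    WHERE g.deleted_on IS NULL
      AND g.granted_on = 'ROLE'
      AND g.granted_to = 'ROLE'
      AND g.privilege  = 'USAGE'
      AND rc.depth < 20          -- guard against unexpectedly deep or cyclic hierarchies
)
SELECT DISTINCT
       u.grantee_name AS user_name,
       u.role         AS role_granted_to_user,
       rc.direct_role AS role_holding_select,
       rc.depth       AS inheritance_hops
FROM role_chain rc
JOIN snowflake.account_usage.grants_to_users u
  ON u.role = rc.role_name
 AND u.deleted_on IS NULL
ORDER BY user_name, inheritance_hops;
```

Any row with `inheritance_hops` greater than zero is a user who can read the table through a role that was never granted to them directly; those rows are exactly the visibility gap the paragraph describes. Swap the three name filters to audit a different object, or drop them to produce the full effective-access map for a schema.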

Best Practice 1: The "Functional Role" Hierarchy

Don't assign privileges directly to users. Use a hierarchy:

**Access Roles:** Low-level roles that have privileges on specific database objects (e.g., `Read_Sales_Table`).

**Functional Roles:** Higher-level roles that group Access Roles together based on job function (e.g., `Data_Analyst`).

**Users:** Assign users to Functional Roles only.
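The three tiers above, written out as Snowflake DDL. This is an added example, not code from the original post; `SALES_DB.PUBLIC.ORDERS`, the warehouse `ANALYTICS_WH` and the user `JDOE` are assumed placeholders.

```sql
-- Added example (not from the original post): a two-tier access-role / functional-role hierarchy.
-- SALES_DB.PUBLIC.ORDERS, warehouse ANALYTICS_WH and user JDOE are assumed placeholders.
USE ROLE SECURITYADMIN;   -- creates roles and grants them; object grants need the owner or MANAGE GRANTS

-- Tier 1: access role, scoped to specific objects, never granted to a user directly
CREATE ROLE IF NOT EXISTS READ_SALES_TABLE
  COMMENT = 'Access role: read-only on SALES_DB.PUBLIC.ORDERS';
GRANT USAGE  ON DATABASE SALES_DB               TO ROLE READ_SALES_TABLE;
GRANT USAGE  ON SCHEMA   SALES_DB.PUBLIC        TO ROLE READ_SALES_TABLE;
GRANT SELECT ON TABLE    SALES_DB.PUBLIC.ORDERS TO ROLE READ_SALES_TABLE;

-- Tier 2: functional role, grouping access roles by job function plus the compute to use them
CREATE ROLE IF NOT EXISTS DATA_ANALYST
  COMMENT = 'Functional role: data analyst job function';
GRANT ROLE  READ_SALES_TABLE          TO ROLE DATA_ANALYST;
GRANT USAGE ON WAREHOUSE ANALYTICS_WH TO ROLE DATA_ANALYST;

-- Root the hierarchy under SYSADMIN so administrators keep control of everything below it
GRANT ROLE DATA_ANALYST TO ROLE SYSADMIN;

-- Tier 3: users receive functional roles only
GRANT ROLE DATA_ANALYST TO USER JDOE;
ALTER USER JDOE SET DEFAULT_ROLE = DATA_ANALYST;

-- Verify: the user holds exactly one functional role, and that role inherits only what was intended
SHOW GRANTS TO USER JDOE;           -- expect a single row: DATA_ANALYST
SHOW GRANTS TO ROLE DATA_ANALYST;   -- expect USAGE on ANALYTICS_WH and USAGE on role READ_SALES_TABLE
```

The two `SHOW GRANTS` checks are the review step: if a user ever shows an access role or an object privilege directly, someone has bypassed the hierarchy and the grant should be moved up into a functional role.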

Best Practice 2: Manage Service Accounts

Snowflake is often accessed by tools (Tableau, Looker, dbt).

**Key Pair Authentication:** Never use passwords for service accounts. Use Key Pair authentication, which is far more secure and resistant to credential stuffing.

**Network Policies:** Restrict service account access to the specific IP addresses of the tools they support.
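Both controls for one service account, followed by a check for service users that are still logging in with passwords. This is an added example and not code from the original post; the user `TABLEAU_SVC`, role `TABLEAU_READER`, warehouse `BI_WH`, the public key value and the `203.0.113.x` addresses (RFC 5737 documentation range) are placeholders, and the `_SVC` naming convention used in the detection query is assumed.

```sql
-- Added example (not from the original post): a BI-tool service account limited to key-pair
-- authentication and a fixed set of source addresses. TABLEAU_SVC, TABLEAU_READER, BI_WH,
-- the public key and the 203.0.113.x addresses are placeholders.
USE ROLE SECURITYADMIN;

-- 1. Network policy: only the tool's egress addresses may authenticate as this user
CREATE NETWORK POLICY IF NOT EXISTS TABLEAU_SVC_POLICY
  ALLOWED_IP_LIST = ('203.0.113.10', '203.0.113.11')
  COMMENT = 'Egress IPs of the Tableau server; anything else is refused at login';

-- 2. Service user: TYPE = SERVICE cannot hold a password, so the key pair is the only credential
CREATE USER IF NOT EXISTS TABLEAU_SVC
  TYPE = SERVICE
  RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...'   -- placeholder: key body with PEM header/footer removed
  DEFAULT_ROLE = TABLEAU_READER
  DEFAULT_WAREHOUSE = BI_WH
  COMMENT = 'Tableau service account; key-pair auth only';
GRANT ROLE TABLEAU_READER TO USER TABLEAU_SVC;
ALTER USER TABLEAU_SVC SET NETWORK_POLICY = TABLEAU_SVC_POLICY;

-- Existing service users that predate TYPE = SERVICE: remove the password outright
-- ALTER USER LEGACY_SVC UNSET PASSWORD;

-- 3. Verify the posture
DESCRIBE USER TABLEAU_SVC;                                   -- RSA_PUBLIC_KEY_FP populated, PASSWORD unset
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER TABLEAU_SVC;   -- TABLEAU_SVC_POLICY

-- 4. Detect drift: successful password logins by service users in the last 30 days
SELECT user_name,
       client_ip,
       first_authentication_factor,
       COUNT(*)             AS logins,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND ENDSWITH(user_name, '_SVC')       -- assumed naming convention for service accounts
GROUP BY user_name, client_ip, first_authentication_factor
ORDER BY last_seen DESC;
```

The `client_ip` column in the last query doubles as a network-policy audit: a service account authenticating from an address outside the tool's published egress range is either a misconfigured policy or a credential in the wrong hands.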

Best Practice 3: Monitor "Copy Into" and "Select *"

Data exfiltration in Snowflake looks like a valid query.

**Monitor Large Exports:** Alert if a user runs a `COPY INTO <location>` (an unload) to an external S3 bucket that isn't on your allow list.

**Row-Level Security:** Use Row Access Policies to ensure that even if a user has "Select" access to a table, they can only see the rows relevant to their region (e.g., EU users only see EU data).
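The two items above as detection, prevention and policy in Snowflake SQL. This is an added example, not code from the original post; `GOVERNANCE.POLICIES.*`, `SALES_DB.PUBLIC.CUSTOMERS`, the analyst role names and the `approved_stages` allow-list table are placeholders.

```sql
-- Added example (not from the original post): detecting unloads to unapproved external locations,
-- closing the inline-URL path at account level, and a region row access policy.
-- GOVERNANCE.POLICIES.*, SALES_DB.PUBLIC.CUSTOMERS and the role names are placeholders.
USE ROLE ACCOUNTADMIN;   -- needed for ACCOUNT_USAGE reads and ALTER ACCOUNT below

-- 1. Detect: successful COPY INTO <location> (query_type UNLOAD) in the last 7 days that either
--    targets an inline cloud URL or references no stage from the approved list
SELECT start_time, user_name, role_name, rows_unloaded, query_text
FROM snowflake.account_usage.query_history q
WHERE start_time >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND query_type = 'UNLOAD'
  AND execution_status = 'SUCCESS'
  AND (
        REGEXP_LIKE(query_text, '.*(s3|s3gov|azure|gcs)://.*', 'is')      -- inline URL target
     OR NOT EXISTS (                                                       -- or no approved stage named
          SELECT 1
          FROM governance.policies.approved_stages a                       -- assumed: one row per allowed stage name
          WHERE CONTAINS(UPPER(q.query_text), '@' || UPPER(a.stage_name))
        )
  )
ORDER BY rows_unloaded DESC NULLS LAST;

-- 2. Prevent: block inline URLs and force stages through storage integrations, so the set of
--    reachable buckets is defined by integrations an admin created rather than by query text
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION  = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = TRUE;

-- 3. Row access policy: a mapping table decides which roles may see which region's rows
CREATE TABLE IF NOT EXISTS governance.policies.region_entitlements (role_name STRING, region STRING);
INSERT INTO governance.policies.region_entitlements VALUES
  ('EU_ANALYST', 'EU'), ('US_ANALYST', 'US'),
  ('GLOBAL_ANALYST', 'EU'), ('GLOBAL_ANALYST', 'US');

CREATE OR REPLACE ROW ACCESS POLICY governance.policies.region_rap
  AS (row_region STRING) RETURNS BOOLEAN ->
    IS_ROLE_IN_SESSION('DATA_STEWARD')             -- stewards see every row
    OR EXISTS (
         SELECT 1
         FROM governance.policies.region_entitlements e
         WHERE e.region = row_region
           AND IS_ROLE_IN_SESSION(e.role_name)    -- true for the active role or any role it inherits
       );

ALTER TABLE sales_db.public.customers
  ADD ROW ACCESS POLICY governance.policies.region_rap ON (region);
-- A US_ANALYST running SELECT * now receives only REGION = 'US' rows; the policy, not the query, bounds the result
```

Step 1 is detection after the fact, with `ACCOUNT_USAGE` latency on top; step 2 removes the ad-hoc bucket path so the only external targets are stages tied to a storage integration you approved. Using `IS_ROLE_IN_SESSION` rather than `CURRENT_ROLE()` in the policy means the functional-role hierarchy from Best Practice 1 still works: an analyst whose functional role inherits `EU_ANALYST` sees EU rows without being granted the access role directly.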

How Cydenti Helps

Cydenti integrates with Snowflake to provide:

**RBAC Visualization:** We map out your entire role hierarchy so you can see exactly who can access the "Credit Card" table.

**Drift Detection:** If someone manually grants `Accountadmin` to a user, we flag it instantly.

**Dormant User Cleanup:** We identify expensive Snowflake users who haven't run a query in 90 days.
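The drift and dormancy checks above can also be run directly against the account's metadata. The block below is an added example and is not Cydenti's implementation or code from the original post; the schema `GOVERNANCE.MONITORING`, warehouse `MONITOR_WH`, the notification integration `SECOPS_EMAIL_INT` and the recipient address are placeholders.

```sql
-- Added example (not from the original post, not Cydenti's implementation): ACCOUNTADMIN drift
-- and dormant-user checks against ACCOUNT_USAGE. GOVERNANCE.MONITORING, MONITOR_WH,
-- SECOPS_EMAIL_INT and the recipient address are placeholders.
USE ROLE ACCOUNTADMIN;

-- 1. Drift, real time: who currently holds ACCOUNTADMIN directly, and who granted it
SHOW GRANTS OF ROLE ACCOUNTADMIN;
SELECT "grantee_name", "granted_by", "created_on"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_to" = 'USER'
ORDER BY "created_on" DESC;

-- 2. Drift, scheduled: fire when a new ACCOUNTADMIN grant to a user appears.
--    GRANTS_TO_USERS lags live grants by up to ~2 hours, so each hourly run looks back 3 hours;
--    one grant may therefore be reported twice, which is acceptable for a high-severity signal.
CREATE OR REPLACE ALERT governance.monitoring.accountadmin_drift
  WAREHOUSE = MONITOR_WH
  SCHEDULE  = '60 MINUTE'
  IF (EXISTS (
        SELECT 1
        FROM snowflake.account_usage.grants_to_users
        WHERE role = 'ACCOUNTADMIN'
          AND deleted_on IS NULL
          AND created_on >= DATEADD('hour', -3, SNOWFLAKE.ALERT.SCHEDULED_TIME())
      ))
  THEN CALL SYSTEM$SEND_EMAIL(
         'SECOPS_EMAIL_INT',
         'secops@example.com',
         'Snowflake: new ACCOUNTADMIN grant',
         'A user was granted ACCOUNTADMIN in the last 3 hours. Review SHOW GRANTS OF ROLE ACCOUNTADMIN.');
ALTER ALERT governance.monitoring.accountadmin_drift RESUME;   -- alerts are created suspended

-- 3. Dormant users: enabled, not deleted, and no query in the last 90 days
SELECT u.name,
       u.last_success_login,
       DATEDIFF('day', u.last_success_login, CURRENT_TIMESTAMP()) AS days_since_login
FROM snowflake.account_usage.users u
LEFT JOIN snowflake.account_usage.query_history q
       ON q.user_name   = u.name
      AND q.start_time >= DATEADD('day', -90, CURRENT_TIMESTAMP())
WHERE u.deleted_on IS NULL
  AND NOT COALESCE(u.disabled::BOOLEAN, FALSE)
GROUP BY u.name, u.last_success_login
HAVING COUNT(q.query_id) = 0
ORDER BY u.last_success_login NULLS FIRST;
```

The real-time `SHOW GRANTS` check in step 1 is what to run during an incident; the alert in step 2 is the standing control, and its lookback window exists only because the `ACCOUNT_USAGE` view is not real time. Users returned by step 3 with a `NULL` `last_success_login` have never logged in at all and are the first candidates for removal.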

Conclusion

Snowflake is a powerful engine, but it needs a governor. By implementing strict RBAC hierarchies and monitoring for anomalous queries, you can turn your data warehouse into a fortress.