Beyond the Checklist: A Senior Consultant’s Guide to Hardening Snowflake
Data Security and Data Privacy

Snowflake security best practices

Posted on by Devraj Sarkar

Let’s be honest. If you’re reading this, you already know the Snowflake security fundamentals. You’ve heard the mantra a hundred times: enable MFA, use RBAC, turn on encryption. You can recite it in your sleep.

Beyond the Checklist: A Senior Consultant’s Guide to Hardening Snowflake

But here’s the hard truth I’ve learned from walking into dozens of environments after they’ve “checked all the boxes”: a checklist is not a strategy. It’s a false sense of security.

I’ve seen the architecture where MFA is “enabled” but service accounts are still using Password123. I’ve audited the environment where RBAC is “implemented” but every developer has been granted ACCOUNTADMIN “just to get the job done.” I’ve reviewed the breach where the network policy was perfect, but the attacker didn’t need to bypass it—they just stole valid credentials from a laptop that never left the coffee shop.

Snowflake is a fortress, but only if you build it like one. In this post, I want to walk you through the architecture I actually roll out for clients. This isn’t a theory. This is what works when the stakes are high and the regulators are watching.

I. Identity: Stop Treating Humans and Machines the Same Way [Snowflake’s native MFA]

The single biggest gap I still see? Treating a Python script that needs to load data like a human analyst who needs to query it. They are not the same. Secure them differently.

The MFA Ultimatum

Snowflake is forcing the issue by deprecating password-only auth, and frankly, it’s about time. But here is my hard rule: Never use Snowflake’s native MFA for humans.

I know that sounds contradictory, but hear me out. Native MFA creates a silo. If I have to revoke access for a terminated employee, I don’t want to run around killing sessions in five different tools. I want to disable them once in Okta or Azure AD. Federate everything. Push the MFA policy upstream. Let your corporate identity provider handle biometrics, push notifications, and WebAuthn. Snowflake should just trust the token.

Service Accounts: The Elephant in the Room

If a human can log in as a service account, it’s not a service account—it’s a shared account, and it’s a liability.

  • No Passwords. Ever. I don’t care if it’s a dev environment. If you need a machine to talk to Snowflake, use Key-Pair Authentication. And for the love of data, rotate those keys. If your key is older than your last performance review, you’re doing it wrong.
  • The Future is Federation. If you’re on AWS, look at workload identity federation. It lets your Lambda functions or ECS tasks assume an IAM role and get a temporary token for Snowflake. There are no secrets stored anywhere. That is the endgame.

II. RBAC: The Architecture of Least Privilege

I often ask clients to show me their role hierarchy. What I usually get is a screenshot of a flat list of 200 roles, all granted to SYSADMIN, which is then granted to everyone.

That’s not RBAC. That’s anarchy.

Build a Hierarchy, Not a Heap

You need to separate what you can do from who you are.

  • Access Roles: These are boring, functional, and specific. READ_SALES_RAWWRITE_HR_STAGE. They rarely change.
  • Functional Roles: These map to job functions. DATA_SCIENTISTFINANCE_CONTROLLER. These are granted the Access Roles they need.
  • Users: They get one Functional Role.

Why does this matter? Because when a Data Scientist moves to the Finance team, I don’t have to touch 15 different table grants. I just change their Functional Role.

The ACCOUNTADMIN Trap

If your data engineers log in with ACCOUNTADMIN as their default role, I have bad news: you have no audit trail. Every query they run looks like God did it.

Best practice: Force the USE ROLE command. No one should have ACCOUNTADMIN as their default. Make them type it. Make them mean it. That way, when they accidentally drop a table (and they will), QUERY_HISTORY actually tells you who was holding the keys at the time.

III. Data Controls: Don’t Just Store It, Protect It

Encryption at rest is table stakes. If your cloud provider isn’t encrypting disks by default in 2024, you have bigger problems. Real data protection happens at query time.

Dynamic Masking: Context is Everything

I had a client who thought they were secure because they built a separate “masked” view of their customer table. The problem? The analysts just queried the original table. Whoops.

Dynamic Masking solves this because the policy lives on the column. It doesn’t matter if the user queries the table, a view, or joins it with ten other tables. If they are a Customer Support rep, they see the last four digits. If they are an Executive, they see the whole thing. If they are anyone else? [REDACTED].

It’s automatic, it’s role-aware, and it’s non-negotiable for PII.

Row-Level Security for Multi-Tenancy

If you are running a SaaS platform on Snowflake, and one customer could theoretically see another customer’s data because of a bad join, you are one query away from a data breach headline.

Row Access Policies are your insurance policy. Define a policy that checks the user’s role against a region or a customer ID, and attach it to the table. The user can write any SQL they want, but the engine silently filters the rows they aren’t allowed to see. It’s security through architecture, not through hope.

IV. Monitoring: The “So What?” Layer

I can implement perfect IAM and flawless data masking, but if you aren’t watching the logs, it’s like locking your front door but ignoring the Ring camera.

The ACCESS_HISTORY Goldmine

ACCESS_HISTORY is the most underutilized security feature in Snowflake. It’s a complete record of who accessed what data and how.

When a VP comes to me and asks, “Did that intern from last summer download our entire customer list before he left?”, I don’t want to guess. I want to query ACCESS_HISTORY. It tells me the exact columns, the exact tables, and the exact timestamp.

If you aren’t auditing this view weekly (or better yet, streaming it to a SIEM), you are flying blind.

Future Grants: Security Debt Prevention

Manual processes create security debt. If your DBA has to remember to grant SELECT on every new table to the analytics team, eventually they will forget, or worse, they will just grant it to PUBLIC to make the problem go away.

Future grants automate compliance. Set it once: “Every new table in the PROD_ANALYTICS schema gets SELECT for the ANALYST role.” It’s one less thing for a human to screw up.

The Consultant’s Bottom Line

Snowflake is incredibly secure by default. But “default” is the enemy of “resilient.”

The difference between a secure Snowflake account and a compromised one isn’t usually a sophisticated zero-day exploit. It’s a service account with a password that never expires. It’s an over-privileged role that was granted “temporarily” three years ago. It’s a lack of visibility that allows a small leak to become a waterfall.

Build your defense in depth. Authenticate with federation. Authorize with a clean hierarchy. Protect data at the column and row level. And watch everything.

Do that, and you won’t just be compliant. You’ll be secure. You can read  – “The Unseen Risk in the Data Cloud: 5 Snowflake Security Gaps Enterprise Leaders Are Missing in 2026″ here 

 

Leave a Reply

Your email address will not be published. Required fields are marked *