Dig Security for Snowflake

Unified Data Security on Snowflake and the Modern Data Stack

Download Datasheet
Snowflake's logo + Marketplace's logo
Book a Demo

Snowflake isn’t just another database to secure - it’s essentially another cloud.

Dig lets you reap the benefits of Snowflake, while keeping a tight grip on data security.

Snowflake offers performance and simplicity at almost any scale, making it an attractive choice for analytics and ELT workloads. But the modern data stack can easily become a security liability due to the massive amounts of sensitive data stored in cloud environments and their continuous flow among Snowflake,cloud storage, and third-party services,

Dig is the enterprise-grade security solution you need to map all the sensitive data that moves through your Snowflake environment, and between Snowflake and your public cloud accounts. Dig unifies data-exposure monitoring and real-time protection, enabling you to detect and respond to policy violations before they become breach incidents.

Data Security Posture Management (DSPM)

Get a clear view into every sensitive record that’s stored in Snowflake, as well as external tables that the platform creates in cloud object storage such as AWS S3 or Azure Blob. Identify when sensitive data, including by Snowflake's Time Travel feature, has been created, moved, or restored. including by Snowflake’s Time Travel feature.

Dig discovers and classifies sensitive data records in Snowflake and every other cloud data store to create an up-to-date inventory that that forms the basis for your policy checks. Dig checks for vulnerabilities, misconfigurations, unencrypted data, risky flows, and compliance violations – and alerts you to any risk to your critical data assets.

Data Detection and Response (DDR)

Respond to security incidents in minutes instead of weeks. Get real time alerts on high-risk incidents, reduce your time to detect (TTD) for data breach events, automate response workflows, and contain ransomware and exfiltration early.

Dig continuously monitors your Snowflake environment and your own VPCs at the event level. Using a frequently updated proprietary threat engine, Dig identifies can identify incidents that require immediate attention (such as need your attention right now (such as PII copied copied from Snowflake into an unencrypted storage location). It then sends real-time alerts so you can take immediate action.


Dig provides a fully automated solution that is deployed in minutes, with minimal configuration and zero interference with production workloads. Dig operates out of band so that no database credentials are required.

Since Dig supports all major public clouds (AWS, Azure, GCP, Snowflake), it enables uniform data visibility and security across the entire cloud environment.


Sensitive data never leaves your cloud account and stays, and stays segregated. The only information that leaves your environment is auditable metadata related to insights uncovered by Dig.

Dig is ISO 27001 certified and compliant with SOC 2 Type 2 requirements. Learn more about our security practices.

Security Scenarios

Understand how Dig defuses common data security risks in Snowflake.

PII moved to an external table

Security Risk

To reduce ELT costs, the data team uses an external stage for larger query and join operations. As part of this process, sensitive records are moved into a cloud storage location of which the security team is unaware.

Dig Security Solution

Dig automatically discovers all blob containers or S3 buckets that store and classify sensitive data (PII, PCI, HIPAA). It identifies the external stage and the PII stored in it, determines the risk level, and sends the appropriate notification.

Data flowing outside of EU

Security Risk

As part of a data integration project, a third party data service is given read access to a large number of Snowflake tables. A few months later, the service copies PII from Snowflake into a database that does not comply with data residency requirements.

Dig Security Solution

Dig maps the flow of data between services and storage locations, as well as all principals and services who can access sensitive data. It highlights the resources that pose a security or compliance risk. Once it identifies a compliance violation, it alerts the security team in real time.

Deleted PII restored using Time Travel

Security Risk

To investigate app downtime, the DevOps team uses Time Travel to restore a Snowflake table to a previous state. In doing so, Snowflake also restores financial records that had previously been deleted and which are not being monitored.

Dig Security Solution

Dig continuously scans Snowflake records for sensitive data. In doing so, it detects the financial records and any other sensitive data that was created in the Time Travel process. The security team can check whether this data is necessary; if not, it can be deleted again.

Security Scenarios Dig Solves for Customers

Understand how Dig defuses common data security risks

Shadow backups on S3

Security Risk

A database containing PII has been replicated to an unencrypted S3 bucket, which isn’t managed by the central engineering organization

Dig Security Solution

Dig automatically discovers the S3 bucket containing the shadow backup; classifies any sensitive data contained in the backup; determines the risk level (compliance violation); and alerts the security team.

Sensitive data on unmanaged data store

Security Risk

To test a new use case, a developer has spun up an EC2 machine, installed a PostgreSQL database on it, and loaded customer data into the database.

Dig Security Solution

Dig identifies any virtual machine that has a database installed on it; scans and classifies the data within the PostgreSQL instance; and alerts the security team that sensitive data is being stored in an unmanaged database.

Data exfiltration

Security Risk

An orphaned snapshot of an unused database,
which has not been accessed for a long time, is now being shared with an unfamiliar account.

Dig Security Solution

Dig identifies the breach in real time and alerts security teams, which can take steps to contain the attacker and prevent further data loss.

How it Works

Quick installation

Dig Security is agentless and can be set up in your cloud environment in a few simple steps.

Data discovery and classification

Dig discovers and classifies sensitive data stored anywhere in Snowflake and your public cloud accounts, highlights relevant policies, and suggests ways to reduce static risk.

Real-time protection

Dig continuously monitors data events by parsing and analyzing Snowflake event logs. It then applies an expert-built threat model to determine risk and to alert SOC teams on potential data leak events in real time.

Make data security an integral component of your cloud strategy.

Take the steps you need to protect your Snowflake account today rather than waiting for an incident to happen.
Schedule a call with a Dig Security expert - we’ll help you understand the current threat landscape, and discuss ways to reduce the risk of a data breach.

Let’s Talk