Unified Data Security on Snowflake and the Modern Data Stack
Snowflake isn’t just another database to secure - it’s essentially another cloud.
Snowflake offers performance and simplicity at almost any scale, making it an attractive choice for analytics and ELT workloads. But the modern data stack can easily become a security liability due to the massive amounts of sensitive data stored in cloud environments and its continuous flow among Snowflake, cloud storage, and third-party services.
Dig is the enterprise-grade security solution you need to map all the sensitive data that moves through your Snowflake environment, and between Snowflake and your public cloud accounts. Dig unifies data-exposure monitoring and real-time protection, enabling you to detect and respond to policy violations before they become breach incidents.
Data Security Posture Management (DSPM)
Get a clear view into every sensitive record that’s stored in Snowflake, as well as external tables that the platform creates in cloud object storage such as AWS S3 or Azure Blob. Identify when sensitive data has been created, moved, or restored, including by Snowflake’s Time Travel feature.
Dig discovers and classifies sensitive data records in Snowflake and every other cloud data store to create an up-to-date inventory that forms the basis for your policy checks. Dig checks for vulnerabilities, misconfigurations, unencrypted data, risky flows, and compliance violations – and alerts you to any risk to your critical data assets.


Data Detection and Response (DDR)
Respond to security incidents in minutes instead of weeks. Get real-time alerts on high-risk incidents, reduce your time to detect (TTD) for data breach events, automate response workflows, and contain ransomware and exfiltration early.
Dig continuously monitors your Snowflake environment and your own VPCs at the event level. Using a frequently updated proprietary threat engine, Dig identifies incidents that require immediate attention (such as PII copied from Snowflake into an unencrypted storage location). It then sends real-time alerts so you can take immediate action.
Deployment
Dig provides a fully automated solution that is deployed in minutes, with minimal configuration and zero interference with production workloads. Dig operates out of band so that no database credentials are required.
Since Dig supports all major public clouds (AWS, Azure, GCP, Snowflake), it enables uniform data visibility and security across the entire cloud environment.


Security
Sensitive data never leaves your cloud account and stays segregated. The only information that leaves your environment is auditable metadata related to insights uncovered by Dig.
Dig is ISO 27001 certified and compliant with SOC 2 Type 2 requirements. Learn more about our security practices.

Security Scenarios
Understand how Dig defuses common data security risks in Snowflake.
PII moved to an external table
Security Risk
To reduce ELT costs, the data team uses an external stage for larger query and join operations. As part of this process, sensitive records are moved into a cloud storage location of which the security team is unaware.
Dig Security Solution
Dig automatically discovers all blob containers or S3 buckets that store sensitive data and classifies that data (PII, PCI, HIPAA). It identifies the external stage and the PII stored in it, determines the risk level, and sends the appropriate notification.
Data flowing outside of EU
Security Risk
As part of a data integration project, a third-party data service is given read access to a large number of Snowflake tables. A few months later, the service copies PII from Snowflake into a database that does not comply with data residency requirements.
Dig Security Solution
Dig maps the flow of data between services and storage locations, as well as all principals and services who can access sensitive data. It highlights the resources that pose a security or compliance risk. Once it identifies a compliance violation, it alerts the security team in real time.
Deleted PII restored using Time Travel
Security Risk
To investigate app downtime, the DevOps team uses Time Travel to restore a Snowflake table to a previous state. In doing so, Snowflake also restores financial records that had previously been deleted and which are not being monitored.
Dig Security Solution
Dig continuously scans Snowflake records for sensitive data. In doing so, it detects the financial records and any other sensitive data that was created in the Time Travel process. The security team can check whether this data is necessary; if not, it can be deleted again.
Security Scenarios Dig Solves for Customers
Understand how Dig defuses common data security risks
Shadow backups on S3
Security Risk
A database containing PII has been replicated to an unencrypted S3 bucket, which isn’t managed by the central engineering organization.
Dig Security Solution
Dig automatically discovers the S3 bucket containing the shadow backup; classifies any sensitive data contained in the backup; determines the risk level (compliance violation); and alerts the security team.
Sensitive data on unmanaged data store
Security Risk
To test a new use case, a developer has spun up an EC2 machine, installed a PostgreSQL database on it, and loaded customer data into the database.
Dig Security Solution
Dig identifies any virtual machine that has a database installed on it; scans and classifies the data within the PostgreSQL instance; and alerts the security team that sensitive data is being stored in an unmanaged database.
Data exfiltration
Security Risk
An orphaned snapshot of an unused database, which has not been accessed for a long time, is now being shared with an unfamiliar account.
Dig Security Solution
Dig identifies the breach in real time and alerts security teams, which can take steps to contain the attacker and prevent further data loss.
How it Works
Quick installation
Data discovery and classification
Real-time protection

Make data security an integral component of your cloud strategy.
Take the steps you need to protect your Snowflake account today rather than waiting for an incident to happen.
Schedule a call with a Dig Security expert - we’ll help you understand the current threat landscape, and discuss ways to reduce the risk of a data breach.
