Integration of Snowflake with CADP
This document describes how to configure and integrate CipherTrust Manager with Snowflake.
Snowflake’s Data Cloud is powered by an advanced data platform delivered as a fully managed service (SaaS): there is no hardware or software for the customer to install, configure, or operate. Snowflake enables data storage, processing, and analytic solutions that are faster, easier to use, and far more flexible than traditional offerings.
The Snowflake data platform is not built on any existing database technology or “big data” software platforms such as Hadoop. Instead, Snowflake combines a completely new SQL query engine with an innovative architecture natively designed for the cloud. Snowflake provides all of the functionality of an enterprise analytic database, along with many additional special features and unique capabilities.
Thales provides three different methods to protect sensitive data in Snowflake:
Bring Your Own Encryption (BYOE)
- Data Ingest – Thales Batch Data Transformation (BDT) protects data at ingest, before it is loaded into Snowflake.
- Data Access – Snowflake external (remote) user defined functions provide column-level encryption and decryption using Thales CADP, and tokenization using Thales CT-VL.
Bring Your Own Key (BYOK) / Hold Your Own Key (HYOK)
- Snowflake Tri-Secret Secure – with Thales CipherTrust Manager (CM) CipherTrust Cloud Key Manager (CCKM) in BYOK and HYOK modes.
Secrets Management
- Snowflake Snowpipe – the private RSA key used to connect to Snowflake is secured in Thales CM.
- Snowflake Credentials – Thales CipherTrust Secrets Manager (Akeyless) manages the secrets used with Snowflake.
Note
The above methods are NOT mutually exclusive. All three can be combined to build a defense-in-depth strategy for sensitive data in the cloud. This integration focuses on the Data Access method: protecting sensitive data in Snowflake columns with CADP-backed user defined functions (UDFs), implemented as Snowflake external functions, that encrypt and decrypt the column values.
Architecture
Snowflake can run on all three major cloud service providers: AWS, Azure, and GCP. All three provide a function-as-a-service (FaaS) offering: AWS calls these AWS Lambda functions, Google calls them Cloud Functions, and Azure calls them Azure Functions. A Snowflake external function does not run code inside Snowflake; Snowflake sends each batch of rows through the provider’s API gateway to the function, which performs the CADP operation and returns the results, so the function is where CADP for Java runs and where the CipherTrust Manager credentials live.
The linked pages walk through the integration on GCP Cloud Functions and on AWS Lambda respectively; Azure is not covered by these examples.
GCP Integration Example
AWS Integration Example
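As an added example (it is not Thales’ or Snowflake’s own code, and not the code from the linked integration pages), the following AWS Lambda handler shows the shape of the Data Access function described above: it accepts Snowflake’s external function batch format (`{"data": [[row_number, value], ...]}`), encrypts or decrypts each value through CADP for Java, and returns the same format. It assumes Jackson and the aws-lambda-java-events library on the classpath, a packaged IngrianNAE.properties that points at the CipherTrust Manager NAE interface, and the environment variable names CM_NAE_USER, CM_NAE_PASSWORD and CM_KEY_NAME (all assumed names). The CADP calls (NAESession.getSession, NAEKey.getSecretKey and the IngrianProvider JCE provider) follow the pattern of the CADP for Java samples and should be checked against the CADP release in use.

```java
package example;

import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyRequestEvent;
import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.ingrian.security.nae.IngrianProvider;
import com.ingrian.security.nae.NAEKey;
import com.ingrian.security.nae.NAESession;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;

// Snowflake external function backend (AWS Lambda behind API Gateway). Example code, not Thales' own.
// Request body from Snowflake:  {"data": [[0, "value"], [1, "value"], ...]}
// Response body to Snowflake:   {"data": [[0, "result"], [1, "result"], ...]}
// Row numbers must be echoed back unchanged; Snowflake uses them to realign the batch.
public class CadpColumnHandler
        implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> {

    private static final ObjectMapper MAPPER = new ObjectMapper();
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16;
    // Assumed environment variable names; populate them from a secrets store, never hard-code them.
    private static final String NAE_USER = System.getenv("CM_NAE_USER");
    private static final String NAE_PASSWORD = System.getenv("CM_NAE_PASSWORD");
    private static final String KEY_NAME = System.getenv("CM_KEY_NAME");

    // One NAE session and key handle per warm container, so a batch does not re-authenticate to CM.
    private static NAESession session;
    private static NAEKey key;

    static {
        // Registers CADP as a JCE provider; NAE endpoint and TLS settings come from IngrianNAE.properties.
        Security.addProvider(new IngrianProvider());
    }

    private static synchronized NAEKey key() throws Exception {
        if (session == null) {
            session = NAESession.getSession(NAE_USER, NAE_PASSWORD.toCharArray());
            key = NAEKey.getSecretKey(KEY_NAME, session);
        }
        return key;
    }

    @Override
    public APIGatewayProxyResponseEvent handleRequest(APIGatewayProxyRequestEvent req, Context ctx) {
        // Encrypt and decrypt are exposed as two URLs, hence two Snowflake external functions, so
        // USAGE on the decrypt function can be granted to fewer roles than USAGE on encrypt.
        boolean decrypt = req.getPath() != null && req.getPath().endsWith("/decrypt");
        try {
            JsonNode rows = MAPPER.readTree(req.getBody()).get("data");
            ArrayNode out = MAPPER.createArrayNode();
            for (JsonNode row : rows) {
                ArrayNode outRow = out.addArray();
                outRow.add(row.get(0).asInt());           // echo the row number
                JsonNode value = row.get(1);
                if (value == null || value.isNull()) {
                    outRow.addNull();                     // NULL in, NULL out
                } else {
                    outRow.add(decrypt ? decrypt(value.asText()) : encrypt(value.asText()));
                }
            }
            ObjectNode body = MAPPER.createObjectNode();
            body.set("data", out);
            return new APIGatewayProxyResponseEvent().withStatusCode(200)
                    .withBody(MAPPER.writeValueAsString(body));
        } catch (Exception e) {
            // Log only the failure class: never plaintext, ciphertext or credentials.
            ctx.getLogger().log("CADP " + (decrypt ? "decrypt" : "encrypt") + " failed: "
                    + e.getClass().getName());
            return new APIGatewayProxyResponseEvent().withStatusCode(500).withBody("{\"data\":[]}");
        }
    }

    // AES-CBC through CADP with a fresh random IV per value; stored form is base64(iv || ciphertext).
    static String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding", "IngrianProvider");
        c.init(Cipher.ENCRYPT_MODE, key(), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] packed = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, packed, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(packed);
    }

    static String decrypt(String stored) throws Exception {
        byte[] packed = Base64.getDecoder().decode(stored);
        if (packed.length < IV_LEN + 16) {              // at least one full AES block after the IV
            throw new IllegalArgumentException("ciphertext too short");
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding", "IngrianProvider");
        c.init(Cipher.DECRYPT_MODE, key(), new IvParameterSpec(Arrays.copyOf(packed, IV_LEN)));
        byte[] pt = c.doFinal(packed, IV_LEN, packed.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }
}
```

On the Snowflake side the two URLs are bound with CREATE API INTEGRATION (API_PROVIDER = aws_api_gateway, the role ARN and the allowed URL prefix) and one CREATE EXTERNAL FUNCTION per URL, for example cadp_encrypt(v VARCHAR) RETURNS VARCHAR and cadp_decrypt(v VARCHAR) RETURNS VARCHAR; granting USAGE on cadp_decrypt only to the roles that need plaintext is what turns the function pair into an access control. The base64(iv || ciphertext) form will not fit a column whose type or length must be preserved; CADP also offers format-preserving algorithms for that case.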
Supported Product Versions
CipherTrust Manager
- CipherTrust Manager 2.11 and higher
CADP for Java
- CADP for Java 8.13 and higher
Snowflake
- Snowflake
This integration is validated with AWS Lambda and Google Cloud Functions using the Java 11 runtime.
Prerequisites
The Snowflake-side steps (creating the API integration and the external functions) follow the Snowflake external functions documentation: https://docs.snowflake.com/en/sql-reference/external-functions.
Ensure that CADP for Java is installed and configured. In this integration CADP runs inside the cloud function, so the CADP for Java JAR and its IngrianNAE.properties must be packaged with the function deployment. Refer to https://thalesdocs.com/ctp/con/cadp/cadp-java/latest/admin/cadp-for-java-quick-start/cadp-for-java-installer/index.html.
Ensure that the CipherTrust Manager is installed and configured. Refer to the CipherTrust Manager Documentation for details.
The cloud function (through CADP for Java) communicates with the CipherTrust Manager using the Network Attached Encryption (NAE) interface; Snowflake itself only calls the function through the provider’s API gateway. Ensure that the NAE interface is configured and that TLS is enabled on it, since column plaintext and CM credentials cross this connection. For more details, refer to the CipherTrust Manager Documentation.
Ensure that the port configured on the NAE interface (TCP 9000 by default) is reachable from the network the function runs in (for example a Lambda VPC configuration or a Cloud Functions VPC connector), not merely from Snowflake; a connection test from the function’s environment before deploying the UDFs saves debugging opaque external function errors later.