The State of Data in 2021: Crossing the Sensitive Data Chasm
How to safely move sensitive workloads to the cloud and bring more value to your business
In 2020, you moved your simple and easy workloads into a Cloud Data Platform like Snowflake but got stuck moving more sensitive data workloads for security, privacy, or compliance reasons. In this post, you’ll learn how easy it has become to pair your Cloud Data Platform with a fully SaaS delivered and credentialed security provider to overcome the challenges of using sensitive data in the cloud. Whether you're the data engineer, the data architect tasked to use the data, or the security engineer tasked with securing the data, pairing ALTR with Snowflake will help quickly turn a data workload ‘no’ into a workload ‘yes’!
The Beginning: Data is Awesome
We all remember our first time logging into that beautiful blue Snowflake web UI, running our first sample query on the sample data set, and how cool it felt. But we quickly got our snow boots under us and wanted to start using real data. At first, migration was easy. Let's pretend you're on the marketing analytics team and wanted to cross-reference your marketing spend in AdWords with this month's orders broken down by zip code — with a few clicks, you have easily added AdWords data into Snowflake as well as data from your eCommerce SaaS provider. You can now easily run reports either from the last 30 days or the last three years, and you didn't have to call IT. The rush of being in control of your marketing analytics destiny is pretty neat, so you begin to add other sources into Snowflake, removing data silos, and making your job easier and faster. This goes on for a few months, and everything is dandy.
The Middle: Data is Scary
Then you get the great idea of importing your customers' information from Salesforce Marketing Cloud emails and campaigns. You want this data to cross-reference web cookies or email responses to coupons you've been using. You'd also love to get some of the more sensitive data that still lives on-prem in a legacy operational database. Only this time when you go to quickly import this data, you are blocked first by the firewall — you don't have a username/password and you realize the security teams can see you trying to access that information, then you get a call from your local neighborhood DBA and security engineer. You explain what you were trying to do and show them all the cool stuff you've been doing with Snowflake and how much better the company will for the work. But they point out that you cannot just simply move this customer data as you did with the other data. It's at this moment that you realize you're standing on the edge of a cliff. This cliff looks dangerous and leads to a canyon that is vast and full of wild GDPR and CCPA animals as well as the worn-out brands that have had massive data breaches. The canyon is real and it causes everyone on that call, DBA, security, and you to stop in your tracks.
But on the other side of the canyon, you see increased revenues, reduced marketing waste, and more efficient campaigns. All things the business would love to have and use. So you begin to brainstorm with the security and DBA teams. “What if we just did this...?”, or “How about we try to port legacy security system X to Snowflake?” “Won't work,” says the DBA and security teams – running VPN connections between on-prem and Snowflake isn't possible; or the latency impact it will have makes using Snowflake not possible; or the privileged access management tool (PAM) you have doesn't support Snowflake and will never support Snowflake.
Everyone is on the same page trying to get across that canyon together but it seems hard to navigate the dangers of the canyon. You need a bridge. Something stable and safe you can walk on to cross the canyon and bring that customer data with you. It needs to be flexible enough to handle different types of data because if you can get the customer data you want across the canyon, then others will surely try to bring more sensitive data with them behind you. It needs to be strong enough to stand up to the dangers of the wild compliance and regulations animals below it all howling for your hard-earned revenue if you screw up. It almost feels like you can't make it across.
The End: Data is Safe
One day you wake up and see a post on LinkedIn from some guy who is a 2nd connection to the person you shared a cube with as an intern 6 years ago. He's talking about data security being delivered as SaaS, or DSaaS (Data Security as a Service), and how it has a native integration with Snowflake to help observe data access and detect and respond to improper access — they even offer tokenization of data at rest. All of this can be enabled quickly with Snowflake? They have attestations and certifications to store and control access to PCI, PII, and HIPAA data types. You reconvene the DBA and security engineering team, standing on the edge of the canyon once more, you spec out what could be a pretty nice bridge to get you across. This bridge is ALTR DSaaS. Everyone agrees after researching the product and trialing the software that this could be the answer.
From the trial, everyone learned that they could:
- Ensure each access to sensitive data is logged for as long as the business requires
- Integrate these logs into their central logging server or SIEM
- Ensure that only authorized users can view the sensitive data
- Quickly and easily set a policy that watches data access and prevents breaches by only allowing the right amount of it out to each user
- Utilize tokenziation as a service to make even their most sensitive data safe for use in the cloud
Low and behold, everyone’s boss signs off on the usage since ALTR DSaaS has the features and scalability needed to cross the canyon safely. You can now begin to move sensitive workloads without fear that someone will be able to steal credentials and take data. You know after running the trial that SQL injection attacks won't work with ALTR in place. You can provide all needed parties with Observability reports that policy is in place and is being enforced. ALTR DSaaS has satisfied even the most stringent of requirements because it extends beyond RBAC controls and places policy on data, ensuring that only authorized users access data, and only as much data as is allowed. Information at rest can be protected without the overhead of encryption keys, and the SaaS deployment matches Snowflake scale so the data is actually usable even with the highest levels of security.
Canyon crossed, goals achieved, next workload please.
To learn more about how ALTR can protect your sensitive data in the cloud, check out this white paper.