Security has been an integral capability of Snowflake since the company was founded. Through the customer-configurable security capabilities of the Snowflake Horizon Catalog, we empower security admins and chief information security officers (CISOs) to better protect their environments and centralize threat monitoring and role-based access controls across clouds. We recently strengthened our commitment to making Snowflake even more secure by signing the Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design Pledge, a commitment to take specific, measurable actions in line with CISA’s Secure by Design principles for enterprise software products and services. 

Aligned with that pledge, we are shifting our shared responsibility model for security to a shared destiny model. In this model, we take a more proactive role to help customers secure their accounts. This revised approach will have a clear impact on our priorities for this year:

• More options for multi-factor authentication: Our customers leverage a broad range of authenticators and expect those authenticators to be available in Snowflake. We aim to build support for passkeys (WebAuthn) and authenticator apps (TOTP), in addition to our existing Duo SMS and push authenticators, to enable a more secure,  phishing-resistant, and frictionless sign-in experience for users.

• More options for secure programmatic access: Programmatic use cases represent a significant portion of traffic to Snowflake. Starting with programmatic access tokens (PATs; in private preview), we aim to support more developer-friendly ways for workloads to securely authenticate to Snowflake. PATs offer a secure, ergonomic drop-in replacement for passwords, OAuth client credential flows and more. Beyond PATs we intend to expand our OAuth/OIDC capabilities to support directly authenticating platform workload identities and thereby eliminate the need for credential management entirely.  

• More secure default authentication: We recently announced that Snowflake will block single-factor sign-ins with passwords starting in November 2025. The expanded authentication features outlined in the previous points will help customers migrate away from password-only authentication to more secure solutions.

• More comprehensive cloud monitoring services: Stronger authentication helps reduce the attack surface, but it does not replace monitoring services to detect attacks and respond to them. We aim to expand our suite of always-on threat-detection capabilities to notify customers of anomalous log-ins and suspicious account behavior. 

The shared destiny model will be based on the existing security foundations of Snowflake, which are:

• Cross-cloud: Snowflake offers easy-to-use security controls for identity and access management, networking and encryption across cloud service providers (CSPs). This enables our customers to adopt a seamless multi-cloud strategy with uniform controls across their CSP footprint, which then greatly reduces their total cost of ownership. 

• Easy to use: Snowflake offers built-in security controls by default and easy configurability to add additional security controls for customers' unique use cases. The Trust Center also helps guide customers in the right direction by pinpointing security misconfigurations and areas of concern and risk. 

• Data-centric: With Snowflake, customers can secure data across storage and compute from the moment it's ingested into Snowflake and throughout its lifecycle, driving analytics, insights, generative AI/LLM experiences and more.

• Comprehensive: Customers can secure their entire data ecosystem within Snowflake, including apps, services and ML models.

There are three categories of security controls that the Snowflake Horizon Catalog provides: identity and access management, networking and encryption.

Identity and access management

Snowflake offers sophisticated authentication and authorization controls. For example, Snowflake provides great flexibility in creating and managing users, either directly with Snowflake or synced from another identity provider (IDP) via SCIM. Similarly, Snowflake offers multiple user credential options:

• Provisioned by a third-party IDP (single sign-on, or SSO): This is Snowflake's recommended credential type, where one or more external entities provide independent authentication of user credentials. Snowflake supports industry standards with SAML or OAuth to configure federated authentication. 

• Provisioned by Snowflake (static credentials): Mainly targeting break-glass access, temporary access or access for customers without their own IDP, Snowflake provides static credentials (key pair, passwords with Duo multi-factor authentication (MFA) and PATs, with more authenticators coming as mentioned earlier. 

Snowflake offers intuitive ways for customers to distinguish between human and service users. This is crucial given the fundamental differences in the ways these users access Snowflake. For example, Snowflake enforces that only human users can enable MFA or that service users cannot use passwords to sign in to Snowflake or have access to Snowflake UI. 

For access management, Snowflake supports role-based access control (RBAC). What makes Snowflake’s RBAC unique is its tight integration with our data governance controls, offering granular control over data access (for instance, row access policies in tables). The entire suite of Snowflake features are RBAC integrated, enabling a uniform security model across a data ecosystem (for instance, Snowflake Model Registry, Snowflake Cortex AI, data hosted in external tables to train models or for analytics, Snowpark Container Services, image repository and services and so on). This ubiquitous cross-cloud support for Snowflake RBAC simplifies governance, compliance and auditing with Snowflake.  

In addition to RBAC, Snowflake will soon offer user-based grants (available in private preview soon), enabling privileges to be assigned directly to users for securable objects. This approach simplifies the sharing of analytical products, such as Streamlit apps, by allowing data and AI scientists to share their work directly with their intended audience without relying on predefined roles. Combined with the personal database concept (available in public preview), which supports user-based ownership of securable objects, Snowflake streamlines the creation and sharing of analytical products, making the process more intuitive and familiar.

Networking

For better privacy, you can configure private connectivity to the Snowflake services, Streamlit and internal stages such that your traffic to Snowflake never transits the public internet. Similarly, for outbound connectivity, you can create private endpoints in Snowflake to access the cloud platform using the platform’s private connectivity solution rather than traversing the public internet. Snowflake makes it a breeze to configure these private connections.

Snowflake also offers network policies to control inbound/outbound access to the Snowflake services and internal stages, such as restricting users to certain IP ranges. These policies are configured cross-cloud and can be attached to a whole account or to individual users or integrations, giving significant flexibility to admins to determine the right policy based on user or account behavior.

Encryption

All data stored in Snowflake internal stages is encrypted by default with a hierarchical key model rooted in a hardware security module. Encryption keys are automatically rotated every 30 days. Optionally, Snowflake offers Tri-Secret Secure, which allows customers to compose an account master key (used to encrypt all keys in the hierarchy) from a combination of a Snowflake-maintained key and a customer-managed key. This feature gives customers control over Snowflake’s ability to access their data and the ability to revoke that access whenever they decide.

Learn more

• Review your account’s security posture with the Snowflake CIS benchmark. 

• Programmatically check your compliance leveraging the Trust Center CIS scanner package.

• Read this white paper and watch our companion video on how to migrate to secure credentials.  

• Visit the Snowflake CISO hub for all of the latest security updates. 

Forward-Looking Statement

This post contains express and implied forward-looking statements, including statements regarding (i) Snowflake’s business strategy, (ii) Snowflake’s products, services, and technology offerings, including those that are under development or not generally available, (iii) market growth, trends, and competitive considerations, and (iv) the integration, interoperability, and availability of Snowflake’s products with and on third-party platforms. These forward-looking statements are subject to a number of risks, uncertainties, and assumptions, including those described under the heading “Risk Factors” and elsewhere in the Quarterly Reports on Form 10-Q and Annual Reports of Form 10-K that Snowflake files with the Securities and Exchange Commission. In light of these risks, uncertainties, and assumptions, actual results could differ materially and adversely from those anticipated or implied in the forward-looking statements. As a result, you should not rely on any forward-looking statements as predictions of future events.