Guide
Snowflake’s Data Sovereignty Capabilities
In today’s global and connected data world, our commercial and public sector customers continue to look for ways to implement advanced data security and governance controls in order to satisfy regulatory requirements.
About This Page
Snowflake is committed to providing controls to support data sovereignty requirements across the globe. This page outlines Snowflake’s existing and emerging sovereign capabilities for our global customers across 3 pillars: data residency, access control, and multi-cloud.
Data Sovereignty Overview
Data sovereignty is the principle that data is subject to the laws and regulatory frameworks of the location where it is collected. Data residency refers to the physical location where data is stored and is a pillar of data sovereignty. Data residency requirements generally dictate that certain types of data must remain within specific geographical boundaries.
These concepts have become increasingly important in the digital age, as cloud computing and other digital services often require data and information to be transferred across borders. In many regulated industries and government sectors, it is particularly important that customers have the controls they need to address their data sovereignty and residency requirements. Data sovereignty technical controls can restrict or limit access to data through encryption and key management while also restricting the movement of customer data out of a geographical region.
Data Residency Capabilities
Snowflake provides customers with an at-rest data residency commitment which restricts customer data from leaving the customer’s region of deployment unless the customer chooses to leverage Snowflake’s replication and/or cross-region data sharing capabilities. Snowflake’s SnowGrid enables customers who opt in to replicate data across any Snowflake deployment, including across cloud service providers (CSPs).
We understand that customers require replication and cross-region sharing as the democratization of data increases across the globe. Today, customers are able to select from all available supported cloud regions to create their own customized sovereign boundary.
As Snowflake continues to add new regions, we will continue to add them to the sovereign boundary options.
Access Control Capabilities
Protecting customer data is a top priority for Snowflake. By default, Snowflake does not access customer data in the ordinary course of operating the Snowflake service without a valid justification, such as a customer-initiated support request. We understand that our customers may need additional protections to mitigate the potential for third-party access to data, so Snowflake has external key management capabilities to provide this additional layer of protection (detailed below).
External Key Management
Snowflake provides a robust approach to security through our customer-configurable Tri-Secret Secure capability. This capability focuses on the decentralization of access control. The encryption material is split across 2 separate entities (Snowflake and the customer), meaning Snowflake can no longer decrypt the customer’s data if the customer decides to revoke the encryption key under their control.
In addition, we are introducing a new external key management capability for customers to gain even more control over their encryption technology. Today, while Snowflake does not have access to customers’ key material if they’re using Tri-Secret Secure, the customer key material is still stored on the CSP’s infrastructure within their Snowflake account. With our new offering, customers can choose whether they want their key material to exist on the CSP’s infrastructure or outside of it, within an external key manager owned by the customer in a location of their choice. For customers, this mitigates third-party access by controlling the physical location of, and access to, key material, while empowering the customer to revoke keys at will, thereby removing the ability to decrypt and access data.
Multi-Cloud Capabilities
Snowflake is a multi-cloud service provider, enabling enterprises to choose the appropriate CSP for their business needs while preventing lock-in. Snowflake is committed to working with customers to choose the most suitable infrastructure to support sovereignty, while maintaining a consistent Snowflake experience. The ability to move from one CSP to another while maintaining business-critical functions is key to our customers’ mitigation strategy, and Snowflake will continue to invest in its multi-cloud capabilities.
Snowflake’s combination of these capabilities provides customers with a layered defense to mitigate the potential for third-party access to data while giving customers control over their data. To learn more about Snowflake’s sovereign capabilities, please work with your local sales team or get in touch with us.
More Information on Snowflake Customer Data Security and Governance Control