Snowflake, one of the most innovative data cloud players, serves wide-ranging technology areas and provides capabilities for data integration, business intelligence, advanced analytics, and data science. It offers a highly scalable and performant cloud data warehouse, providing support for structured and semi-structured data while simultaneously addressing concurrency and accessibility concerns. Snowflake works with a large variety of analytical tools such as Tableau, Power BI, and Looker, and provides support for various programming languages such as Java, Python, C, Go, and .NET. With the introduction of Snowpark, Snowflake can now process data pipelines without moving data to the system where your application code runs.

With all these capabilities, more and more companies use Snowflake for their technical and business applications. With so many new users and workloads, getting data access management, data governance, and data privacy right is now an urgent requirement. Okera enables organizations to get data access governance right at any point during their data cloud journey.

Introducing Native Snowflake Policy Synchronization

Over its last several releases, Snowflake has announced advanced security and data access governance features such as row access policies, column-level security, and dynamic data masking. With these advanced capabilities now available in Snowflake, Okera added a new policy enforcement mechanism that allows us to materialize, or push, Okera universal policies directly into Snowflake for native enforcement.

So why use Okera as your master policy manager instead of defining policies directly in Snowflake? Several reasons:

  • Okera is easy. Whether you author policies in the Okera web UI or programmatically through our APIs, the constructs are simple and easy to understand. Data access governance is Okera’s business, and we do it very well.
  • Collaboration and distributed stewardship. Okera recognizes that there are many data stakeholders, and it’s important that they all can work in a collaborative environment. Your Data Protection Officer or CISO should be able to validate that data policies are enforced as intended. With Okera, they can self-serve the information they need to be the best at their jobs.
  • Consistency, clarity, and scale. Most companies that have Snowflake also have analysts and data science teams working with other data platforms, such as Amazon EMR, Dremio, and many other systems. Okera is platform-agnostic, allowing a single policy to apply equally to Snowflake queries, Spark dataframes, and more.

Starting with Okera 2.9, Okera functions as the master policy manager, which pushes universal data access policies into Snowflake. In essence, this new policy synchronization enforcement pattern materializes Okera fine-grained access controls into Snowflake objects, such as roles, permissions, dynamic masking, row access policies, and so on. With this translation, Snowflake itself can enforce policies defined and managed in Okera, while at the same time Okera is not on the query execution path.
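
To make the materialization described above concrete, here is what the native Snowflake objects involved look like when written by hand. This is an added illustration, not SQL generated by Okera or taken from its documentation; every database, schema, table, role and policy name is constructed.

```sql
-- All object names below are constructed for illustration.

-- A role that carries the entitlement, with only the grants it needs.
CREATE ROLE IF NOT EXISTS analyst_emea;
GRANT USAGE ON DATABASE sales TO ROLE analyst_emea;
GRANT USAGE ON SCHEMA sales.public TO ROLE analyst_emea;
GRANT SELECT ON TABLE sales.public.customers TO ROLE analyst_emea;

-- Dynamic data masking: only sessions holding PII_READER see the
-- local part of the e-mail address; everyone else sees it redacted.
CREATE OR REPLACE MASKING POLICY governance.policies.mask_email
  AS (val STRING) RETURNS STRING ->
  CASE
    WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val
    ELSE REGEXP_REPLACE(val, '^[^@]+', '*****')
  END;

ALTER TABLE sales.public.customers
  MODIFY COLUMN email SET MASKING POLICY governance.policies.mask_email;

-- Row access policy: a row is visible if the session holds GLOBAL_READER
-- or the current role is entitled to the row's region in a mapping table.
CREATE OR REPLACE ROW ACCESS POLICY governance.policies.region_filter
  AS (row_region STRING) RETURNS BOOLEAN ->
  IS_ROLE_IN_SESSION('GLOBAL_READER')
  OR EXISTS (
    SELECT 1
    FROM governance.policies.region_entitlements e
    WHERE e.role_name = CURRENT_ROLE()
      AND e.region = row_region
  );

ALTER TABLE sales.public.customers
  ADD ROW ACCESS POLICY governance.policies.region_filter ON (region);

-- Audit check: list every policy currently attached to the table, so a
-- reviewer can confirm that what is enforced matches what was intended.
SELECT policy_name, policy_kind, ref_entity_name, ref_column_name
FROM TABLE(sales.information_schema.policy_references(
  ref_entity_name   => 'sales.public.customers',
  ref_entity_domain => 'table'));
```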

Architecture diagram showing Okera policies synchronizing with Snowflake

Use Okera as the master policy manager to simplify data access governance and ensure policy consistency across the enterprise

Now, Okera provides Snowflake data access protections transparently, so customers can benefit from all of Okera’s Universal Data Authorization capabilities while achieving the following objectives on Snowflake:

  • Analyze data using Snowflake’s native Snowsight (or Worksheets) web UI
  • Use Snowflake-native SQL dialect and advanced Snowflake features
  • Continue to use their preferred BI and analytics tools without modifications
  • Seamlessly apply fine-grained data access controls to data science, machine learning, data integration, and ETL platforms

How Snowflake Policy Synchronization Works

For each Snowflake Connection object created in Okera, there is an automatic policy synchronization process that runs on a configured schedule. Policy synchronization can also be performed on-demand.

Administrative screen showing Okera policies are being synchronized with Snowflake

Push master policies from Okera to Snowflake for enforcement

Adding protections to your data with Okera is very simple and does not require deep technical expertise or extensive training. Often it takes just a few days or even hours for customers to implement end-to-end data protection and allow end users to start using the data. Creating Snowflake connections, conducting data discovery, performing automated or manual data classification, registering the data, and creating roles and permissions can be done via the point-and-click user interface or the APIs.

Data policy builder that shows column level masking and tokenization, and dynamic row level filtering

Universal data access policy builder

Many organizations find it challenging to make Snowflake data available to a wider audience of business users, business analysts, data scientists, and subject-matter experts. Often, customers already have user roles configured in Snowflake for DBAs or developers, and they might want to keep using them. Okera coexists with any non-Okera-managed Snowflake roles your system might have, so all pre-configured roles and permissions can still be used. Therefore, customers can gradually switch to a completely Okera-managed system or maintain a hybrid approach to their entitlement management.

Okera offers multiple controls to fine-tune the Snowflake integration according to your organization’s needs.

  • Control policy synchronization behavior
    Okera administrators can specify the cadence of permission synchronizations and configure the names of the Okera-managed roles.
  • Control user participation in policy synchronization
    In some scenarios, customers want to control whether protections apply to all Snowflake users or only a subset. Okera lets you specify which users should be included in or excluded from the process.
  • No system- or admin-level roles required
    Okera does not require any Snowflake administrator privileges (such as ACCOUNTADMIN, SYSADMIN, USERADMIN), and all operations are performed with a minimal set of permissions.

Summary: Why Choose Okera for Snowflake Data Access Governance

Snowflake customers can benefit from Okera’s universal data access management capabilities with complete traceability and auditability while using all Snowflake native tools, third-party data integration, advanced analytics, and business intelligence solutions. They don’t need to change the architecture of their operational components or existing Snowflake integrations.

Customers can protect not only Snowflake data, but also data assets stored in other data sources and leverage all advanced Okera capabilities.

Okera UI that shows a single policy applies to an S3 bucket, a Snowflake table, and a Redshift table.

Register data with platform-agnostic policies

Okera can help reduce the risk and expedite productization of new migration-to-Snowflake initiatives, as well as improve security, reduce complexity, and lighten the burden of data access management in existing and evolving Snowflake environments.