Any leading organization will tell you that data isn’t a nice-to-have – it’s table stakes for competing in today’s environment. So, it’s no wonder that many of these companies rely on the Snowflake Data Cloud to power analytics and AI workloads.
Since 2018, Immuta has worked product-to-product with Snowflake to develop a deep integration that allows joint customers to execute these workloads, with confidence that their data is secure and their systems remain highly performant. Immuta’s native integration with Snowflake dynamically protects data, frees up bottlenecks, and allows users to get faster access to de-risked data.
In our ongoing commitment to this partnership, we’re pleased to announce Immuta’s support for a suite of new Snowflake Horizon features. With organizations investing heavily in AI, multi-cloud data ecosystems, and decentralized data architectures, these capabilities will allow joint customers like Roche, Thomson Reuters, and Booking.com to step into the next era of data use, so they can unlock new innovations, opportunities, and successes. Here’s a preview:
Snowflake Copilot
AI fundamentally changes how data is consumed, and how knowledge from it is distributed. Until now, a given data analyst would use SQL to query and gain access to data within their organization. But humans have very real limitations – with only so many hours in the day, and so much capacity to consume and distribute information, this data analyst’s scope would actually help prevent data from being inadvertently leaked within the organization or beyond.
But times are – very quickly – changing, and these classic limitations are less relevant. The introduction of Snowflake Copilot removes the need for SQL or apps to query data. Consequently, more non-technical users can query structured data more easily. This, in turn, puts tabular data at greater risk. But, the beauty of Copilot is that while it may not seem like a Horizon feature, it is.
Here’s why – Copilot respects all Snowflake Horizon fine-grained access control. So, as the innovator of centralized attribute-based access controls (ABAC), Immuta plays an essential role in deploying Copilot without risk by using ABAC policy expression to enforce Horizon controls natively in Snowflake. Immuta’s granular approach to data access control and scalable policy management are even more important now, as organizations enable non-technical users with Snowflake Copilot.
Tagging Improvements
Tags are critically important for managing access control because they define the data, which allows Immuta to make policy decisions in real time. Immuta recognizes the tags and pushes policy down based on dynamic decisions made in the Immuta policy engine. So, how has this gotten better?
Snowflake has introduced two significant improvements to how tags are managed in the Data Cloud. First, Snowflake is able to apply these classification tags in a more automated manner; before, they had to be manually executed. This means as new tables are generated within a schema, Snowflake classification can automatically run and tag that data.
Second, Snowflake has introduced the concept of tag propagation. This will carry tags through to downstream objects via lineage.
Immuta monitors for changes in your Snowflake platform and finds these new, more real-time tags through Snowflake’s new capabilities. Once the tags are found, Immuta can immediately push out table grants, row access, and column masking policies associated with them, providing near-real time access control on your ever-changing data ecosystem.
Below is an example of a table grant policy targeting the Sensitive tag, which can be derived from lineage propagation, Snowflake classification, or other places. The policy is near real-time, meaning when a new table appears with this specific tag, it will be called into action and apply the SELECT grant:
Memoizable Functions
Snowflake recently announced what could be considered a minor change to their memoizable functions, but it has an incredible impact. Until this release, memoizable functions did not support arguments – but now they do. This is quite important to Immuta integrations because, where warranted, Immuta enforces policy decisions using key/value pairs as user metadata.
With arguments support, Immuta is able to memoize the policy response from a particular key of a key/value pair as an argument, rather than having to rely solely on roles. The bottom line is that row access policies and masking policies will execute with much greater performance than before. Our customers will reap the benefits of that performance improvement, while still abstracting complex user metadata relevant to policies with the use of key/value pairs.
An example of this is a row access policy that considers two separate users’ metadata to make a decision based on each user’s department and country.
For example:
Finance: US, CAN, AUS
Sales: US, FR, UK
As you can see, US is duplicated across Finance and Sales. Without a key/value capability, the customer would instead have to store this user metadata like Finance_US, Finance_CAN, etc. as roles. Once stored as key/value in Immuta, Immuta makes dynamic policy enforcement decisions that are orchestrated as native Snowflake controls from a policy like this:
When orchestrating the policy, Immuta takes advantage of memoizable performance so it can scale to tables with billions of records. We have proved this in production on many of our large finance and healthcare customer tables. Below is a chart showing real customer test cases:
Conclusion
Improvements to Snowflake Horizon features mean improvements to your Immuta integration. The delivery of these items allows more performant and better coordinated experience between the two platforms. It allows near-real time tag-based policy enforcement across table grants, column masking, and row access policies with exceptional query performance.
To see how these capabilities will work in your data ecosystem and up-level what you can do with your Snowflake data, talk with our team.
Talk with our team.
Learn more about how Snowflake Horizon features improve your Immuta integration.
Request a Demo
