Author: Sakshi Agrawal
This paper gives a brief overview of how network policies help secure application access to your data warehouse (Snowflake). It also covers how to implement network policies in a Snowflake environment.
What is a Network Policy?
A network policy is a set of conditions and constraints that restricts unauthorized persons from accessing a particular network. In other words, it is a set of settings that lets you designate who is authorized to connect to the network.
Network Policy in Snowflake
We can connect different applications to Snowflake via Partner Connect (for example, DBT, Tableau, etc.) or using connectors. The various Snowflake users that these applications connect with are accessing your Snowflake instance. To provide an extra layer of security, you can create network policies that can be assigned to particular users.
Network policies provide options for managing network configurations to the Snowflake service, which allows restricting access to your account based on user IP address. Effectively, a network policy enables you to create an IP-allowed list, as well as an IP-blocked list, if desired.
In Snowflake, a security administrator (or higher) can create a network policy that will allow or deny access to a single IP address or a list of addresses. Network policies in Snowflake currently support only Internet Protocol version 4 (i.e., IPv4) addresses.
An admin with sufficient permissions can create any number of network policies. A network policy is only enforced once it is activated at the account level or for an individual user. To activate a network policy, modify the account or user properties and assign the network policy to that object. Only a single network policy can be assigned to the account or to a specific user at a time.
Implementation of network policy in Expense Management System
The RBAC structure of our project is shown below. According to our RBAC, only some users, i.e., developers, should have direct access to the Snowflake account. Developers who work on third-party tools connected with Snowflake, and on the Snowflake instance itself, are the only ones supposed to have access to the dedicated Snowflake account, i.e., the actual code.
Users other than developers, i.e., users in the production environment, should not have access to the Snowflake instance code and data. For example, DBT users can access the DBT schema, but users in production should not access the DBT schema; they can have access to the production schema instead.
Likewise, a user other than the one working on a specific application should not have access to the Snowflake instance. In our case, we have 4 such users.
The DBT user should only be able to log in to the Snowflake instance with the credentials given to the DBT user. Even if the Tableau user has the same credentials, that user should not be able to log in, because the network policy assigned to the DBT user allows only the IP addresses specific to the DBT user. In this way we provide an extra layer of security.
In the RBAC below, we have 5 roles under programmatic access, and the users assigned to 4 of these roles (KAFKA, DBT, TABLEAU, SNOWBOARD) have a network policy applied.
Let's look at one example of how the DBT network policy has been applied to the DBT user.
The policy is then assigned to the user with the alter user command in Snowflake.
For example: alter user TOOL_DBT_USER_1 set NETWORK_POLICY = DBT_NETWORK_POLICY1;
In the same way, we have implemented this for the KAFKA, TABLEAU and SNOWBOARD users.
For a general example of allowed and blocked IP addresses, you can refer to the following.
We can also temporarily bypass a network policy.
After creating a network policy, you have to activate it. Network policies can be activated at the account level or at the user level.
One can also modify an existing network policy through the UI or with the alter network policy command.
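The full create, activate, verify and modify sequence from the steps above, as an added Snowflake SQL example that is not the project's own code; the policy and user names are the ones used in this paper, and the IP addresses are constructed placeholders from a documentation range, not real project values.

```sql
-- Network policies are created and assigned by SECURITYADMIN or a higher role.
USE ROLE SECURITYADMIN;

-- Check the address of your own session first: Snowflake refuses to activate a
-- policy that would block the address you are currently connecting from.
SELECT CURRENT_IP_ADDRESS();

-- Allow only the hosts the DBT tool connects from. The addresses are placeholders
-- (RFC 5737 documentation range); the blocked list excludes one host from the range.
CREATE NETWORK POLICY DBT_NETWORK_POLICY1
  ALLOWED_IP_LIST = ('192.0.2.10', '192.0.2.16/28')
  BLOCKED_IP_LIST = ('192.0.2.20')
  COMMENT = 'Allows only the DBT worker hosts to log in as TOOL_DBT_USER_1';

-- Review the policy before activating it.
SHOW NETWORK POLICIES;
DESCRIBE NETWORK POLICY DBT_NETWORK_POLICY1;

-- Activate it for the dedicated tool user only (user level, not account level).
ALTER USER TOOL_DBT_USER_1 SET NETWORK_POLICY = DBT_NETWORK_POLICY1;

-- Confirm the assignment: the NETWORK_POLICY parameter now shows the policy name.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER TOOL_DBT_USER_1;

-- Modify the policy later, e.g. when a DBT host changes address.
ALTER NETWORK POLICY DBT_NETWORK_POLICY1
  SET ALLOWED_IP_LIST = ('192.0.2.10', '192.0.2.11');

-- To remove the restriction from the user again (the policy object itself remains).
ALTER USER TOOL_DBT_USER_1 UNSET NETWORK_POLICY;
```

A login attempt for TOOL_DBT_USER_1 from an address outside the allowed list is rejected by Snowflake, which is the behaviour relied on for the Tableau-user case described above.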
In this way, we have implemented the network policies.
After studying network policies and implementing them in our project, we can conclude the following points about them.
A network policy is only enforced when it is activated at the account or individual user level. It can be activated at both the account level and the user level; we have done this at the user level.
A network policy that blocks your current IP address is not supported by Snowflake at present.
A network policy adds an extra level of security to your data, so that only the intended IP addresses can access the information.