Tag-Based Dynamic Data Masking Policies

Tag-based dynamic data masking is a method of creating a policy that allows you to connect a Snowflake object tag (instead of a column) to ALTR. Through this Snowflake integration, ALTR will be in the critical path of any query that accesses a column associated with your Snowflake object tag. This governance works even if the schema information of the column changes, the column is cloned, or if the column exists in a database that's not connected to ALTR.

Benefits of Tag-Based Dynamic Data Masking

Tag-based dynamic data masking enables your business to more easily scale data governance across your entire organization. Governing data with tag-based masking involves simply assigning a tag to the data in Snowflake. This can be done through a single SnowSQL command via Snowflake’s governance UI and can be automated in third-party tools such as our data cataloguing partner, Alation, as well as ETL providers like our partner, Matillion.

Tag-based masking also makes it much easier for ALTR admins to distribute responsibility for 1)properly identifying sensitive data and 2)assigning access controls to individual data owners/stewards that align with the Data Mesh Architecture for managing cloud data warehouses at scale.

Recommendations for Configuring Your Snowflake Object Tag

This section provides recommendations to help you configure your Snowflake object tag successfully.

Number of object tags to use per Snowflake account

• Only use a single Snowflake Object Tag per Snowflake Account. This will prevent query errors that could occur from accidentally assigning two different governed tags to a single piece of data.

Database

• Define the tag in a database that's NOT used to house data. ALTR recommends that you create and use “ALTR_DSAAS_DB” because this is the same database where ALTR will define the relevant Snowflake dynamic data masking policies. This will prevent a tag from being accidentally cloned or accidentally changing where it's defined.

           Note: Do not remove an existing ALTR_DSAAS_DB if it already exists.

Values

• Specify allowable values when defining the tag. ALTR will automatically import these allowable values once you've connected the tag. This will help to prevent accidental typos when assigning the tag to data and other mishaps.

‍

Capabilities that are included in this early version of our Snowflake Integration

This early version of our release that's integrating with Snowflake's tag-based data masking feature includes the following capabilities:

• You can connect a Snowflake object tag to ALTR via our API.
• Locks and threshold functionality against data is protected via Snowflake object tags.
• Query audits generated against data is protected via Snowflake object tags.

Note: Query audits (which isn't available in our UI yet) will now contain new information in the AWS S3 bucket such as what tags were accessed by a query, what warehouse was used to execute the query, and which Snowflake account and region the query was executed in. For details, visit Integrating ALTR Notifications with AWS S3.

‍

Best Practices for Using Tag-Based Data Masking

These suggestions provide guidance for implementing tag-based data masking as part of your data governance strategy.

1. Refrain from using tag-based policies and column-based policies. It is better that you choose one or the other but not both because If a column is protected with conflicting tag-based and column-based policies, then the column-based policy in Snowflake will “win”. This will result in software behavior that might be confusing to you.
2. Although a single tag can be used to govern data across an entire Snowflake account without having to connect individual databases, you should still re-run the stored procedure occasionally to make sure that ALTR’s service user has appropriate permissions. This is especially critical if you introduce new Warehouses into your Snowflake account.
3. Limit access to the database where your policy tag is defined to only ALTR’s service user unless you need to modify the allowable values of a tag.

Sample SnowSQL for creating an ALTR_DSAAS database and a new Snowflake tag used dedicated to policy

<div class="code-snippet-container"><a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a><div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown"><div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0"><div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div><div class="text-block show-snippet">View code snippet</div><div class="text-block close-snippet">Close code snippet</div></div> <nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1"><div class="code-snippet w-richtext" id="code-1"><!--Set language as class--><pre><code fs-copyclip-element="copy-this" class="language-sql"><!--insert code here-->CREATE DATABASE IF NOT EXISTS ALTR_DSAAS_DB;
USE DATABASE ALTR_DSAAS;
CREATE SCHEMA IF NOT EXISTS TAG_SCHEMA;
USE SCHEMA ALTR_TAG_SCHEMA;
CREATE TAG ACCESS_CONTROL_LEVEL
   allowed_values 'AUDIT', GREEN', 'YELLOW', 'RED';<!--stop inserting code--></code></pre></div></nav></div></div>

Sample SnowSQL for assigning tags to columns

<div class="code-snippet-container">
  <a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-1" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
   <div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
    <div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
    <div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
      <div class="text-block show-snippet">View code snippet</div>
       <div class="text-block close-snippet">Close code snippet</div>
    </div>
    <nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
    <div class="code-snippet w-richtext" id="code-1">
             <!--Set language as class-->
             <pre><code fs-copyclip-element="copy-this-1" class="language-sql">ALTER TABLE &lt;database&gt;.&lt;schema&gt;.&lt;table&gt;
 MODIFY COLUMN &lt;column&gt;
 SET TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL = 'RED';</code></pre>
</div>
      </nav>
    </div>
</div>

Sample SnowSQL for unassigning tags from columns

<div class="code-snippet-container">
  <a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-2" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
   <div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
    <div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
    <div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
      <div class="text-block show-snippet">View code snippet</div>
       <div class="text-block close-snippet">Close code snippet</div>
    </div>
    <nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
    <div class="code-snippet w-richtext" id="code-1">
             <!--Set language as class-->
             <pre><code fs-copyclip-element="copy-this-2" class="language-sql">ALTER TABLE &lt;database&gt;.&lt;schema&gt;.&lt;table&gt;
 MODIFY COLUMN &lt;column&gt;
 UNSET TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL;</code></pre>
</div>
      </nav>
    </div>
</div>

Sample SnowSQL for assigning a tag to an entire table

<div class="tip-component"><img src="https://assets.website-files.com/6168874b33b7804322d78118/6450264c370288e48bb9659e_icon-tip-outline.svg" loading="lazy" alt="" class="component-icon"><div class="tip-text"><p>Assigning a tag to a table (or schema, or database) will associate that tag with every single column within that table. This will generate query audits and apply masking rules to every column within that schema object.</p><p>If you apply different tag values to both a table and a column within that table, Snowflake will execute the policy against the <em>more specific</em> schema object - in this case, the column.</p></div></div>

<div class="code-snippet-container">
  <a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-3" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
   <div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
    <div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
    <div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
      <div class="text-block show-snippet">View code snippet</div>
       <div class="text-block close-snippet">Close code snippet</div>
    </div>
    <nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
    <div class="code-snippet w-richtext" id="code-1">
             <!--Set language as class-->
             <pre><code fs-copyclip-element="copy-this-3" class="language-sql">ALTER TABLE &lt;database&gt;.&lt;schema&gt;.&lt;table&gt;
ALTER TABLE &lt;whatevertableyouwant&gt;
 SET TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL = 'RED';</code></pre>
</div>
      </nav>
    </div>
</div>

Sample SnowSQL for updating the allowable values on a tag

<div class="tip-component"><img src="https://assets.website-files.com/6168874b33b7804322d78118/6450264c370288e48bb9659e_icon-tip-outline.svg" loading="lazy" alt="" class="component-icon"><div class="tip-text"><p>Reach out to product to learn how to get new allowable values imported to ALTR to use in locks. This process is not straightforward in the MVP.</p><p>Essentially, you will need to assign the new values to columns in a connected database and then run a snowflake tag import against that database.</p></div></div>

<div class="code-snippet-container">
  <a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-4" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
   <div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
    <div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
    <div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
      <div class="text-block show-snippet">View code snippet</div>
       <div class="text-block close-snippet">Close code snippet</div>
    </div>
    <nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
    <div class="code-snippet w-richtext" id="code-1">
             <!--Set language as class-->
             <pre><code fs-copyclip-element="copy-this-4" class="language-sql">ALTER TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL
   ADD allowed_values 'ORANGE';

ALTER TAG ALTR_DSAAS_DB.TAG_SCHEMA.ACCESS_CONTROL_LEVEL
   DROP allowed_values 'ORANGE';</code></pre>
</div>
      </nav>
    </div>
</div>

Sample API Body to connect a tag to ALTR

<div class="code-snippet-container">
  <a href="#" class="copy-button button-2 w-button" fs-copyclip-element="click-5" fs-copyclip-message="Copied" fs-copyclip-duration="3000"><!--Edit the button text-->Copy Code Snippet<!--stop editing the button--></a>
   <div data-hover="false" data-delay="250" data-w-id="a87f6f50-5ff6-8b71-849c-52b063899ad8" class="code-dropdown w-dropdown">
    <div class="dropdown-toggle w-dropdown-toggle" aria-controls="w-dropdown-list-1" role="button" tabindex="0">
    <div class="icon-2 w-icon-dropdown-toggle" aria-hidden="true"></div>
      <div class="text-block show-snippet">View code snippet</div>
       <div class="text-block close-snippet">Close code snippet</div>
    </div>
    <nav class="dropdown-code-list w-dropdown-list" id="w-dropdown-list-1">
    <div class="code-snippet w-richtext" id="code-1">
             <!--Set language as class-->
             <pre><code fs-copyclip-element="copy-this-5" class="language-sql">PUT https://api.preview.altr.com/v1/tag/masking
{
 "database_id": 528,
 "database_name": "ALTR_DSAAS_DB",
 "friendly_name": "carl_test_tag_1_20230816",
 "masking": {
   "mask_data_type_list": [
     "VARCHAR",
     "NUMBER"
   ]
 },
 "schema_name": "CARL_TAG_SCHEMA",
 "tag_name": "CARL_POLICY_TAG_1"
}</code></pre>
</div>
      </nav>
    </div>
</div>

‍

Eligibility Requirements and How Tag-Based Masking Works

You must be a subscriber of our Enterprise Plus plan to leverage this feature. Once you've moved to this tier plan, then the ability to connect a Snowflake object tag to ALTR for governance is gated behind an entitlement - “feat_tagmasking”. This entitlement is enabled by default for all Enterprise Plus customers and can be manually enabled for relevant non-Enterprise Plus customers by sending a Change Request to support@altr.com

Once the entitlement is enabled, then you can connect a tag using the PUT endpoint. For details, visit Tag Masking API

NOTE: You must have at least one healthy connected database to use this endpoint and the service user for that connection needs to be permissioned to access the database where the Snowflake object tag is located.

Once a tag is connected to ALTR, then any queries against tagged data will automatically start generating query audits. You can also create locks and thresholds against values of that tag to dictate access policy.

For details about our Enterprise Plus plan visit ALTR Pricing.

Migrate from Column-Based to Tag-Based Masking

Follow the steps below to migrate from column-based to tag-based masking policies.

1. Define the Snowflake object tag and allowable values (preferably in ALTR_DSAAS_DB).
2. Run the Stored Procedure.
3. Connect the tag to ALTR.
4. Tag the sensitive data in Snowflake as relevant.
5. Define new locks and thresholds on the tag as relevant.
6. Un-govern the old columns in ALTR.
7. Remove the old locks and thresholds from ALTR.

...

Frequently Asked Questions

Access

Q. How can our organization access tag-based dynamic data masking?

A. The entitlement “feat_tagmasking” is available in the MVP by default to all organizations who are subscribers of our Enterprise Plus plan. It can also be made available to non-Enterprise Plus subscribers by submitting a Change Request to support@altr.com

Connectivity

Q. How do you connect a Snowflake object tag to ALTR?

A. Connecting a Snowflake object tag to ALTR is only available by using the PUT tag masking endpoint.

Data

Q. What types of data does ALTR support with tag-based masking?

A. ALTR supports the same data for tag-based masking as it does for column-based masking except variant and geometry.

Q. Can allowable values be added or removed from a Snowflake object tag after I've created it?

A. Yes. However, you'll need tag data with the new values and run a tag import against it for ALTR to pick on any new allowable values for the tag. We intend to build an easier way to refresh the allowable values list in the future.

‍