A Quick Overview of Dynamic Data Masking in Snowflake
A brief look into Dynamic Data Masking (DDM) in Snowflake, covering its core functionality, benefits, and role-based access control for protecting sensitive data, like email.
Dynamic Data Masking (DDM) in Snowflake is a powerful feature that provides a dynamic, role-based approach to securing sensitive data. By applying masking policies at query runtime, DDM ensures that the data itself remains intact, but access to sensitive information is limited based on the user’s role.
This is a feature only available in the Enterprise Edition of Snowflake.
Key Highlights
- On-the-Fly Masking: Masking policies are applied only when data is queried, not at the point of storage. This preserves the original data and allows for dynamic control over visibility.
- Role-Based Access Control: DDM works in conjunction with Snowflake’s role-based access system, meaning the data visibility is customised depending on the user’s assigned role in the organisation.
- Flexible Masking Policies: You can create highly flexible masking policies, using conditional logic to show full data to some users while presenting masked or partial information to others.
Please note: Data Masking may change over time, so it is recommended to review the latest Snowflake documentation for up-to-date pricing and features.
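Example of a Masking Policy:
```sql
-- Return the real value only when the session's current role is ADMIN;
-- every other role sees a fixed placeholder.
CREATE MASKING POLICY email_mask AS (email STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() = 'ADMIN' THEN email
    ELSE '*****@domain.com'
  END;

-- Attach the policy to the column it protects.
ALTER TABLE customer_data MODIFY COLUMN email SET MASKING POLICY email_mask;
```
External Tokenization: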
For extra security, external tokenization can be used, where data is replaced with tokens and detokenised at query time based on user permissions.
Best Practices:
- Start Simple: Avoid overly complex masking policies for better performance.
- Regular Audits: Ensure policies are consistently applied and tested, especially when role hierarchies change.
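The tiered visibility described under Flexible Masking Policies and the audit step under Best Practices, shown together as an added example that is not part of the original article. `SUPPORT`, `email_mask_tiered` and `MY_DB.MY_SCHEMA` are assumed names; `ADMIN`, `customer_data` and `email` come from the article's policy.

```sql
-- Added example. SUPPORT is a hypothetical role; MY_DB.MY_SCHEMA is a placeholder.

-- Three tiers: full value, partial value (local part hidden, domain kept),
-- and the fixed placeholder used by the article's policy.
-- IS_ROLE_IN_SESSION also matches roles inherited through the hierarchy,
-- whereas CURRENT_ROLE() = '...' matches only the exact primary role.
CREATE OR REPLACE MASKING POLICY email_mask_tiered AS (email STRING) RETURNS STRING ->
  CASE
    WHEN IS_ROLE_IN_SESSION('ADMIN')   THEN email
    WHEN IS_ROLE_IN_SESSION('SUPPORT') THEN REGEXP_REPLACE(email, '^[^@]+', '*****')
    ELSE '*****@domain.com'
  END;

-- Swap the policy in one statement so the column is never left unmasked
-- between an UNSET and a SET.
ALTER TABLE customer_data MODIFY COLUMN email
  SET MASKING POLICY email_mask_tiered FORCE;

-- Test each tier by querying under each role and comparing the results.
USE ROLE SUPPORT;
SELECT email FROM customer_data LIMIT 5;

-- Audit 1: which columns is the policy actually attached to?
SELECT ref_database_name,
       ref_schema_name,
       ref_entity_name,
       ref_column_name,
       policy_status
FROM TABLE(
  INFORMATION_SCHEMA.POLICY_REFERENCES(
    POLICY_NAME => 'MY_DB.MY_SCHEMA.EMAIL_MASK_TIERED'
  )
);

-- Audit 2: who can reach the unmasked tier? Re-run after any change to the
-- role hierarchy, since a newly granted parent role inherits ADMIN's view.
SHOW GRANTS OF ROLE ADMIN;
```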
Dynamic Data Masking is essential for organisations handling sensitive data, ensuring compliance with regulations while maintaining efficient data access for authorised users.