Modern Data Governance and Security with Support for OAuth with Snowflake and AWS PrivateLink

Joe Goldberg

Director of Product Marketing, Sigma

It’s critical that all data stored in your Cloud Data Warehouse (CDW) and accessed by Analytics and Business Intelligence (ABI) products is properly secured and governed, and that employee access to this data is appropriate for their role and easy to manage.

Sigma has always made data governance and security a priority, ensuring that data accessed via Sigma is only available to the appropriate users and in a secure manner. This is why we are excited to announce support for two new data governance and security capabilities: OAuth with Snowflake and AWS PrivateLink.

These additions to Sigma’s comprehensive product security meet the requirements of organizations, large and small, that analyze sensitive data and have high data governance and security standards. Administrators of Sigma and the CDW, and those responsible for ensuring the security of these systems will benefit greatly from these two new capabilities.

OAuth With Snowflake

Previously, Sigma customers who also used Snowflake often had already set up granular user permission in Snowflake. These customers had to set up similar permissions in Sigma which could be time consuming to manage, and presented a possible security risk if there was a configuration error. They wanted to be able to manage permissions and data access in one place by leveraging permissions established in Snowflake, integrating Sigma and Snowflake with their OAuth provider, and leveraging Single Sign-on (SSO). OAuth is an open standard authentication protocol for access delegation, commonly used as a way for users to securely log into applications without the need for a username and password.

Sigma has responded and is pleased to announce support for OAuth integration with Snowflake and a customer’s OAuth provider, so data access permissions in Snowflake can now be “inherited” by Sigma and end users have a seamless SSO experience. Sigma users now have the same permissions whether they access Snowflake directly or through Sigma. The benefit is that now Snowflake and Sigma administrators can now easily manage permissions and data access in a single location, leading to improved security, reduced administration complexity, and a faster deployment.

This integration ensures joint Sigma and Snowflake customers can expect an even better experience when accessing data in Snowflake through Sigma and further deepens the already expanded partnership between the two companies previously announced here.

The details on how to configure OAuth for Sigma, Snowflake’s external OAuth capabilities, and an OAuth provider can be found in the Sigma documentation here and the configurations are very flexible. For example, a Service Account can be created and there is a “run as service account” setting on individual dashboards. This setting queries the published version of the dashboard using the service account’s credentials whenever it is viewed from within Sigma or run as part of a scheduled report. With this feature, administrators can selectively allow end viewers to see summary charts in a dashboard without having to give them full access to the underlying tables and any sensitive data contained in them. Another example of the flexibility is that even if a Sigma user does not have a Snowflake account, the OAuth provider can map an OAuth user to any Snowflake user or create a default Snowflake user(s) in these instances.

In the Sigma user interface, the configuration to connect to Snowflake and leverage OAuth is relatively simple:

Enable OAuth Authentication for the Sigma Organization
Establish a Connection from Sigma to Snowflake that Leverages OAuth

AWS PrivateLink

Many Sigma customers host their Snowflake account on the AWS cloud platform. Previously, Sigma’s service connected to these Snowflake accounts over their public internet addresses. While this data was encrypted and authenticated, some customers wanted Sigma to support AWS PrivateLink, which provides private connectivity between AWS VPCs (Virtual Private Cloud), AWS services, and on-premises applications entirely on the Amazon private network. AWS PrivateLink was often a requirement for these customers due to industry regulations, including financial services or healthcare, and analyzed extremely sensitive data, such as cardholder or personal health information. Regulations and compliance mandates required this data not traverse the public internet.

Sigma has listened and is delighted to now announce support for AWS PrivateLink so traffic between Sigma and the CDW stays on an AWS private connection and off the public internet. This helps with the aforementioned compliance requirements and also reduces the risk of accidentally exposing traffic.

This capability will work for data warehouses located in any US AWS region, and is currently available for Snowflake, AWS Redshift, and PostgreSQL. More details on how to configure Sigma to leverage AWS PrivateLink is in the Sigma documentation here and general information from AWS on AWS PrivateLink is here.

In the Sigma user interface, the configuration to connect to a CDW and leverage AWS PrivateLink is a simple change in the Account URL used.

If you have further questions on either OAuth with Snowflake or AWS PrivateLink support, please reach out to your Sigma account representative, or email us at support@sigmacomputing.com.

Modern Data Governance and Security With Sigma

OAuth with Snowflake and AWS PrivateLink expand on Sigma’s existing architecture and capabilities that enable governed, secure data analytics.

A key enabler of the modern data governance offered by Sigma is our unique architecture that was designed for the CDW from day one. Sigma connects directly to a CDW via a secure, encrypted connection and pushes all queries to the CDW for execution. The compute resources of the CDW are used to process the queries and data never leaves the CDW. Two major benefits of this include:

  • The risk of data spillage and data loss is minimal. It is much easier to secure data by centralizing and keeping it in a secure CDW where a single set of permissions can ensure it is only accessed by users as appropriate.

This is unlike many other ABI products that require data to be extracted from the CDW and put into desktop/server products where it then may be excessively or inappropriately shared throughout the organization. This “data spillage” increases the risk of data loss by accidental data loss, a malicious employee, or external cyberthreat or hacker who finds this data.

  • All the raw, live data is available and usable for fast, accurate analytics. CDWs leverage the near-unlimited compute resources of the underlying cloud provider so Sigma queries across hundreds of millions of records return fast. Data is always available and current with high data integrity.

This is unlike many other ABI products that do the query processing in their product. These products suffer from scale and speed limitations which means data in the CDW must often be reduced or summarized, and then extracted for processing in the ABI product. This leads to end users performing analysis on only a subset of the raw data so analysis and data exploration is limited. Furthermore, the extracted data quickly gets stale compared to the live data in the CDW, which means reduced data integrity and possibly inaccurate analysis.

Beyond this core cloud architecture of Sigma that enables modern data governance and security, Sigma also offers customers multiple ways to ensure their data is secure and available, including:

  • Fine-grained role-based access control – Control which users or teams have access to what data and what they can do with this data. Documentation can be found here and here.
  • Single sign-on (SSO) and multiple authentication options – Use SAML, Okta, OneLogin, GSuite, or your favorite identity provider.
  • Row-level security – Limit users to seeing only data that’s relevant to them. Documentation on dashboard row-level security here.
  • Encryption in transit (TLS 1.2 Min). Encryption is enforced between clients and Sigma and all components of the Sigma platform using at least TLS 1.2.
  • Audit logs and usage dashboards to record all user actions in Sigma
  • Support for OAuth with Snowflake and AWS PrivateLink mentioned above
  • Sigma clusters are run in multi-zone deployments to ensure high availability of Sigma by the cloud provider in case of a data center or network outage.

Sigma also has achieved third-party validation and/or certification of our strong product security. Sigma is compliant with, or has received certifications for, HIPAA, SOC 1 Type II, SOC 1 Type II, and SOC 3. Sigma also supports General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Privacy Shield, and has a private bug bounty program.

More detail on how Sigma ensures secure data analytics, including the internal processes and technologies internal Sigma engineering and product security uses to secure customer data, is on our website here.

Lastly, if you would like to learn more about data governance, please see: “The Definitive Guide to Data Governance” and “Building a Data Governance Framework that Makes Data Accessible and Minimizes Risk,” and “Enterprise Data Governance.” 

In closing, rest assured Sigma enables you to properly govern and secure the data in the cloud you analyze with the flexibility and simplicity you need. Sigma can meet the high data governance and security standards of the most security-conscious organizations!

Wanna start asking more of your data?

Sigma can help: Schedule a demo or start a free trial today