Encryption, Alerts, and Notifications
1. Encryption, Alerts, and Notifications
We've covered access control at the object, column, and row level, and tools like tagging, classification, lineage, and the Trust Center. In this video we close out the governance picture with encryption, alerts, and notification integrations.
2. Three Layers of Protection
Even with roles and masking policies in place, a compliance officer at Claro needs confidence at a deeper level. What if the underlying storage were compromised? What if a warehouse suddenly consumed ten times its normal credits? What if a service account started querying tables it's never touched before? Encryption, alerts, and notifications are the answer: three layers that protect, detect, and inform.
3. Encryption at Rest and In-Transit
Snowflake encrypts all data automatically, with no configuration required. Data at rest uses AES-256. Encryption keys are rotated automatically on a regular schedule, limiting exposure if a key were compromised. Data in transit, whether between a client and Snowflake or between Snowflake's internal services, is protected using TLS 1.2 or higher. Every credit score and repayment record at Claro is encrypted at every stage of its journey through Snowflake.
4. Key Management Options
By default, Snowflake manages encryption keys on your behalf. For most organizations this is sufficient. But financial services, healthcare, and government organizations may require that the customer holds the master encryption key themselves. Snowflake supports this through integration with cloud key management services: AWS KMS, Azure Key Vault, and GCP KMS. When a customer holds the master key, they retain ultimate control — including the ability to revoke access to their data entirely by revoking the key.
5. Tri-Secret Secure
Tri-Secret Secure takes customer-managed keys one step further. In a standard setup, even with a customer-managed key, Snowflake's own credentials could theoretically access data. Tri-Secret Secure eliminates that by requiring three things simultaneously: Snowflake's own managed key, the customer's key held in their cloud KMS, and successful user authentication through Snowflake. If the customer revokes their key, Snowflake itself cannot access the data. This is available on Business Critical edition and above.
6. What is a Snowflake Alert?
A Snowflake alert evaluates a SQL condition and acts when the answer is yes. There are two trigger modes: scheduled alerts run on a regular interval using CRON or a simple minute/hour setting, and event-driven alerts fire when new data arrives in a stream, no fixed schedule required. When the condition evaluates to true, the alert executes an action, typically a notification. At Claro, an alert might watch for unusual login patterns or anomalies in incoming repayment records.
7. Alert Structure in SQL
CREATE ALERT defines the object and assigns it a warehouse and schedule. The IF block contains the condition: a SELECT that returns a result if any failed login attempts occurred in the last hour. The THEN block defines what happens when the condition is true: a notification is sent using SYSTEM$SEND_SNOWFLAKE_NOTIFICATION. The structure is consistent across all alerts: schedule, condition, action. For warehouse credit monitoring, you'll see a more targeted tool in the next chapter: resource monitors.
8. Notification Integrations
Alerts become useful when they reach the right people. Snowflake connects alerts to external systems through notification integrations — pre-configured objects that define a destination. Supported destinations include email, cloud provider queues such as Amazon SNS, Google Cloud Pub/Sub, and Azure Event Grid, and webhooks for tools like Slack, PagerDuty, and Microsoft Teams. At Claro, failed login alerts might route to a Slack channel while compliance findings go to PagerDuty. Notification integrations are created separately from alerts, keeping routing configurable and alert logic clean.
9. Let's practice!
That wraps up encryption, alerts, and notifications. Let's put these concepts into practice.
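The alert structure and the separately created notification integration described above, written out as an added example; it is not the code from the course slide. The object names (`claro_sec_email`, `claro_alert_wh`, `failed_login_alert`) and the e-mail address are hypothetical, and the condition looks back three hours rather than one because the `ACCOUNT_USAGE.LOGIN_HISTORY` view can lag by up to two hours.

```sql
-- Added example. All object names and the address are hypothetical placeholders.

-- Destination: created once, separately from any alert that uses it.
CREATE OR REPLACE NOTIFICATION INTEGRATION claro_sec_email
  TYPE = EMAIL
  ENABLED = TRUE
  ALLOWED_RECIPIENTS = ('secops@example.com');

-- Alert: schedule, condition (IF), action (THEN).
-- ACCOUNT_USAGE.LOGIN_HISTORY can lag by up to two hours, so the condition
-- looks back three hours; one failure may therefore notify more than once.
CREATE OR REPLACE ALERT failed_login_alert
  WAREHOUSE = claro_alert_wh
  SCHEDULE = '60 MINUTE'
  IF (EXISTS (
    SELECT 1
    FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
    WHERE IS_SUCCESS = 'NO'
      AND EVENT_TIMESTAMP >= DATEADD('hour', -3, CURRENT_TIMESTAMP())
  ))
  THEN
    CALL SYSTEM$SEND_SNOWFLAKE_NOTIFICATION(
      SNOWFLAKE.NOTIFICATION.TEXT_PLAIN(
        'Failed logins detected. Review SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.'),
      SNOWFLAKE.NOTIFICATION.EMAIL_INTEGRATION_CONFIG(
        'claro_sec_email',
        'Snowflake alert: failed logins',
        ARRAY_CONSTRUCT('secops@example.com'))
    );

-- A newly created alert is suspended; it does nothing until resumed.
ALTER ALERT failed_login_alert RESUME;

-- Triage query for whoever receives the notification.
SELECT USER_NAME, CLIENT_IP, ERROR_MESSAGE,
       COUNT(*) AS failures, MAX(EVENT_TIMESTAMP) AS last_failure
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE IS_SUCCESS = 'NO'
  AND EVENT_TIMESTAMP >= DATEADD('hour', -3, CURRENT_TIMESTAMP())
GROUP BY USER_NAME, CLIENT_IP, ERROR_MESSAGE
ORDER BY failures DESC;

-- Confirm the alert is being evaluated and see whether it fired or failed.
SELECT NAME, STATE, SCHEDULED_TIME, SQL_ERROR_MESSAGE
FROM TABLE(INFORMATION_SCHEMA.ALERT_HISTORY(
       SCHEDULED_TIME_RANGE_START => DATEADD('day', -1, CURRENT_TIMESTAMP())))
WHERE NAME = 'FAILED_LOGIN_ALERT'
ORDER BY SCHEDULED_TIME DESC;
```

To route the same alert to a webhook or cloud queue instead, only the integration object and the second argument of the notification call change; the condition stays as it is.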