"In today's data-driven landscape, encryption is no longer a checkbox - it's a strategic imperative. Snowflake's Tri-Secret Secure (TSS) framework exemplifies this shift by combining platform-native security with customer-controlled encryption, offering organizations unprecedented control over their data. What Is Tri-Secret Secure? Tri-Secret Secure is Snowflake's advanced encryption model that blends: Snowflake-managed key (platform root key) Customer-managed key (CMK) hosted in the cloud provider's KMS User authentication"
"Together, these form a composite master key that wraps all keys in Snowflake's encryption hierarchy. Importantly, this composite key never encrypts raw data directly - it wraps lower-level keys like table master keys, which in turn derive file-level encryption keys. Why It Matters The real power of TSS lies in revocation control. If a customer revokes their CMK, Snowflake loses the ability to decrypt data - even though its own key remains intact."
Tri-Secret Secure blends a Snowflake-managed root key, a customer-managed key in the cloud provider's KMS, and user authentication into a composite master key. The composite master key wraps lower-level keys in the encryption hierarchy rather than encrypting raw data directly; table master keys derive file-level encryption keys. Revocation of the customer-managed key prevents Snowflake from decrypting data, providing customers a kill switch for the data. Benefits include data sovereignty, compliance support for PCI-DSS, HIPAA, and HITRUST, and HSM-backed key management with SOC 2 Type II certification. TSS is not compatible with hybrid tables, so accounts must verify TSS status before adopting hybrid table features.
Read at Medium
Unable to calculate read time
Collection
[
|
...
]