Enhancing security with key-pair authentication for Snowflake integration

Twilio Segment introduces key-pair authentication, a robust alternative to basic username/password methods to enhance security for Snowflake integrations. It uses cryptographic keys to ensure secure data access, aligning with our commitment to providing secure and efficient solutions.

By Akash Kashyap, Srividhya Gururajan

While the data management landscape continues to evolve, strong security remains critical. At Twilio Segment, customer trust is our number one priority. We are always looking for ways to raise the bar and enhance our platform’s security features.

Segment products like Reverse ETL, Data Warehouses, and Profiles Sync previously connected to Snowflake using a username and password. While this is a standard authentication method, it has certain security limitations. To strengthen the security of our Snowflake offering, Segment needed to take advantage of Snowflake’s built-in security features, which allow enterprises to securely manage and analyze their data while minimizing risk.

This blog post delves into our recent enhancement for Snowflake data warehouses: the introduction of key-pair authentication, a significant step towards bolstering security.

How Segment Helps

Segment's integration with data warehouses like Snowflake is a testament to our commitment to providing robust and versatile solutions. Our developer-first approach allows customers to configure these warehouses through Public APIs, Terraform, or directly from the UI, and gives them the ability to configure Snowflake via key-pair auth, a popular ask based on our customer research.

However, the introduction of a new authentication method, key-pair authentication, does come with unique challenges due to the specific requirements and validations required of each kind of data warehouse. Segment takes care of all of that while ensuring backward compatibility. 

Under the hood: Key-pair Authentication

Key-pair authentication is a security measure that uses a pair of cryptographic keys: a private key, which is kept secret, and a public key, which is shared openly. These keys are used to encrypt and decrypt data, ensuring secure access.

In this setup, the Snowflake warehouse has the public key, and Segment has the private key. Segment uses the customer-configured private key to sign a JWT used for authentication. The Snowflake warehouse then uses its public key to verify the signature in the JWT and authenticates the Segment product. As an additional layer of security, Segment encrypts customers' private keys and security passphrases the same way we encrypt the existing warehouse passwords.
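The sign-and-verify exchange described above can be reproduced locally with OpenSSL. This is an added example, not Segment's or Snowflake's code: the claim layout follows the format Snowflake documents for key-pair JWTs, the account and user names are constructed placeholders, and `verify_jwt` checks only the signature, not expiry or other claims.

```bash
# Added example; account, user and file names are constructed placeholders.
set -eu

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '=\n'; }

b64url_dec() {  # restore the stripped padding, then decode to raw bytes
  local s="$1"
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s\n' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# Snowflake names the key by the base64 SHA-256 of the DER-encoded public key.
fingerprint() {  # $1 = private key PEM
  openssl rsa -in "$1" -pubout -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl base64 -A
}

# Client side (holds the private key): build and sign a short-lived JWT.
make_jwt() {  # $1 = private key, $2 = ACCOUNT, $3 = USER, $4 = lifetime (s)
  local now header claims sig
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  claims=$(printf '{"iss":"%s.%s.SHA256:%s","sub":"%s.%s","iat":%d,"exp":%d}' \
    "$2" "$3" "$(fingerprint "$1")" "$2" "$3" "$now" "$((now + $4))" | b64url)
  sig=$(printf '%s.%s' "$header" "$claims" |
    openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s' "$header" "$claims" "$sig"
}

# Server side (holds only the public key): check the RS256 signature.
verify_jwt() {  # $1 = registered public key PEM, $2 = JWT; status 0 = valid
  local signed="${2%.*}" sigfile rc=0
  sigfile=$(mktemp)
  b64url_dec "${2##*.}" > "$sigfile" || rc=1
  printf '%s' "$signed" | openssl dgst -sha256 -verify "$1" \
    -signature "$sigfile" >/dev/null 2>&1 || rc=1
  rm -f "$sigfile"
  return "$rc"
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
openssl genrsa -out "$demo/segment.pem" 2048 2>/dev/null   # customer-configured key
openssl rsa -in "$demo/segment.pem" -pubout -out "$demo/snowflake.pub" 2>/dev/null
openssl genrsa -out "$demo/other.pem" 2048 2>/dev/null     # key Snowflake never saw

jwt=$(make_jwt "$demo/segment.pem" MYORG-MYACCOUNT SEGMENT_USER 60)
forged=$(make_jwt "$demo/other.pem" MYORG-MYACCOUNT SEGMENT_USER 60)
verify_jwt "$demo/snowflake.pub" "$jwt" && echo "accepted: signed by registered key"
verify_jwt "$demo/snowflake.pub" "$forged" || echo "rejected: unknown signing key"
```

A token signed by any key other than the registered one fails verification, and so does a token whose claims were altered after signing.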

This method of authentication provides a more secure alternative to password-based authentication, offering advantages such as: 

  • Security: The private key never leaves the client's system, which makes it more secure. Even if someone intercepts the public key during transmission, they cannot use it to impersonate the client without the corresponding private key.  

  • No need for password storage: With key-pair authentication, there's no need for the server to store user passwords, which eliminates the risk of password leaks from the server.

Challenges to support key-pair authentication

The introduction of key-pair authentication required non-trivial changes in both the control-plane and data-plane. It necessitated careful planning, testing, and coordination with different Segment teams to ensure backward compatibility and seamless integration in existing Segment product offerings. 

Changes Overview:

  • JSON Schema: Introduction of JSON Schema allowed us the flexibility to validate required settings for different authentication and warehouse types. 

  • Backward Compatibility: There were significant changes to various microservices that connect to Snowflake or any other kinds of warehouses to ensure backward compatibility without disrupting existing workflows.

Despite these challenges, we are dedicated to continuously enhancing our platform and providing our customers with the most secure, efficient, and user-friendly experience possible.

How do we configure the key-pair authentication?

The configuration of key-pair authentication involves several steps, as detailed in our documentation linked below. These steps include configuring the Snowflake warehouse and the Snowflake integration within Profiles Sync/rETL source/Data Warehouse.

Conclusion

The introduction of key-pair authentication for Snowflake integration is a significant step towards continuing Segment’s high level of security on the platform. This feature ensures secure connections to customers' Snowflake warehouses and is available to our Business tier customers. We are excited about this development and look forward to continuing to evolve our platform to meet our customers' needs.

References

Acknowledgements

Huge thanks to the entire team: Akash Kashyap, Srividhya Gururajan, Emily Jia, Y Nguyen, Renee Wang, Sulabh Suneja, Gandhar Tannu, Sowjanya Paladugu, Anthony Vylushchak, Shivani Upadhyay, Manan Saraf, Ravi Singh.
