New Release: Native Snowflake Policy Enforcement, Dynamic k-anonymization, External Masking

As I prepared to write this blog about the value provided by our latest Immuta features, I couldn’t help but reflect on how the way we think about privacy – both as a country and as a planet – is changing right in front of us (I believe for the better). As the COVID-19 pandemic cripples life as we know it, one of the proposed accelerants to end the quarantine is contact-tracing. This concept has brought great hope along with great privacy concerns, and has set the stage again for how we think about tradeoffs between privacy and utility. I believe this is all for the best. The pandemic may just provide a deeper understanding of Privacy Enhancing Technologies (PETs) to the layman, as well as how our own expectations for privacy need to extend well beyond contact-tracing apps. This is what regulations like CCPA and the GDPR have been pushing for all along — and now the discussion is happening on a world stage.

So, back to our latest release. Our customers, partners, and engineers know that gaining utility from data while maintaining strict privacy and security — particularly in cloud-based analytics environments — can be challenging and complex. Immuta’s Automated Data Governance platform now makes it easier and more powerful than ever for organizations to tackle this challenge head on. Our latest features include:

  • Native Snowflake Policy Enforcement – our newest, native integration with leading data and analytics platforms;
  • Dynamic k-anonymization – the latest addition to our growing suite of Privacy Enhancing Technologies (PETs); and
  • External Masking – a new way to maximize cloud security

Let’s dig into these new features and how they help companies maximize utility from their data while preserving privacy and security.

Native Snowflake Policy Enforcement

More and more organizations are migrating sensitive analytics workloads and data sharing applications to cloud environments for greater scalability, flexibility, cost savings and performance. Yet, 53% of U.S. and 60% of EU IT professionals are not confident that their organization currently meets privacy and data protection requirements in the cloud.

Immuta is partnering with leading cloud technology providers to make it easy to tap our powerful automated privacy and governance features natively within cloud-based data platforms. With our latest release, we’re announcing native support for Snowflake’s cloud data platform. Immuta is now able to enforce all access controls and PETs natively in Snowflake. Customers can define policies in Immuta, based on Snowflake tables and/or metadata describing those tables, and have those policies enforced when users are interacting directly with Snowflake, either in the Snowflake workspace or over JDBC / ODBC. This requires no proxy, no data copies – just live, native enforcement. And the integration supports a full suite of complex PETs offered by Immuta, using an attribute-based access control (ABAC) model for your most complex controls.

Dynamic k-anonymization

When companies are using cloud platforms such as Snowflake to analyze and share sensitive data, privacy is paramount. To date, it’s been a challenge to dynamically and automatically preserve privacy as different users are accessing different (or even the same) data sets in the cloud. Immuta’s suite of PETs solves this problem, and with our latest release we now support one of the most powerful techniques – k-anonymization – to protect against re-identification.

In many situations, organizations must make a binary decision between providing access to a column of sensitive data, or not. Immuta’s k-anonymization now allows organizations to play “in the gray area” between access or no access. K-anonymization is a widely known approach for providing utility from a data column, while removing re-identification risk. However, this technique is typically accomplished by writing data set-specific code or using complex ETL processes – which reduced time-to-data and limited the scale of k-anonymization as a PET.

With this new feature, Immuta applies k-anonymization on the fly based on a simple policy that can be enforced on any database across your organization – eliminating the manual, code-based or ETL approaches. Now, analysts can rapidly derive value from any sensitive data set, without worrying about legal and privacy concerns and without creating data copies.

External masking

Moving any data to the cloud can introduce new security risks – especially on the most sensitive data. In many cases, it is not within an organization’s risk tolerance to allow raw, sensitive values to land in cloud databases or storage (even with encryption in transit and at rest) due to their policies, breach concerns, insider threats from admins, or the level of trust they have with the cloud or cloud service provider.

With External Masking, Immuta now allows organizations to adopt cloud-based analytics and data sharing faster by combining security and privacy controls. Here’s how it works: 1) To address security concerns, an organization encrypts or tokenizes data on ingest into their cloud database; 2) Immuta dynamically decrypts — or de-tokenizes — that data on the fly using an organization’s external algorithms and keys as defined by an Immuta policy — ensuring total compliance with the organization’s security policies; 3) That decryption/de-tokenization can occur off-cloud, if desired, ensuring no data is ever decrypted outside the organization’s firewall.
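The three-step flow above, sketched as an added example (not Immuta's code or API): the `OnPremTokenizer` class, the `ingest` and `query` helpers, the attribute strings and the sample rows are all hypothetical. HMAC-based tokenization with a lookup vault stands in for whatever external algorithm and keys an organization actually uses.

```python
import hashlib
import hmac
import secrets


class OnPremTokenizer:
    """Hypothetical tokenization service that stays inside the organization's network."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # key never leaves the premises
        self._vault = {}                     # token -> raw value, held on-prem only

    def tokenize(self, value: str) -> str:
        # Deterministic keyed token: equal inputs give equal tokens, so joins
        # and GROUP BY still work on the tokenized cloud column.
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def ingest(rows, tokenizer, column):
    """Step 1: tokenize the sensitive column before rows land in the cloud table."""
    return [{**r, column: tokenizer.tokenize(r[column])} for r in rows]


def query(cloud_rows, user_attributes, tokenizer, column, required_attribute):
    """Steps 2-3: de-tokenize at read time, off-cloud, only when the policy allows."""
    allowed = required_attribute in user_attributes
    return [
        {**r, column: tokenizer.detokenize(r[column]) if allowed else r[column]}
        for r in cloud_rows
    ]


# Constructed sample rows (the values are placeholders, not real identifiers).
RAW_ROWS = [
    {"id": 1, "ssn": "000-00-0001", "state": "MD"},
    {"id": 2, "ssn": "000-00-0002", "state": "VA"},
    {"id": 3, "ssn": "000-00-0001", "state": "MD"},
]

if __name__ == "__main__":
    tk = OnPremTokenizer()
    cloud = ingest(RAW_ROWS, tk, "ssn")  # what the cloud database stores
    print(query(cloud, {"dept:analytics"}, tk, "ssn", "clearance:pii"))  # tokens only
    print(query(cloud, {"clearance:pii"}, tk, "ssn", "clearance:pii"))   # raw values
```

A user without the required attribute still gets consistent tokens, so counts and joins on the column work without exposing the raw values.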

Immuta’s release is now available to new and existing customers. We’re thrilled to deliver these three new powerful privacy and security capabilities to help organizations safely use the cloud for analytics, data science, data monetization, and lots of other use cases.