Security Best Practices
When your organization uses deployed
Transformer for Snowflake engines, you can use the following security measures to improve the security of your
organization and data:
- Credential stores for connection information
- When your organization uses deployed Transformer for Snowflake engines, you define how to connect to Snowflake using a connection.
- HTTPS and direct engine REST APIs for communication
- When you preview pipeline data, that data passes through Control Hub, by default. To avoid passing preview data through the Control Hub infrastructure, configure the web browser to use direct engine REST APIs to communicate with engines.
- Avoid including sensitive information in configuration properties
- When configuring a Transformer for Snowflake deployment, you can specify sensitive information such as the access key or secret key to your AWS credential store. To avoid including such sensitive information in plain text, save the information elsewhere and call it using IBM StreamSets functions.
Protecting Sensitive Data in Configuration Properties
You configure Transformer for Snowflake configuration properties in the advanced configuration properties of the deployment.
Some properties in the configuration properties, such as the
https.keystore.password
property, require that you enter a
password. Instead of entering the password in clear text, you can store the password
outside of the configuration properties and then use a function to retrieve the
sensitive data.Tip: To access sensitive data in a
credential store, develop a script that retrieves the sensitive data, then use the
exec
function to call the script.You can use functions to retrieve sensitive data in the following ways:
- From a file with the
file
function - Store the sensitive data in a separate file in the Transformer for Snowflake configuration directory, $TRANSFORMER_CONF. Then,
use the
file
function in the configuration properties to retrieve the data, as follows:${file("<filename>")}
- Using a script or executable with the
exec
function - For increased security, store the sensitive data in a separate location, such as a credential store or file. Then, develop a script or executable that retrieves the sensitive data.