We plan to load sensitive PII data from Azure Blob Storage (ADLS Gen2) into Snowflake using an external stage that is secured by Azure credentials (service principal) for the container where the data is stored.
However, this is not an acceptable solution to the cyber team. The use of an encryption key was considered. However, the key issues that were raised were the
Hence I am looking for any best practices or further suggestions anyone may have that they use when using Azure external stages to load into Snowflake.
You may want to make sure the PII data is encrypted in Azure Blob Storage. Snowflake supports ingesting client-side encrypted data into Snowflake. You can read more here: https://docs.snowflake.com/en/user-guide/security-encryption-end-to-end.html#ingesting-client-side-encrypted-data-into-snowflake
And this document discusses how to create a stage with client-side encryption: https://docs.snowflake.com/en/sql-reference/sql/create-stage.html#external-stage-parameters-externalstageparams
You can add Snowflake VNet subnet IDs to the network rule, restricting access only to the Snowflake VNet subnet IDs, more on this here: https://docs.snowflake.com/en/user-guide/data-load-azure-allow.html
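Putting the three suggestions together, here is an added example (not from the original thread) of a Snowflake storage integration plus a client-side-encrypted external stage; the integration and stage names, the storage account, container, tenant id and master key are all placeholders you would replace with your own values.

```sql
-- Added example: placeholders in <angle brackets> must be replaced.

-- 0. Subnet IDs for the Azure storage-account firewall rule (the last answer):
--    the Azure-side network rule is configured in the storage account, not in
--    SQL; this call just returns the Snowflake VNet subnet IDs to allow-list.
SELECT SYSTEM$GET_SNOWFLAKE_PLATFORM_INFO();

-- 1. Storage integration: Snowflake authenticates to the container through a
--    service principal in your tenant, so no SAS token or storage key is ever
--    stored in the stage definition. STORAGE_ALLOWED_LOCATIONS confines the
--    integration to the PII landing container only.
CREATE STORAGE INTEGRATION pii_azure_int
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'AZURE'
  ENABLED = TRUE
  AZURE_TENANT_ID = '<your-azure-tenant-id>'
  STORAGE_ALLOWED_LOCATIONS = ('azure://<account>.blob.core.windows.net/pii-landing/');

-- Shows the consent URL and the app name that needs the
-- "Storage Blob Data Reader" role on the container (read-only, least privilege).
DESC STORAGE INTEGRATION pii_azure_int;

-- 2. External stage: TYPE = 'AZURE_CSE' declares that the files were
--    encrypted client-side before upload, so plaintext PII never rests in the
--    container; MASTER_KEY is the base64-encoded 128- or 256-bit AES key the
--    uploader used, and it is stored in Snowflake rather than in Azure.
CREATE STAGE pii_stage
  STORAGE_INTEGRATION = pii_azure_int
  URL = 'azure://<account>.blob.core.windows.net/pii-landing/'
  ENCRYPTION = (TYPE = 'AZURE_CSE' MASTER_KEY = '<base64-encoded-master-key>')
  FILE_FORMAT = (TYPE = 'CSV' FIELD_OPTIONALLY_ENCLOSED_BY = '"' SKIP_HEADER = 1);

-- 3. Load: Snowflake decrypts each file with MASTER_KEY during ingest.
--    A wrong or missing key fails the load instead of importing garbage.
COPY INTO pii_customers
  FROM @pii_stage
  PATTERN = '.*\.csv'
  ON_ERROR = 'ABORT_STATEMENT';
```

A second key can later be rotated in with ALTER STAGE ... SET ENCRYPTION, which is why keeping the key in Snowflake (not beside the data) matters for the cyber team's concern.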