4.3 Ensure that the DATA_RETENTION_TIME_IN_DAYS parameter is set to 90 for critical data

Information

Snowflake Time Travel enables accessing historical data (i.e., data that has been changed or deleted) at any point within a defined period. It relies on configuring a data retention period for your critical data assets.

The DATA_RETENTION_TIME_IN_DAYS object parameter sets the data retention period at the account, database, schema, or table level. When the MIN_DATA_RETENTION_TIME_IN_DAYS parameter is set at the account level, the effective minimum data retention period for an object is determined by MAX(DATA_RETENTION_TIME_IN_DAYS, MIN_DATA_RETENTION_TIME_IN_DAYS).

Time Travel can be used to recover critical data that was maliciously destroyed or encrypted by ransomware.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

An organization's compliance, legal and privacy groups may have important input on how long certain data can and should be retained, for example in the context of GDPR. Take that input into account when determining data retention periods for critical data.

Programmatically:

For every non-compliant table containing critical data, set the retention period to 90 days:

ALTER TABLE <table_name>
SET DATA_RETENTION_TIME_IN_DAYS=90;

If all tables within a given schema or database contain critical data, the data retention period can be set on the schema or database level correspondingly.
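The audit-and-remediate sequence below is an added example, not part of the CIS benchmark or the Tenable plugin. It assumes critical tables are tagged directly with a hypothetical tag GOVERNANCE.TAGS.DATA_CLASSIFICATION = 'CRITICAL', that the executing role can read SNOWFLAKE.ACCOUNT_USAGE, and that the table and schema names in the remediation step are placeholders.

```sql
-- Added example (not from the CIS benchmark or Tenable): find critical tables
-- whose Time Travel retention is below 90 days and emit the fix for each.
-- Assumptions: tag GOVERNANCE.TAGS.DATA_CLASSIFICATION = 'CRITICAL' marks
-- critical tables; the role can read SNOWFLAKE.ACCOUNT_USAGE (these views lag
-- behind live metadata by up to a few hours). A 90-day retention applies only
-- to permanent tables on Enterprise Edition or higher; transient and temporary
-- tables are capped at 1 day, so they are flagged rather than "fixed" with an
-- ALTER that cannot take effect.

-- 1. Check the account-wide floor; the effective retention of an object is
--    MAX(DATA_RETENTION_TIME_IN_DAYS, MIN_DATA_RETENTION_TIME_IN_DAYS).
SHOW PARAMETERS LIKE 'MIN_DATA_RETENTION_TIME_IN_DAYS' IN ACCOUNT;

-- 2. List critical tables retaining history for fewer than 90 days.
SELECT t.table_catalog, t.table_schema, t.table_name,
       t.is_transient, t.retention_time,
       CASE WHEN t.is_transient = 'YES'
            THEN 'transient table: move critical data to a permanent table'
            ELSE 'ALTER TABLE ' || t.table_catalog || '.' || t.table_schema
                 || '.' || t.table_name
                 || ' SET DATA_RETENTION_TIME_IN_DAYS = 90;'
       END AS remediation
FROM   snowflake.account_usage.tables t
JOIN   snowflake.account_usage.tag_references r
       ON  r.domain = 'TABLE'
       AND r.object_database = t.table_catalog
       AND r.object_schema   = t.table_schema
       AND r.object_name     = t.table_name
WHERE  t.deleted IS NULL
AND    t.table_type = 'BASE TABLE'
AND    r.tag_database = 'GOVERNANCE' AND r.tag_schema = 'TAGS'
AND    r.tag_name = 'DATA_CLASSIFICATION' AND r.tag_value = 'CRITICAL'
AND    t.retention_time < 90
ORDER BY 1, 2, 3;

-- 3. Remediate one finding (placeholder names) and verify the effective value.
ALTER TABLE SALES.PUBLIC.ORDERS SET DATA_RETENTION_TIME_IN_DAYS = 90;
SHOW PARAMETERS LIKE 'DATA_RETENTION_TIME_IN_DAYS' IN TABLE SALES.PUBLIC.ORDERS;

-- If every table in a schema holds critical data, set the parameter once at
-- the schema level: new tables and existing tables without an explicit
-- table-level value inherit it.
ALTER SCHEMA SALES.PUBLIC SET DATA_RETENTION_TIME_IN_DAYS = 90;
```

Re-run the query in step 2 after the ACCOUNT_USAGE views have caught up to confirm no critical table still reports a retention_time below 90.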

Impact:

Data retention requires additional storage, which will be reflected in the monthly storage charges. For more information about storage charges, see "Storage Costs for Time Travel and Fail-safe" in the Snowflake documentation.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: CONTINGENCY PLANNING

References: 800-53|CP-2, 800-53|CP-9, 800-53|CP-10, CSCv7|10.2

Plugin: Snowflake

Control ID: 9c47948650c881fa3c99475cd8aa955d39b6730ea8bb863f924aa4aec87ce401