
Transient shares on cloned data in data warehouses

Supreeth Rao

One of the biggest accelerators in the new data economy will be the ability to quickly share data between organizations to minimize the time and effort to achieve maximum economic benefit from data management. One of the biggest enablers of that acceleration is also one of the biggest feature advantages of cloud data warehousing – sharing data with third parties or internally with other business units.

This blog discusses how transient shares, combined with data cloning, could increase the attack surface beyond a traditional security team's controls.

Transient shares allow you to share a transient database, schema, or table for a specific amount of time with another warehouse account. Clones are copies of a database, schema, or table in the cloud warehouse that can be used for various purposes, such as testing, development, or data analysis. 

Using transient shares on a clone within a cloud warehouse takes four simple steps:

  1. Create a clone of the database, schema, or table you want to share.
  2. Create a transient share that grants clone access to the warehouse account you want to share with.
  3. Share the transient share ID with another warehouse account.
  4. The other warehouse account can use the transient share ID to access the clone.

Cloning a database, schema, or table in a cloud warehouse creates a separate object that can be modified independently of the original, thus maintaining the integrity of the original data. Once the clone exists, the company can create transient shares that let another warehouse account use this rich data without affecting the original data.

It only takes those four quick steps, and your cloned data can be shared externally with another cloud warehouse account without changing the original data. This is convenient both for the sharing entity, which might want to monetize its data, and for the consuming entity, which can gain deeper insights from this new dimension of data analysis. Still, these sharing activities could create a new security problem by opening up a new attack surface. If a company is considering transient data sharing, there are a couple of recommended actions to minimize this new attack surface risk:

  • Control and monitor who is creating clones and how the clones are being accessed using transient shares.
  • Understand and govern access to the most critical data. Data is easy to clone and share, which means it can also be easy to expose to more risk.
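
One way to act on the first recommendation is to correlate clone creation with grants to shares in the warehouse's query or audit history. The sketch below is an added example, not Theom's code or anything from the original post; the log records are constructed, the statement syntax is modelled on Snowflake-style SQL as an assumption, and `SENSITIVE` is a hypothetical inventory of critical objects.

```python
import re
from collections import defaultdict

# Constructed audit records (user, statement). The statement syntax is modelled
# on Snowflake-style SQL (an assumption); adapt the patterns to your warehouse.
SAMPLE_LOG = [
    ("etl_svc", "CREATE TABLE sales.public.orders_dev CLONE sales.public.orders;"),
    ("jdoe", "CREATE TRANSIENT TABLE crm.public.customers_tmp CLONE crm.public.customers;"),
    ("jdoe", "CREATE SHARE partner_share;"),
    ("jdoe", "GRANT SELECT ON TABLE crm.public.customers_tmp TO SHARE partner_share;"),
    ("jdoe", "ALTER SHARE partner_share ADD ACCOUNTS = partner_acct;"),
    ("asmith", "GRANT SELECT ON TABLE ref.public.country_codes TO SHARE partner_share;"),
]
SENSITIVE = {"crm.public.customers"}  # hypothetical inventory of critical objects

OBJ = r"(?:DATABASE|SCHEMA|TABLE)\s+(\S+)"
CLONE_RE = re.compile(r"CREATE\s+(?:OR\s+REPLACE\s+)?(?:TRANSIENT\s+)?" + OBJ + r"\s+CLONE\s+(\S+)", re.I)
GRANT_RE = re.compile(r"GRANT\s+.+?\s+ON\s+" + OBJ + r"\s+TO\s+SHARE\s+(\S+)", re.I)
ACCT_RE = re.compile(r"ALTER\s+SHARE\s+(\S+)\s+ADD\s+ACCOUNTS\s*=\s*(.+)", re.I)

def _origin(obj, clones):
    """Return (original object, clone creator) if obj is a clone or lives inside one."""
    for clone in sorted(clones, key=len, reverse=True):  # most specific clone first
        source, creator = clones[clone]
        if obj == clone or obj.startswith(clone + "."):
            return source + obj[len(clone):], creator
    return None

def find_shared_clones(log, sensitive=SENSITIVE):
    """Correlate clone creation with grants to shares; one finding per shared clone."""
    clones, findings, accounts = {}, [], defaultdict(list)
    for user, stmt in log:
        stmt = stmt.strip().rstrip(";").lower()  # unquoted identifiers are case-insensitive
        if m := CLONE_RE.search(stmt):
            clone, source = m.groups()
            origin = _origin(source, clones)  # follow clone-of-clone back to the root
            clones[clone] = (origin[0] if origin else source, user)
        elif m := GRANT_RE.search(stmt):
            obj, share = m.groups()
            if origin := _origin(obj, clones):
                findings.append({"object": obj, "source": origin[0], "cloned_by": origin[1],
                                 "granted_by": user, "share": share,
                                 "sensitive": origin[0] in sensitive})
        elif m := ACCT_RE.search(stmt):
            accounts[m.group(1)] += [a.strip() for a in m.group(2).split(",")]
    for f in findings:  # attach consumer accounts regardless of statement order
        f["accounts"] = accounts[f["share"]]
    return findings

if __name__ == "__main__":
    for finding in find_shared_clones(SAMPLE_LOG):
        print(finding)
```

Each finding names who created the clone, who granted it to a share, which accounts the share was extended to, and whether the clone traces back to an object on the sensitive list.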

The new data economy will provide many opportunities for companies to monetize data, but care should be taken to do this as securely as possible. Transient sharing is just one of the ways data can leave your cloud data warehouse instance, but there are more. One of the best ways to get complete control over your data from your cloud warehouse instance is to deploy Theom inside your data warehouse, lake, or store.

Theom deploys in minutes with no agents, no proxies, and no impact on performance. Theom supports Snowflake, Databricks, AWS, and Azure data stores.
