In this live segment from Snowflake Summit 2025, Brad Jones, CISO at Snowflake, and Adam DeMonaco, CISO at Rakuten Rewards, sit down with theCUBE’s Dave Vellante and John Furrier to unpack the new realities of data security in an AI-first world. Broadcasting straight from the show floor, the conversation explores how Snowflake’s Security Advantage and “AI Data Cloud” vision are shaping enterprise strategies for building, scaling and governing intelligent systems.
Jones details Snowflake’s approach to securing the entire AI lifecycle – from automated da...
>> Good morning everyone, and welcome back to day two of theCUBE's live coverage of the Snowflake Summit 2025 here at San Francisco's Moscone Center. I'm your host, Rebecca Knight, alongside my co-host and analyst, Dave Vellante. We've got two terrific guests for this next segment. I would like to welcome Brad Jones, CISO and VP of Information Security at Snowflake. Welcome, Brad.
Brad Jones
>> Thank you.
Rebecca Knight
>> And Adam DeMonaco, Chief Information Security Officer at Rakuten. Thank you so much for coming on the show.
Adam DeMonaco
>> Thanks for having me.
Rebecca Knight
>> For our viewers who are maybe a little not in the know, can you describe your company a little bit? And then we want to talk about how you work together with Snowflake.
Adam DeMonaco
>> Sure. Rakuten Rewards is an online shopping platform that provides rewards and cash back for common shopping experiences.
Rebecca Knight
>> And so how has Snowflake helped you move away from patchwork security to create a more consistent, unified approach to how you approach security?
Adam DeMonaco
>> Our big focus has really been on centralizing our data and then making the best use of our data from an analytical perspective. We've been able to move from a distributed model to more of a centralized model, and then being able to centralize security controls based on the classification through discovery, and been able to really centralize that platform quite a bit.
Dave Vellante
>> And you are using AI to do that classification?
Adam DeMonaco
>> We're using a bunch of different tools, but AI is a bit of that and some LLMs to be able to discover and then classify, and then ensure that we have the proper security controls based on the compliance requirements and best practices as well.
Dave Vellante
>> Guys, you are CISOs, CSOs, your job is to protect us. Everybody's crazy about AI, everybody loves AI. Every CSO I talk to is like, "Oh boy." I think about MCP. Oh, everybody's really excited about it. CISOs are like, "Um, hang on." So give us the reality check. How should we be thinking about pursuing the opportunity around AI, while at the same time, balancing the need to protect everybody?
Brad Jones
>> Well, I think any company that doesn't embrace AI is going to be left behind, so there's no path where you don't engage in AI or don't leverage it for your business. The most important thing is you have to establish guardrails and guidelines. Governance structures around what is appropriate use of AI, what's not appropriate use of AI, what data sets are appropriate to use it with, which business decisions are appropriate to use it with. Things maybe like customer service are a perfect example where it's probably a good opportunity. HR hiring decisions, financial decisions, probably not there right now, but you have to establish those guardrails and it's all risk-based, so the company needs to get alignment on that governance.
Dave Vellante
>> Kind of broad questions, if I may, on security. I mean, two years ago at RSA, we put out a survey with ETR and we're basically trying to understand the tool sprawl and how CISOs are thinking about that and handling it. There was no evidence that customers were able to reduce the number of vendors in their tool stack. We're starting to see at least some stability going on there. At the same time when we talk to CISOs, they underscore the need to try new stuff that fills gaps that their existing tools don't. So as CISOs and your peers, what are you seeing with regard to that complexity? And then I really want to get into how Snowflake and you guys deal with that. But broadly speaking, what's the gestalt look like?
Adam DeMonaco
>> Yeah, so really what I do is align with the business partners to be able to understand what the strategy is, and then understand where there's risk associated and where there may be tooling to get visibility into that risk. And then what we can do from a security control to provide some reduction of that risk and governance around that risk as well. It doesn't really change just because of AI. I think the fidelity has changed quite a bit in terms of the attacks that can be used, developed using AI and LLMs, so the complexity gets ratcheted up.
But from a business strategy perspective, we're just paired very closely with the business to be able to understand where there's gaps, and to be able to empower them to do the work while we can in the back end, provide as much context and visibility into the risk so that we can properly communicate that back to the risk of business to be able to understand whether they want to proceed and whether we can actually be able to give more visibility into that risk and be able to reduce that risk over time as well.
Rebecca Knight
>> As a FinTech company, where are the biggest gaps and what are your pain points and challenges?
Adam DeMonaco
>> The biggest one is the data sprawl, right? Being able to share data with multiple different third parties or second parties in Rakuten's instance, because we're an international organization. Being able to identify the data, being able to secure the data in transit and at rest. And then also to be able to discover that data that's coming in, be able to classify that data and be able to provide the proper controls. Those are the real big challenges, while also keeping up with the compliance requirements, being a global company as well.
Rebecca Knight
>> In a highly regulated industry.
Adam DeMonaco
>> Exactly, exactly.
Dave Vellante
>> A lot of the CISOs I talked to say, "Look, a big part of this is cultural. We have to educate people." Lena Smart, who's the CISO of Mongo, I don't know if you know Lena, she says, "Just don't click on links." Okay, but it's hard. I feel like when you're inside of Snowflake, you're protected. I mean, I'm sure it's still important, but good security is always overwhelmed by bad user behavior. So can you protect with your governance and security strategy, can you protect the user from themselves?
Brad Jones
>> Yeah, we think we're best positioned to do that by having a uniform governance and control structure around all of the data from ingestion through business insights. The challenge is when you have third-party tool sprawl, you're trying to take that same governance and control structure and map it to disparate platforms. By having a uniform control structure, governance structure that goes multi-cloud, multi-CSP with Snowflake, you get that uniformity. And then you can allow users to innovate with AI because you know it's working within your security boundary.
Dave Vellante
>> If I may, a couple years ago we came up with this concept called Super-Cloud, and we used Snowflake as the sort of poster child for that concept. The idea was that it was meant to be more than multi-cloud. It was kind of what multi-cloud should have been, where you've got a capability that spans multiple clouds, extracts the underlying primitives and simplifies the world. Again, we used Snowflake as an example. You mentioned multi-cloud, that does bring up complexities. And we said one of the risks to multi-cloud or super-cloud execution was security. So how are you dealing with that sort of common framework across multiple clouds? Clearly, that's something that Snowflake does, and do you guys also participate across cloud?
Brad Jones
>> Yeah, we take that out of the hands of the users, or the responsibility of the users. One of our main tenets is that it's easy to use. We make all that hard stuff underneath transparent to use, so you don't have to deal with the nuances of AWS, a GCP or an Azure. It just works the same, your control policies work uniformly across all of those underlying CSPs.
Dave Vellante
>> And Rakuten Rewards, you choose one cloud or don't care? You're just going through Snowflake? How does that work? Some customers tell me, "I don't know, I don't ever see the cloud primitives. I just see Snowflake, which makes me happy," they say.
Adam DeMonaco
>> Yeah, I think there's a lot of fringe cases, of which we're trying to communicate, educate and build awareness around the use of our platform and Snowflake, and then the controls that we have around it to be able to protect that data from being shared by second and third parties as well. And that's where it really becomes that communication, education and building awareness to be able to ensure that there's an understanding of the service that we provide from a Snowflake perspective, and how they can adopt that as well. And then there's really just governance around and policy around the different types of cloud solutions and how we want to standardize because we have our controls. That allows us to not have to create multiple different controls from multiple different solutions. And it's just really around the standardization across the organization.
Dave Vellante
>> We've all experienced the department of no, whether it's IT, security. And my understanding is that once you get through the MSA and the security checks with customers, that new services that come in, because they're inside of the Snowflake stack, get approved very quickly. Is that technically correct and is that from a business standpoint, how you guys are operating?
Brad Jones
>> It is technically correct in that we put a lot of effort into that. We have our compliance folks that are embedded with our engineering and product teams. As we're developing products and services, we make sure we not only adhere to the standards that we've already signed up for that are part of those MSAs, but are future looking as we anticipate new regulations or sovereign requirements or like DORA or EU AI Act that we have a long line of sight into that and we're building that into our development process.
Rebecca Knight
>> Is that standard practice across a lot of organizations in the sense of making sure the compliance folks are working hand in glove with?
Brad Jones
>> I would hope so. I can't speak for every organization, but it's part of our core understanding that always, anything that we release is going to meet the standards of anything we've already agreed to, and we have that foresight of what we're going to be running into as we get into new regions and specific requirements or emerging standards that come out.
Dave Vellante
>> How prevalent are you seeing Shadow AI and how are you dealing with it? Are there emerging use cases that are challenging? For instance, mobile. "Well, you're not supposed to use whatever this tool," but then somebody goes to their mobile and they're putting confidential information for a product launch that they shouldn't be putting in there because they're trying to write better marketing. How are you dealing? What are you seeing with Shadow AI and the security threats and how are you dealing with it?
Brad Jones
>> Well, I think there's a big difference in the plethora of services out there. There's some that we outright don't trust, things like DeepSeek, the service. There's a lot of things have come out that we shouldn't really trust what they're doing there. Other services, we have better confidence that they're doing what they say they do. As part of getting our ISO 42001 certification where we have an AI governance structure, part of that was educating our employees of what is right and wrong to do with AI. It's okay to query ChatGPT to understand a term, but not okay to be uploading internal documents to it. We've put a lot of effort around providing internal tooling on the Snowflake platform to say, "Hey, you can do all of this stuff internally." When someone tries to go to ChatGPT at Snowflake, they get a splash page, alerts them, "Here's the AI policy that you should understand. Here's a list of all of our internal tools. If these don't meet your needs, please proceed." And there's a button to proceed, but we'd like feedback on what we're not doing, how we're not serving you internally.
Dave Vellante
>> I was surprised. I mean, you're very selective about which models you'll allow inside of Snowflake. I was kind of surprised when I saw how many people sort of embraced the DeepSeek and made it widely available, whether it's in Model Gardens, the hyper-scalers. It was almost like a race that said, "Yeah, we can do this, too." Now, I don't know what kind of controls maybe they put in place, but as I say, you guys are very selective. I mean, you want to have choice, but that choice has got to be secure and governed and-
Brad Jones
>> Yeah, I think there's a big difference between the models and the services. Anytime we bring in a model, we do red-teaming on that model, threat modeling on it, and we have certain protections in place that users can implement, like our Cortex Guard that gives them kind of an LLM gateway where they can put certain controls, get visibility of what people are doing in that model. But we take a lot of effort to make sure that anything that we bring into our platform, there's a lot of vetting of it.
Rebecca Knight
>> So the stress testing that you're doing in making sure that employees are keeping your company safe. And I'm curious about the culture around AI within your employees. I mean, these are technology companies, so obviously these are people who like to experiment and who like to explore. But yet, there is also this stigma with AI that it is coming for people's jobs. As CISOs and people who are in this space, how do you think about it and how do you bring people along to make sure that in fact, they are experimenting in the right way, but also are excited about it and feel empowered by it?
Brad Jones
>> Well, I think as I said before, you have to lean into it. Anyone who's worried that it's going to be taking their job really needs to be refactoring that to think of, "How it's going to help me do my job in a more efficient way." Think of it as co-pilots that are helping you do more of those menial tasks, getting insights quicker. We look at it as SOC analysts like we can quickly bring someone who has the right ideas but may not have the technical chops, how to ask the questions of the data. It's democratizing that such that they can get to those and quickly get to the results they need.
Dave Vellante
>> Adam, how is Rakuten Rewards leveraging what's inside of Snowflake? I wonder if you could paint a picture. There's Horizon, governance, there's obviously the data cloud itself. What are the salient aspects of the Snowflake stack that are helping you meet your mission?
Adam DeMonaco
>> Sure. I think you touched on the Horizon Center, the other one is the Trust Center as well. There's a rapid adoption of Snowflake across our organization, not just with rewards, but international as well as Rakuten Group, which is a global organization. The quick adoption has moved faster than our governance principles, so it's really around using the tooling within Snowflake and partnering with Snowflake to really understand where there's gaps, and being able to fill those gaps as quickly as possible, while also integrating to the security controls that we currently have in place, whether it's from an identity platform perspective, whether it's around policy related to data encryption, masking, tokenization, tagging, et cetera, so that we can easily discover that data when we need to and be able to define the controls based on the policies.
Dave Vellante
>> Now, organizationally, you're a relatively novel service, correct?
Adam DeMonaco
>> Correct.
Dave Vellante
>> Versus the broader Rakuten's been around for a long time.
Adam DeMonaco
>> Right.
Dave Vellante
>> I remember in the early days of cloud when all the financial services companies said, "We'll never go to cloud." And of course, they all went to cloud. And there was a big misconception about security. "Well, the cloud's not secure," is what all the on-prem people would say. But the reality is when you talk to practitioners, said, "No, no, the cloud's actually really secure. It's just different than what we have. And we have to get the cloud vendors to certify that they can do security the way we do it." So it's probably not the case for rewards because you're relatively new, but maybe it is, where you have to take a look at what's inside of Snowflake and map it to your security edicts. What did that mapping look like? How much dissonance was there? How did you guys work it out, or did it just come naturally?
Adam DeMonaco
>> No, it's still a work in progress. Data governance is a program that's continuously being built and as it's being built, we're discovering new tooling, most of which is in Snowflake, to be able to identify the discovery aspect of it, the classification, the tagging, the security controls around it. That is just an iterative process that continues to be developed. The real challenge is when that data's replicated outside of Snowflake and the other replication data stores don't have the same controls. That's where we need a better understanding of where that data's going and the controls around that from a second and third party perspective. And that's when you were talking about those sort of cloud aspects, getting a better understanding of where those cloud services are mapping in terms of compliance to ensure that we're not just securing the source of record being Snowflake and all the tertiary data repositories as well.
Dave Vellante
>> But you could do that data sharing inside of Snowflake, could you not? But the issue is the recipient may not have access to Snowflake and you've got to enable them.
Adam DeMonaco
>> Exactly. And that's really a game changer for us as we're leaning into partnerships to be able to drive additional revenue. Those data shares and the adoption more widely of Snowflake has been a real, real opportunity for us.
Dave Vellante
>> I get it. This means you can build your marketplace and Snowflake enables that, so you don't have to do all the technical mumbo-jumbo, that heavy lifting. You can just focus on monetization.
Adam DeMonaco
>> Exactly, right.
Brad Jones
>> Got my vote.
Rebecca Knight
>> Good strategy. There's a growing push to build AI models where the data already lives. I'm curious to hear how you both see that playing out and what you see as the benefits to that approach. You want to start, Brad?
Brad Jones
>> I think the benefits is that if you bring it into a platform like Snowflake, you have your standard governance models in place and your AI is operating out of those. You don't need to create a new set of governance if you pull it out to a third-party tool. By having those strong controls in place, looking through things like Trust Center to understand we have all of those things in place, the Horizon catalog provides you governance from the ingest of data with RBAC, the tagging, masking policies, all of that flows through. So then you can enable the engineers, the data scientists to do what they need to do, but you have that good control boundary around it.
Dave Vellante
>> My last question, who's got the advantage, attackers or defenders right now, specifically in the context of AI?
Brad Jones
>> Well, they're not regulated, so they get to do things a lot differently. I would say with AI and threat actors, I wouldn't say there's new novel attacks, they're just better, faster, better social engineering attacks or phishing attacks, quicker time to finding vulnerabilities and exploits. It's really incumbent on security teams to act that much faster. And there's another technology called the Human Firewall, which we employ, as we still believe there's a lot of value in educating our employees to what to look for. They're still pretty good at some things.
Dave Vellante
>> I lied. I said this was my last question. Nir Zuk, it reminds me of something he said at, I think it was Palo Alto Ignite. I was talking to him in New York and he said, "Pre-AI, humans, we could stop with technology, 99% of the attacks and that 1%, humans could handle. But now with AI, we're overwhelmed. We can't scale the humans. And so you have to rethink, you have to fight AI with AI." I mean, basically saying security's a do-over now. Within your world, you've got a different perspective than having to secure everything, everywhere. But does that premise, the first part of that premise makes sense to you as CISOs?
Brad Jones
>> Absolutely. I mean, I think security today is a data game. You have to have all the data and you have to quickly be able to look and analyze that data and find those anomalies. We use Snowflake, the platform, to protect our platform, our corporate environment. We use a lot of the AI technologies, machine learning to look for anomalies, look for patterns. We're all in on it and believe that's the way forward.
Dave Vellante
>> And you've got the data. Not only the data, you've got the right data.
Brad Jones
>> Right.
Adam DeMonaco
>> Right. And the compute to be able to quant it, and that's a real key piece.
Dave Vellante
>> So you can move fast, you mean?
Adam DeMonaco
>> Key piece, yep.
Dave Vellante
>> Yeah.
Rebecca Knight
>> All right. Well, a fascinating, a little terrifying conversation here. Adam and Brad, thank you both so much for coming on theCUBE.
Brad Jones
>> It was fun.
Adam DeMonaco
>> Yep, thank you.
Rebecca Knight
>> I'm Rebecca Knight for Dave Vellante. Stay tuned for more of theCUBE's live coverage from the Snowflake Summit. You're watching theCUBE, the leader in enterprise tech news and analysis.