Cloud-based assaults instigated by Snowflake entities are challenging the conventional shared responsibility paradigm
Snowflake, the data cloud company, has recently acknowledged that a series of attacks on its customers' databases were caused by an attacker's use of stolen credentials for customer systems that were unprotected by Multi-Factor Authentication (MFA).
In response, Snowflake is developing a plan to require its customers to implement advanced security controls such as MFA or network policies. However, the details of this plan are still scant.
The attacks, which have affected at least 100 Snowflake customers' databases, highlight the importance of strong security measures in the digital age. In 2023, attackers used compromised legitimate credentials to gain access to victim environments in almost 40% of ransomware attacks where the initial access vector was identified.
Charlie Winckless, VP analyst at Gartner, emphasizes that some cloud providers have embraced a model where services are default secure, not default convenient, in risky scenarios. He argues that MFA is a baseline control that significantly impacts thwarting attacks.
Snowflake does not enforce MFA by default or require its customers to use the technology. An instance of Cisco Duo is the only MFA solution available to Snowflake's customers, and the company doesn't allow administrators to enforce MFA for a specific role.
Despite this, Snowflake does enforce MFA at the platform level for its own administrative users and strongly encourages—often requiring—customers to enable MFA for their accounts, particularly for sensitive roles and access points. Snowflake provides native MFA options and integrates with external identity providers (IdPs) that support MFA, enabling customers to enforce MFA policies based on their own security requirements.
As of now, Snowflake has publicly committed to advancing cybersecurity best practices, but there is no widely available, detailed update specifically confirming their active participation in the Cybersecurity and Infrastructure Security Agency (CISA)'s secure-by-design pledge. The secure-by-design pledge, launched in April 2023, has been signed by 140 companies, but not Snowflake.
Dozens of major technology companies have made voluntary commitments to embrace secure development practices over the next year as part of CISA's secure-by-design pledge. Providers can improve their credibility by providing secure defaults and helping clients understand the risks they are incurring.
For the absolute latest on Snowflake's stance or official commitments to CISA initiatives or their enforcement strategies around MFA for customers, the best approach is to check Snowflake's official security or compliance pages or announcements directly from CISA or Snowflake communications. Cybersecurity experts argue that MFA is a critical control for customer accounts and is a significant step towards protecting data in the digital age.
- Snowflake is developing a plan to require its customers to implement advanced security controls, such as Multi-Factor Authentication (MFA) or network policies, in response to a recent data breach caused by stolen credentials.
- In 2023, one of the common methods used by attackers in ransomware attacks was compromising legitimate credentials to gain access to victim environments, highlighting the importance of strong security measures like MFA in the digital age.
- Charlie Winckless, VP analyst at Gartner, emphasizes the importance of MFA as a baseline control that significantly impacts thwarting attacks, arguing that some cloud providers should prioritize security over convenience in risky scenarios.
- Despite not enforcing MFA by default, Snowflake does enforce MFA at the platform level for its own administrative users and strongly encourages customers to enable MFA for their accounts, particularly for sensitive roles and access points.
- Snowflake, as of now, has not publicly confirmed their active participation in the Cybersecurity and Infrastructure Security Agency's (CISA) secure-by-design pledge, although dozens of major technology companies have made similar commitments to secure development practices.
