Identity & Access Management , Incident & Breach Response , Security Operations

After Customers Get Breached, Snowflake Refines Security

Mandatory Multifactor Authentication Among New Features Given to Administrators
After hackers breached customer accounts that didn't have multifactor authentication, the company now allows admins to make MFA mandatory for users. (Image: Shutterstock)

In the wake of multiple customers of Snowflake collectively losing terabytes of data to attackers, the cloud-based data warehousing platform has rolled out a swath of cybersecurity improvements.

For the first time, administrators can mandate that each of their Snowflake account users employs strong authentication to safeguard account access. Other tools allow admins to monitor for credential theft, overprivileged accounts and "stale users" who may no longer require access to the service.

All of the new capabilities are now "available free of charge in all Snowflake editions" and in some cases already active by default, said Snowflake CISO Brad Jones and product security head Anoosh Saboori in a Tuesday blog post.

Default multifactor authentication for all new users will become the norm. "Soon, Snowflake will require MFA for all human users in newly created Snowflake accounts," they said.

The new functionality - and a promise that more security improvements are on the way - come following the breach of 165 organizations' Snowflake accounts via credential stuffing attacks in which attackers reused username and password pairs stolen or otherwise obtained from other services or data leaks. The breach of Snowflake accounts first came to light publicly on May 30, after data stolen from Live Nation Entertainment's Ticketmaster appeared for sale on the criminal marketplace BreachForums. Subsequently, some Snowflake customers whose data was stolen received ransom demands from attackers, who asked for up to $5 million in exchange for a promise to delete stolen data.

Security experts have welcomed Snowflake's security improvements, saying they are needed to safeguard accounts against copycat attacks. "This solves all the inherent product weaknesses from the prior setup, they did a good job," British cybersecurity expert Kevin Beaumont said in a post to Mastodon.

"This is a welcome move from Snowflake, and I would encourage all users of the platform to enable MFA," said Brian Honan, head of Dublin-based cybersecurity consultancy BH Consulting. "Where possible, those working in large organizations should try and integrate their access to Snowflake into their overall identity and access management solution, and Snowflake should assist those organizations in doing this."

In an investigation conducted with CrowdStrike and Mandiant, Snowflake concluded that attackers breached customers' accounts via credential stuffing attacks. While most victims have not been publicly named, known victims include Santander Bank, automotive parts supplier Advance Auto Parts, the Los Angeles Unified School District and luxury retailer Neiman Marcus.

While MFA isn't foolproof - attackers continue to refine their tactics for bypassing the defense, including via social engineering and look-alike phishing pages - security experts recommend using it wherever possible. Multifactor authentication adds cost and complexity to attacks and, in many cases, stops them outright.

"My view is that we have gone a long way from having MFA as an optional feature, and we are quickly approaching the event horizon of: MFA has to be a mandatory feature," said Ian Thornton-Trump, CISO of Cyjax.

While administrators couldn't previously force their Snowflake users to enable MFA, they now have this ability.

"To help admins enforce usage of MFA, we've enhanced our Snowflake authentication policies to include a new option that requires MFA for all users in an account," Jones and Saboori said. "The admin can decide whether the scope of this policy should apply to local users or include single sign-on (SSO) users too."

Even if administrators don't make MFA mandatory for their Snowflake account users, the platform has begun to actively nudge users to activate MFA anyway.

"When users without MFA log on to Snowsight, they will be prompted to enable MFA and guided through the configuration steps," they said. "This dialog can be dismissed, but it will reappear in three days if MFA has not been configured for the user."

Snowflake's MFA documentation says the only way to access this feature is through the Duo Security service, although the company said users only need the app. "Users do not need to separately sign up with Duo or perform any tasks, other than installing the Duo Mobile application, which is supported on multiple smartphone platforms," it says.

Snowflake said that organizations should not activate MFA for "service users," by which it means third-party tools or other machine-to-machine communications that involve logging into an organization's Snowflake account - for example, to execute SQL code. "For such users, move away from passwords to key-pair authentication or external OAuth," it said.
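The account-level MFA requirement and the key-pair switch for service users that the post describes, written out as Snowflake SQL. This is an added example, not code from Snowflake's post or this article; the policy and user names are placeholders, and the public key value is a labelled placeholder rather than a real key.

```sql
-- Added example; not from the Snowflake blog post or this article.
-- 'require_mfa_policy' and 'etl_loader' are placeholder names.

-- 1. Authentication policy that forces MFA enrollment for every human user.
--    MFA_ENROLLMENT = REQUIRED is the "requires MFA for all users" option.
--    MFA_AUTHENTICATION_METHODS sets the scope: 'PASSWORD' covers local
--    users, adding 'SAML' extends the requirement to single sign-on users.
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD', 'SAML')
  COMMENT = 'Mandatory MFA for all human users (local and SSO)';

-- 2. Attach the policy to the whole account so it applies to every user
--    that does not have a more specific user-level policy.
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 3. Service user (machine-to-machine access): no MFA, no password.
--    Move it to key-pair authentication and remove the password so the
--    credential-stuffing path disappears. The key value is a placeholder.
ALTER USER etl_loader SET RSA_PUBLIC_KEY = '<PLACEHOLDER_RSA_PUBLIC_KEY_BODY>';
ALTER USER etl_loader UNSET PASSWORD;
```

Key-pair logins are not subject to the password MFA enrollment prompt, which is why the service user is moved off passwords rather than enrolled in MFA.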

As of Tuesday, new features have gone live in Snowflake's Trust Center, which the company says is the web-based interface for administrators to manage their organization's "risk posture" with the platform, including users' compliance with security policies they set. These are checked via scheduled background processes, called scanners, which watch for potential security risks.

The Trust Center now features a Security Essentials scanner package that Snowflake said will review users' compliance with MFA and other network policies, as well as a CIS Benchmarks scanner package, developed with the Center for Internet Security.

Snowflake said these enhancements are "the product of a community consensus process" and consist of "secure configuration guidelines developed for Snowflake." It said they are designed to detect credential reuse, "overprivileged entities, stale users who have not logged in for the past 90 days" and other items of concern.
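A manual version of two of the checks the scanners are described as performing: stale users and password users without MFA, plus a credential-stuffing signal from the login history. This is an added example, not Snowflake's own Trust Center scanner logic; the 10-user threshold is an assumption, and the queries read the SNOWFLAKE.ACCOUNT_USAGE views, which lag live data by up to about two hours and require a role granted access to them, such as ACCOUNTADMIN.

```sql
-- Added example, not Snowflake's own Trust Center scanner logic. Reads the
-- SNOWFLAKE.ACCOUNT_USAGE views (up to ~2 hours of latency); needs a role
-- granted access to them, such as ACCOUNTADMIN.

-- Finding 1: stale users (no successful login in 90 days) and human users
-- still on a password with no Duo MFA enrolled. Key-pair users are
-- excluded because MFA is not meant for service users.
WITH user_state AS (
  SELECT name,
         has_password,
         ext_authn_duo AS mfa_enrolled,
         last_success_login,
         DATEDIFF('day', last_success_login, CURRENT_TIMESTAMP()) AS days_since_login
  FROM snowflake.account_usage.users
  WHERE deleted_on IS NULL
    AND disabled::BOOLEAN = FALSE
    AND has_rsa_public_key = FALSE
)
SELECT name, mfa_enrolled, days_since_login,
       CASE
         WHEN last_success_login IS NULL OR days_since_login > 90 THEN 'STALE_USER'
         WHEN has_password AND NOT mfa_enrolled                  THEN 'PASSWORD_WITHOUT_MFA'
       END AS finding
FROM user_state
WHERE last_success_login IS NULL
   OR days_since_login > 90
   OR (has_password AND NOT mfa_enrolled)
ORDER BY finding, days_since_login DESC NULLS FIRST;

-- Finding 2: credential-stuffing signal: one client IP failing password
-- logins against many distinct usernames in the last 24 hours.
-- The threshold of 10 distinct users is an assumption; tune it per account.
SELECT client_ip,
       COUNT(*)                  AS failed_attempts,
       COUNT(DISTINCT user_name) AS distinct_users_tried,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
  AND is_success = 'NO'
  AND first_authentication_factor = 'PASSWORD'
GROUP BY client_ip
HAVING COUNT(DISTINCT user_name) >= 10
ORDER BY distinct_users_tried DESC;
```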

"By default, the Security Essentials scanner package is enabled and cannot be disabled," Snowflake said. "The Security Essentials scanner package does not incur serverless compute cost."

Snowflake said it will continue to revamp its capabilities to monitor security, risk and compliance. "We will continue adding features to the Trust Center to help Snowflake customers better detect threats and attacks against their accounts. We will share more details in upcoming months," Jones and Saboori said.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

