In early June, the Ticketmaster breach brought widespread attention to the fact that the affected Snowflake customer accounts did not require multi-factor authentication (MFA) and that some were compromised as a result. If only it were that simple. MFA is an excellent compensating control, but on its own it is not sufficient to stop data breaches. Adversaries play by no rules and have several other techniques for getting around compensating controls, MFA included. MFA also does not apply in practice to non-human identities (that is, service accounts), which can make up 20% or more of a typical organization’s credentials. So the question is not only whether MFA should have been enabled; MFA isn’t enough. The question we really need to ask is why adversaries are targeting systems like Snowflake and how we can harden these data-rich environments more effectively.
Why Snowflake? Understanding the Target
Snowflake is a data-rich environment that holds an organization’s structured and semi-structured data sets for storage, analysis, and processing. Many organizations adopt it because it is faster, more flexible, and easier to use than other database offerings. It is built for the cloud and delivered as a fully managed service, which makes it attractive for digital transformation initiatives. That ease of use has led to the aggregation of vast amounts of sensitive data from many sources, and such data stores inevitably attract adversaries because the data is ideal for identity theft, ransomware, social engineering, and other malicious activity.
Beyond the data it holds, Snowflake offers extensive integration capabilities that make it easy to move data into and out of the platform. It integrates with dozens of data integration tools and technologies (Amazon Data Firehose, Google Cloud, Informatica, Apache Kafka, and SAP, to name a few), and its ecosystem of technology partners delivers connectors for popular applications, databases, and cloud platforms. That ecosystem is convenient, but every connector is another credential and another network path into the platform, so the potential attack surface grows with it. Snowflake is also only one part of a larger IT stack, so it may not always get the security team’s attention, and attackers may exploit weaknesses elsewhere in the stack to reach the troves of data Snowflake holds.
Modern Enterprises Are Data Dumping Grounds
As data continues to grow, organizations look for ways to use it, and Snowflake is integral to that effort. Data pipelines automate many of the steps that organizations once performed manually to transform and optimize continuous data loads, making it easy to move, analyze, use, and store data for later; all of this is vital for business growth. But a data pipeline is also, in effect, a business-sanctioned Trojan horse: lines of business use pipelines to move customer data into warehouses for analysis without understanding that each pipeline, with its own credentials and standing access to the destination, creates a new attack path for adversaries.
Data warehouses are also collaborative; businesses grant wide access to their employees to analyze and use that data, further increasing the data attack surface because the data is so easy to move, copy, and share. Unfortunately, most employees do not have the same security awareness training or accountability as a database administrator, yet their accounts have access to massive amounts of sensitive data. What organizations must understand is that, fundamentally, data itself has no rules unless the organization puts protections in place to secure it as it grows, moves, and changes.
Reduce the Data Risk Surface
Attackers have already shown that they can reach sensitive data through compromised Snowflake accounts; organizations must now act to reduce the data risk surface. They can do this in a few key ways: by minimizing data access, eliminating stale data, and hardening the data they keep.
- Minimize data access. This matters most where organizations have opened their data warehouses to multiple lines of business. Security teams need to review identity access and grant each user only the minimum access required for the job, following the principle of least privilege, so that a compromised account exposes only a small subset of the data.
- Use role-based access control (RBAC). Define roles for people and non-human identities alike, and attach the permissions to read, write, and modify data to those roles rather than to individual accounts, taking into account the sensitivity of the data being accessed.
- Identify and eliminate stale data. Security teams must know about all the data in the corporate environment. Stale or “ghost” data that has been forgotten or lost increases the risk surface while providing no benefit to the organization; finding and removing it reduces overall risk without affecting business outcomes.
- Harden the data. This is only possible once all sensitive data has been identified, so that it can be encrypted, tokenized, masked, or anonymized as appropriate. Hardened data is far less useful to an adversary who does manage to gain access to it.
- Classify and map data comprehensively and continuously. Knowing the location, type, and business context of data lets security teams respond quickly and limit the impact when a breach occurs.
- Identify and protect intellectual property. Many organizations do not realize that some categories of their data are part of their core IP, such as information about buyer technology or investment strategies. That IP is important to the business and must be identified and protected, whether from a malicious attacker or from inadvertent ingestion by an artificial intelligence model or chatbot.
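The first four items above, and the service-account point from the opening paragraph, translate directly into Snowflake SQL. The following is an added example written for this page; it is not code from the original article or from Bedrock Security. The warehouse, database, schema, table, role, user, IP range, and public-key values are placeholders, and the last two queries rely on the SNOWFLAKE.ACCOUNT_USAGE views, which lag live activity by up to a few hours and are readable only by roles that have been granted access to them.

```sql
-- 1. Least-privilege role for a non-human identity (an ETL loader).
--    The pipeline only needs to write into one raw table, so it gets
--    INSERT there and nothing else: no SELECT, no access to curated data.
CREATE ROLE IF NOT EXISTS etl_loader;                           -- placeholder names throughout
GRANT USAGE ON WAREHOUSE load_wh          TO ROLE etl_loader;
GRANT USAGE ON DATABASE  sales            TO ROLE etl_loader;
GRANT USAGE ON SCHEMA    sales.raw        TO ROLE etl_loader;
GRANT INSERT ON TABLE    sales.raw.orders TO ROLE etl_loader;

-- Service user authenticates with a key pair, not a password. No PASSWORD
-- property is set, so there is no password for an attacker to steal or reuse,
-- which is the practical substitute for MFA on an account that cannot answer
-- an MFA prompt.
CREATE USER IF NOT EXISTS etl_svc
  DEFAULT_ROLE   = etl_loader
  RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...';        -- placeholder public key
GRANT ROLE etl_loader TO USER etl_svc;

-- Pin the service account to the pipeline's egress range so a leaked key
-- is useless from anywhere else.
CREATE NETWORK POLICY IF NOT EXISTS etl_net ALLOWED_IP_LIST = ('203.0.113.0/24');  -- placeholder range
ALTER USER etl_svc SET NETWORK_POLICY = etl_net;

-- 2. RBAC for humans: analysts read curated data only. FUTURE TABLES keeps
--    new tables in the schema covered without a manual grant each time.
CREATE ROLE IF NOT EXISTS analyst;
GRANT USAGE  ON WAREHOUSE analytics_wh                 TO ROLE analyst;
GRANT USAGE  ON DATABASE  sales                        TO ROLE analyst;
GRANT USAGE  ON SCHEMA    sales.curated                TO ROLE analyst;
GRANT SELECT ON ALL TABLES    IN SCHEMA sales.curated  TO ROLE analyst;
GRANT SELECT ON FUTURE TABLES IN SCHEMA sales.curated  TO ROLE analyst;

-- 3. Hardening: a masking policy hides the PII column from every role except
--    pii_reader, so a compromised analyst account yields masked values.
CREATE OR REPLACE MASKING POLICY sales.curated.email_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_READER') THEN val
    ELSE REGEXP_REPLACE(val, '^.*@', '*****@')
  END;
ALTER TABLE sales.curated.customers MODIFY COLUMN email SET MASKING POLICY sales.curated.email_mask;

-- 4. Stale-data candidates: tables still holding bytes that no query has
--    read in the last 90 days, largest first.
WITH recently_read AS (
  SELECT DISTINCT obj.value:objectName::STRING AS fqn
  FROM snowflake.account_usage.access_history ah,
       LATERAL FLATTEN(input => ah.base_objects_accessed) obj
  WHERE ah.query_start_time > DATEADD(day, -90, CURRENT_TIMESTAMP())
    AND obj.value:objectDomain::STRING = 'Table'
)
SELECT t.table_catalog, t.table_schema, t.table_name, t.active_bytes
FROM snowflake.account_usage.table_storage_metrics t
LEFT JOIN recently_read r
  ON r.fqn = t.table_catalog || '.' || t.table_schema || '.' || t.table_name
WHERE t.deleted = FALSE
  AND r.fqn IS NULL
ORDER BY t.active_bytes DESC;

-- Check for the exposure the Ticketmaster incident highlighted: successful
-- logins in the last 7 days that used a password with no second factor.
SELECT user_name, client_ip, reported_client_type, COUNT(*) AS logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY logins DESC;
```

Run the grants as a role that owns the objects (or as SECURITYADMIN for the role and user statements), and treat the output of the last two queries as a worklist: tables that appear in the stale-data result should be reviewed with their owners before they are dropped, and every human user in the password-only result is a candidate for MFA enrollment while every service account there is a candidate for key-pair authentication.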
Minimize Overall Risk with Trust Boundaries
Modern organizations must manage and secure vast and growing amounts of data across diverse environments without unnecessarily limiting how the business can use that data. To protect it effectively, organizations need automatic and adaptable controls, such as trust boundaries. A trust boundary, in this sense, is a logical grouping of data, and of the systems and identities that access it, in which access and control decisions follow from the sensitivity or classification level of the data in the group. Security teams can in principle restrict access so that only those with a legitimate need can reach sensitive data, but at today’s data volumes that is all but impossible to manage by hand; a trust boundary supplies the automation and the context-driven adjustment that the task requires. Static rules and human intervention simply cannot keep up with the scale and speed at which modern enterprises use data.
The Ticketmaster breach is far from unique. It is estimated that about 165 Snowflake customer accounts were affected in the recent hacking campaign targeting Snowflake’s customers. This should serve as a wake-up call for organizations worldwide: it is time to prioritize data security. That responsibility does not rest with the data warehouse or technology vendor; it rests with each organization to ensure that the right people have the right access to the right data at the right time.
About the Author
As VP of Marketing, Kapil leads the Marketing Team at Bedrock Security, a leader in Data Security. As a Cybersecurity Marketing Executive for 20+ years, Kapil has built and led product, marketing, sales, and strategy teams at startups and large cybersecurity brands including CrowdStrike, Zscaler, VMware, and VeriSign.
Before joining the Bedrock team, Kapil led marketing for Preempt Security, which was acquired by CrowdStrike in 2020. He then went on to lead marketing for identity protection, cloud, observability, and zero trust products at CrowdStrike.
Kapil holds a BS in Computer Engineering from the University of Michigan, Ann Arbor, and he is a recognized speaker and author of books on AI, PKI, mobile commerce, biometrics, and other security topics.
Kapil can be reached on LinkedIn or via Bedrock’s website, www.bedrock.security.