Caleb Tennis’ Post


Information Security @ Sequoia Capital

I've been thinking a lot about the Snowflake incident, as we have a large corpus of data hosted there. The finger pointing revolves around a lack of MFA. There is messaging indicating that Snowflake will move towards a more rigorous MFA requirement in the future. Great! But this feels like a band-aid on a wound that needs more comprehensive medical care. A large number of Snowflake accounts, at least that we have, are service accounts for 3rd party integrations. Snowflake makes no differentiation of a service account vs a human account. We can't MFA service accounts. Many of the 3rd party providers don't use any type of OAuth for accessing Snowflake; so we're stuck creating traditional usernames and passwords and giving those credentials over to another system to access our data. Furthermore, we have developers who need to remotely access these data sets using these service account credentials (vs their own SSO'd login), because they have to replicate data flows in the software they're developing. Using network policies is a challenge, because some of these developers work from home from time to time. Snowflake really should invest in ensuring security differentiation between human and machine logins, and promote better third party integration methods. We spent a non-trivial amount of time hardening our Snowflake environment earlier this year. There are a myriad of technical controls in place that severely limit our exposure. Recognizing the effort that went into getting to where we are, I can only imagine how much work other larger orgs have ahead of them. PS: If you're a consultancy specializing in cloud security, I'd recommend adding Snowflake hardening as an offering.

If you are fortunate enough to have stable egress paths then it’s a good idea to use their ip-allowlisting. Until there is something better.
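An added example (not code from the post, the commenters or Snowflake) of the defender-side check the thread is circling around: since Snowflake itself does not tag a user as human or machine, the organisation has to classify accounts by its own convention (an assumed `SVC_` name prefix here) and then hold each class to a different expectation: human logins need a second factor, service-account logins must originate from the stable egress allowlist. The login records and CIDRs are constructed sample data shaped after the fields of Snowflake's LOGIN_HISTORY view.

```python
import ipaddress

# Constructed sample records modelled on Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY
# fields (user_name, client_ip, second_authentication_factor, is_success).
# These are hypothetical values, not real logs.
SAMPLE_LOGINS = [
    {"user_name": "SVC_ETL_VENDOR", "client_ip": "203.0.113.10", "second_factor": None, "is_success": True},
    {"user_name": "SVC_ETL_VENDOR", "client_ip": "198.51.100.7", "second_factor": None, "is_success": True},
    {"user_name": "ALICE", "client_ip": "203.0.113.25", "second_factor": "DUO_PUSH", "is_success": True},
    {"user_name": "BOB", "client_ip": "198.51.100.99", "second_factor": None, "is_success": True},
    {"user_name": "BOB", "client_ip": "198.51.100.99", "second_factor": None, "is_success": False},
]

# Assumed naming convention: Snowflake has no user type flag, so the org's own
# prefix is the only thing that distinguishes a machine login from a human one.
SERVICE_PREFIX = "SVC_"

# Assumed stable egress ranges of the third-party integrations (the allowlist
# that would back a Snowflake network policy for those service users).
SERVICE_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def is_service_account(user_name):
    return user_name.upper().startswith(SERVICE_PREFIX)


def ip_allowed(ip, allowlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def review_logins(logins, allowlist=SERVICE_ALLOWLIST):
    """Return (user, finding, client_ip) tuples for successful logins that
    break the policy: service accounts off the allowlist, humans without MFA."""
    findings = []
    for rec in logins:
        if not rec["is_success"]:
            continue  # failed attempts are outside this policy check
        user = rec["user_name"]
        if is_service_account(user):
            if not ip_allowed(rec["client_ip"], allowlist):
                findings.append((user, "service login outside allowlist", rec["client_ip"]))
        elif rec["second_factor"] is None:
            findings.append((user, "human login without MFA", rec["client_ip"]))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOGINS):
        print(*finding)
```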

Randall Hettinger

Permiso Security | We’re the best at detecting compromised credentials in all your cloud environments

2w

This is for the community - we put out an open-source tool called YetiHunter to detect and hunt for suspicious activity in Snowflake, combining several Indicators of Compromise published by the community: https://permiso.io/blog/introducing-yetihunter-an-open-source-tool-to-detect-and-hunt-for-suspicious-activity-in-snowflake

Mel Masterson - GCIH, GCWN

SecOps & Detection & Response Leader | Expert in Endpoint Hardening & Cloud Security | Skilled in Team Building & Leadership | Security Frameworks in Tech & Finance | Security Culture & Business Innovation Champion

2w

We make a point to rotate svc account creds quarterly which is helpful, but not the end solution.


An idea I toyed with is a virtual SSO IdP that manages service accounts and the humans who are allowed to assume into those service accounts. The humans are authenticated using federated real IdPs or magic links.

Salient points!

Saurabh Sharma

Founding cybersecurity engineer @ Lime

2w