Recent attacks have targeted at least 100 Snowflake customers’ databases, pointing out important security lapses. Attacks primarily focused on databases that lacked multifactor authentication (MFA), making them vulnerable to breaches.
Snowflake attributes these incidents to the customers’ failure to activate MFA and the leakage of credentials, rather than to any inherent vulnerabilities or misconfigurations in Snowflake’s systems. The company does not enforce MFA by default, nor does it require its customers to use this security measure, a choice that has come under recent scrutiny.
Lack of enforced MFA has exposed a critical weakness in cloud security practices. With the growing prevalence of cyber attacks, the importance of basic security measures like MFA cannot be overstated.
As more organizations migrate to cloud-based solutions, the responsibility of securing data becomes a shared burden between the service provider and the customer. In this case, the absence of default MFA configurations has left many Snowflake customers exposed to identity-based attacks, underscoring the need for stricter security protocols.
CISA’s Secure-by-Design Principles
The Cybersecurity and Infrastructure Security Agency (CISA) explains the necessity of incorporating MFA into services by design and having it enabled by default.
This principle is central to CISA’s secure-by-design initiative, which was launched in April 2023. The initiative aims to foster secure development practices among technology companies. Since its inception, 140 companies have pledged to adopt these practices, although Snowflake has not yet committed to this pledge.
CISA’s initiative is a proactive step towards improving the overall security posture of technology services. Encouraging companies to build security into their products from the ground up, means CISA mitigates the risks associated with cyber threats.
The participation of 140 companies signifies a collective movement towards more secure development practices, yet the absence of key players like Snowflake indicates that there is still work to be done to achieve widespread adoption.
Why security experts are blasting companies for poor practices
Chester Wisniewski, a director and global field CTO at Sophos, has been vocal about the shortcomings of current security practices. He argues that the very existence of secure-by-design pledges points to a fundamental issue: many companies are not inherently prioritizing security.
Wisniewski asserts that when given a choice, a significant portion of organizations will opt for convenience over security, which can lead to avoidable vulnerabilities. He advocates for raising the minimum standards of security to prevent such lapses.
Wisniewski’s criticism is a strong reminder of the ongoing challenges in cybersecurity.
His perspective highlights a key dilemma: balancing usability with robust security measures. The tendency of organizations to default to less secure configurations calls for a more stringent approach to security, one that reduces the reliance on individual choice and emphasizes mandatory protections.
Snowflake’s response to the attacks
Snowflake maintains that the recent attacks were a result of stolen credentials and the lack of MFA, rather than vulnerabilities or misconfigurations within its own systems.
The company’s MFA solution, which is limited to Cisco Duo, does not allow administrators to enforce MFA for specific roles, placing the onus on individual users to opt-in. The setup has inherent limitations, as it leaves the decision to activate MFA to the discretion of the users, many of whom may not prioritize security.
Snowflake’s approach reflects a broader challenge within the cloud industry: the balance of responsibility between the provider and the customer.
Attributing the cause of the attacks to user behavior lends itself to the shared responsibility model, where customers are expected to actively manage their security configurations. However, this stance also raises questions about the adequacy of default security measures provided by the vendor.
Snowflake’s upcoming security changes
In response to the growing pressure, Snowflake is in the process of developing a plan to mandate the implementation of advanced security controls, such as MFA or network policies, for its customers.
Although specific details about these new requirements are currently sparse, the move indicates a shift towards more stringent security practices.
Upcoming changes are a key step for Snowflake as it seeks to restore confidence and improve the security of its platform. Lack of clarity on the specifics of these plans, however, leaves customers and industry observers eager for more information.
How effective these new measures are will ultimately depend on their implementation and enforcement, as well as on the company’s ability to communicate and support these changes to its user base.
What cybersecurity experts think
Multifactor authentication (MFA) is widely regarded as a key control for protecting enterprise infrastructure. It provides an additional layer of security by requiring users to provide multiple forms of verification before accessing sensitive systems.
Despite its importance, many organizations neglect to implement MFA, leaving themselves vulnerable to breaches.
Experts argue that when security measures are optional, many organizations will opt for convenience over security, exposing themselves to significant risks.
A key reason for this behavior is the perceived complexity and inconvenience associated with MFA. Businesses often prioritize operational efficiency and user experience, sometimes at the expense of robust security measures.
Choices like this can lead to catastrophic outcomes, as evidenced by the numerous breaches that occur due to weak or stolen credentials.
According to a Mandiant report, in 2023, compromised credentials were used in nearly 40% of ransomware attacks where the initial access vector was identified; which clearly shows the importance of MFA in protecting against unauthorized access and highlights the need for it to be a mandatory security measure.
The shared responsibility model
The shared responsibility model in cloud security delineates the division of security tasks between the cloud provider and the customer. Under this model, cloud providers are responsible for securing the underlying infrastructure, while customers are responsible for securing their data and managing user access.
While practical, this model often leads to ambiguities regarding where the responsibilities of the provider end and the customer’s begin.
Experts believe that vendors should implement secure defaults to mitigate the risk of customer misconfigurations and oversight. Providing built-in security features that are active by default can help customers who may not have deep security expertise.
Kaustubh Medhe from Cyble points out that overburdening technology vendors with security responsibilities could dilute the collective responsibility necessary for effective cloud security. He suggests that a balanced approach, where vendors provide secure defaults and customers actively manage their data security, is crucial for maintaining robust cloud security.
How cloud providers are rethinking MFA
Making security the default
Recent developments prioritize security over convenience, compelling users to adopt best practices without the need for additional configuration. For instance, certain providers now enable MFA by default, reducing the likelihood of breaches due to credential theft.
Some cloud providers are taking proactive steps by making their services secure by default, especially in high-risk scenarios.
Charlie Winckless from Gartner explains that by offering secure defaults and educating clients on the associated risks, providers can enhance their credibility and help clients make more informed decisions.
Rising security standards
With cyber threats becoming more sophisticated, there is a growing demand for higher minimum security standards. Customers now expect cloud providers to offer robust security features out of the box, rather than optional add-ons. This trend is pushing providers to innovate and implement more stringent security measures as part of their standard offerings.
The importance of MFA
Experts consistently emphasize the importance of MFA in safeguarding sensitive information. Adding an extra layer of security with MFA reduces the risk of unauthorized access and helps prevent data breaches.
Despite its proven effectiveness, its implementation is still not universal, leaving many organizations exposed to potential threats. This gap in security practice underscores the need for MFA to be a standard requirement rather than an optional feature.
The great cloud security debate
The debate over responsibility in cloud security continues to change, with a growing push for higher default security standards.
As the industry grapples with balancing convenience, security, and shared responsibility, it becomes clear that both vendors and customers must adapt to the changing landscape. Vendors need to provide secure defaults and robust security features, while customers must actively manage and configure their security settings to protect their data effectively.
Adoption of secure-by-design practices
The adoption of secure-by-design practices is gaining momentum, reflecting a broader shift towards more proactive security measures.
Achieving widespread adoption requires concerted efforts from both technology vendors and their customers. As more companies commit to these practices, the overall security posture of cloud services is expected to improve, paving the way for a safer digital environment.
