
Cloud-based assaults linked to Snowflake are challenging the established shared responsibility paradigm

Cloud providers must elevate their minimum security standards, as determining accountability for inadequate security measures can be challenging, according to experts, due to the collective nature of the responsibility.


In the wake of a series of attacks targeting at least 100 Snowflake customers' databases, the cloud data platform provider is facing pressure to enhance its security measures. However, the company has not signed the secure-by-design pledge, a voluntary commitment by tech companies to adopt more secure development practices, as part of the Cybersecurity and Infrastructure Security Agency's (CISA) initiative.

Brad Jones, Snowflake's Chief Information Security Officer (CISO), is at the helm of the company's response to these challenges. Jones and his team are developing a plan to require customers to implement advanced security controls such as Multi-Factor Authentication (MFA) or network policies.

The attacks were not caused by a vulnerability, misconfiguration, or breach of Snowflake's own systems. They resulted from stolen credentials being used against customer accounts that did not have MFA enabled. This underscores the importance of MFA as a baseline control: it hardens access to enterprise infrastructure and goes a long way toward thwarting credential-based attacks.

Snowflake's approach to MFA leaves it up to every user to decide whether they want to enroll with MFA, while most Software-as-a-Service (SaaS) vendors allow administrators to enforce MFA once deployed as an enterprise solution. Some cloud providers have embraced a measured approach to MFA by making services default secure, not default convenient, in particularly risky scenarios.
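As an added illustration of the gap described above (this is not code from the article, from Snowflake, or from Mandiant's guidance), the following Snowflake SQL lets an account administrator list users who still rely on a password without MFA, review recent successful single-factor logins, and apply a network policy as the compensating control mentioned above. It assumes the ACCOUNTADMIN role, access to the SNOWFLAKE.ACCOUNT_USAGE schema, and a placeholder CIDR range that must be replaced before use.

```sql
-- Assumes ACCOUNTADMIN (or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database).
USE ROLE ACCOUNTADMIN;

-- 1. Users who can log in with a password but have not enrolled in MFA.
--    EXT_AUTHN_DUO is TRUE only for users enrolled in Snowflake's built-in (Duo) MFA.
--    Casts are defensive: some of these columns are exposed as VARIANT.
SELECT name,
       last_success_login,
       ext_authn_duo::boolean AS mfa_enrolled
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  NOT disabled::boolean
  AND  has_password::boolean
  AND  NOT COALESCE(ext_authn_duo::boolean, FALSE)
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful password logins in the last 30 days that had no second factor.
--    Each row is an authentication that a stolen password alone would have been enough for,
--    so unexpected client IPs or client types here deserve an investigation.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;

-- 3. Compensating control: restrict where logins may originate.
--    203.0.113.0/24 is a placeholder documentation range (assumption); replace it with
--    the organisation's real egress addresses. The address you are connecting from must
--    be in the list, or Snowflake rejects the ALTER ACCOUNT statement.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Allow logins only from corporate egress addresses';

-- Applying at account level covers every user, including service accounts that cannot use MFA.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

ACCOUNT_USAGE views lag real time by up to a couple of hours, so the login query is for review rather than live alerting.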

The details of Snowflake's plan are currently scant, including what exactly will be required of its customers and if MFA will be turned on by default across its platform. The company did not respond to a request for additional information on its security improvement plan.

Meanwhile, the CISA's secure-by-design initiative emphasizes integrating proactive security measures early in software development. The approach reflects a broader responsibility for tech companies to secure their products to prevent downstream risks and broader cyber incidents. The initiative encourages the adoption of memory-safe programming languages, the provision of comprehensive software component transparency via Software Bills of Materials (SBOMs), and ensuring secure default software configurations to proactively reduce exploitable vulnerabilities in the supply chain and product ecosystems.

Dozens of major technology companies have made voluntary commitments to embrace secure development practices over the next year as part of the CISA's secure-by-design pledge. Under such a model, accountability and responsibility still lie with the client, but the provider prioritises security over convenience and speed, which makes it easier for clients to meet that responsibility.

As the cyber threat landscape continues to evolve, it is crucial for tech companies like Snowflake to balance their responsibilities with the dynamics of the industry. Without hard and fast rules, this proposition is a tricky one. However, by adopting secure-by-design principles and prioritising proactive security measures, companies can help build a more secure digital future for all.


  1. Snowflake, in the aftermath of a data breach affecting over 100 customers, is working diligently to strengthen its cybersecurity measures, with a key focus on incident response and vulnerability management.
  2. In contrast to Snowflake, many tech companies have signed the secure-by-design pledge, a voluntary commitment to incorporate proactive security measures into their software development processes, initiated by the Cybersecurity and Infrastructure Security Agency (CISA).
  3. The incident exposed the importance of threat intelligence, ransomware protection, and advanced security controls like Multi-Factor Authentication (MFA), which Snowflake's CISO, Brad Jones, is advocating for its customers to implement.
  4. As part of this effort, Snowflake plans to require customers to implement MFA or network policies, but the details are still unclear, such as what will be mandatory and if MFA will be default across the platform.
  5. The finance sector is closely watching this development, as secure-by-design principles and proactive security measures can help prevent future cybersecurity incidents that could impact their financial data and operations.
