Securing Snowflake: A CISO’s Guide to Effective Access Control

Recent Breaches: A Reminder of Shared Responsibility

As Snowflake continues to be rapidly adopted across enterprises, Chief Information Security Officers (CISOs) are increasingly recognizing the importance of securing access to this critical data platform.  By focusing more energy on managing entitlements and permissions within the platform, CISOs can significantly enhance their organization’s security posture.

It’s important to note that while every company, including Snowflake, can always strive to improve the security of their platforms, the ultimate responsibility for securing data within Snowflake lies with the CISOs, data owners, data stewards and their stakeholders who have purchased and are using the platform.  It’s not reasonable to expect Snowflake to handle or preconfigure all security aspects for every situation and risk level.  As CISOs, it’s crucial to understand the permissions within Snowflake and control them properly to ensure the security of the organization’s data.

The recent data breaches involving companies using Snowflake’s cloud storage platform have highlighted significant vulnerabilities in data security practices.  High-profile incidents, such as the AT&T breach affecting 110 million customers, underscore the critical need for robust security measures and the shared responsibility between service providers and their customers.

While Snowflake provides a sophisticated and powerful platform for data analytics, the responsibility for securing data does not rest solely on their shoulders.  Snowflake operates under a shared responsibility model, where they offer comprehensive guidance on security practices, including multi-factor authentication (MFA), network policies, and regular monitoring.  However, it is ultimately up to the customers to implement these measures effectively.

For CISOs and their teams, these breaches serve as a stark reminder to prioritize and enhance their security capabilities.  By taking some proactive measures as outlined in this article, CISOs can better protect their organizations’ data and mitigate the risks associated with cloud-based platforms.  The focus should be on collaboration and shared responsibility, ensuring that both service providers and customers are aligned in their commitment to data security.

In some cases, leveraging a third-party tool, such as a modern identity security platform, may be the most effective way to gain the necessary visibility and control over Snowflake permissions.  These platforms can provide granular insights into who has access to what, help identify misconfigurations, and enable the implementation of least privilege principles.  By augmenting Snowflake’s native security features with additional tools and best practices, CISOs can better manage the complex access control challenges that come with large-scale Snowflake deployments.

Gain Visibility into Permissions

The first step in securing a Snowflake environment is gaining a clear understanding of who has access to what. This task can be challenging due to several factors:

  • Complexity of Snowflake’s role-based access control (RBAC) system: Snowflake supports over 50 privilege types and more than a dozen object types, making it challenging to comprehend even simple privilege statements without deep expertise.
  • Scale of enterprise Snowflake deployments: With thousands of users and hundreds of thousands of tables, schemas, and views, managing access at scale becomes a daunting task.
  • Siloed access data between Identity Providers and Snowflake: Most organizations manage Snowflake access through an Identity Provider, making it difficult to determine who truly has access to what.
  • Pressure on IAM teams to enable quick access: In fast-paced environments, IAM teams often face pressure to grant access rapidly, which can lead to over-provisioning and inadequate due diligence.

To address this, CISOs should consider investing in tools that provide granular visibility into permissions at the object level. This visibility will enable their teams to identify unintended access, reveal misconfigurations, and lay the groundwork for implementing least privilege.

Implement Robust Access Reviews

With improved visibility, regular access reviews become much more effective. CISOs can explore tools that automatically compile, schedule, and assign reviews based on granular permissions. Ensuring reviewers have proper context about the access they’re evaluating is crucial. Automating follow-ups to revoke unnecessary access can also help streamline the process.

Monitor Activity and Identify Over-Provisioned Access

Knowing what access exists is only half the battle. Understanding how that access is used is crucial for applying least privilege. By implementing activity monitoring, CISOs can compare permitted access against actual usage, potentially revealing significant opportunities to reduce privileges and minimize risk. Metrics such as an Over-Provisioned Access Score (OPAS), which compares the number of objects an identity can access to the number actually used over a given period, can be very helpful.  In practice, most Snowflake users have an OPAS of over 80%, representing a significant opportunity to reduce risk by removing unused privileges.

Changes in many organizations’ operating models make this even more important.  The decentralization of IT ownership has led to a new set of challenges for security teams as businesses increasingly shift the management of critical SaaS and data platforms to domain-specific business units.  While this change fosters agility and innovation, it also creates a significant blind spot for security teams, who must now navigate a complex landscape where access control is distributed across the organization.  Business unit leaders often prioritize speed and efficiency over strict access controls, inadvertently expanding the attack surface and increasing the risk of data breaches.  This puts security teams in a precarious position as they balance the need for agility with the imperative to maintain strict security controls and protect sensitive data.
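The OPAS comparison described above can be sketched as follows. This is an added example, not code from Snowflake or from any identity security product. The grant and activity data are constructed, and the formula (unused objects divided by accessible objects) is an assumption, since the article does not define the score exactly.

```python
from collections import defaultdict

# Constructed sample data (not from a real account). In a real review these
# facts come from exported role grants, object grants and query access history.
ROLE_INHERITS = {           # role -> roles that have been granted to it
    "ANALYST": ["READ_SALES"],
    "DATA_ENG": ["ANALYST", "READ_HR", "WRITE_STAGING"],
}
ROLE_OBJECTS = {            # role -> objects it is granted directly
    "READ_SALES": {"SALES.ORDERS", "SALES.CUSTOMERS"},
    "READ_HR": {"HR.EMPLOYEES", "HR.PAYROLL"},
    "WRITE_STAGING": {"STAGING.RAW_EVENTS"},
    "ANALYST": {"REPORTING.DAILY_KPI"},
}
USER_ROLES = {"alice": ["DATA_ENG"], "bob": ["ANALYST"], "carol": ["READ_HR"]}
ACCESS_LOG = [              # (user, object) pairs seen during the review window
    ("alice", "STAGING.RAW_EVENTS"), ("alice", "SALES.ORDERS"),
    ("bob", "SALES.ORDERS"), ("bob", "SALES.CUSTOMERS"),
    ("bob", "REPORTING.DAILY_KPI"),
]

def effective_objects(role, seen=None):
    """Objects reachable from a role through inheritance; tolerates cycles."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    objects = set(ROLE_OBJECTS.get(role, ()))
    for inherited in ROLE_INHERITS.get(role, ()):
        objects |= effective_objects(inherited, seen)
    return objects

def opas_report():
    """Per user: accessible and used counts, OPAS %, and the unused objects."""
    used = defaultdict(set)
    for user, obj in ACCESS_LOG:
        used[user].add(obj)
    report = {}
    for user, roles in USER_ROLES.items():
        accessible = set().union(*(effective_objects(r) for r in roles))
        touched = used[user] & accessible   # ignore hits on revoked objects
        unused = accessible - touched
        # Assumed formula: share of accessible objects never used in the window.
        score = round(100 * len(unused) / len(accessible)) if accessible else 0
        report[user] = {"accessible": len(accessible), "used": len(touched),
                        "opas": score, "unused": sorted(unused)}
    return report

if __name__ == "__main__":
    for user, row in opas_report().items():
        print(user, row)
```

The `unused` list is the actionable part: it names the objects whose grants are candidates for removal at the next access review.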

Optimize any RBAC Implementation

Role sprawl is a common issue in Snowflake environments.  CISOs can work with their teams to optimize RBAC by:

  • Removing dormant, duplicative, or rarely used roles, which can simplify most RBAC structures.
  • Splitting overly generic roles with many users into more targeted, less privileged roles.
  • Identifying and simplifying complex role hierarchies with multiple layers of inheritance.
  • Right-sizing over-permissioned roles based on actual usage and activity data.

Establish Best Practices for Access Requests

To prevent role sprawl from recurring, CISOs can collaborate with their IAM teams to implement a system for recommending the least privileged role that satisfies access requests. By analyzing existing roles and identifying the option that grants the needed access with the smallest possible increase in privileges, this approach allows for confident access granting without unnecessary new roles or over-provisioning.
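One way to implement that recommendation, as an added example rather than any product's own logic: the role names, the privilege sets and the `max_extra` threshold are hypothetical, and each role's privileges are assumed to be already resolved through inheritance.

```python
# Constructed sample data. ROLE_ACCESS holds each role's effective privileges
# (assumed already resolved through inheritance) as (object, privilege) pairs.
ROLE_ACCESS = {
    "ORDERS_READ": {("SALES.ORDERS", "SELECT")},
    "SALES_READ": {("SALES.ORDERS", "SELECT"), ("SALES.CUSTOMERS", "SELECT")},
    "SALES_ADMIN": {("SALES.ORDERS", "SELECT"), ("SALES.ORDERS", "DELETE"),
                    ("SALES.CUSTOMERS", "SELECT"), ("SALES.CUSTOMERS", "UPDATE")},
    "ALL_READ": {("SALES.ORDERS", "SELECT"), ("SALES.CUSTOMERS", "SELECT"),
                 ("HR.PAYROLL", "SELECT"), ("FIN.LEDGER", "SELECT")},
}

def recommend_role(current_roles, requested, max_extra=2):
    """Pick the existing role that covers the request with the smallest
    increase in privileges beyond what the user holds and asked for.

    max_extra (hypothetical policy knob) caps how many unrequested privileges
    a grant may carry before a new, narrower role is recommended instead.
    """
    held = set().union(*(ROLE_ACCESS[r] for r in current_roles))
    needed = set(requested) - held
    if not needed:
        # The request is already covered by existing roles: grant nothing.
        return {"action": "none", "role": None,
                "needed": [], "unrequested": []}
    best = None
    for role in sorted(ROLE_ACCESS):        # sorted for a deterministic tie-break
        grants = ROLE_ACCESS[role]
        if role in current_roles or not needed <= grants:
            continue                        # already held, or does not cover
        extra = grants - held - needed      # privilege increase nobody asked for
        if best is None or len(extra) < len(best[1]):
            best = (role, extra)
    if best is None or len(best[1]) > max_extra:
        # No role fits without over-provisioning: scope a new role to `needed`.
        return {"action": "create", "role": None,
                "needed": sorted(needed), "unrequested": []}
    return {"action": "grant", "role": best[0],
            "needed": sorted(needed), "unrequested": sorted(best[1])}

if __name__ == "__main__":
    payroll = [("HR.PAYROLL", "SELECT")]
    print(recommend_role(["ORDERS_READ"], [("SALES.CUSTOMERS", "SELECT")]))
    print(recommend_role(["SALES_READ"], payroll))   # ALL_READ adds 1 extra
    print(recommend_role([], payroll))               # ALL_READ would add 3
```

The same request yields different answers depending on what the requester already holds, which is why the comparison uses the increase in privileges rather than the size of the role.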

Leverage AI for Advanced Optimization

As AI capabilities mature, CISOs may want to explore leveraging them to:

  • Consolidate similar roles and streamline RBAC structures.
  • Identify access outliers and anomalies that represent potential security risks.
  • Determine optimal role assignments based on past activity.
  • Optimize overall role structure to minimize risk and improve performance.

Address Technical Debt

Many organizations have accumulated significant “access debt” in their Snowflake implementations over time.  This often manifests as:

  • High numbers of super-privileged or “human snowflake” users
  • Bloated RBAC implementations with many unused roles
  • Deep and complex role hierarchies that obscure true access levels

Addressing this debt is crucial for maintaining a secure environment long-term. CISOs and their teams can use the steps outlined above to systematically identify and reduce this debt over time.

Prepare for Compliance and Audits

Robust access control isn’t just about security—it’s also crucial for compliance with regulatory frameworks such as SOX, GDPR, HIPAA, and more. CISOs should ensure access control measures can stand up to regulatory scrutiny by maintaining clear audit trails, implementing regular access reviews, and being able to demonstrate adherence to least privilege principles during audits.

Conclusion

Securing Snowflake is an ongoing process that requires vigilance, the right tools, and a commitment to best practices. By collaborating with their teams to focus on visibility, least privilege, and continuous optimization, CISOs can significantly reduce the risk of data breaches, compliance failures and unnecessary spending. In today’s data-driven world, the security of Snowflake environments is directly tied to the security of entire organizations, making it a critical priority for all CISOs.