Joey on SQL Server
The Snowflake Affair: What It Can Teach IT About SaaS Security
Let's start with that disastrous opt-in MFA policy.
- By Joey D'Antoni
- 09/17/2024
Snowflake was at the center of several high-profile data breaches over the summer.
To wit: Threat actors went after Snowflake's customers rather than Snowflake itself. The attackers allegedly used info-stealer malware to compromise an MSP in Eastern Europe that had access to many different Snowflake accounts. Importantly, it was the customers, not Snowflake, that employed the MSP. Snowflake and its own infrastructure remained secure from attack.
Still, even though Snowflake's platform held up, the company came under fire from security professionals. Under the shared responsibility model common to most cloud service providers, security duties are split between the provider and the customer's IT staff, and Snowflake left MFA enrollment entirely on the customer side: there was no way for an administrator to force all Snowflake users to use multifactor authentication; each user had to opt in. Additionally, configuring MFA for Snowflake was more challenging than on some other platforms.
Snowflake is not alone here. As I write this article, Databricks announced a vulnerability that was identified by security researchers: authentication tokens were stored in a Docker container that was uploaded to a public container repository, allowing the researchers to view Databricks' source code. And, of course, Microsoft has been the victim of a number of high-profile attacks in recent years.
So does this mean that the cloud is insecure?
A Deeper Look at Cloud Security
Cloud security has always been a significant challenge for organizations, primarily due to the dramatic changes it introduces to the foundational security model. At the core of all security solutions are two foundational concepts: authentication (verifying the identity of the person or process) and authorization (determining the tasks the authenticated entity is entitled to perform). While these concepts are basic, they are the target of nation-state threat actors and criminal organizations seeking to exploit any security vulnerabilities.
While the cloud does have an increased attack surface compared to a domain controller locked down in your datacenter, it also has some security benefits. For example, Microsoft Azure and Amazon Web Services (AWS) provide better safeguards around application identity (managed identity and IAM service roles), where the service (applications, services, VMs) authenticates without storing passwords.
Additionally, both cloud platforms have strong security controls around MFA, support for advanced methods like YubiKeys and, most importantly, single sign-on (SSO) for external applications. They also make it much easier to implement advanced security controls to protect users better.
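The managed-identity pattern described above, as an added example that is not from the article or from Microsoft's documentation: an Azure-hosted application is given least-privilege access to an Azure SQL database through its Entra ID managed identity, so the app authenticates with a token and no password is stored in code, config, or a connection string. The statements are run while connected to the target database as the server's Entra ID administrator; "payroll-api" and the PayrollRuns table are assumed names.

```sql
-- Added example (not from the article or from Microsoft): map an app's
-- managed identity to a contained database user and grant only what it needs.
-- Run in the target database as an Entra ID admin of the logical server.
-- "payroll-api" is an assumed managed-identity display name.

-- Create a contained database user backed by Entra ID; there is no password
-- to rotate, leak, or stuff into a connection string.
CREATE USER [payroll-api] FROM EXTERNAL PROVIDER;

-- Least privilege: read access only, via the built-in fixed role.
ALTER ROLE db_datareader ADD MEMBER [payroll-api];

-- Where the workload must write, grant the specific table rather than
-- adding db_datawriter across the whole database. (dbo.PayrollRuns is assumed.)
GRANT INSERT ON dbo.PayrollRuns TO [payroll-api];

-- Verify: list Entra-backed principals and the roles they hold, so an
-- auditor can confirm no external identity has more than intended.
SELECT dp.name      AS principal_name,
       dp.type_desc AS principal_type,
       r.name       AS role_name
FROM   sys.database_principals        AS dp
LEFT JOIN sys.database_role_members   AS drm ON drm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals     AS r   ON r.principal_id = drm.role_principal_id
WHERE  dp.type IN ('E', 'X')   -- E = external (Entra) user, X = external group
ORDER  BY dp.name, r.name;
```

On the application side the connection string then carries an Entra authentication mode (in Microsoft.Data.SqlClient, `Authentication=Active Directory Managed Identity`) instead of a user name and password, which is the whole point: the credential the attacker would need to steal does not exist.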
The Challenges of Application Integration
The pace of change in the cloud, which IT organizations have started to adapt to, is also challenging for software companies. For example, while SQL Server and Azure SQL Database support using Entra ID for authentication, SQL Server Management Studio has only recently begun supporting YubiKey and passwordless authentication because that tool uses an older client library version. This challenge is only worse with applications from third parties.
Meanwhile, Entra's SSO solution is probably the best tool I've seen in my career. I remember a lot of terrible, nascent attempts at SSO in the early aughts. The industry's convergence on OAuth has simplified this, as has Entra's large footprint making it a de facto standard.
While it is straightforward to add Entra ID authentication to your application, maintaining full compatibility with all the latest features requires your app team to update those libraries and potentially change your end users' log-in experience as Microsoft adds features. While this is technically as simple as updating a library, changing core user experiences like log-ins is not something a SaaS company can do trivially.
What Happened with Snowflake?
I want to give Snowflake credit; it has addressed most of the problems that likely made it a target of attack.
On the other hand, unlike many cloud services, Snowflake left the decision to activate MFA to individual users, which meant administrators could not force all of their users to adopt MFA. Also, Snowflake only supported Duo for MFA at the time, which limited options for customers who didn't use that solution. In my experience, integrating SSO solutions using Duo is much more challenging than it is for some other products.
These factors, on top of its large and varied customer base, made Snowflake a big target for threat actors. The attackers didn't need to breach Snowflake's core infrastructure; they could simply take customer data straight out of the customers' own accounts.
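The opt-in MFA problem described above is something an administrator can at least measure. The following is an added example, not from the article or from Snowflake: two queries against Snowflake's ACCOUNT_USAGE views that find active password users who have never enrolled in Duo MFA, and recent successful password logins that presented no second factor. They assume a role with access to the SNOWFLAKE shared database (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on it), and the 30-day review window is an arbitrary choice.

```sql
-- Added example (not from the article or from Snowflake): MFA coverage audit.
-- Requires a role that can read SNOWFLAKE.ACCOUNT_USAGE. The 30-day window
-- is an assumed review period; adjust to your own policy.

-- 1. Active users who authenticate with a password but have never enrolled
--    in Duo MFA. Password-only users are the ones an info-stealer can replay.
SELECT name,
       has_password,
       has_rsa_public_key,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful password logins in the last 30 days with no second factor,
--    grouped by user so the highest-exposure accounts surface first.
--    A sudden jump in distinct_source_ips for one user is worth a look.
SELECT user_name,
       COUNT(*)                  AS logins_without_mfa,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name
ORDER  BY logins_without_mfa DESC;
```

The first query is the enrollment gap; the second is the gap that is actually being exercised. Users who appear in both lists are the ones to move to SSO or MFA first, and the second query makes a reasonable scheduled detection once the enrollment gap is closed, since any row it returns is then a policy violation rather than business as usual.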
Hard Lessons Learned
Observe the bad press Snowflake received after this attack. While its initial response was to push back on its customers for not fully implementing its flawed MFA design, most of the press (tech and non-tech) blamed Snowflake. Snowflake's share price experienced a steep decline after the attacks.
Security is complex and not the only functionality you need to build into your service. Integrating with popular security platforms like Entra or AWS IAM makes a lot of sense. Still, you want to ensure you are publishing best practices for using those tools with your service, as well as dedicating resources to ensure the user and admin experiences keep up with updates to those security platforms.
Suppose you are a customer who's considering buying a SaaS package. You'll find sales demos will frequently bypass authentication and security matters and focus more on business functionality; that's what impresses decision-makers. However, you need to ask your vendors the hard security questions and hold their feet to the fire. Understand how a new product will fit with your existing security platform and protect your company's data. While you are at it, also ask some questions about their backup and recovery and disaster recovery processes.
The pervasiveness of threats has made security the biggest concern among CIOs and CEOs everywhere. While cloud computing has primarily improved many organizations' security postures and increased their productivity, it is also a big target for threat groups. It is essential to foster a culture of security within your organization so people always have security at the top of their minds. Please, if nothing else, ensure you have MFA turned on for everything.
About the Author
Joseph D'Antoni is an Architect and SQL Server MVP with over a decade of experience working in both Fortune 500 and smaller firms. He is currently Principal Consultant for Denny Cherry and Associates Consulting. He holds a BS in Computer Information Systems from Louisiana Tech University and an MBA from North Carolina State University. Joey is the co-president of the Philadelphia SQL Server Users Group. He is a frequent speaker at PASS Summit, TechEd, Code Camps, and SQLSaturday events.