Snowflake-linked attacks are testing the cloud’s shared responsibility status quo
A burst of attacks on at least 100 Snowflake customers’ databases, all of which were not configured with multifactor authentication, accentuates the murky waters of responsibility in the cloud.
When Snowflake disclosed the series of identity-based attacks targeting its customers’ environments on May 30, the company mostly pinned the blame on customers that didn’t use MFA and leaked credentials. The cloud-based data warehouse vendor does not enforce MFA by default or require its customers to use the technology.
Having MFA built into services by design and on by default is a cornerstone of the Cybersecurity and Infrastructure Security Agency’s secure-by-design principles.
CISA unveiled the initiative in April 2023 and last month announced voluntary commitments from dozens of major technology companies to embrace secure development practices over the next year. The security-by-design pledge has been signed by 140 companies to date, but not Snowflake.
“The idea of a secure-by-design pledge should just not be a thing. The reason it has to be a thing is companies are not doing the right thing,” said Chester Wisniewski, director and global field CTO at Sophos.
“People, given the choice, will continue to choose the wrong thing,” he said. “The lowest-common denominator of security should be stepped up.”
Snowflake asserts shared responsibility, sets changes in motion
Snowflake says the attacks on customers’ databases were not caused by a vulnerability, misconfiguration or breach of its systems. Rather, the cause was an attacker’s use of stolen credentials for customer systems unprotected by MFA, according to the company and its incident response firms Mandiant and CrowdStrike.
Snowflake’s approach to MFA bears inherent limits for its IT administrators. An instance of Cisco Duo that is managed by Snowflake is the only MFA solution available to its customers, and the company doesn’t allow administrators to enforce MFA for a specific role, according to the company’s MFA support page.
“This means Snowflake leaves it up to every user to decide whether they want to enroll with MFA or not,” Ofer Maor, co-founder and CTO at Mitiga, said via email. “While other vendors may also offer the ability to start without MFA, most SaaS vendors, once deployed as an enterprise solution, allow administrators to enforce MFA.”
As pressure mounted on Snowflake and its customers last week, Snowflake CISO Brad Jones said the company is developing a plan to require customers to implement advanced security controls such as MFA or network policies.
Details of the plan were scant, however, including what exactly Snowflake will require of its customers and if it will turn on MFA by default across its platform. Snowflake did not respond to a request for additional information on its security improvement plan.
MFA options need not apply
Cybersecurity experts acknowledge the merits of Snowflake’s position, buoyed by the cloud sector’s shared responsibility model, wherein vendors protect underlying infrastructure and customers secure their data with proper configuration and management. But many describe MFA as a baseline control that bolsters access to enterprise infrastructure and makes a significant impact in thwarting attacks.
“At every corner, when you give organizations a choice about doing the secure thing or not, a large percentage of them are not going to do the right thing,” said Wisniewski.
“Do we continue to allow people to shoot themselves in the foot?” Wisniewski said. “As a security person, my instinct is to say no. We should take away the option to harm yourself. If we give you the choice to do the right thing, and you can't seem to choose to do the right thing, then maybe it just shouldn't be a choice anymore.”
Without hard and fast rules, balancing responsibilities with these dynamics is a tricky proposition.
Placing too much accountability with technology vendors might be an overcorrection that reduces the collective responsibility all stakeholders have in maintaining security, according to Kaustubh Medhe, VP of research and threat intelligence at Cyble.
Some cloud providers have embraced a measured approach to MFA by making services default secure, not default convenient, in particularly risky scenarios, said Charlie Winckless, VP analyst at Gartner.
“Accountability and responsibility in such a model lies with the client, but the provider is focusing not on convenience and speed, but security — helping their client to be more responsible,” Winckless said. “Providers can improve their credibility by providing secure defaults and helping clients — who may not be security practitioners — understand the risks they are incurring.”
Minimum expectations for security controls are shifting quickly, and the unfortunate reality is that credentials to enterprise systems without MFA are heavily targeted by attackers.
In 2023, attackers used compromised legitimate credentials to gain access to victim environments in almost 40% of ransomware attacks where the initial access vector was identified, Mandiant said this month in a threat intelligence report.
“We’re not living in 2006 anymore,” Wisniewski said. “There’s really not a good reason, when you’re allowing people to potentially store incredibly sensitive information that you’re not ensuring that there’s at least that speed bump in the way.”