
Snowflake security incident: A wake-up call for CISOs | Grip

The recent large-scale data breaches at Ticketmaster and Santander Bank may have been due to fundamental flaws in securing data access on a third-party cloud service. While the details of the latest security incident are not yet fully clear, numerous reports point to a worrying trend.

Although Ticketmaster and Santander have not disclosed the identity of the third-party cloud service, several security analysts have identified the provider as Snowflake, a well-known cloud-based data platform. Snowflake, along with CrowdStrike and Mandiant, issued a joint statement saying they found no evidence of a vulnerability, misconfiguration, or security breach in Snowflake's platform itself. Instead, they assess the incident to be a targeted campaign against customer accounts protected only by single-factor authentication (a username and password, with no MFA).

How the Snowflake incident happened

Details of the Snowflake incident are still being disclosed, but it appears that threat actors used credentials previously harvested by malware on user machines to log in and steal information. Although reports are inconclusive at the time of this publication, Snowflake found evidence that a threat actor gained access to demo accounts owned by a former Snowflake employee. While these demo accounts did not contain any sensitive data, they were not protected by Okta or multi-factor authentication (MFA), unlike Snowflake's corporate and production systems. The common thread is the same in each case: a valid password alone was enough to get in.

Recommended actions following the Snowflake incident

Snowflake recommends that organizations immediately enforce MFA on all accounts, configure network policy rules so that only traffic from trusted locations (such as corporate VPN egress addresses or cloud workload NATs) can reach the account, and, for affected organizations, reset and rotate Snowflake credentials. Auditing which users can still log in with a password alone, and from where, is the first step in all three.
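The three recommendations above, worked through as Snowflake SQL an administrator would actually run. This is an added example and not code from Grip or from Snowflake's advisory; the user names (jdoe, svc_etl, svc_reporting), policy names and IP ranges (RFC 5737 documentation addresses) are placeholders to replace with your own. The views and statements used (SNOWFLAKE.ACCOUNT_USAGE.USERS, LOGIN_HISTORY, NETWORK POLICY, ALTER USER) are standard Snowflake features.

```sql
-- Run as ACCOUNTADMIN (SECURITYADMIN suffices for the user and policy changes).
-- ACCOUNT_USAGE views lag live activity by up to about two hours, so pair
-- these audits with SHOW USERS / SHOW NETWORK POLICIES for the current state.
USE ROLE ACCOUNTADMIN;

-- 1. Audit: password-capable users who have not enrolled in MFA.
--    EXT_AUTHN_DUO reflects enrollment in Snowflake's built-in (Duo) MFA.
--    Users who hold only an RSA key pair or log in through SSO are excluded.
SELECT name, login_name, last_success_login, disabled
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Audit: successful logins in the last 30 days that used a password and
--    no second factor, with the source IP. Unfamiliar IPs on this list are
--    the pattern the joint statement describes and warrant a closer look.
SELECT event_timestamp, user_name, client_ip,
       reported_client_type, first_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Network policy: restrict where logins may originate.
--    Snowflake rejects the ALTER ACCOUNT below if the address you are
--    currently connected from is not in ALLOWED_IP_LIST, so check it first
--    rather than locking yourself out.
SELECT CURRENT_IP_ADDRESS();

CREATE OR REPLACE NETWORK POLICY trusted_networks_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.17')   -- placeholder VPN egress + cloud NAT
  COMMENT = 'Corporate VPN egress and cloud workload NAT only';

ALTER ACCOUNT SET NETWORK_POLICY = trusted_networks_only;

-- A service account that should only ever connect from one NAT gets a
-- tighter user-level policy; a user-level policy overrides the account-level one.
CREATE OR REPLACE NETWORK POLICY etl_nat_only
  ALLOWED_IP_LIST = ('198.51.100.17');                    -- placeholder NAT address
ALTER USER svc_etl SET NETWORK_POLICY = etl_nat_only;

-- 4. Credential rotation. RESET PASSWORD returns a one-time reset URL to hand
--    to the user out of band; MUST_CHANGE_PASSWORD forces a change at next
--    login for an account whose password was set by an administrator.
ALTER USER jdoe RESET PASSWORD;
ALTER USER svc_reporting SET MUST_CHANGE_PASSWORD = TRUE;

-- 5. Stale accounts (demo, former-employee and forgotten service accounts):
--    generate DISABLE statements for anything idle for 90 days, review the
--    list, then run them. Disabling is reversible; dropping is not.
SELECT 'ALTER USER "' || name || '" SET DISABLED = TRUE;' AS stmt
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND COALESCE(last_success_login, created_on) < DATEADD(day, -90, CURRENT_TIMESTAMP());
```

Two caveats. First, the MFA audit in step 1 only reports enrollment; Snowflake's built-in MFA is enrolled by the user, so the durable fix is to put the account behind your IdP (SSO with MFA enforced there) and remove passwords from users who no longer need them, or, where your account supports authentication policies, to require MFA enrollment through one. Second, step 3 blocks the attacker's next login, but a session or token issued before the policy took effect stays valid until it expires, which is why the rotation in step 4 is not optional for accounts that appeared in step 2.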

Prevent similar security incidents with Grip

Grip has developed a comprehensive SaaS risk management strategy, SaaS Identity Risk Management (SIRM), to address the changing SaaS landscape and emerging risks. Organizations with a modern and robust SIRM program are far less exposed to incidents like the one affecting Snowflake customers, where accounts outside central identity controls were reachable with a password alone. While the SIRM principles are extensive, specific aspects apply directly to this type of incident.

Free download: The Ultimate Guide to SaaS Identity Risk Management

Discover all Snowflake instances and accounts

The first step is to discover all SaaS applications, including all Snowflake instances and accounts within an organization. This includes unmanaged accounts that employees may have created without proper oversight from IT and security teams. Grip provides complete visibility into your SaaS ecosystem, identifies gaps, and catalogs managed and unmanaged SaaS, IaaS tenants, Snowflake instances, and all associated user accounts, creating a complete and continuously updated inventory.

App, account and user recognition:
Grip discovers all Snowflake instances and accounts.

Assessing “SaaS Identity Risks”

Next, Grip assesses each application’s “SaaS identity risks,” going beyond traditional vendor risks like certifications and privacy policies. Grip uncovers additional risk factors, such as asset risks, usage risks, and authentication risks, collectively known as “SaaS identity risks.” From this, Grip assesses whether applications are inherently risky or benign, whether users authenticate to apps with SSO or MFA, and whether the apps are managed or unmanaged. The Grip SaaS identity risk platform provides an easy-to-understand risk score and assessment for each app, so you can prioritize which risks need to be addressed first.

SaaS Risk Assessment:
Grip assesses Snowflake’s SaaS identity risks and presents a holistic risk score.

Reduce risks prescriptively

Finally, Grip helps reduce your SaaS risks effectively and efficiently. Once Grip discovers SaaS instances and accounts and assesses them for risks, it recommends the best course of action. Should your security team find an app useful and allow it, Grip helps secure access more comprehensively, including single sign-on (SSO) and multi-factor authentication (MFA) with built-in recommendations and actions, such as contacting the identity provider (IdP) administrator or business owner to enable SSO/MFA with instructions and context.

Secure access coverage:
Grip finds ways to secure Snowflake with SSO and MFA and raise requests with IdP administrators and business owners.

If an app is deemed too risky, Grip can revoke access to credential-based apps by forcing password resets and rotating the passwords, so that former employees, and anyone holding a previously stolen password, can no longer use those credentials to reach sensitive data.

Centralized control of shadow SaaS and IaaS assets

In addition to Shadow SaaS, users also create accounts in IaaS tenants and other assets such as Snowflake. Grip finds ways to bring these assets under centralized control where administrators can apply security policies and controls. By providing details about tenants, instances, and user accounts, Grip makes it easier for security teams to contact the right people and integrate their accounts and assets into an established security program.

Breaking the vicious cycle of security breaches

While there is no detailed information on the data theft, the Snowflake incident shows a recurring pattern seen in other hacked organizations: accounts without SSO or MFA protection, access not restricted to trusted networks, and exploitation of former employees' demo or production accounts whose credentials were never rotated. Grip helps organizations cover all these bases by identifying and mitigating SaaS identity risks through a holistic SIRM program. The Snowflake security incident is just one example of the threats Grip can help prevent, while ensuring robust security measures are in place across your entire SaaS and IaaS landscape.

Book time with our team to learn more about the Grip platform and how we can help you secure your SaaS landscape.