Hardening Snowflake security — Part 1

Athavale Mandar
4 min read · Jun 9, 2024


Last week we witnessed a flood of news articles about a security breach targeting multiple customers' Snowflake instances. Every article has a different theory, agenda or narrative around this breach. In this age of data, security is paramount, and the Snowflake platform already offers a range of security and privacy features natively. In this three-part blog series I will cover the Snowflake security features that can help us not eliminate such incidents entirely, but definitely reduce them for your organization.

In part 1, I will address the most common root cause reported by all the news articles: stolen credentials. Some say the credentials belonged to a past employee, others say they belonged to a Snowflake employee, but the real evil has to be saved credentials (not stolen credentials). The bottom line is that if credentials of any type (passwords, RSA keys, OAuth secrets, etc.) are kept around, there is always a possibility of their being stolen; only the risk exposure varies. Let's find out how the Snowflake native feature "Trust Center" can help us run a recurring security scan and surface such vulnerabilities with a few mouse clicks.

To set up Trust Center, log in to your Snowflake account and navigate to Monitoring → Trust Center. Your user needs the snowflake.trust_center_viewer and snowflake.trust_center_admin roles, or the ACCOUNTADMIN role, to perform this navigation.

Once there, open Scanner Packages, which lists the available CIS Benchmarks package. Enable it and schedule it to run at your discretion, as shown below.

Setting up schedule for Security Scan

Once set up and executed, this scanner package performs 39 different scans, including important security scans of your Snowflake instance. A few of the important security scans are shown below:

Important Security Scans

Results of the scan can be visualized in the same UI.

As usual, Snowflake makes things simple. If you want to use these results in queries, procedures, functions, alerts, etc., Snowflake exposes this telemetry through a view named FINDINGS. Below is a sample query to identify users whose password length is below 14.

```sql
SELECT
    f.value:entity_id::VARCHAR          AS entity_id,
    f.value:entity_name::VARCHAR        AS entity_name,
    f.value:entity_object_type::VARCHAR AS entity_object_type,
    f.value:entity_detail               AS entity_detail
FROM
    snowflake.trust_center.findings,
    LATERAL FLATTEN(input => at_risk_entities) AS f
WHERE
    EVENT_ID = '3510';
```

Now, in the context of the latest security breach, the finding "Ensure that users who did not log in for 90 days are disabled" is very crucial. If an employee leaves your organization and you do not have central SCIM provisioning to manage users and roles across your whole IT landscape, this type of vulnerability can occur. This is a serious risk: an employee who has left but still holds a password to your system is catastrophic. We will see how we can still prevent that employee from logging in to your systems in the next part of this blog series.

Another highlight of this scan is "Ensure that Snowflake password is unset for SSO users". If a user accesses Snowflake through SSO, there is no valid reason for the same user to hold a password as well.

Once the need for a password has been validated for a user, the scan also highlights the need to enable multi-factor authentication through the check "Ensure multi-factor authentication (MFA) is turned on for all human users with password-based authentication".

We need to understand here that organizations can custom develop all of these alerts themselves. However, Snowflake, as usual, makes things easier for its customers: through Trust Center it provides a unified view of all these vulnerabilities.
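The FINDINGS query above and the alerting use case it serves can be combined into a recurring alert. The following is an added example, not code from the original post or from Snowflake: it assumes the FINDINGS view exposes the columns EVENT_TIME, SEVERITY, SCANNER_SHORT_DESCRIPTION and AT_RISK_ENTITIES (confirm with DESCRIBE VIEW), that user findings carry an entity_object_type of 'USER' and severities such as 'HIGH' and 'CRITICAL', and that sec_ops, my_wh and my_email_integration are placeholders for your own database, warehouse and notification integration.

```sql
-- Added example (not from the original post). Column names on the FINDINGS
-- view, the 'USER' entity type and the severity labels are assumptions;
-- sec_ops, my_wh and my_email_integration are placeholders.

-- 1. Keep only the newest run of each scanner and flatten the at-risk users
--    it surfaced, so later queries never double count entities from old runs.
CREATE OR REPLACE VIEW sec_ops.trust_center.latest_user_findings AS
SELECT
    fd.event_id,
    fd.scanner_short_description,
    fd.severity,
    fd.event_time,
    f.value:entity_name::VARCHAR AS user_name,
    f.value:entity_detail        AS entity_detail
FROM snowflake.trust_center.findings AS fd,
     LATERAL FLATTEN(input => fd.at_risk_entities) AS f
WHERE fd.event_time = (
        SELECT MAX(event_time)
        FROM   snowflake.trust_center.findings
        WHERE  event_id = fd.event_id)
  AND f.value:entity_object_type::VARCHAR = 'USER';

-- 2. A daily alert that fires whenever the latest scan run contains any
--    HIGH or CRITICAL user-level finding (dormant users, SSO users with a
--    password set, password users without MFA) and notifies the security team.
CREATE OR REPLACE ALERT sec_ops.trust_center.user_findings_alert
  WAREHOUSE = my_wh
  SCHEDULE  = 'USING CRON 0 8 * * * UTC'
  IF (EXISTS (
        SELECT 1
        FROM   sec_ops.trust_center.latest_user_findings
        WHERE  severity IN ('HIGH', 'CRITICAL')))
  THEN CALL SYSTEM$SEND_EMAIL(
         'my_email_integration',
         'security-team@example.com',
         'Trust Center: high-severity user findings',
         'Query sec_ops.trust_center.latest_user_findings for the affected users.');

-- Alerts are created in a suspended state; resume it to start the schedule.
ALTER ALERT sec_ops.trust_center.user_findings_alert RESUME;
```

The view is also a convenient base for a dashboard or for a nightly task that reviews the listed users against your HR leaver feed.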

We will cover other approaches to safeguarding our Snowflake account in other areas in the next part of this series.
