It’s been nearly impossible to miss the recent data breach suffered by cloud storage and analytics company Snowflake.
Snowflake is a cloud-based data warehousing service that enables scalable and efficient data storage and analytics, and can be hosted on AWS, Google Cloud, and Azure. The company has experienced massive growth in recent years, serving over 9,400 customers globally.
Unfortunately, today they are in the headlines not for the excellence of their service, but because of a significant cybersecurity incident.
Dubbed by Wired as potentially one of the largest data breaches of all time, the scale of Snowflake’s incident is allegedly unprecedented, exposing potentially millions (perhaps even billions) of sensitive records from large enterprises across the world.
The plunge in Snowflake’s stock value, which has shed over 20% since the breach was first reported, is a sad yet vivid illustration of the extent of the breach and points to both the financial and the brand reputation damage caused by the incident.
In this article, we delve into the details of the Snowflake breach, assess its impact, and discuss encryption key management as a preventive measure that can safeguard against similar incidents.
Let’s start with what happened.
Snowflake Breach
On 23 May 2024 Snowflake publicly identified the breach, confirming that some of its customer accounts had been compromised.
The stolen data purportedly includes sensitive personal information on millions of individuals and billions of tracking-pixel data records from as many as 165 customers, including Santander, Ticketmaster, Pure Storage, and Advance Auto Parts, among others.
The full extent of the breach and of the data exposed is still unknown, as investigations are underway.
The threat actor, tracked as UNC5537, has claimed to have breached Snowflake, though as far as we know this claim has been neither confirmed nor explicitly denied by Snowflake.
So, how did this happen?
Underlying Causes
According to reports, the breach can be traced back to the compromise of a Snowflake employee’s account and to login credentials stolen by infostealer malware in past attacks (dating back to 2020).
The attackers are said to have bypassed authentication mechanisms and used session tokens to gain unauthorised access to the company’s systems hosted on Amazon Web Services (AWS).
This allowed the attackers to potentially access data from a variety of Snowflake’s customers, including high-profile companies like Ticketmaster and Santander.
While this breach underscores the critical need for robust security protocols to protect against increasingly sophisticated cyber threats, it most interestingly sheds light on the importance of encryption key management, and more specifically on controlling encryption keys.
Preventive Measure: Encryption Key Management
One critical security measure that could have mitigated the impact of the Snowflake breach is, in fact, the use of customer-provided encryption keys, since Snowflake is a Platform as a Service (PaaS) that can be hosted on AWS, Google Cloud, or Microsoft Azure.
AWS offers the External Key Store (AWS XKS) service, which supports the integration of customer-provided encryption keys and is compatible with Snowflake.
This service lets organisations manage encryption keys outside of AWS, allowing them to maintain complete control over their encryption keys while utilising Snowflake’s data warehousing capabilities on AWS’s robust cloud infrastructure.
By retaining control over the master keys, companies can ensure that Snowflake data stored in the AWS cloud remains encrypted, and therefore protected, even if service credentials are compromised.
AWS has collaborated with various Hardware Security Module (HSM) and key management providers for its XKS feature, including DuoKey for AWS XKS.
DuoKey for AWS XKS features secure Multi-Party Computation (MPC), which generates key material in a distributed process so that the root key material is never exposed to any single entity, including the cloud provider.
This method significantly reduces the risk of a single point of compromise and enhances control over encryption keys.
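As an added illustration (not code from DuoKey, AWS or Snowflake), here is a small Go model of the hold-your-own-key arrangement described above: an in-process KeyStore plays the customer-run key manager that AWS XKS proxies to, records are envelope-encrypted with per-record data keys wrapped under the external root key, and once the customer disables that root key the stored records cannot be unwrapped by anyone holding only cloud-side credentials. All names here are assumptions; a real XKS deployment reaches the external key manager through the XKS proxy rather than a local struct.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Keys are always fresh 32-byte values, so cipher setup or randomness failing is a bug: must panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte      { b := make([]byte, n); must(rand.Read(b)); return b }
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func seal(key, pt []byte) []byte { // AES-256-GCM, nonce prepended to the ciphertext
	nonce := randBytes(aead(key).NonceSize())
	return aead(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) { // fails on a wrong key or tampered bytes
	g := aead(key)
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// KeyStore models the customer-run key manager behind AWS XKS (assumed, in-process stand-in):
// the root key never leaves it, and the customer can disable it without the cloud's cooperation.
type KeyStore struct {
	root    []byte
	Enabled bool
}
func NewKeyStore() *KeyStore { return &KeyStore{root: randBytes(32), Enabled: true} }
func (k *KeyStore) Unwrap(w []byte) ([]byte, error) {
	if !k.Enabled {
		return nil, errors.New("external root key disabled by customer")
	}
	return open(k.root, w)
}

// Envelope encryption: a fresh data key per record, wrapped under the external root key.
// Decrypt must round-trip through the store, so a disabled root key leaves the record opaque.
func Encrypt(k *KeyStore, pt []byte) (ct, wrappedKey []byte) {
	dk := randBytes(32)
	return seal(dk, pt), seal(k.root, dk) // the wrap step runs inside the store
}
func Decrypt(k *KeyStore, ct, wrappedKey []byte) ([]byte, error) {
	dk, err := k.Unwrap(wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, ct)
}
```

Because every read passes through Unwrap, the external store is also the natural place to log, rate-limit and alert on unwrap requests.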
Conclusion
The Snowflake incident is a crucial reminder of the vulnerabilities inherent in digital platforms and the continuous need for robust security measures.
Managing encryption keys externally is a significant step in enhancing data security. Organisations must adopt comprehensive, layered security strategies to protect their digital assets against sophisticated cyber threats.
For those interested in enhancing their encryption key management, solutions like DuoKey for AWS XKS offer robust tools for managing external keys within AWS environments, helping prevent breaches similar to what Snowflake experienced.
If you’re looking to strengthen your organisation’s data security, consider exploring external key management solutions:
Download our free product sheet on DuoKey for AWS XKS for more information.
References
- DuoKey for AWS XKS: https://duokey.com/products/aws-xks
- Snowflake Breach Exposes 165 Customers’ Data in Ongoing Extortion Campaign: https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html
- Snowflake compromised? Attackers exploit stolen credentials: https://www.helpnetsecurity.com/2024/05/31/snowflake-compromised-data-theft/
- The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever: https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/
- UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
- AWS KMS concepts: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk