Snowflake breach? Privacy!

Snowflake paints a giant target for hackers

At the end of May, security firm Hudson Rock claimed, based on a conversation with a threat actor, that Snowflake itself had been breached: an employee's credentials were supposedly stolen and used to log in to ServiceNow, and from there the attacker accessed and downloaded data from potentially hundreds of customers. The post was taken down, no doubt with help from Snowflake's lawyers, and the story appears to have been largely made up, even according to the people demanding a $20m ransom for the data.

What is real, though, is that several customers' data have been compromised and downloaded, according to both the Australian Signals Directorate and Snowflake itself. So Snowflake most likely wasn't breached, but its customers found out that their data wasn't as private as they had hoped, and that Snowflake hadn't done much to help them secure their accounts.

This raises a lot of questions about the company, its best practices, its level of transparency, and the security of the data entrusted to it.

But the cloud is more secure

The narrative "I trust <cloud vendor here>'s security much more than <my company name>'s" has been repeated ad infinitum, to the point where we all believe it. However, just like communism, repeating the same message over and over to convince people doesn't make it right. We often don't even think about exactly what we are entrusting to that cloud vendor.

According to Harvard Business Review, 80% of data breaches in 2023 involved data stored in the cloud, and a central "data cloud" like Snowflake is an extraordinarily attractive target.

Misconfiguration in cloud deployments is extremely common, because it's trivial to grant public access to services: a couple of clicks and everything in an S3 bucket is readable by anyone on the internet. Contrast this with a pre-cloud storage system deployed behind firewalls and intrusion detection systems, monitored and scanned. Even a system with no password set, or without MFA (which still happens and still causes data breaches), had no easy path to becoming reachable from the internet.

The famous verifications.io breach happened because a MongoDB database holding 763,000,000 email addresses was sitting on the internet with no password. Netflix, TD Bank and Ford had data stolen via a public bucket at Attunity. The list of cloud breaches goes on and on.
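What "a couple of clicks" looks like as policy, and what a check for it looks like, as an added example that is not code from the original post or from any vendor: a public-read S3 bucket policy beside one restricted to a single role coming through a private VPC endpoint, and a small evaluator that flags Allow statements any internet client could satisfy. The bucket name, account id, role name and endpoint id are made-up placeholders, and both policy documents are constructed here.

```python
"""Flag S3 bucket policies that grant access to anyone on the internet.

Added example, not from the original post: two constructed policy documents
(a public-read one and a VPC-endpoint-restricted one) and a checker that
finds Allow statements an anonymous internet client could satisfy.
Bucket name, account id, role name and endpoint id are placeholders.
"""
import json


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# Constructed: the "couple of clicks" policy that makes every object readable by anyone.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data-lake",
                     "arn:aws:s3:::example-data-lake/*"],
    }],
})

# Constructed: the same access, granted only to one role and only via a private VPC endpoint.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data-lake",
                     "arn:aws:s3:::example-data-lake/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Condition keys that tie a grant to a network, account or organisation,
# so a wildcard principal combined with one of these is not world-reachable.
SCOPING_CONDITION_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
    "aws:principalorgid", "aws:principalaccount", "aws:sourcearn",
}


def principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def condition_scopes_grant(condition) -> bool:
    """True if any condition key restricts where or from whom the request may come."""
    for operator, keys in (condition or {}).items():
        if operator.lower().startswith("null"):
            continue  # Null tests assert presence/absence only; they do not scope the grant
        if any(key.lower() in SCOPING_CONDITION_KEYS for key in keys):
            return True
    return False


def find_public_statements(policy_json: str) -> list:
    """Return the Allow statements an unauthenticated internet client could satisfy."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        if condition_scopes_grant(stmt.get("Condition")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
        })
    return findings


def bucket_is_exposed(policy_json: str, public_access_block: dict) -> bool:
    """Combine the policy with the bucket's Block Public Access settings.

    RestrictPublicBuckets makes S3 ignore a public policy for anonymous and
    cross-account callers, so it neutralises an exposure already in place.
    BlockPublicPolicy only rejects *new* public policies, so it is not
    counted here: a policy that predates it still stands.
    """
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(find_public_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        hits = find_public_statements(doc)
        print(f"{name}: {len(hits)} public statement(s)", [h["sid"] for h in hits])
```

The Block Public Access caveat is the one practitioners trip over: `RestrictPublicBuckets` is the setting that actually neutralises a public policy already in place, while `BlockPublicPolicy` only stops a new one from being written, so a checker that treats either flag as "safe" will miss buckets that were opened up before the flag was turned on.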

Coming to Snowflake: new accounts can be created with password-only authentication and no MFA. Even Snowflake's own employees do this, and one of them had their credentials stolen. If Snowflake is fine with its employees doing this, it is presumably fine with its customers doing it too, which brings us to...

It's your problem not mine

Snowflake's attitude appears to be that it is its customers' problem. For example, it released a list of a few dozen IP addresses "associated with suspicious activity" and handed it to customers to deal with themselves, along with pages of recommended SQL. One of the advantages of buying SaaS is that the vendor is supposed to keep you safe; why isn't it monitoring for suspicious activity on behalf of its customers, instead of retroactively posting SQL queries and handing them off? It should recognise that its product stores its customers' crown jewels (their business-critical enterprise data) and do everything in its power to make sure neither its employees nor its customers are compromised, rather than calling in a couple of vendors afterwards to work out what happened and posting lists of IP addresses to a community forum. Having messed up itself, Snowflake is in no position to tell others to do better.
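As an added example (this is not Snowflake's published SQL or tooling), here is the hunt those handouts ask customers to run, written as a script over an exported LOGIN_HISTORY: match successful logins against the indicator list, find password-only logins with no second factor, and find logins from outside the networks an account-level network policy should allow. Column names follow Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; the rows, the indicator IPs and the allowed network are constructed from RFC 5737 documentation address ranges and are not real indicators.

```python
"""Triage an exported Snowflake LOGIN_HISTORY against an indicator list.

Added example, not Snowflake's own SQL or tooling. Column names follow the
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the rows, the indicator IPs and
the allowed network below are constructed from RFC 5737 documentation
ranges and are not real indicators of compromise.
"""
import csv
import io
import ipaddress

# Constructed sample export: six login events for five users.
LOGIN_HISTORY_CSV = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-05-20T08:01:12Z,ANALYST1,198.51.100.14,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-20T08:05:40Z,ETL_SVC,198.51.100.20,PYTHON_DRIVER,RSA_KEYPAIR,,YES
2024-05-21T02:13:09Z,ANALYST2,203.0.113.77,PYTHON_DRIVER,PASSWORD,,YES
2024-05-21T02:14:55Z,ANALYST2,203.0.113.77,PYTHON_DRIVER,PASSWORD,,YES
2024-05-22T11:30:00Z,ADMIN,203.0.113.90,JDBC_DRIVER,PASSWORD,,NO
2024-05-23T15:45:31Z,ANALYST3,192.0.2.8,SNOWFLAKE_UI,PASSWORD,,YES
"""

# Constructed stand-in for the vendor-supplied "associated with suspicious activity" list.
SUSPICIOUS_IPS = {"203.0.113.77", "203.0.113.90"}

# Constructed corporate egress range: what an account-level network policy should allow.
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_login_history(text: str) -> list:
    """Read the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def in_allowlist(ip: str, allowed_networks) -> bool:
    """True if the client address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_networks)


def triage(rows, suspicious_ips, allowed_networks) -> dict:
    """Apply three rules to successful logins and return the hits per rule.

    ioc_hit:           login from an IP on the indicator list (confirmed access)
    password_only:     password login with no second factor (all a stealer log needs)
    outside_allowlist: login from outside the allowed networks (no network policy in force)
    """
    findings = {"ioc_hit": [], "password_only": [], "outside_allowlist": []}
    for row in rows:
        if row["IS_SUCCESS"] != "YES":
            continue  # failures matter for brute-force hunting, not for confirmed access
        user, ip = row["USER_NAME"], row["CLIENT_IP"]
        if ip in suspicious_ips:
            findings["ioc_hit"].append((user, ip, row["EVENT_TIMESTAMP"]))
        if row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD" and not row["SECOND_AUTHENTICATION_FACTOR"]:
            findings["password_only"].append((user, ip))
        if not in_allowlist(ip, allowed_networks):
            findings["outside_allowlist"].append((user, ip))
    return findings


def users_to_lock(findings: dict) -> list:
    """Users with confirmed indicator logins: reset credentials and revoke sessions first."""
    return sorted({user for user, _, _ in findings["ioc_hit"]})


def users_without_mfa(findings: dict) -> list:
    """Users who have logged in with a password alone: enforce MFA before anything else."""
    return sorted({user for user, _ in findings["password_only"]})


if __name__ == "__main__":
    rows = parse_login_history(LOGIN_HISTORY_CSV)
    result = triage(rows, SUSPICIOUS_IPS, ALLOWED_NETWORKS)
    for rule, hits in result.items():
        print(f"{rule}: {hits}")
    print("lock first:", users_to_lock(result))
    print("no MFA:", users_without_mfa(result))
```

Against a real export and the real indicator list, the order of work is the order of the functions: users returned by `users_to_lock` get credentials reset and sessions revoked first, and everyone in `users_without_mfa` or the outside-allowlist set is a candidate for the MFA and network-policy enforcement that, as argued above, the vendor should have been requiring rather than leaving to each customer to discover after the fact.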

Applications composed of SaaS services make this even worse

The quest for faster application development by stitching together SaaS services means more accounts in more services, easily made public (or public by default), weakly authenticated, accessed over the internet, and scattered all over the place. Sign-up is easy and getting started is easy, which means less security from the start. It can even be done from personal laptops where info-stealing malware may be lurking. At this point, anywhere without robust MFA and IP allowlisting is a target.

Then we get the giant target

Snowflake is one of the most attractive targets to breach, simply because it hosts so much structured, valuable enterprise data. Any place where Snowflake's technology lets customers get away with weak authentication will be exploited. Snowflake must wake up to this fact and do better.

Where does this leave the trend?

More companies are questioning the cost vs. benefit of composing applications from cloud services and running databases on SaaS platforms. Not only does it cost more, it is statistically less secure. I personally think that co-locating services in customers' own cloud accounts and networks (and even data centres) is the best path forward for privacy: software can be developed and tested there, data platforms can run there, with no public ingress or egress and with users authenticated with MFA, preferably without passwords at all. Putting any service on a public network should require a thorough security evaluation, just as it did in the days of data centres, and anything made public should be automatically flagged and reviewed.

At Yellowbrick, we offer a cost-effective alternative to Snowflake for data warehousing and application analytics that doesn't need to be exposed to the public internet and can run in a decentralised fashion, in customers' own cloud accounts, to avoid the 'big painted target' problem. We call it the "private data cloud." That way it is fully secured and protected according to enterprise policy, avoiding these sorts of issues.