Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Best Practices to Secure Data Access in Snowflake

Published 08/08/2024

Best Practices to Secure Data Access in Snowflake

Originally published by Oasis Security.


In the last few days, there has been a lot of noise about an alleged Snowflake breach that impacted several companies' supply chains. While the details remain unconfirmed, it appears that the attack is once more identity-based. It is important to remain vigilant and ensure we are doing everything in our power to maximize the security posture of mission-critical systems that store sensitive data. In this article, we want to share best practices for implementing secure data access to Snowflake by humans and machines.

Access Control in Snowflake

Snowflake uses various authentication methods for user accounts, including passwords combined with multi-factor authentication (MFA), client certificates, and OAuth2 tokens. An important aspect to be aware of is that Snowflake doesn’t use different types of accounts for humans and machines - in Snowflake, a user is a user regardless if human or not. It is a common best practice for organizations to follow a standardized naming convention for service accounts, a type of non-human identity (NHI) used for integrations and automated processes such as sfdc_svc_connector or api_usr. These accounts typically authenticate using certificates or OAuth2 tokens and, in some legacy systems, a password.

Snowflake recommends the following security measures:

  1. Enforce Multi-Factor Authentication on all accounts;
  2. Set up Network Policy Rules to only allow authorized sources or only allow traffic from trusted locations;
  3. Reset and rotate Snowflake credentials.

Furthermore, we recommend taking an additional step and disabling Snowflake password authentication for human users if your company has implemented a single sign-on (SSO) solution.

Best Practices to Secure Program Access to Snowflake

Securing Snowflake user accounts used by programs and presents a unique challenge. These user accounts that often have wide-ranging privileges, but, like other Non-Human Identities, can’t rely on smartphones or other devices to support MFA. So, while employees enter codes from their mobile apps, these non-human users can’t and therefore are at higher risk.

To account for the different nature of NHIs, we recommend implementing the following security best practices:

  1. Contextual Visibility: Create and maintain a real-time inventory of NHIs with contextual information about consumers, owners, and access patterns. This helps identify unusual or unauthorized activities quickly.
  2. Rotate Credentials Regularly: To minimize the risk of unauthorized access, rotate credentials and secrets associated with NHIs regularly.
  3. Right-Size Privileges: Ensure that NHIs have the right level of necessary privileges required for their purpose. Overprivileged accounts increase the attack surface.
  4. Remove stale accounts: Ensure that accounts that are no longer in use, for example, user or program accounts previously owned by an offboarded employee, are properly and promptly decommissioned.

Share this content on your favorite social network today!