Best Practices to Secure Data Access in Snowflake
Published 08/08/2024
Originally published by Oasis Security.
In the last few days, there has been a lot of noise about an alleged Snowflake breach that impacted several companies' supply chains. While the details remain unconfirmed, it appears that the attack is once more identity-based. It is important to remain vigilant and ensure we are doing everything in our power to maximize the security posture of mission-critical systems that store sensitive data. In this article, we want to share best practices for implementing secure data access to Snowflake by humans and machines.
Access Control in Snowflake
Snowflake uses various authentication methods for user accounts, including passwords combined with multi-factor authentication (MFA), client certificates, and OAuth2 tokens. An important aspect to be aware of is that Snowflake doesn’t use different types of accounts for humans and machines - in Snowflake, a user is a user regardless if human or not. It is a common best practice for organizations to follow a standardized naming convention for service accounts, a type of non-human identity (NHI) used for integrations and automated processes such as sfdc_svc_connector or api_usr. These accounts typically authenticate using certificates or OAuth2 tokens and, in some legacy systems, a password.
Snowflake recommends the following security measures:
- Enforce Multi-Factor Authentication on all accounts;
- Set up Network Policy Rules to only allow authorized sources or only allow traffic from trusted locations;
- Reset and rotate Snowflake credentials.
Furthermore, we recommend taking an additional step and disabling Snowflake password authentication for human users if your company has implemented a single sign-on (SSO) solution.
Best Practices to Secure Program Access to Snowflake
Securing Snowflake user accounts used by programs and presents a unique challenge. These user accounts that often have wide-ranging privileges, but, like other Non-Human Identities, can’t rely on smartphones or other devices to support MFA. So, while employees enter codes from their mobile apps, these non-human users can’t and therefore are at higher risk.
To account for the different nature of NHIs, we recommend implementing the following security best practices:
- Contextual Visibility: Create and maintain a real-time inventory of NHIs with contextual information about consumers, owners, and access patterns. This helps identify unusual or unauthorized activities quickly.
- Rotate Credentials Regularly: To minimize the risk of unauthorized access, rotate credentials and secrets associated with NHIs regularly.
- Right-Size Privileges: Ensure that NHIs have the right level of necessary privileges required for their purpose. Overprivileged accounts increase the attack surface.
- Remove stale accounts: Ensure that accounts that are no longer in use, for example, user or program accounts previously owned by an offboarded employee, are properly and promptly decommissioned.
Related Articles:
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Why Application-Specific Passwords are a Security Risk in Google Workspace
Published: 11/19/2024
Top Threat #5 - Third Party Tango: Dancing Around Insecure Resources
Published: 11/18/2024
Group-Based Permissions and IGA Shortcomings in the Cloud
Published: 11/18/2024