Understanding the Shared Responsibility Model in SaaS
Published 08/13/2024
Originally published by Valence.
Written by Jason Silberman.
The recent attacks targeting data in customers of Snowflake, a SaaS application focused on data storage, serve as a critical reminder of the importance of understanding the Shared Responsibility Model in SaaS security. While initial reports claimed threat actors had breached Snowflake's production system to compromise data at companies like Santander Bank and Ticketmaster, the situation unfolded differently.
Snowflake clarified that there was no internal vulnerability or misconfiguration within their platform exploited. Mandiant, who subsequently conducted an independent investigation, found no evidence “to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment.” Instead, attackers gained unauthorized access to Snowflake customer environments through two main methods:
- Compromised Customer Credentials: Attackers obtained login credentials for Snowflake accounts, likely through unrelated cyberattacks like malware infections or previous data breaches. These stolen credentials might have been for personal or work accounts, reused across different platforms.
- Lack of Multi-Factor Authentication (MFA): The threat actors were able to successfully target accounts with single-factor authentication. Armed with the stolen credentials with a high level of access, they had a clear path to access the Snowflake customer environments. Even with compromised credentials, additional security measures like MFA can significantly hinder attackers. Unfortunately, the targeted Snowflake customer accounts lacked MFA, allowing attackers relatively easy access once they had valid login credentials.
This incident underscores a critical aspect of SaaS security: the Shared Responsibility Model.
What is the Shared Responsibility Model?
The Shared Responsibility Model in SaaS defines the security boundaries between the SaaS provider (a SaaS vendor like Snowflake) and its customers. It outlines the specific security controls each party is responsible for within the SaaS ecosystem. Imagine the security of your SaaS environment as a well-maintained bridge. The SaaS provider builds the core structure, ensuring a strong foundation (physical, application, and network security). However, the railings, signage, and upkeep (data security, access controls, user behavior) are your responsibility as the customer.
SaaS Security is a Collaborative Effort
SaaS Provider Responsibilities
In the Shared responsibility Model, the SaaS provider is responsible for securing the underlying infrastructure of the application. Breaking it down into more detail, the provider is responsible for:
Secure Platform Design: Designing a secure platform with robust features like strong password policies and MFA prompts, nudging customers towards best practices and reducing reliance on user enrollment. Building MFA into cloud services by design is a cornerstone of the Cybersecurity and Infrastructure Security Agency’s secure-by-design principles. Enforcing MFA by default whenever possible. Notably, Snowflake’s CISO Brad Jones talked vaguely about future plans to require customers to implement MFA, something other SaaS providers like Microsoft have begun to do.
Physical Security: This includes securing data centers, with access control systems and security cameras, as well as implementing environmental controls like fire suppression and temperature regulation to protect hardware.
Network Security: Securing the network infrastructure with firewalls and intrusion detection/prevention systems, and segmenting the network to isolate customer data and prevent unauthorized access.
System and Application Security: Regular patching and updating operating systems and databases, implementing secure coding practices, and data encryption at rest and in transit are crucial.
Vulnerability Management: The SaaS provider should continuously scan for vulnerabilities and prioritize remediation. Any critical vulnerabilities must be communicated to customers immediately.
Incident Response: A documented plan for detecting, responding to, and recovering from security incidents, with clear communication to customers.
SaaS Customer Responsibilities
While Snowflake is responsible for offering a secure platform, SaaS customers, like those in the recent incidents, are ultimately responsible for securing access to the data in their accounts. This includes enforcing strong authentication, restricting network access, and implementing basic security hygiene. Responsibilities include:
Enforcing Strong Authentication: Implement strong authentication measures including MFA and Single Sign-On (SSO) for all accounts and enforce strong password policies with regular rotations.
Securing Data: This includes data encryption, knowing where your data resides and which is of a sensitive nature, and implementing monitoring capabilities to see when data is transferred or shared both internally and externally.
Granular Access Controls: Follow the principle of least privilege (PoLP), granting users only the access they need. Regularly review and audit access, and ensure proper user lifecycle management (including offboarding from all applications). Deprovisioning dormant accounts helps to reduce the attack surface.
Maintaining Hygiene: Educate users on cybersecurity best practices (phishing awareness), vet third-party application security practices, and monitor user activity for suspicious behavior.
Governing SaaS-to-SaaS Integrations: Carefully evaluate the security posture of third-party SaaS applications before integrating them, understand and govern data flows between integrated SaaS applications. In addition, closely audit non-human identities (API keys, OAuth token, and service accounts) that power these integrations and revoke inactive and unnecessary ones.
Threat Monitoring and Threat Hunting: Continuously monitor user activity for anomalies and suspicious behaviors that might indicate a potential breach. Proactively hunt for threats within your SaaS environment to identify and address hidden vulnerabilities. Mandiant created a useful threat hunting guide for Snowflake customer environments.
Implementing the Shared Responsibility Model:
Effective implementation of the Shared Responsibility Model requires both parties to be proactive. Customers should leverage the security features offered by the SaaS provider and prioritize data security practices. SaaS vendors, in turn, should continuously improve their security posture and educate customers on best practices.
Beyond the Model - Additional Considerations
- Regular Risk Assessments: Conducting regular risk assessments of SaaS environments identifies potential vulnerabilities and facilitates proactive mitigation strategies.
- Communication and Transparency: Open communication between customers and vendors is essential for building trust and addressing security concerns effectively.
By understanding and implementing the Shared Responsibility Model, both customers and SaaS providers can create a robust security posture in the cloud, minimizing the risk of such breaches.
Related Articles:
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Why Application-Specific Passwords are a Security Risk in Google Workspace
Published: 11/19/2024
Group-Based Permissions and IGA Shortcomings in the Cloud
Published: 11/18/2024
9 Tips to Simplify and Improve Unstructured Data Security
Published: 11/18/2024