Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Don't miss out! Join us for the free, virtual Global AI Symposium from October 22nd - 24th—register today!

Best Practices to Secure Data Access in Snowflake

Published 08/08/2024

Home
Industry Insights
Best Practices to Secure Data Access in Snowflake

Originally published by Oasis Security.


In the last few days, there has been a lot of noise about an alleged Snowflake breach that impacted several companies' supply chains. While the details remain unconfirmed, it appears that the attack is once more identity-based. It is important to remain vigilant and ensure we are doing everything in our power to maximize the security posture of mission-critical systems that store sensitive data. In this article, we want to share best practices for implementing secure data access to Snowflake by humans and machines.

Access Control in Snowflake

Snowflake uses various authentication methods for user accounts, including passwords combined with multi-factor authentication (MFA), client certificates, and OAuth2 tokens. An important aspect to be aware of is that Snowflake doesn’t use different types of accounts for humans and machines - in Snowflake, a user is a user regardless if human or not. It is a common best practice for organizations to follow a standardized naming convention for service accounts, a type of non-human identity (NHI) used for integrations and automated processes such as sfdc_svc_connector or api_usr. These accounts typically authenticate using certificates or OAuth2 tokens and, in some legacy systems, a password.

Snowflake recommends the following security measures:

  1. Enforce Multi-Factor Authentication on all accounts;
  2. Set up Network Policy Rules to only allow authorized sources or only allow traffic from trusted locations;
  3. Reset and rotate Snowflake credentials.

Furthermore, we recommend taking an additional step and disabling Snowflake password authentication for human users if your company has implemented a single sign-on (SSO) solution.

Best Practices to Secure Program Access to Snowflake

Securing Snowflake user accounts used by programs and presents a unique challenge. These user accounts that often have wide-ranging privileges, but, like other Non-Human Identities, can’t rely on smartphones or other devices to support MFA. So, while employees enter codes from their mobile apps, these non-human users can’t and therefore are at higher risk.

To account for the different nature of NHIs, we recommend implementing the following security best practices:

  1. Contextual Visibility: Create and maintain a real-time inventory of NHIs with contextual information about consumers, owners, and access patterns. This helps identify unusual or unauthorized activities quickly.
  2. Rotate Credentials Regularly: To minimize the risk of unauthorized access, rotate credentials and secrets associated with NHIs regularly.
  3. Right-Size Privileges: Ensure that NHIs have the right level of necessary privileges required for their purpose. Overprivileged accounts increase the attack surface.
  4. Remove stale accounts: Ensure that accounts that are no longer in use, for example, user or program accounts previously owned by an offboarded employee, are properly and promptly decommissioned.
Cloud Security Services ManagementData SecurityIdentity and Access Management

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Access the Cybersecurity Awareness Month Bundle
Download the NIST CSF v2 Cloud Community Profile
Strategies for AI Governance & Compliance
Trending This Week
#1 What is a Feistel Cipher?
#2 The 5 SOC 2 Trust Services Criteria Explained
#3 Mechanistic Interpretability 101
#4 Top Takeaways From the Gartner Innovation Insight: Data Security Posture Management
#5 AI Safety vs AI Security: Navigating the Commonality and Differences
Enhance your cloud security skills with CSA's online training options.
Related Articles:
7 Ways Data Access Governance Increases Data ROI

Published: 10/23/2024

The Current Landscape of Global AI Regulations

Published: 10/22/2024

Optimizing Secrets Management to Enhance Security and Reduce Costs

Published: 10/22/2024

Top Threat #4 - Cloudy with a Chance of Breach: The Cloud Security Strategy Storm

Published: 10/21/2024