Snowflake has announced it will allow admins to enforce multi-factor authentication (MFA) for all users in the wake of the disastrous data breach in May.
In an advisory to customers, Snowflake CISO Brad Jones said MFA will now be enabled by default for new accounts, and the new security policy will give admins the power to impose mandatory MFA practices.
The changes will also include new prompts for users on the Snowsight platform to enable MFA in a bid to drive adoption, Jones said.
“We’re taking steps to promote individual compliance for Snowflake users,” he said. “Starting today, when users without MFA log on to Snowsight, they will be prompted to enable MFA and guided through the configuration steps”.
This prompt can be dismissed, Jones noted, but will reappear within three days if MFA still hasn’t been configured.
Alongside the new policies, Jones confirmed the general availability of the Snowflake Trust Center Security Essentials scanner package. This, he said, will help “mitigate credential theft issues” by confirming whether MFA compliance is being adhered to.
This will also be enabled by default and will be made available to customers free of charge across all Snowflake editions.
“In addition to checks provided by the Security Essentials scanner package, we are also happy to announce general availability of the Trust Center CIS Benchmarks scanner package, which contains more scanners that evaluate your account against the CIS Snowflake Foundations Benchmark,” Jones added.
“These scanners, for example, can detect overprivileged entities, stale users who have not logged in for the past 90 days, ACCOUNTADMIN grants and more.
“We will continue adding features to the Trust Center to help Snowflake customers better detect threats and attacks against their accounts. We will share more details in upcoming months.”
Snowflake isn’t taking any chances
The update from Snowflake follows a lengthy investigation into a highly disruptive breach in May which saw more than 100 customers impacted globally.
Snowflake first discovered unauthorized access to user accounts in late May. This allowed threat actors to access demo accounts and customer environments. Several major organizations, including Ticketmaster and Santander, were affected by the breach.
The incident sparked a major war of words between Snowflake and industry stakeholders, with Jones specifically highlighting that the attack targeted users with single-factor authentication on their production environments.
Javvad Malik, lead security awareness advocate at KnowBe4, said the changes are a positive response from the company that will bolster customer security.
“It’s good to hear that Snowflake is enabling MFA by default. From an account protection perspective, MFA is probably one of the single most effective controls to have in place,” he said.
“Given all the attacks against accounts, including credential stuffing - more organizations should enable MFA by default.”
Malik noted, however, that MFA can only go so far. With threat actors employing increasingly sophisticated social engineering techniques, there is still room for the exploitation of individuals.
“Simply implementing a control like MFA is sometimes not enough. Social engineering can still bypass the best of controls,” he said.
“Therefore, a strong security culture needs to be created whereby people understand the importance of MFA and how to ensure they are using it correctly. Only through a unified approach of people, processes, and technology can we build organizations which are resilient to attacks."
