What the Snowflake data breaches tell us about cloud security

  • Snowflake has been under the microscope after customers including AT&T and Ticketmaster were hacked

  • Experts said the breaches weren't necessarily Snowflake's fault

  • We've got tips for enterprises seeking to better evaluate cloud security

Snowflake has been caught in a heatwave of late. No, we don’t mean the temperature, but a string of customer data breaches that have thrust it into an unwanted spotlight. But were these just a series of unfortunate events, or can they tell us something about cloud security more broadly?

First, there’s the question of who’s to blame for the breaches. Data cloud provider Snowflake (SNOW:NYSE) is the common denominator in the breaches AT&T, Ticketmaster and others suffered. But Snowflake has insisted – with backup from CrowdStrike and Mandiant – that it wasn’t at fault.

So, what’s the truth? Well, it comes down to lax security practices.

“The breach was caused by exploiting the inherent vulnerability of single-factor credentials – stolen Snowflake customer credentials – that were then used in a credential-stuffing attack to gain access to the customer's databases,” Semperis principal technologist Sean Deuby told Fierce.

He continued: “It underscores the need to clearly understand what the customer is responsible for and what the provider is responsible for in the shared responsibility SaaS model. It's all well and good that a vulnerability wasn't exploited, but poor password policy enforcement – no MFA enforced password change on leaked credentials notice – on Snowflake's part makes the threat actor's work that much easier.”

In some ways, Snowflake and its customers should have seen this coming.

Matt Shelton, Head of Threat Research and Analysis at Google Cloud, said that aside from misconfigurations, identity and access management is the biggest point of vulnerability in cloud platforms of any size.

In fact, attacks using weak or missing credentials accounted for 47% of intrusions in the first half of 2024, according to Google Cloud’s Threat Horizons report covering that period. (See chart below.)

[Chart: Google Cloud Threat Horizons Report 2024, Initial Access Vectors of Concern (H1 2024)]

“When data is stored in the cloud without any safeguards like MFA or IAM, you’re making it incredibly easy for threat actors to access a trove of data with just credentials,” Shelton explained. “They don’t even need to spend time or resources to create any sophisticated backdoors or malware like they would with an on-prem system.”

What can help prevent attacks like the ones against AT&T from happening, Shelton said, are provisions like Zero Trust controls to effectively manage who can tap into an enterprise’s cloud environment.
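The pattern Deuby and Shelton describe – a burst of password-only failures from one source across several usernames, followed by a success with no second factor – is detectable in login telemetry. The following is an added example, not code from the article, from Snowflake, or from the quoted experts. The record fields are modelled on the columns of Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY view (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS); the login rows, IP addresses and thresholds are constructed for illustration and are assumptions, not real data.

```python
"""Hunt for credential-stuffing bursts and single-factor password logins.

Added example. Record shape mirrors Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY
columns; all sample data below is constructed, not real login history.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    first_authentication_factor: str      # e.g. PASSWORD, SAML2_ASSERTION
    second_authentication_factor: Optional[str]  # e.g. DUO_PUSH, or None
    is_success: bool


def _t(hhmm: str) -> datetime:
    """Helper: a clock time on a fixed (constructed) day."""
    return datetime(2024, 6, 1, int(hhmm[:2]), int(hhmm[3:]))


def constructed_events() -> list[LoginEvent]:
    """Constructed sample login history (RFC 5737 documentation addresses)."""
    stuffer = "203.0.113.7"
    rows = [
        # stuffing burst: four usernames, six failures, then a password-only success
        ("10:00", "alice", stuffer, "PASSWORD", None, False),
        ("10:01", "bob",   stuffer, "PASSWORD", None, False),
        ("10:01", "carol", stuffer, "PASSWORD", None, False),
        ("10:02", "dave",  stuffer, "PASSWORD", None, False),
        ("10:03", "alice", stuffer, "PASSWORD", None, False),
        ("10:04", "bob",   stuffer, "PASSWORD", None, False),
        ("10:06", "carol", stuffer, "PASSWORD", None, True),
        # ordinary traffic: MFA-backed password login, SSO login, one typo then MFA
        ("09:30", "bob",   "198.51.100.22", "PASSWORD", "DUO_PUSH", True),
        ("09:45", "alice", "192.0.2.10",    "SAML2_ASSERTION", None, True),
        ("11:00", "dave",  "192.0.2.44",    "PASSWORD", None, False),
        ("11:01", "dave",  "192.0.2.44",    "PASSWORD", "DUO_PUSH", True),
    ]
    return [LoginEvent(_t(ts), u, ip, f1, f2, ok) for ts, u, ip, f1, f2, ok in rows]


def single_factor_password_logins(events: list[LoginEvent]) -> list[str]:
    """Users who successfully logged in with a password and no second factor.

    SSO logins (SAML2_ASSERTION) are deliberately not flagged here: the second
    factor, if any, lives with the identity provider and is not reported.
    """
    return sorted({
        e.user_name for e in events
        if e.is_success
        and e.first_authentication_factor == "PASSWORD"
        and e.second_authentication_factor is None
    })


def stuffing_sources(events: list[LoginEvent],
                     window: timedelta = timedelta(minutes=10),
                     min_failures: int = 5,
                     min_users: int = 3) -> dict:
    """Flag client IPs that, within `window` before a successful login, failed at
    least `min_failures` times across at least `min_users` distinct usernames.
    A single user mistyping a password stays below the thresholds."""
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.client_ip].append(e)

    findings: dict = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.event_timestamp)
        for i, e in enumerate(evs):
            if not e.is_success:
                continue
            prior = [p for p in evs[:i]
                     if not p.is_success
                     and e.event_timestamp - p.event_timestamp <= window]
            tried = {p.user_name for p in prior}
            if len(prior) >= min_failures and len(tried) >= min_users:
                f = findings.setdefault(ip, {"failed_attempts": 0,
                                             "distinct_users_tried": set(),
                                             "compromised_users": set()})
                f["failed_attempts"] = max(f["failed_attempts"], len(prior))
                f["distinct_users_tried"] |= tried
                f["compromised_users"].add(e.user_name)
    # sets -> sorted lists so the result is stable and serialisable
    return {ip: {"failed_attempts": f["failed_attempts"],
                 "distinct_users_tried": sorted(f["distinct_users_tried"]),
                 "compromised_users": sorted(f["compromised_users"])}
            for ip, f in findings.items()}


if __name__ == "__main__":
    ev = constructed_events()
    print("password-only logins:", single_factor_password_logins(ev))
    print("stuffing sources:", stuffing_sources(ev))
```

On a real account the same logic runs over rows exported from ACCOUNT_USAGE.LOGIN_HISTORY (or a SIEM copy of it); accounts that appear in both lists are the ones to lock and re-credential first, and the source IPs are candidates for a network policy block. The thresholds are a starting point, not a standard.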

Snowmelt?

But blameless or not, the breaches aren’t a good look for Snowflake. Especially not with AT&T explicitly naming it as the third-party cloud platform that was accessed. Will the incidents send customers running into the arms of hyperscale rivals? And would they be any safer if they did make such a move?

The answer to the first question is tricky.

“It's difficult to tell how Snowflake customers including AT&T will respond. As we saw with the SolarWinds incident, no cloud service provider is immune to attack and compromise, which can come in many different flavors,” neXt Curve’s Leonard Lee told us via email. That said, “the data breach does not bode well for Snowflake and raises the question about the security measures and practices they had in place in preventing the incident such as mandating MFA (Multi-Factor Authentication).”

Cybersecurity experts often say the best thing an organization can do to protect itself is practice basic hygiene regardless of its cloud provider, he added.

“Oftentimes catastrophe can be averted by implementing and practicing the basics well,” Lee said.

And as for the second question – are hyperscalers inherently a safer bet? Not so fast.

“Data cloud platforms are able to implement the same cloud security controls as hyperscale cloud platforms. These security controls can be implemented with varying levels of effectiveness which makes it important for enterprises to select a trusted cloud provider,” Shelton said. “Enterprises should focus on understanding the security measures offered by their cloud provider and supplementing them with additional controls as needed.”

Shelton added enterprises seeking to evaluate a cloud provider’s security should ask some of the following questions:

  • How does the cloud provider handle data sovereignty and data protection requirements?
  • How do they handle identity and access management?
  • What security measures are in place to protect against misconfigurations?
  • How does the cloud provider detect and respond to threats?
  • What does the cloud provider do to address third-party software risk?

At the close of market today, Snowflake shares were trading at $135.10, down 0.81%.

Read more about the AT&T data breach via our coverage below:

AT&T fallout ensues after massive data heist

AT&T cell, text records exposed in massive breach