The Snowflake Breach: Reminders for Comprehensive Data Security

By now, most anyone concerned with data security has heard about the recently revealed security breaches on the Snowflake platform at Ticketmaster, Santander Bank, and possibly other customers. 

According to media reports, hackers accessed massive amounts of customer data by obtaining individual customer account credentials to Snowflake via targeted phishing, malware, or some other means. Snowflake is emphasizing that these breaches didn’t occur because of any compromise of the Snowflake platform.

Regardless of how the breaches occurred, these security incidents are yet another reminder that cyber breaches are inevitable. Somehow, some way hackers will gain access to your organization’s computer systems. The real question for organizations is not if a breach will occur but how damaging it could be.

And these days, data security is becoming increasingly complex. Cloud transformation is still going strong and now generative AI is further complicating how organizations track and protect their data.

Fortunately, organizations can implement a set of best practices and modern security tools (such as Bedrock) to ensure that even the most sophisticated cyber thieves can’t access customer information, intellectual property, or other critical information.

Five Steps to Breach-Proofing Your Data

Whether you use Snowflake or other cloud platforms and services, organizations need to follow a set of fundamental security practices to protect their most important data from exfiltration in the event of a breach.

#1: Manage Your Passwords

It is the most basic of security protections, but many breaches are often aided by hackers stealing an individual’s password from one site and using it on another. 

These recent breaches are a reminder that organizations must redouble their efforts to enforce basic password management best practices. This includes using a quality password manager that can help all employees generate robust passwords for any of their accounts, as well as ensuring employees routinely change their passwords. This greatly reduces the chances that an old password could be used to access another account.

This tactic goes well beyond data security and is essential for protecting all parts of a corporate network. There are many good tools on the market to help with this, but ultimately it is up to organizations to establish and enforce this best practice.

#2: Take Responsibility

In the cloud era, it has become a dangerous trend for organizations to assume cloud providers and SaaS platforms will offer all the security necessary to protect their data. This is simply not true.

Cloud computing is a shared responsibility. Cloud companies are obligated to ensure the security of their platform infrastructure. But organizations are responsible for their data, particularly since it rarely stays just on one computing environment.

As it is used, copied, and shared, organizations need to have full visibility into where that data is traveling and who has access to it. But the growing volume and variety of data and computing environments is making such visibility and control increasingly difficult. 

That is why Bedrock created a far more scalable and efficient data security platform to help organizations keep up with the growing demands of today’s data ecosystems. With Bedrock, organizations have full visibility into where their data is and who has access, regardless of computing environments or data repositories, both in the cloud and on-premises.

#3: Harden Your Data

A major aid in protecting against breaches from credential theft is multi-factor authentication (MFA). This ensures that even if a hacker obtains a legitimate password, they would still have to provide additional information to access an account. This is usually done by sending a code to a user’s personal device such as a cell phone or email address that the hacker doesn’t have access to.

There are also other techniques to “harden” data access such as tokenization, fingerprint scans, or security questions.

Regardless of these methods, organizations need to be able to apply the right level of data hardening to the right data. Common MFA techniques are appropriate for most applications, while tokenization or other methods are likely too onerous for all kinds of data.

For data hardening, the Bedrock Security platform makes it easy for organizations to apply the appropriate level of data protection to the right data, helping ensure the necessary security measures without slowing down the business. For example, organizations can use Bedrock to create tokenization policies to apply to customer data while assigning basic MFA protections to less critical data and applications.

#4: Enforce Least Privilege

Least privilege is a security concept that limits access to the minimum amount of data and resources required for an individual to carry out specific tasks.

This seems like an obvious security tactic but the increasing speed of business and growing complexity of computing environments (SaaS, multi-cloud, on-premises) are making least privilege difficult to consistently enforce.

In particular, access to certain data is needed only on a temporary basis. Often, access is granted but then left open well after the need has passed. At the same time, employees or outside contractors might be granted access to one application or data repository that allows them secondary access to other resources.

Bedrock helps with both these issues. It is easy to set up a policy to provide access to a specific dataset for a limited time period and to restrict access to sensitive data types to only those people who need it for their job. And, critically, Bedrock excels at identifying unintended data access routes by comprehensively walking the entire access entitlement tree to identify secondary and tertiary routes to other data sources. It can even provide a “blast radius” map to show all the resources that could be reached by an individual account in the case it is compromised.

#5: Keep Data Where It Belongs

Snowflake is a data analytics environment. In most cases, it should not permanently store highly sensitive data such as financial information. Certainly, some data needs to be there to conduct data science work. But once that is done, sensitive data needs to be removed and live only in its main data store where it can be more securely protected. Any use of sensitive data should be time-limited and tightly scoped.

Snowflake is just one example of this challenge. Modern data is being copied and moved in and out of all kinds of environments, all the time.

Organizations need to have the visibility and control to always know where their sensitive data is and who is using it. Data teams can use Bedrock to conduct comprehensive inventories on platforms like Snowflake to quickly understand if any critical data is there and how it is being used.

And with Bedrock, organizations can further minimize data exposure by setting policies that automatically remove data from an environment if it is not being used. 

Breach-Proofing Your Data

The recent news about the Snowflake incident is a reminder that it is impossible for organizations to stop cyber breaches. But with the right data security practices in place, organizations can effectively safeguard sensitive data to ensure such attacks don’t cause significant harm to their business.

To learn more about how Bedrock Security can make modern data security easy for your organization, contact our experts today.