Experts weigh in on Snowflake database MFA features
In response to a wave of recent attacks on customers, Snowflake introduces new authentication offerings that enable administrators to require MFA for all user accounts.
Snowflake introduced new MFA enforcement options to its platform after a wave of customers suffered identity attacks in recent weeks.
In late May, the cloud storage and analytics giant confirmed that a threat actor tracked as UNC5537 used stolen credentials against a number of its database customers. Cloud security vendor Mitiga, which published the initial research surrounding the campaign, said UNC5537 was using a custom attack tool to primarily target select customers that did not have MFA enabled.
In early June, Snowflake published a joint statement along with Mandiant and CrowdStrike, which were assisting the vendor with incident response, stating that the trio had found no evidence that a vulnerability or misconfiguration was exploited as part of the campaign or that a breach of Snowflake's platform had occurred.
Moreover, the statement claimed that UNC5537's campaign used stolen credentials that were either purchased or obtained via infostealer malware to target users relying on single-factor authentication. At the time, Snowflake urged customers to enforce MFA on all accounts and set up network policy rules to control user traffic.
In the weeks since Snowflake's disclosure, a number of breaches have been linked to UNC5537's attacks, including those against Ticketmaster, Santander Bank, Neiman Marcus and, most recently, AT&T. Mandiant, which is owned by Google Cloud, said it and Snowflake had identified 165 potentially affected organizations as of June 10.
In an effort to curb further activity and prevent similar campaigns in the future, Snowflake on July 9 launched features that enable customer administrators to make MFA mandatory. Snowflake CISO Brad Jones and Anoosh Saboori, Snowflake principal product manager, said in a blog post that the company will prompt users to set up MFA, enable admins to enforce security by default and enable customers to monitor user adherence to MFA enforcement policies.
"Soon, Snowflake will require MFA for all human users in newly created Snowflake accounts," Jones and Saboori wrote. "We recommend that all customers start using MFA authentication policies and Trust Center now to prepare their environments, and watch for additional features in the coming months."
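The mitigations Snowflake recommends above (MFA authentication policies, network policy rules and monitoring of MFA adherence) expressed as account-level SQL, as an added example that is not part of the article or of Snowflake's own material; the object names and the IP range are constructed placeholders, and the statement syntax and LOGIN_HISTORY column names are assumed from the author's reading of Snowflake's documentation rather than stated on the page.

```sql
-- Added example, not from the article: enforce MFA enrollment, restrict
-- login sources, and report logins that completed without a second factor.
-- Object names and the IP range are constructed placeholders.
USE ROLE ACCOUNTADMIN;

-- 1. MFA enrollment policy. The weak setting is the pre-incident default,
--    MFA_ENROLLMENT = OPTIONAL (users had to opt in themselves);
--    the corrected setting is REQUIRED.
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Require MFA enrollment for every human user';

-- Bind the policy at account level so it applies to all users.
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 2. Network policy: accept logins only from known corporate egress ranges.
--    203.0.113.0/24 is a documentation range used here as a placeholder.
CREATE NETWORK POLICY corp_egress_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Placeholder corporate egress range';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_policy;

-- 3. Adherence monitoring: successful password logins in the last 7 days
--    that did not present a second factor. A non-empty result means the
--    policy has not yet taken effect for these users, or they are service
--    accounts that need a non-password credential instead.
SELECT user_name,
       client_ip,
       reported_client_type,
       event_timestamp
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp > DATEADD('day', -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

The monitoring query is the check to schedule before and after binding the policy: the count of rows it returns should fall to zero for human users once enrollment is enforced.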
TechTarget Editorial asked Snowflake why the company opted not to make MFA mandatory across the board, but a spokesperson declined to comment. Some companies such as AWS and GitHub have rolled out mandatory MFA requirements to protect customer accounts against identity-based attacks.
Jason Soroko, senior vice president of product at certificate lifecycle management vendor Sectigo, said Snowflake could have made the feature partially optional for multiple reasons, with a primary one being user experience.
"Prioritizing user experience, they likely aimed to ensure ease of access while minimizing login friction for users," Soroko said. "Balancing security with market demands for simplicity and ease of use could have influenced their decision, as they sought to remain competitive while catering to user preferences."
Analysts and experts weigh in
Todd Thiemann, senior analyst at TechTarget's Enterprise Strategy Group, said Snowflake's new enablement features are a "huge step in the right security direction" and that he expects other cloud services will take similar steps.
"MFA is one of the single most effective security controls available, and more organizations should enable MFA by default," he said. "Snowflake previously had MFA available as an opt-in feature, and there was no prompt for users to enroll in MFA. Users had to navigate into account settings that were buried deep in Snowflake's user interface to enable MFA. I don't think that Snowflake was alone in taking this approach, but they learned from the damage that resulted."
Merritt Maxim, vice president and research director at Forrester Research, told TechTarget Editorial that it is "still discouraging at times" to see organizations make MFA optional and not a requirement. But he acknowledged that because of the nonideal user experience it creates, many organizations have chosen to make MFA optional but highly recommended.
"We know that from a risk-return standpoint, implementing MFA is one of the best security investments you can make to protect yourself against hackers. It doesn't prevent hacks completely, but it is a known and proven mechanism for stopping attacks," Maxim said. "To make it optional and not force enrollment, it's one step forward, but kind of a half-step back."
Similarly, Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, said that "anytime you leave a security choice to admins, they will likely choose ease of use over security."
"If you're going to implement MFA, it should be mandatory rather than optional. Because if you leave it optional, chances are it will remain off," Childs said.
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.