What Can Be Learned from the Snowflake Breach?

11 Jun, 2024
6 min read

In the past few weeks, Snowflake, a leading cloud-based data storage and analytics provider, has found itself at the center of a cybersecurity controversy. Reports of the Snowflake breach have emerged, suggesting unauthorized access to its systems, which may have compromised sensitive data belonging to multiple high-profile clients and affecting hundreds of millions of customers. The threat actor is believed to be using customer credentials harvested by Lumma Stealer, malware that logs keystrokes and other activity on infected machines.

Although the full details of the breach and its origins are not yet known, some key insights have already become public:

  • Snowflake became aware of potentially unauthorized access to certain customer accounts in May 2024.
  • In a statement, Snowflake suggested the breach resulted from compromised customer credentials rather than a Snowflake misconfiguration.
  • Quickly thereafter, offers to sell customers’ data began appearing on various marketplaces, covering information on more than 560 million people. The hacker claimed to have names, addresses, email addresses, phone numbers, some credit card details, ticket sales, order details, and more.

Practical Measures You Need to Take

  • Implement MFA across your privileged users and technology stack.
  • Monitor and alert in real-time on data access and data processing behavioral anomalies.
  • Enforce Zero-Trust access control for privileged users: passwordless, governed access combined with sensitive data protection that restricts both which data can be accessed and which operations can be performed.
  • Protect data at rest with client-side encryption and full key segregation, ensuring sensitive data classifications cannot be compromised while on-cloud or when accessed by unauthorized users.

Securing Data in Cloud Platforms

End-to-End Cloud Data Security with Client-Side Encryption

De-identification is a broad term covering an extensive set of methods to protect data, including dynamic data masking, physical masking, encryption, tokenization, pseudonymization, anonymization, and others. Enforcing client-side encryption over data at rest restricts access to the data for everyone by default, while allowing only selected users with a valid purpose to gain access to it. This ensures DBAs, administrators, cloud providers, and other third-party contractors cannot access sensitive data, even at the infrastructure layer.

To achieve this, data needs an additional layer of security: de-identification with full key segregation while ensuring access on a need-to-know basis using the ABAC model, without compromising business operations. De-identification is becoming even more important (and complex) for multinational organizations looking to leverage cloud data platforms as organization-wide analytics platforms. Global operations mean not only GDPR, CCPA, and other privacy regulations but also data sovereignty.

SecuPi enforces strict security models over sensitive data, enabling enforcement of data privacy, sovereignty, PCI4, and healthcare regulatory requirements on sensitive data stored in cloud platforms. SecuPi’s client-side encryption is specifically designed to ensure sensitive data is always secured, from ingestion to consumption, with full key segregation (Hold Your Own Key – HYOK) and is only decrypted on the client-side, and only for authorized users. This approach allows organizations to easily govern and control all data access and data-processing transactions while enforcing end-to-end data security on their cloud data platforms, analytical workloads, and data consumers, ensuring that clear-text data is NEVER accessible globally, and can only be decrypted locally on a need-to-know basis at a defined location.

SecuPi’s client-side encryption offers future-proof technology with an enhanced data security posture, ensuring data is never compromised while stored and processed on a cloud platform, and reducing security TCO (Total Cost of Ownership). The SecuPi centralized management server is deployed in the customer’s VPC, and self-contained, distributed enforcers are installed at various points across the data environment:

  • The data ingestion/ETL/streaming layer: enforcing encryption of sensitive data upon ingestion (the key is never shared with the CSP).
  • The data consumption layer: enforcing fine-grained access control based on all required attributes before critical data is re-identified, ensuring access on a need-to-know basis.
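The following is an added illustration of the key-segregation (HYOK) idea described above, not SecuPi’s code: the tenant holds the data key, an ingestion enforcer encrypts sensitive columns before a row is written to the cloud store, and a consumption enforcer re-identifies the data on the client side only. The cipher is a toy HMAC-SHA256 counter-mode construction with an HMAC tag standing in for a real AEAD such as AES-GCM (so the block runs with the standard library alone); the key, record and column names are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List

NONCE_LEN = 12
TAG_LEN = 16


def _subkeys(tenant_key: bytes):
    """Derive separate encryption and MAC keys from the tenant-held key."""
    enc_key = hashlib.sha256(b"enc|" + tenant_key).digest()
    mac_key = hashlib.sha256(b"mac|" + tenant_key).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for a vetted AEAD keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(tenant_key: bytes, plaintext: str) -> str:
    """Encrypt one field value before it leaves the client; returns a hex token."""
    enc_key, mac_key = _subkeys(tenant_key)
    nonce = os.urandom(NONCE_LEN)
    pt = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return (nonce + ct + tag).hex()


def decrypt_field(tenant_key: bytes, token: str) -> str:
    """Decrypt on the client side only; a wrong key or tampered token fails closed."""
    enc_key, mac_key = _subkeys(tenant_key)
    raw = bytes.fromhex(token)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def ingest(store: List[Dict[str, str]], tenant_key: bytes,
           record: Dict[str, str], sensitive: Iterable[str]) -> None:
    """Ingestion enforcer: sensitive columns are encrypted before the row reaches
    the cloud store, so the platform never receives clear text or the key."""
    protected = dict(record)
    for col in sensitive:
        protected[col] = encrypt_field(tenant_key, record[col])
    store.append(protected)


def cloud_admin_view(store: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """What anyone with full access to the stored data (cloud admin, DBA) sees."""
    return [dict(row) for row in store]


def client_read(store: List[Dict[str, str]], tenant_key: bytes,
                sensitive: Iterable[str]) -> List[Dict[str, str]]:
    """Consumption enforcer: re-identify only on the client, with the tenant key."""
    sensitive = tuple(sensitive)
    out = []
    for row in store:
        clear = dict(row)
        for col in sensitive:
            clear[col] = decrypt_field(tenant_key, row[col])
        out.append(clear)
    return out


# Constructed sample values (not real keys or customer records).
TENANT_KEY = b"hyok-key-held-by-tenant-not-cloud"
SENSITIVE = ("email", "card_number")
SAMPLE_RECORD = {"customer_id": "C-1001", "email": "ana@example.com",
                 "card_number": "4111111111111111", "segment": "VIP"}

if __name__ == "__main__":
    store: List[Dict[str, str]] = []
    ingest(store, TENANT_KEY, SAMPLE_RECORD, SENSITIVE)
    print("cloud admin sees:     ", cloud_admin_view(store)[0])
    print("authorized client sees:", client_read(store, TENANT_KEY, SENSITIVE)[0])
```

The point the example makes is that a stolen platform credential, of the kind used in the breach described above, yields only ciphertext from the cloud store: re-identification requires the tenant key, which never leaves the tenant’s environment, and decryption with any other key fails the integrity check rather than returning garbage.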

Real-Time Observability

Monitor and alert in real-time on all data access and data processing activities, alongside behavioral anomalies. The latest evolution of DAM (Database Activity Monitoring) focuses on proactive security measures, implementing fine-grained access control to enforce the principle of least privilege. This approach ensures that users only have access to the data and resources necessary for their roles, reducing the risk of data breaches. Safe Harbor RLS policies and dynamic encryption further enhance data protection, while single sign-on (SSO) and multi-factor authentication (MFA) improve the security of direct database tools. Vaulted credentials with passwordless access and regular rotation, together with privileged account consolidation to prevent rogue accounts, have also become standard features in modern solutions.

SecuPi protects both SQL and NoSQL data across on-premises and cloud-based platforms, allowing installation on-premises or in any cloud environment with straightforward configuration. It effectively monitors and regulates activities conducted by DBAs, DevOps, developers, and cloud administrators, leveraging various native database tools, including SQL Server SSMS, PGAdmin, Zeppelin, DBeaver, and MongoDB shell (Mongosh), among many others. SecuPi does not require users to connect through remote desktops, VDIs, or jump servers, and does not require installing agents on databases. This eliminates the need to activate native database audit trails. SecuPi ensures single sign-on (SSO) and multi-factor authentication (MFA) for all direct database tools, including native ones. The platform protects against credential theft attacks by implementing database passwordless access and securely storing all database passwords in a dedicated vault. The authorization process for connecting and executing change procedures seamlessly integrates with existing workflow solutions.
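As an added example of the behavioral monitoring described in this section (not SecuPi’s detection logic), the block below builds a per-user baseline from constructed query-history lines and flags the patterns that a credential-theft scenario tends to produce: a read that is an order of magnitude larger than the user’s usual result size, a country or client tool never seen for that user, and activity from an account with no history at all. The log format, field names and the `bulk_factor` threshold are assumptions of this example.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List

# Assumed log format for this example: one query-history event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) country=(?P<country>\S+) '
    r'client=(?P<client>\S+) rows=(?P<rows>\d+) sql="(?P<sql>[^"]*)"$'
)

# Constructed baseline of normal activity (not real query-history data).
BASELINE_LOG = [
    '2024-05-01T09:02:11Z user=alice country=US client=tableau rows=120 sql="SELECT region, SUM(amount) FROM orders GROUP BY region"',
    '2024-05-02T09:10:45Z user=alice country=US client=tableau rows=200 sql="SELECT day, COUNT(*) FROM orders GROUP BY day"',
    '2024-05-03T09:04:02Z user=alice country=US client=tableau rows=260 sql="SELECT product, SUM(qty) FROM orders GROUP BY product"',
    '2024-05-06T09:07:30Z user=alice country=US client=tableau rows=300 sql="SELECT store, SUM(amount) FROM orders GROUP BY store"',
    '2024-05-07T09:01:55Z user=alice country=US client=tableau rows=400 sql="SELECT week, SUM(amount) FROM orders GROUP BY week"',
    '2024-05-01T14:20:00Z user=bob country=US client=dbeaver rows=10 sql="SELECT * FROM customers WHERE customer_id = 101"',
    '2024-05-02T15:05:12Z user=bob country=US client=dbeaver rows=25 sql="SELECT * FROM customers WHERE segment = \'VIP\'"',
    '2024-05-03T16:44:09Z user=bob country=US client=dbeaver rows=40 sql="SELECT * FROM orders WHERE status = \'open\'"',
    '2024-05-06T11:12:33Z user=bob country=US client=dbeaver rows=50 sql="SELECT * FROM orders WHERE created > CURRENT_DATE - 7"',
]

# Constructed new events to evaluate against the baseline.
NEW_LOG = [
    '2024-05-20T09:03:40Z user=alice country=US client=tableau rows=350 sql="SELECT region, SUM(amount) FROM orders GROUP BY region"',
    '2024-05-20T03:17:08Z user=bob country=XX client=python-connector rows=2500000 sql="SELECT * FROM customers"',
    '2024-05-20T03:25:51Z user=svc_etl country=XX client=python-connector rows=900000 sql="SELECT * FROM orders"',
]


def parse_line(line: str) -> Dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["rows"] = int(event["rows"])
    return event


def build_baseline(lines: List[str]) -> Dict[str, Dict]:
    """Per-user profile: result sizes seen, plus the countries and client tools used."""
    profile: Dict[str, Dict] = defaultdict(
        lambda: {"rows": [], "countries": set(), "clients": set()})
    for ev in map(parse_line, lines):
        p = profile[ev["user"]]
        p["rows"].append(ev["rows"])
        p["countries"].add(ev["country"])
        p["clients"].add(ev["client"])
    return profile


def detect(profile: Dict[str, Dict], lines: List[str], bulk_factor: int = 10) -> List[Dict]:
    """Return one alert per rule that fires for each new event."""
    alerts = []
    for ev in map(parse_line, lines):
        p = profile.get(ev["user"])
        if p is None:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "reason": "unknown_user",
                           "detail": "no prior activity for this account"})
            continue
        # Bulk-read rule: compare against the user's own median result size.
        threshold = bulk_factor * max(statistics.median(p["rows"]), 1)
        if ev["rows"] > threshold:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "reason": "bulk_read",
                           "detail": f'{ev["rows"]} rows > threshold {threshold:.0f}'})
        if ev["country"] not in p["countries"]:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "reason": "new_country",
                           "detail": ev["country"]})
        if ev["client"] not in p["clients"]:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "reason": "new_client",
                           "detail": ev["client"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print(alert)
```

Alice’s slightly larger-than-usual report stays silent, while Bob’s full-table read from an unfamiliar country and client tool fires all three rules at once; correlating several weak signals on one account is what turns a noisy per-rule alert into something an analyst will act on.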

Zero-Trust and Fine-Grained Access Control

Enforce Zero-Trust access control for privileged users, using passwordless, governed access and sensitive data protection to restrict both data access and operations. SecuPi governs all ways to access data through its capability for dynamic Attribute-Based Access Control (ABAC). It is highly tailorable, applying row-level filtering, column-level de-identification using dynamic or static masking, and FPE decryption according to policy logic defined:

  • Based on current values of attribute variables such as the user ID making the query, e.g., user Workday role, Active Directory and LDAP groups, clearance level, location, citizenship, and customer consent/classification.
  • Based on the current values of attribute variables for the data being accessed, e.g., the authorization/clearance level required to see the data, data location, etc.
  • Based on behavioral attributes, such as the end user’s current sensitive data risk level, device in use, or self and peer-comparison of normal accepted access patterns.

Once the target data set is precisely delimited by the policy logic and the combination of these attribute values, SecuPi follows policy rules regarding the presentation of the data, e.g., applying fine-grained auditing, dynamic masking, row filtering (e.g., filtering out customers with VIP status), format-preserving encryption (FPE) or tokenization, or presenting clear text. Unlike other tools in the market, SecuPi supports both cloud and on-prem environments with both operational (e.g., business applications) and analytics (e.g., Tableau on Redshift, Databricks, and Teradata) workloads without changing code or data sources.
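To make the three attribute families and the presentation decisions above concrete, here is an added ABAC policy evaluator (example code, not SecuPi’s engine). Subject attributes (role, groups, clearance, location, device, risk level), resource attributes (classification, required clearance, residency) and a behavioral attribute (current risk level) are combined into one per-column action: clear text, masking, tokenization or denial, plus a row filter that hides VIP customers from anyone outside an assumed “vip-desk” group. The schema, subjects, tokenization key and rule thresholds are constructed for this example; the deterministic HMAC tokenization stands in for FPE.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

EU = {"DE", "FR", "NL", "IE"}                      # assumed residency region
TOKEN_KEY = b"tokenization-key-constructed-sample"  # constructed, held client-side


@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    groups: frozenset
    clearance: int
    location: str
    managed_device: bool
    risk: str  # behavioral attribute: "low" | "medium" | "high"


@dataclass(frozen=True)
class Column:
    name: str
    classification: str          # "internal" | "pii" | "pci"
    required_clearance: int = 0
    residency: Optional[str] = None  # "EU": clear text only when accessed inside the region


def decide(subject: Subject, column: Column) -> str:
    """Combine subject, resource and behavioral attributes into one action."""
    if column.classification == "internal":
        return "clear"
    if subject.risk == "high":
        return "deny"                      # elevated risk: no re-identification at all
    if subject.clearance < column.required_clearance or not subject.managed_device:
        return "mask" if column.classification == "pci" else "tokenize"
    if column.residency == "EU" and subject.location not in EU:
        return "tokenize"                  # data sovereignty: no clear text outside the region
    return "clear"


def mask(value: str) -> str:
    """Dynamic masking: keep only the last four characters."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def tokenize(value: str) -> str:
    """Deterministic token (stand-in for FPE): joins still work, value does not leak."""
    return "tok_" + hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def row_allowed(subject: Subject, row: Dict[str, str]) -> bool:
    """Row-level filter: VIP customers are visible only to the assumed vip-desk group."""
    return row.get("segment") != "VIP" or "vip-desk" in subject.groups


def enforce(subject: Subject, rows: List[Dict[str, str]], schema: List[Column]) -> List[Dict[str, str]]:
    """Apply the row filter and per-column presentation rules for one subject."""
    shaped_rows = []
    for row in rows:
        if not row_allowed(subject, row):
            continue
        shaped = {}
        for col in schema:
            action, value = decide(subject, col), row[col.name]
            if action == "clear":
                shaped[col.name] = value
            elif action == "mask":
                shaped[col.name] = mask(value)
            elif action == "tokenize":
                shaped[col.name] = tokenize(value)
            else:
                shaped[col.name] = "[REDACTED]"
        shaped_rows.append(shaped)
    return shaped_rows


# Constructed schema, data and subjects (not real records or people).
SCHEMA = [
    Column("customer_id", "internal"),
    Column("email", "pii", required_clearance=2, residency="EU"),
    Column("card_number", "pci", required_clearance=3),
    Column("segment", "internal"),
]
ROWS = [
    {"customer_id": "C-1001", "email": "ana@example.com", "card_number": "4111111111111111", "segment": "VIP"},
    {"customer_id": "C-1002", "email": "ben@example.com", "card_number": "5500000000000004", "segment": "standard"},
]
SUPPORT = Subject("sam", "support_agent", frozenset({"support"}), 1, "DE", True, "low")
FRAUD = Subject("fay", "fraud_analyst", frozenset({"fraud", "vip-desk"}), 3, "DE", True, "low")
FRAUD_US = replace(FRAUD, location="US")       # same analyst, querying from outside the EU
FRAUD_HIGH_RISK = replace(FRAUD, risk="high")  # same analyst, anomalous behavior flagged

if __name__ == "__main__":
    for subj in (SUPPORT, FRAUD, FRAUD_US, FRAUD_HIGH_RISK):
        print(subj.user, subj.location, subj.risk, enforce(subj, ROWS, SCHEMA))
```

The same analyst gets three different views depending on where the query runs and what the behavioral signal says, which is the practical meaning of evaluating policy at consumption time rather than baking entitlements into the data source.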

The SecuPi distributed architecture ensures easy deployment with no changes to the underlying schema, applications, or business processes, enforcing key segregation and ensuring end-to-end cloud data security. SecuPi offers seamless end-to-end data security across your cloud data operations. Full SoD. Zero code.

Key Benefits:

  • Enable secure data collaboration and democratization across cross-cloud, global data operations.
  • Full segregation of duties (SoD) and HYOK, ensuring data is never decrypted on-cloud and never available to the cloud administrator.
  • Seamless enforcement of security, sovereignty, privacy, and governance use cases.
  • Full visibility into every data access and data-processing transaction with full end-user context.
  • Sensitive data is always protected and access controlled across ingestion and consumption technologies.