Friday, 12 July 2024 09:47

Snowflake admins can now make MFA mandatory, thank goodness

By David M Williams

Snowflake has now released a feature allowing administrators to enforce MFA so users must enroll in it on login. Finally!

Make no mistake, this CIO is a fan of Snowflake and all the power the data and AI cloud platform brings. However, perplexingly and bizarrely, Snowflake dragged its feet when it came to MFA. Yes, MFA was possible, but it was implemented in a terrible way: users had to set themselves up on it. All a beleaguered Snowflake admin could do was ask, and remind people over and over again, to do it.

MFA was not automatically enabled on a Snowflake account, nor could the administrator force it on for any specific user. Instead, users were required to self-enrol into MFA following the instructions here. Administrators could disable MFA if a user lost a device, but the responsibility to turn it on in the first place sat squarely with the user.

This was not good policy. iTWire has regularly insisted companies must be using MFA as the bare minimum, the most basic of protections, because it was never a question of "if" users would be breached via credential theft, but "when." We spoke with Geoff Schomburgk of Yubico here about how enterprises can lead the way by issuing FIDO2 hardware keys to users (such as Yubico's own popular range of Yubikeys, as well as other providers such as FEITIAN). We spoke with Alex Tilley of Secureworks here about the basics of security that everyone needs to do - like MFA. And, Rapid7 research showed a staggering 41% of security incidents in 2023 could have been prevented if only MFA were in place.

Believe me, the messaging from iTWire cannot be more consistent and relentless - if you don't have MFA turned on, then you need to.

And there sure are some Snowflake customers who wish they had MFA on.

It began with the massive Ticketmaster data breach, which in turn affected Australians via Ticketek, whereby some 560 million customers had their personal data leaked because, you guessed it, Ticketmaster didn't have MFA turned on. And, that data was held in Snowflake. While an early, and since debunked, cybersecurity report wrongly claimed Snowflake had been breached, Snowflake were quick to point out they themselves were secure, but the customer - Ticketmaster - had its credentials stolen by a malicious party, which led to the breach. And, Snowflake said, the customer didn't have MFA enabled, and really should have.

Yet, more and more news came out of other compromised Snowflake customers, and while Snowflake itself most definitely had not been breached - it's not like it holds a master record of customer login details anyway, with its product spread out over major clouds and regions - it seemed sophisticated hackers had targeted Snowflake customers. And, the reality is, as much as Snowflake can say it provided MFA, and customers should be using it, the company truly did not help itself with its poorly-implemented, poorly-considered MFA policy of the past.

As a former Snowflake administrator myself, I can only lament the frustration of asking all my ACCOUNTADMINs and other users to please, please execute this command to enroll yourself into MFA. I had no power to turn it on for anyone but myself; I had no power to make it mandatory for new accounts.

Happily, and thankfully, that changes now. The new Snowflake feature allows admins - finally, hoorah, and not a nanosecond too soon - to enforce MFA.

This is enabled via an AUTHENTICATION POLICY object, which forces users to enroll in MFA on login. It can be set account-wide, or on a per-user basis. But seriously, do it account-wide.

iTWire's advice is that a well-rounded authentication policy should include (at a minimum):

  • Any user accounts used by people should use SSO or MFA

  • Service accounts should use keypair authentication or OAuth

  • A break-glass admin account should be set up with a very strong password
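One way to express the three-part policy above in Snowflake SQL, as an added example rather than code from Snowflake or iTWire; the database, schema, policy and user names are hypothetical. The per-user policies are attached before the account-wide default so that service and break-glass logins are not locked out when it takes effect.

```sql
-- Added example. All object and user names are hypothetical placeholders.
USE ROLE ACCOUNTADMIN;
CREATE DATABASE IF NOT EXISTS security_db;
CREATE SCHEMA IF NOT EXISTS security_db.policies;

-- 1. People: SSO or password logins, with MFA enrolment forced at login.
--    SNOWFLAKE_UI must stay in CLIENT_TYPES: Snowsight is where users enrol.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.human_users_mfa
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL', 'DRIVERS')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')  -- SSO users get MFA from the IdP
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Account default: people must enrol in MFA';

-- 2. Service accounts: key pair or OAuth only, so no password to steal.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.service_accounts
  AUTHENTICATION_METHODS = ('KEYPAIR', 'OAUTH')
  CLIENT_TYPES = ('DRIVERS', 'SNOWSQL')
  COMMENT = 'Service accounts: no password logins';

-- 3. Break-glass admin: password login that does not depend on the IdP.
--    Assumption: the strong password itself is enforced separately.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.break_glass
  AUTHENTICATION_METHODS = ('PASSWORD')
  CLIENT_TYPES = ('SNOWFLAKE_UI')
  COMMENT = 'Emergency admin access only';

-- A policy set on a user overrides the account-level policy,
-- so attach the exceptions first.
ALTER USER svc_etl_loader
  SET AUTHENTICATION POLICY security_db.policies.service_accounts;
ALTER USER breakglass_admin
  SET AUTHENTICATION POLICY security_db.policies.break_glass;

-- Then make MFA enrolment the default for everyone else.
ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.human_users_mfa;

-- Confirm what was created and how each policy is configured.
SHOW AUTHENTICATION POLICIES IN SCHEMA security_db.policies;
DESCRIBE AUTHENTICATION POLICY security_db.policies.human_users_mfa;
```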

You should also ensure this policy is part of any infrastructure-as-code that you have. It's supported already by Titan Core, and you should check your other IaC tooling.

Further, Snowflake admins can monitor compliance, as well as identify other issues, with the new Snowflake Trust Center.

What will you do after reading this announcement?

  • If you are a Snowflake customer, you should set up the authentication policy now. Right now.
  • If you have other accounts on any other system anywhere that does not have MFA enabled, do it. Right now.
  • If you are a software provider that's been dragging the chain on MFA then, far out, make it available to your customers. Right now. Otherwise you'll be sure to be on the front page of iTWire next, and not for good reasons.

This iTWire writer and CIO never takes delight in browbeating any company, but let's learn from Snowflake here. Security is too important to be left to chance, or to rely on end users always doing the right thing.

I'm grateful and glad Snowflake has now given admins the tools to enforce MFA across their organisation. I only wish it hadn't taken front-page news of weakness, and multi-company exploitation, to force it to happen.

 

David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
