Snowflake has been under scrutiny after breaches at clients including AT&T and Ticketmaster.
Experts said the breaches were not necessarily Snowflake's fault.
We have tips for organizations looking to better assess cloud security.
Snowflake has been in the grip of a severe heat wave lately. No, we’re not talking about extreme temperatures, but a series of customer data breaches that have thrust the company into an unwanted spotlight. But was this just a series of unfortunate events, or could it tell us something about cloud security more broadly?
First, there’s the question of who’s to blame for the breaches. Cloud computing company Snowflake (SNOW:NYSE) is the common denominator in the breaches that hit AT&T, Ticketmaster and others. But Snowflake has insisted — backed by CrowdStrike and Mandiant — that it wasn’t at fault.
So what's the truth? Well, it boils down to lax security practices.
“The breach occurred as a result of exploiting a vulnerability in single-factor credentials — stolen Snowflake customer credentials — which were then used in a credential stuffing attack to access customer databases,” Sean Dube, chief technology officer at Semperis, told Fierce.
“This underscores the need for a clear understanding of what the customer is responsible for and what the provider is responsible for in a SaaS shared responsibility model,” he continued. “It’s good that the vulnerability wasn’t exploited, but the weak enforcement of the password policy — the lack of a password change enforced by two-factor authentication upon notification of leaked credentials — on Snowflake’s part makes the threat actor’s job much easier.”
In some ways, Snowflake and its customers should have seen this coming.
Matt Shelton, head of threat research and analysis at Google Cloud, said that next to misconfigurations, identity and access management is the biggest vulnerability in cloud platforms of any size.
In fact, attacks exploiting weak or missing credentials accounted for 47% of breaches in the first half of 2024, according to Google Cloud’s Threat Horizon report for the first half of 2024. (See chart below.)
“When data is stored in the cloud without any safeguards like MFA or IAM, you make it incredibly easy for threat actors to access a trove of data with just credentials,” Shelton explained. “They don’t even need to spend the time or resources to create any sophisticated backdoors or malware like they would with an on-premises system.”
What can help prevent attacks like the one that AT&T experienced are measures like Zero Trust controls to effectively manage who can access an organization's cloud environment, Shelton said.
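The pattern the experts describe above, stolen single-factor credentials replayed against many accounts, leaves a recognizable trace in login telemetry. The following is an added example, not code from the article, Snowflake, Google Cloud or any of the quoted firms: it runs two detections over a constructed login-history sample (field names and values are assumptions modelled loosely on a generic login log) and then lists which accounts would need a forced password reset plus MFA enrollment, including accounts a customer has been notified were leaked.

```python
"""Credential-stuffing and single-factor-login detection over login records.

Added example with constructed data; nothing here is real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    ts: int                    # constructed event timestamp (epoch seconds)
    user: str
    client_ip: str
    first_factor: str          # e.g. "PASSWORD"
    second_factor: Optional[str]  # e.g. "DUO_PUSH", or None when no MFA was used
    success: bool


# Constructed sample: one source IP cycles through eight accounts with stolen
# passwords, succeeding once; the rest is ordinary user traffic.
_STUFFING_IP = "203.0.113.7"          # documentation range, not a real host
_TRIED_USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]

EVENTS: List[LoginEvent] = [
    LoginEvent(1000 + i, u, _STUFFING_IP, "PASSWORD", None, success=(u == "alice"))
    for i, u in enumerate(_TRIED_USERS)
] + [
    LoginEvent(2000, "bob", "198.51.100.20", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(2001, "carol", "198.51.100.21", "PASSWORD", None, True),
    LoginEvent(2002, "erin", "198.51.100.22", "PASSWORD", "DUO_PUSH", False),
]


def credential_stuffing_sources(events: Iterable[LoginEvent],
                                min_users: int = 5,
                                min_failure_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that tried many distinct accounts with mostly failures.

    Thresholds are assumptions for the example; tune them to the environment.
    Returns a summary per flagged IP, including accounts it did get into.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.client_ip].append(e)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        users = {e.user for e in evs}
        failures = sum(1 for e in evs if not e.success)
        ratio = failures / len(evs)
        if len(users) >= min_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": len(evs),
                "failure_ratio": ratio,
                "compromised_users": sorted(e.user for e in evs if e.success),
            }
    return flagged


def single_factor_successes(events: Iterable[LoginEvent]) -> List[str]:
    """Accounts that logged in with a password alone: the MFA gap to close."""
    return sorted({e.user for e in events
                   if e.success and e.first_factor == "PASSWORD"
                   and e.second_factor is None})


def remediation_targets(events: List[LoginEvent],
                        leaked_users: Iterable[str] = ()) -> List[str]:
    """Accounts needing a forced password reset and MFA enrollment.

    Union of: accounts reached by a flagged stuffing source, accounts still
    using single-factor logins, and accounts reported in a credential leak.
    """
    targets = set(leaked_users)
    for summary in credential_stuffing_sources(events).values():
        targets.update(summary["compromised_users"])
    targets.update(single_factor_successes(events))
    return sorted(targets)


if __name__ == "__main__":
    print("stuffing sources:", credential_stuffing_sources(EVENTS))
    print("single-factor logins:", single_factor_successes(EVENTS))
    print("reset + MFA required:", remediation_targets(EVENTS, leaked_users={"dave"}))
```

The stuffing detector keys on breadth (many distinct usernames from one source) rather than volume alone, because a replay of leaked credentials typically touches each account only once or twice; the second check surfaces accounts whose successful logins never carried a second factor, which is the gap the experts quoted above say made the attacker's job easy.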
Snow melting?
But whether these breaches are innocent or not, they don’t look good for Snowflake. Especially since AT&T has openly admitted that it was the third-party cloud platform that was accessed. Will these incidents push customers into the arms of giant competitors? And would they be safer if they did?
The answer to the first question is difficult.
“It’s hard to say how Snowflake’s customers, including AT&T, will respond. As we saw with the SolarWinds incident, no cloud service provider is immune to attacks and breaches that can come in many forms,” Leonard Lee of Next Curve said via email. However, “the data breach does not bode well for Snowflake and calls into question the security measures and practices they implemented to prevent the incident, such as enforcing multi-factor authentication (MFA).”
Cybersecurity experts often say that the best thing an organization can do to protect itself is to practice basic hygiene, no matter which cloud provider it works with, he added.
“Often disaster can be avoided by implementing and practicing the basics well,” he told me.
As for the final question – whether the giant cloud providers are inherently the safer bet – the answer is not that simple.
“Cloud data platforms are able to implement the same cloud security controls as large cloud platforms,” Shelton said. “These security controls can be implemented with varying levels of effectiveness, making it important for businesses to choose a reliable cloud provider. Businesses should focus on understanding the security measures their cloud provider offers and supplement them with additional controls as needed.”
Shelton added that companies looking to evaluate the security of a cloud provider should ask some of the following questions:
How does the cloud provider address data sovereignty and data protection requirements?
How does it handle identity and access management?
What security measures are in place to protect against misconfigurations?
How does the cloud provider detect and respond to threats?
What does the cloud provider do to address third-party software risks?
At market close today, Snowflake shares were trading at $135.10, down 0.81%.
Read more about the AT&T data breach in our coverage below:
Serious repercussions for AT&T after massive data theft
Massive AT&T Cellphone and Text Message Records Breach Revealed