Snowflake lets admins make MFA mandatory across all user accounts

A month after incident response giant Mandiant suggested the litany of data thefts linked to Snowflake account intrusions had the common component of lacking multi-factor authentication (MFA) controls, the cloud storage and data analytics company is offering a mandatory MFA option to admins.

Snowflake hasn’t mentioned the spate of attacks specifically, but does reference credential compromise frequently. To combat this, a new authentication policy is now available that requires all users of a Snowflake account to enable MFA.

Customers can decide whether to apply the policy only to local users, to those using single sign-on (SSO) too, or on a user-by-user basis. Snowflake said it doesn’t recommend the latter for service users, for example, for which OAuth or key-pair authentication is recommended.

The general availability of Snowflake Trust Center (STC) was also announced concurrently – a framework for customers to monitor compliance with the MFA policies Snowflake hopes will be applied more broadly.

Included in the STC are two packages that also went GA this week: the Security Essentials scanner package and the CIS Benchmarks scanner package.

The first works to prevent credential theft by examining the degree to which MFA and network policies are being adopted, while the other evaluates a customer’s account against the CIS Snowflake Foundations Benchmark, which comprises secure configuration guidelines.

Snowflake’s web interface, Snowsight, will also prompt users who haven’t enabled MFA policies to do so.

“To help drive MFA adoption, we’re taking steps to promote individual compliance for Snowflake users,” the company said in a blog post.

“Starting today, when users without MFA log on to Snowsight, they will be prompted to enable MFA and guided through the configuration steps. This dialog can be dismissed, but it will reappear in three days if MFA has not been configured for the user.”

Snowflake’s app-based MFA solution is powered by Duo and this is the only option for customers. The default for Snowflake customers is to enable MFA on a per-user basis, and MFA is still not enabled by default. It’s at the admin’s discretion for now, although the company teased this week that this is expected to change in the future so all human users are required to use it.

The quiet part

Researchers at Hudson Rock were the first to shine a light on the intrusions at Ticketmaster and Santander, which were linked to Snowflake accounts in late May in a report since pulled after Snowflake’s lawyers stepped in.

Hudson Rock originally alleged that the data compromises potentially impacting millions of people were carried out after Snowflake itself was attacked, rather than the accounts of individual customers – a claim Snowflake vehemently and consistently still denies.

Snowflake ended up admitting that a former employee’s credentials were used by a malicious third party to access a few demo accounts, but that was the extent of it. 

Snowflake denies responsibility for the break-ins at Santander and Ticketmaster, the latter of which is still facing continued extortion threats from the group behind the intrusions. Criminals at the ShinyHunters operation claimed the attack and have since leaked alleged barcodes to major events supported by the ticketing giant.

The number of Snowflake victims is up for debate. Mandiant’s report in early June put the number at around 165 organizations, but it’s not clear if this number has risen since then.

Some intrusions have emerged since the Snowflake saga began, such as those at US car part dealer Advance Auto Parts and Aussie ticketing company Ticketek, but the victims haven’t explicitly cited Snowflake accounts as the sources.