Field Notes

Snowflake - Is account security the customer’s responsibility?

Snowflake's incident highlights that it doesn't matter whether a breach is "the customer's fault" when enough customers are breached at the same time. People won't read the details, and your company's name will be dragged through the mud alongside the B word. Is it the customer's fault that they didn't enable MFA and so were exposed when credentials stolen elsewhere were replayed against their accounts?

Does it matter?

A large portion of Snowflake's staff is now pulled away from delivering value and stuck dealing with the fallout. Snowflake's name is being mentioned next to the word "breach" in every tech journal and newspaper. It's not exactly where the marketing and brand teams want to be messaging from.

This was absolutely foreseeable.

It was also preventable, even with the shared responsibility model.

Snowflake is now paying the price for choosing to tie its own reputation to customers' proven inability to secure individual accounts. It's almost as if the lessons from the 23andMe breach, where stolen credentials were likewise replayed against accounts without MFA, vanished into the ether.

I'm sure "friction" came up when the authentication requirements were set, but the decision is not a binary one between forcing MFA on everyone and not requiring it at all.

Preventing it from happening to you

💰  Stop charging extra money for SAML and SSO - Customer account security is too critical to your own brand's well-being. Why are you paywalling it?

✅  Make MFA a requirement for accounts with broad access to data or admin rights - Even for everyone else, requiring an MFA check only for sessions from IP addresses the user has never logged in from would stop most credential-stuffing attacks with minimal user friction, since the attacker is almost never coming from the victim's usual network.

🔑  Ensure that MFA is easy to set up and use - Passkeys are phishing-resistant (the credential is bound to the site's origin, so it can't be replayed to a lookalike domain) and remarkably easy for users. Outside of the major providers, however, most sites have yet to implement them. The sooner we move away from making people pull out their phone, unlock it, open the authenticator app, scroll to the right entry and copy a number by hand onto their computer, the better.

👀  Check passwords against databases of known compromised credentials as they are created - Odds are many of the passwords used in the breaches were already known to be compromised or were commonly used. This is easily preventable with a check at password-creation time against a service like haveibeenpwned's Pwned Passwords, whose range API accepts only the first five hex characters of the password's SHA-1 hash, so the password itself never leaves your system.

🍪  Investigate device-bound session credentials - Session cookie theft by malware is a growing threat. It can be mitigated by binding the session to a key that the browser holds and malware can't export, so a session cookie only works from the browser (and device) that generated it; a copied cookie on the attacker's machine fails the per-session challenge.

✈️  Bind sessions to an IP and force re-authentication when the address changes - It doesn't take a security engineer to point out that a user always in Tacoma showing up 12 minutes later in Azerbaijan might be indicative of an account issue. Mobile carriers and VPNs do churn addresses, so an address change within the same network may only warrant an MFA step-up; a jump across continents warrants a forced logout.
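As an added example (not code from this post, and not Snowflake's or any vendor's implementation), here is a Python sketch of two of the controls above: the Pwned Passwords k-anonymity range check, run against a constructed range response so it works offline, and a session store that requires MFA on logins from IPs the user has never used, forces re-authentication when a session's IP changes mid-session, and rejects a session cookie unless the client also proves possession of a per-device key. The `SessionStore`, `pwned_count` and `device_sign` names, the sample response and its counts, and the HMAC device key (a simplified stand-in for the asymmetric, hardware-held key that the real Device Bound Session Credentials proposal uses) are all assumptions.

```python
"""Added example, not from the post: two of the controls above in code.
Names, the sample data and the HMAC device key are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# ---- Password check via the Pwned Passwords k-anonymity range query ----

def hibp_split(password: str) -> tuple[str, str]:
    """SHA-1 the password; only the 5-hex-char prefix is sent to the API,
    the 35-char suffix stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """How often the password appears in known breaches (0 = not found).

    range_response is the body of GET /range/{prefix}: one
    "SUFFIX:COUNT" line per hash that shares the prefix.
    """
    _, suffix = hibp_split(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate and hmac.compare_digest(candidate.encode(), suffix.encode()):
            return int(count)
    return 0


# Constructed stand-in for a real range response (real ones run to
# hundreds of lines); the middle entry is SHA-1("password") minus its
# prefix 5BAA6, with a made-up count.
SAMPLE_RANGE_RESPONSE = """\
1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
FFEEDDCCBBAA99887766554433221100FFE:12
"""


# ---- Sessions: MFA step-up on new IPs, IP pinning, device binding ------

def device_sign(device_key: bytes, nonce: bytes) -> bytes:
    """What the legitimate browser does with a challenge. HMAC stand-in
    for a signature with a non-exportable, hardware-held private key."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


class SessionStore:
    """In-memory session store (assumed shape, not any real product's)."""

    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}
        self.known_ips: dict[str, set[str]] = {}   # IPs that passed MFA

    def login(self, user: str, ip: str, device_key: bytes,
              mfa_passed: bool) -> tuple[str, bool]:
        """Create a session and return (session_id, mfa_still_required).
        A password-only login from an IP the user has never used stays
        inactive until MFA completes; a known IP needs no step-up."""
        new_ip = ip not in self.known_ips.get(user, set())
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "ip": ip, "key": device_key,
                              "nonce": None, "active": mfa_passed or not new_ip}
        if mfa_passed:
            self.known_ips.setdefault(user, set()).add(ip)
        return sid, not self.sessions[sid]["active"]

    def complete_mfa(self, sid: str) -> None:
        s = self.sessions[sid]
        s["active"] = True
        self.known_ips.setdefault(s["user"], set()).add(s["ip"])

    def challenge(self, sid: str) -> bytes:
        """Fresh single-use nonce the client must sign with its device key."""
        nonce = secrets.token_bytes(16)
        self.sessions[sid]["nonce"] = nonce
        return nonce

    def authorize(self, sid: str, ip: str, proof: bytes) -> str:
        """'ok', or the reason the client must re-authenticate."""
        s = self.sessions.get(sid)
        if s is None:
            return "reauth:unknown_session"
        if not s["active"]:
            return "reauth:mfa_pending"
        if ip != s["ip"]:
            del self.sessions[sid]          # Tacoma to Azerbaijan: kill it
            return "reauth:ip_changed"
        nonce = s["nonce"]
        expected = device_sign(s["key"], nonce) if nonce else b""
        if not nonce or not hmac.compare_digest(expected, proof):
            del self.sessions[sid]          # cookie replayed without the key
            return "reauth:bad_device_proof"
        s["nonce"] = None                   # consumed; a replay needs a new one
        return "ok"
```

A real deployment would fetch the range response over HTTPS, store a public key rather than a shared secret per session, and log the `reauth:*` reasons so the detection team can see credential stuffing and cookie replay as distinct signals.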

Service providers holding customer data should be taking steps now to minimize the risk of ending up in a similarly unenviable position: blaming their own customers, who are already dealing with an account breach.