Best practices to secure data access in Snowflake

Best practices to secure data access in Snowflake
Marta Dern

Marta Dern

Product Marketing

Publish on

June 5, 2024

In the last few days, there has been a lot of noise about an alleged Snowflake breach that impacted several companies' supply chains. While the details remain unconfirmed, it appears that the attack is once more identity-based. It is important to remain vigilant and ensure we are doing everything in our power to maximize the security posture of mission-critical systems that store sensitive data. In this article, we want to share best practices for implementing secure data access to Snowflake by humans and machines.

Access control in Snowflake

Snowflake uses various authentication methods for user accounts, including passwords combined with multi-factor authentication (MFA), client certificates, and OAuth2 tokens. An important aspect to be aware of is that Snowflake doesn’t use different types of accounts for humans and machines - in Snowflake, a user is a user regardless if human or not. It is a common best practice for organizations to follow a standardized naming convention for service accounts, a type of non-human identity (NHI) used for integrations and automated processes such as sfdc_svc_connector or api_usr. These accounts typically authenticate using certificates or OAuth2 tokens and, in some legacy systems, a password.
Snowflake recommends the following security measures:

  1. Enforce Multi-Factor Authentication on all accounts;
  2. Set up Network Policy Rules to only allow authorized sources or only allow traffic from trusted locations;
  3. Reset and rotate Snowflake credentials.

Furthermore, we recommend taking an additional step and disabling Snowflake password authentication for human users if your company has implemented a single sign-on (SSO) solution. 

Best practices to secure program access to Snowflake

Securing Snowflake user accounts used by programs and presents a unique challenge. These user accounts that often have wide-ranging privileges, but, like other Non-Human Identities, can’t rely on smartphones or other devices to support MFA. So, while employees enter codes from their mobile apps, these non-human users can’t and therefore are at higher risk.

To account for the different nature of NHIs, we recommend implementing the following security best practices:

  1. Contextual Visibility: Create and maintain a real-time inventory of NHIs with contextual information about consumers, owners, and access patterns. This helps identify unusual or unauthorized activities quickly.
  2. Rotate Credentials Regularly: To minimize the risk of unauthorized access, rotate credentials and secrets associated with NHIs regularly.
  3. Right-Size Privileges: Ensure that NHIs have the right level of necessary privileges required for their purpose. Overprivileged accounts increase the attack surface.
  4. Remove stale accounts: Ensure that accounts that are no longer in use, for example, user or program accounts previously owned by an offboarded employee, are properly and promptly decommissioned.

Oasis makes it easy to protect Snowflake non-human user accounts with a seamless integration

At Oasis, we understand the unique challenges of managing non-human identities. Our platform is designed to secure all NHIs throughout their lifecycle, providing visibility, automation, and robust security measures to protect your organization. Oasis integrates with Snowflake to make it easy to implement security best practices that will drastically reduce the risk of breaches from identity attacks. Simply set up a dedicated user and role in Snowflake, and share the details with Oasis.

Snowflake User in Oasis

This integration provides the following benefits:

  • Comprehensive NHI inventory: Oasis takes away the overhead of manually maintaining an accurate inventory of your NHIs within Snowflake. Once connected, Oasis automatically and continuously discovers all your Snowflake NHIs providing critical real-time visibility with detailed information about each identity. 
  • Critical contextual information: Oasis facilitates auditing activities and ensures accountability for actions performed by NHIs in Snowflake by providing insights into which consumers (users, applications, services) are utilizing each NHI and what resources these identities have access to.  
  • Posture violation detection: The integration continuously monitors and flags NHIs in stale or unrotated credentials, as well as other basic posture violations, enabling proactive risk mitigation.
  • Efficient credential rotation: As part of regular operations or in the event of a security breach, Oasis allows for efficient and automated rotation of credentials across all affected NHIs, minimizing operational disruptions.
  • Enhanced incident response: Oasis provides a comprehensive view of all NHIs, their access patterns, and interactions during an incident, enabling security teams to quickly identify potentially compromised identities and take immediate action to mitigate risks.

Contact us today for a free security assessment and to learn more about how Oasis can protect your assets and reputation. Don't wait for an identity breach to happen!

More like this