The recent Snowflake data breach has sparked concern across the cybersecurity field, showing that data continues to be a top target for attackers. This incident brings attention to identity management in protecting software-as-a-service (SaaS) environments and stresses the need for strong cooperation between service providers and their customers.
What happened
Snowflake, a Montana-based data platform and warehouse, suffered a breach affecting its broad client base. Mandiant reported that the attack compromised data from around 165 Snowflake customers. This included approximately 560 million customer records from Ticketmaster, 79 million from Advance Auto Parts, and 30 million from TEG.
The breach involved stolen credentials, leading attackers to attempt unauthorized access to customer accounts. Although Snowflake claimed that only a limited number of accounts were impacted, TechCrunch discovered hundreds of customer passwords online, accessible to cybercriminals.
See more: Snowflake faces massive data breach impacting 200 companies
The anatomy of the snowflake breach
The Snowflake attack proves how compromised credentials and weak security practices can leave organizations vulnerable, even when using cloud-based SaaS solutions. According to the Verizon 2024 Data Breach Investigations Report, stolen credentials are the primary means by which hackers gain access to web-based applications, accounting for 77% of such attacks.
The Snowflake breach was particularly concerning as it impacted 165 of the company's customers. The root cause of this incident was not a failure on Snowflake's part, but rather the lack of multi-factor authentication (MFA) implementation by the affected customers. This oversight allowed threat actors to exploit the credentials and gain unauthorized access to the SaaS platform.
The shared responsibility model
The Snowflake breach indicates the need for a shared responsibility model for effective SaaS security. In this model, both the service provider and the customer maintain identity management and access controls.
Service provider responsibilities
As the custodian of the underlying cloud infrastructure, the service provider must ensure the security and compliance of their platform. This includes:
- Securing the cloud infrastructure to meet relevant regulatory standards and certifications
- Continuously monitoring, updating, and maintaining the infrastructure to address vulnerabilities
- Offering tools and guidance to help customers secure their data and applications
- Delivering software that is free from defects and known vulnerabilities that could lead to unauthorized access
Customer responsibilities
While the service provider bears responsibility for the foundational infrastructure, customers must also take ownership of securing access to their SaaS applications and the data they store. This encompasses:
- Implementing identity security practices, such as enforcing MFA and conducting regular user access audits
- Securing their data through encryption, access controls, and backup procedures
- Ensuring that all apps and user accounts are properly configured, accounted for, and promptly offboarded when no longer needed
Related: What is identity access management
Embracing the secure business-led IT mindset
The rise of business-led IT, where employees can choose and use SaaS tools to improve their workflows, has introduced new security challenges. As leaders in departments like marketing, finance, and HR adopt these tools, they must also take on the associated risks.
To effectively use the shared responsibility model, business leaders need to make IT security a core aspect of their role. They should collaborate closely with IT teams to manage identity and security, particularly with the increasing adoption of SaaS applications.
Navigating SaaS security
Effective SaaS security demands an approach that encompasses the following elements:
- Visibility: Gaining a clear understanding of the SaaS applications in use across the organization, their associated risks, and the identities with access to data.
- Identity management: Implementing stringent identity and access controls, including MFA, regular user access reviews, and secure offboarding procedures.
- Data protection: Ensuring the confidentiality, integrity, and availability of data stored in SaaS environments through encryption, access controls, and backup strategies.
- Regulatory compliance: Align SaaS security practices with relevant industry standards and regulatory requirements, such as GDPR, HIPAA, and PCI-DSS.
- Continuous monitoring and improvement: Regularly reviewing and enhancing security protocols to address new threats and adapt to changing business needs.
Related: The underlying risks of using cloud storage
FAQs
What is a data breach?
A data breach is an incident where sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. This can include personal information such as names, social security numbers, credit card details, and medical records. Data breaches can occur through various means, such as hacking, malware attacks, insider threats, or inadequate security measures.
Can legal action result from a data breach?
Yes, legal action can result from a data breach, as affected individuals or organizations may sue for damages caused by the breach.
How can healthcare organizations prevent data breaches?
Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular security training for employees, and using encryption to protect sensitive data.
What should a healthcare organization do immediately after discovering a data breach?
Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.
Learn more: HIPAA Compliant Email: The Definitive Guide
Farah Amod
