www.securitymagazine.com/articles/100921-lessons-from-the-snowflake-breach-saas-security-needs-collaboration

Lessons from the Snowflake breach: SaaS security needs collaboration

August 15, 2024

The recent Snowflake attack is an important reminder that data remains king when it comes to cyberattacks, and identities are the gateway for threat actors to access this coveted information. In the event of an attack, service providers typically take the brunt of the blame. In this case, however, Snowflake reflected that it was actually how the company’s customers — including major companies like Ticketmaster and Advance Auto Parts — chose to leverage its SaaS product that created the risk.

The implication is that because the victims failed to enable multi-factor authentication (MFA), they left themselves open to attacks such as phishing, credential stuffing and credential theft. Although the accusations might not have been off base, finger-pointing at customers rarely builds trust or regains loyalty. Instead, this is an opportunity to foster collaboration and discuss the importance of shared responsibility between SaaS service providers and customers to prevent future incidents. 

All businesses can take away lessons on the critical importance of understanding and utilizing a shared responsibility model for better SaaS security. This model is pivotal for effectively managing and mitigating SaaS security risks, especially in cloud environments where responsibilities are distributed between service providers and customers. But what should both service providers and their customers know for successful implementation?

The solution for proper SaaS identity security

The Snowflake attack underscores how poor identity hygiene leaves companies vulnerable. This incident leveraged compromised credentials and exploited weak security practices in SaaS environments, and it has had a negative impact on 165 customers to date.

According to Verizon’s 2024 Data Breach Investigations Report, the number one way a hacker gains access to a system in a web-based application attack is through stolen credentials (77% of the time). This challenge grows more complex as organizations grapple with the explosion of SaaS apps in modern environments. Today it is common for businesses to use multiple apps in order to increase productivity and streamline workflows. Because of this, there are many points of entry into organizations, making these common workplace tools a potential security risk. 

A shared responsibility model is essential to combat such threats. In this model, the SaaS provider and users play active roles in maintaining robust security. Shared responsibility is pivotal for effectively managing and mitigating risks, especially in cloud environments, where responsibilities should be distributed between service providers and customers. Putting the onus on only one party is ineffective and solves only half the problem, which is why sharing responsibilities is the key to robust identity management.

But who is the customer in the shared responsibility model? It’s the business leaders downloading and implementing SaaS tools within organizations. To be most effective, these business leaders need to adopt a secure business-led IT mindset. Business-led IT is the idea that employees are empowered to make their own decisions when it comes to work-related tools or apps they would like to use and download, without approval from IT. It helps increase productivity and innovation by giving them autonomy over solutions to enhance their workflow, but also creates risk within companies. As leaders in different departments (marketing, security, finance, etc.) adopt SaaS tools to be more efficient, they need to also share the burden created by the risk and champion “secure business-led IT.” This is how the shared responsibility model becomes effective.

Breaking down the shared responsibility model for SaaS security

Both parties should be clear on expectations to ensure proper security and to avoid the blame game if an incident occurs. By understanding who owns what responsibilities, companies will be better equipped to identify gaps and improve protocols on their end, while collaborating with providers to ensure that they are playing their roles in proper security hygiene.

The responsibilities should be broken down as follows:

Service provider responsibilities

  • Securing the underlying cloud infrastructure. Providers must ensure that their infrastructure complies with relevant regulatory standards and certifications, facilitating a secure customer environment.
  • Ensuring that the cloud infrastructure is continually monitored, updated and compliant with security standards.
  • Offering tools and guidance to help customers secure their data and applications.
  • Producing software that is free from defects and known software vulnerabilities that could lead to unauthorized access. 

Customer responsibilities

  • Securing access to their apps and having processes and identity security tools in place to manage user access.
  • Securing their data, including implementing robust encryption, access controls and backup procedures.
  • Implementing robust security practices (including enforcing MFA and regular user access audits) and ensuring that all apps and accounts are accounted for, configured securely and promptly offboarded when no longer needed.

The importance of proper identity hygiene

The Snowflake attack is a lesson in the importance of proper identity hygiene. To prevent similar incidents, companies should align their SaaS security strategies with their service providers so that everyone is clear on what role they should play in mitigating threats. While not all threats can be avoided, being proactive can dramatically reduce risk to ensure that critical data is safe and identities don’t become easy entry points for bad actors.