Cloud Service Provider Breach: Lessons Learned From the Snowflake Attack
By: Venminder Experts on June 24 2024
5 min read
If your organization relies on a cloud service provider (CSP), the recent Snowflake data breach has likely created significant concern. As many as 165 Snowflake customers have been impacted by the data breach, which may include hundreds of millions of personal records. Even if your organization wasn’t directly impacted by the breach, it’s important to take note of the incident and consider whether your third-party risk management (TPRM) program is prepared to respond. This involves ensuring that your third-party CSPs are following best practices to keep data safe and secure.
Take this opportunity to learn about the Snowflake breach and determine its impact on your organization. Regardless of the impact, your organization can take away some important lessons that can strengthen your TPRM program and protect against future incidents.
Cloud Service Provider Breach: What We Know About the Snowflake Attack
Snowflake noted unauthorized activity in some of its customers’ accounts in late May, though it was determined that the attack began in mid-April. Cybercriminals have since begun demanding ransom, ranging from hundreds of thousands to millions of dollars. While investigating the incident, Snowflake said the incident didn’t appear to be a breach of their system, nor was it caused by vulnerability or misconfiguration.
Instead, researchers investigating the incident noted that the organizations impacted didn’t have multi-factor authentication (MFA) turned on for their Snowflake accounts. Cybercriminals targeted those accounts and leveraged stolen credentials with info stealing malware. In response to the breach, Snowflake encouraged its customers to implement multi-factor authentication (MFA) to protect their accounts, which will eventually be applied as the default option.
5 Third-Party Risk Management Lessons from the Snowflake Data Breach
Whether your organization was impacted by the breach or not, it offers important lessons that you can implement into your TPRM program. Many organizations rely on CSPs to store vast amounts of data, so it’s crucial to ensure the data remains safe and secure. You should also ensure that you’re appropriately assessing inherent risk and performing due diligence and ongoing monitoring to mitigate the identified risk.
Here are some lessons to take away from the Snowflake breach:
- Enable MFA on all accounts – The Snowflake breach impacted organizations that lacked certain security controls like multi-factor authentication for remote access and network policies. Your organization should require these controls be implemented by any third parties that have access to your data, as well as within your own environment.
- Perform periodic data mapping – Although CSPs offer more efficient and convenient options for data storage, it’s important to document the volume and types of data that’s involved. Data mapping will help your organization understand what types of data your CSP is storing, which can give more insight into the impact of a cyber incident. Also consider data mapping within your vendor inventories. This assists in ensuring you understand what data is held, by who, and how the data flows between systems and vendors.
- Manage data access – The principle of least privilege is an important cybersecurity element, as it ensures users don’t access more data than what is necessary to perform their functions. Requiring access request and multi-level approvals across your third-party platforms can help keep data secure.
- Develop and test an incident response plan – The Snowflake breach serves as a reminder that your organization needs to be prepared for when, not if a third-party incident occurs. Most cybersecurity experts will agree that data breaches are inevitable, whether they impact your organization directly or indirectly through a third or fourth party. Developing and testing an incident response plan that includes third-party data breaches can help your organization be better prepared to detect, respond, and resolve incidents, while also notifying your customers of the impact.
- Continuously monitor third parties – Ongoing monitoring is an essential TPRM activity, especially for cloud service providers that have access to your data. Consider developing specific metrics for CSPs such as key risk indicators (KRIs) and key performance indicators (KPIs). Monitoring these metrics can help identify issues that may increase the likelihood of a data breach.
- Assess cybersecurity practices – As part of your initial and periodic due diligence, make sure to assess your CSP’s cybersecurity practices, including security awareness training for employees and contractors, vulnerability management, and policies that govern the organization’s stance on implementing security controls. Security training, access management policies, social engineering testing, and more can help ensure that your CSP has appropriate controls in place to protect your data.
4 Immediate Steps After a Cloud Service Provider Breach
The scope of the Snowflake data breach is widespread and many organizations may still not know whether they were impacted. However, it’s essential not to take a “wait and see” approach when it comes to responding to a CSP data breach. A proactive response can help identify the impact more quickly, allowing your organization to take the necessary steps to protect your data.
Here are some suggested steps to take after a CSP data breach:
- Communicate with the CSP – If your organization was directly impacted, communicate with the CSP about the scope of the breach to ensure you have relevant information to notify customers, regulators, and law enforcement, as needed. Also make sure to implement any security recommendations the third party provides, such as stronger user authentication procedures using multi-factor authentication (MFA).
- Identify any exposure – Your organization may not have been directly impacted by the CSP breach, but that doesn’t mean you haven’t been exposed. Consider all the third parties, fourth parties, and nth parties that are included in your vendor ecosystem and may have been impacted in the breach. Although you have limited oversight in your fourth and nth parties, it’s important to identify any exposure within your critical and high-risk vendors and verify that they’re meeting their contractual data breach notification requirements.
- Review your incident response plan and security protocols – Regardless of the breach impact or exposure, it’s important to evaluate your internal incident response plan and security protocols. Plans should be up to date, with clearly defined roles and responsibilities so your organization is prepared to take any next steps. Security protocols such as employee training and testing should also be reviewed and updated, as needed.
- Increase ongoing monitoring – Any vendors that were impacted in the breach should be monitored and re-assessed more frequently to identify any performance or risk issues that may need to be addressed. Additionally, your organization should continue monitoring its own system for any unusual activity that may have resulted from the breach. This is especially critical with vendors who have access to your infrastructure or have software installed within your infrastructure, with the SolarWinds attack of 2020 being a great example.
The Snowflake data breach will likely be remembered in the months and years to come, but won’t be the last cloud service provider breach to make headlines. Learning from each new incident that occurs and prioritizing a robust TPRM program with cybersecurity controls can help lessen the impact of future third-party data breaches.
Related Posts
What Are Third-Party Security Risks?
Third-party vendors are essential for most organizations as they provide necessary resources and...
Meeting HIPAA Third-Party Risk Requirements
Certain industries, like finance and healthcare, are at a higher risk of data breaches because they...
Third-Party Data Protection: Are Your Vendors Prepared?
Cybersecurity incidents, such as data breaches and ransomware attacks, have become increasingly...
Subscribe to Venminder
Get expert insights straight to your inbox.
Ready to Get Started?
Schedule a personalized solution demonstration to see if Venminder is a fit for you.