Cloud Service Provider Breach: Lessons Learned From the Snowflake Attack

If your organization relies on a cloud service provider (CSP), the recent Snowflake data breach has likely created significant concern. As many as 165 Snowflake customers have been impacted by the data breach, which may include hundreds of millions of personal records. Even if your organization wasn’t directly impacted by the breach, it’s important to take note of the incident and consider whether your third-party risk management (TPRM) program is prepared to respond. This involves ensuring that your third-party CSPs are following best practices to keep data safe and secure.

Take this opportunity to learn about the Snowflake breach and determine its impact on your organization. Regardless of the impact, your organization can take away some important lessons that can strengthen your TPRM program and protect against future incidents. 

Cloud Service Provider Breach: What We Know About the Snowflake Attack

Snowflake noted unauthorized activity in some of its customers’ accounts in late May, though it was determined that the attack began in mid-April. Cybercriminals have since begun demanding ransom, ranging from hundreds of thousands to millions of dollars. While investigating the incident, Snowflake said the incident didn’t appear to be a breach of their system, nor was it caused by vulnerability or misconfiguration.

Instead, researchers investigating the incident noted that the organizations impacted didn’t have multi-factor authentication (MFA) turned on for their Snowflake accounts. Cybercriminals targeted those accounts and leveraged stolen credentials with info stealing malware. In response to the breach, Snowflake encouraged its customers to implement multi-factor authentication (MFA) to protect their accounts, which will eventually be applied as the default option. 

5 Third-Party Risk Management Lessons from the Snowflake Data Breach

Whether your organization was impacted by the breach or not, it offers important lessons that you can implement into your TPRM program. Many organizations rely on CSPs to store vast amounts of data, so it’s crucial to ensure the data remains safe and secure. You should also ensure that you’re appropriately assessing inherent risk and performing due diligence and ongoing monitoring to mitigate the identified risk. 

Here are some lessons to take away from the Snowflake breach:

• Enable MFA on all accounts – The Snowflake breach impacted organizations that lacked certain security controls like multi-factor authentication for remote access and network policies. Your organization should require these controls be implemented by any third parties that have access to your data, as well as within your own environment. 
• Perform periodic data mapping – Although CSPs offer more efficient and convenient options for data storage, it’s important to document the volume and types of data that’s involved. Data mapping will help your organization understand what types of data your CSP is storing, which can give more insight into the impact of a cyber incident. Also consider data mapping within your vendor inventories. This assists in ensuring you understand what data is held, by who, and how the data flows between systems and vendors. 
• Manage data access – The principle of least privilege is an important cybersecurity element, as it ensures users don’t access more data than what is necessary to perform their functions. Requiring access request and multi-level approvals across your third-party platforms can help keep data secure.
• Develop and test an incident response plan – The Snowflake breach serves as a reminder that your organization needs to be prepared for when, not if a third-party incident occurs. Most cybersecurity experts will agree that data breaches are inevitable, whether they impact your organization directly or indirectly through a third or fourth party. Developing and testing an incident response plan that includes third-party data breaches can help your organization be better prepared to detect, respond, and resolve incidents, while also notifying your customers of the impact. 
• Continuously monitor third parties – Ongoing monitoring is an essential TPRM activity, especially for cloud service providers that have access to your data. Consider developing specific metrics for CSPs such as key risk indicators (KRIs) and key performance indicators (KPIs). Monitoring these metrics can help identify issues that may increase the likelihood of a data breach.
• Assess cybersecurity practices – As part of your initial and periodic due diligence, make sure to assess your CSP’s cybersecurity practices, including security awareness training for employees and contractors, vulnerability management, and policies that govern the organization’s stance on implementing security controls. Security training, access management policies, social engineering testing, and more can help ensure that your CSP has appropriate controls in place to protect your data. 

The Snowflake data breach will likely be remembered in the months and years to come, but won’t be the last cloud service provider breach to make headlines. Learning from each new incident that occurs and prioritizing a robust TPRM program with cybersecurity controls can help lessen the impact of future third-party data breaches.