Stop leaving it up to the users
Great transparency from Snowflake in allowing the publication of this report from their IR provider, Mandiant. It adds further weight to their argument that this wasn't some deep intrusion of Snowflake itself, but customer account compromise.
The attackers were simply using stolen passwords (largely harvested by infostealer malware on customer and contractor machines, per the report) and logging on.
https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
At a technical level, I support their recommendations: MFA, bar some bypass technique, would absolutely have prevented account compromise, and network allow-listing would have added an extra layer of security (although there are some issues to consider in the era of WFH and split-tunnel VPNs, where user traffic no longer arrives from a small, predictable set of corporate egress addresses).
But with this recent report, I reflect a little on 2 key points:
This doesn't seem to have been an attack targeting TicketMaster or Santander specifically, nor one that just opportunistically stumbled over the right credentials. The threat actor concerned was "...systematically compromising Snowflake customer instances..." with "...intelligence identifying a broader campaign targeting ... Snowflake customer instances...".
Security should be (wherever possible) transparent to the user, but also something that recognises the fallibility of the human.
Both of these lead me to question the stance the Mandiant blog seems to double down on: "It was the user's fault for not doing XYZ".
I fully recognise the "shared security responsibility model" adopted by many (if not all) cloud providers, and that "technically" it is the user's responsibility to secure account access - but this feels like an opportunity to establish a fairly decent differentiator with competitors, if you decide to lean in and provide some account security for "free".
When you're looking to encourage more users to host their data on your platform, making what feel like fairly standard security protections "opt-out" rather than "opt-in" sets the tone that you take security seriously. MFA, account monitoring, notifications of "suspicious behaviour"... my local supermarket loyalty card scheme does this by default - in fact, I'm not even sure I can disable it.
For companies, you should understand the risk of SaaS/cloud usage, and require MFA and other controls from your users. But I'm guessing that in the cases we're reading about, this is more likely to be Shadow IT.
So a question for you - if a user registered for a third-party SaaS service using their corporate email, how would you know?
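One cheap signal that answers that question is the registration email itself: almost every SaaS sign-up sends a "verify your email" or "confirm your account" message to the address the user typed in, and that message passes through the corporate mail gateway. The script below is an added example (not from the original post or from Snowflake/Mandiant) that runs a few subject-line heuristics over gateway logs. The log format, the domain names (`corp.example`, `examplesaas.test`, `datatool.test`, `sanctioned-crm.test`) and the sample events are all constructed for the demo; the field names would need mapping to whatever your gateway or SIEM actually exports.

```python
"""Flag probable third-party SaaS sign-ups from mail-gateway logs.

Constructed example: the JSON-lines log format and every domain below
are invented for this demo. Adapt field names and the allow-lists to
your own gateway export and sanctioned-SaaS inventory.
"""
import json
import re
from collections import Counter

# Constructed sample: inbound mail events as a gateway might log them.
SAMPLE_LOG = """\
{"ts":"2024-06-10T09:12:01Z","from":"no-reply@examplesaas.test","to":"alice@corp.example","subject":"Verify your email address"}
{"ts":"2024-06-10T09:15:44Z","from":"newsletter@vendor.test","to":"bob@corp.example","subject":"June product update"}
{"ts":"2024-06-10T10:02:13Z","from":"hello@datatool.test","to":"bob@corp.example","subject":"Welcome to DataTool - confirm your account"}
{"ts":"2024-06-10T10:30:00Z","from":"it-helpdesk@corp.example","to":"alice@corp.example","subject":"Welcome to the new VPN - verify your device"}
{"ts":"2024-06-10T11:05:27Z","from":"noreply@sanctioned-crm.test","to":"carol@corp.example","subject":"Your verification code is 482913"}
{"ts":"2024-06-10T11:40:09Z","from":"accounts@examplesaas.test","to":"dave@corp.example","subject":"Confirm your email to finish signing up"}
"""

# Sender domains of SaaS the company has approved (hypothetical inventory).
SANCTIONED_DOMAINS = {"sanctioned-crm.test"}
# Internal domains: mail from here is never a third-party sign-up.
INTERNAL_DOMAINS = {"corp.example"}

# Subject phrasing typical of account-registration flows. Deliberately
# narrow ("verify your device" from IT should not fire) to keep noise down.
SIGNUP_PATTERNS = [
    r"\bverify your (email|e-mail|account)\b",
    r"\bconfirm your (email|e-mail|account)\b",
    r"\bverification code\b",
    r"\bactivate your account\b",
    r"\bfinish (signing up|creating your account)\b",
]
SIGNUP_RE = re.compile("|".join(SIGNUP_PATTERNS), re.IGNORECASE)


def sender_domain(addr):
    """Lower-cased domain part of an address; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_log(text):
    """Parse a JSON-lines log, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole sweep
    return events


def find_signups(events):
    """Return (recipient, sender_domain, subject) for each probable
    sign-up at a service that is neither internal nor sanctioned."""
    hits = []
    for ev in events:
        dom = sender_domain(ev.get("from", ""))
        if not dom or dom in INTERNAL_DOMAINS or dom in SANCTIONED_DOMAINS:
            continue
        if SIGNUP_RE.search(ev.get("subject", "")):
            hits.append((ev.get("to", ""), dom, ev["subject"]))
    return hits


def domains_by_count(hits):
    """How many corporate addresses registered at each unsanctioned domain."""
    return Counter(dom for _, dom, _ in hits)


if __name__ == "__main__":
    found = find_signups(parse_log(SAMPLE_LOG))
    for to, dom, subj in found:
        print(f"{to:<22} {dom:<22} {subj}")
    print(domains_by_count(found).most_common())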