Attack Vectors

You may be wondering how relevant these questions are to ensuring our Snowflake environment is secure. You find out later in this chapter .

Prevention Not Cure

As the adage says, “Prevention is better than cure.” If things go wrong, at least we immediately have some tools available to recover under certain scenarios. Snowflake has an immutable one-year query history of assisting investigations. The Time Travel feature covers any point in history for up to 90 days; if it is not enabled, please do so immediately for your production environments. Finally, Snowflake provisions a fail-safe for an additional seven days of data recovery, noting the need to engage Snowflake support for Fail-safe assistance.

But we are into prevention, not cure, so let’s look at defining our security posture, then we have a baseline to work from. Figure 4-1, referenced from www.nist.gov/cyberframework , illustrates the constituent parts of our security framework along with dependencies to be resolved.

Our first step is to identify the assets to protect. Some organizations have a central catalog of all systems, technologies, vendors, and products. But many don’t, and for those who do, is the product catalog up to date?

Recently, the Log4j zero-day exploit has focused on the mind. More sophisticated organizations also record software versions and have a robust patching and testing cycle to ensure their estate remains current, and patches don’t break their systems. With regard to Snowflake, no vulnerabilities for the Log4j zero-day exploit were found, and immediate communications were issued to reassure all customers.

Essential maintenance is the practice of updating code by applying patches. Preventative in nature, and, fortunately for us, it is all taken care of by Snowflake’s weekly patch updates, but see the section on change bundles later in this chapter.

Protection involves physical and logical prevention of unauthorized access to hardware, networks, offices, infrastructure, and so on. Protection also establishes guardrails and software specifically designed to prevent unauthorized access, such as firewalls, anti-virus, network policies, multi-factor authentication, break-glass for privileged account use, regular environment scanning, and a host of other preventative measures, of which a subset are applicable for Snowflake.

Alerting relates to monitoring the protections applied and raising an alert when a threshold is reached, or a security posture is breached to inform the monitoring team as soon as possible and enable rapid response. The faster we detect and respond to an alert, the quicker we can recover from the situation.

We have identified Snowflake as the asset to protect as the subject of this book. While our AWS, Azure, and GCP accounts are equally important, they are largely outside this book’s scope, but you will find that the same principles apply.

Returning to our focus on Snowflake, where can we find an agreed global suite of standards for reducing cyber risks to Snowflake?

Welcome to the National Institute of Standards and Technology (NIST) .

National Institute of Standards and Technology (NIST)

NIST is a U.S. Department of Commerce organization that publishes standards for cybersecurity www.nist.gov/cyberframework .

NIST is a large site; finding what you need isn’t trivial. A great starting point for defining Snowflake security controls and is directly referenced in the Snowflake security addendum is at https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=5.1

Select Security Controls → All Controls to view the complete list, which at the time of writing runs to 322 separate controls. Naturally, only a subset is appropriate for securing our Snowflake accounts. Each control must be considered in the context of the capabilities Snowflake deliver.

Now that we have identified a trustworthy security control source and reviewed the content, our next step is to identify corresponding Snowflake controls. We then protect our Snowflake account by implementing identified changes, then apply effective monitoring to detect breaches with alerting to inform our support team, who will respond, fix, and remediate, leading to effective service recovery. After which, we can conduct our post-mortem and management reporting .

Our First Control

From what you know of Snowflake and the preceding interpretation, you might say the first control (of many) relates to the use of Snowflake-supplied administrative roles and, therefore, could be used to put guardrails around the use of the most highly privileged Snowflake-supplied ACCOUNTADMIN role. If our organization has enabled ORGADMIN role, we might consider extending this control to cover both ACCOUNTADMIN and ORGADMIN roles. Alternatively, we might create a second control with different criteria .

In defining control, we must also implement effective monitoring and alerting. This is covered in Chapter 6, which proposes a pattern-based suite of tools.

The exact wording differs according to the requirements, but this is an outline of a typical action.

Note in our initial requirements the implicit assumption of the control being defined by one group, with implementation being devolved to a second. This is good practice and in accordance with the segregation of roles and responsibilities.

Wash, rinse, and repeat for every required control. In conjunction with Snowflake subject matter experts (SMEs) , your cybersecurity professionals typically define the appropriate controls.

Network Policies

Our first control, in my opinion, is the most important one to implement. Network policies restrict access to Snowflake from specific IP ranges. Depending upon our security posture and considering how we use our Snowflake accounts, we may take differing views on whether to implement network policies or not. A network policy is mandatory for highly regulated organizations utilizing Snowflake for internal business use only; for other organizations allowing third-party logins from the public Internet, probably not.

Whether required or not, knowing about network policies is wise. They provide defense-in-depth access control via an IP blacklist (applied first) and an IP whitelist (applied second), mitigating inappropriate access and data loss risks.

For this discussion , let’s assume we require two network policies; the first ring-fences our Snowflake account allowing access to known IP ranges only, and the second enables access for a specific service user from a known IP range. The corresponding control might be expressed as “All Snowflake Accounts must prevent unauthorized access from locations outside of <your organization> internal network boundary except those from a cybersecurity approved location.”

Our network policies must, therefore, not have any CIDR ranges with /0.

When creating a network policy , it is impossible to declare a network policy that blocks the IP range from the currently connected session and attempt to implement the network policy. Also, when using network policies, the optional BLOCKED_IP_LIST is applied first for any connecting session, after which the ALLOWED_IP_LIST is applied.

We can now proceed with confidence in creating our network policies, knowing we cannot lock ourselves out. Our first task is to identify valid IP ranges to allow. These may be from a variety of tools and sources. Your cybersecurity team should know the list and approve your network policy implementation. Naturally, cybersecurity may wish to satisfy themselves that the network policy has correctly been applied after the first implementation and ensure effective monitoring after that. With our approved IP ranges available, we may only need to define the ALLOWED_IP_LIST.

While we may have many account network policies declared, we can only have one account network policy in force at a given time.

To enable access from a known, approved Internet location, we require a second network policy, this time for a specific connection. We can declare as many network policies as we wish, each with a specific focus in addition to the single active account network policy. An example may be connecting Power BI from Azure to Snowflake on AWS. The east-west connectivity is from a known IP range, which your O365 administrators will know.

When the Power BI service user attempts to log in, their IP is checked against the ALLOWED_IP_LIST range for the assigned network policy.

Using these commands, we can manage our network policies. Monitoring and alerting are addressed later. There are a few hoops to jump through in common with implementing other monitoring patterns.

For monitoring in Chapter 6, this setting is referred to as SNOWFLAKE_NIST_NP1.

Preventing Unauthorized Data Unload

Our next control might be to prevent data from being unloaded to user-specified Internet locations. Of course, your security posture and use cases may need to allow data to be unloaded, in which case this control should be ignored. User-specified Internet locations can be any supported endpoint. Effectively, your user determines where they wish to unload data; for most organizations, it could be a primary source of data leaks.

For monitoring in Chapter 6, this setting is SNOWFLAKE_NIST_AC2.

Restricting Data Unload to Specified Locations

Our next control might restrict data unloads to specified, system-mapped Internet locations. Of course, your security posture and use cases may need to allow data to be unloaded to any user-defined location, in which case this control should be ignored. System mapped Internet locations can be any supported endpoint mapped via storage integration only, thus restricting data egress to known locations.

The advantages of implementing this control should be obvious. The rigor associated with software development ensures the locations are reviewed and approved before storage integrations are implemented.

For monitoring in Chapter 6, this setting is SNOWFLAKE_NIST_AC3 .

Single Sign-On (SSO)

When our Snowflake account is provisioned, all users are provisioned with a username and password. You know that usernames and passwords are vulnerable to bad actors acquiring our credentials, potentially leading to data loss, reputational impact, and financial penalties. Our cybersecurity colleagues rightly insist we protect our credentials. SSO is one of the tools we can use where we no longer rely upon username and password but instead authenticate via centralized tooling.

Snowflake SSO documentation is at https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-overview.html . Implementing SSO relies upon having federated authentication. This section explains the steps required to integrate ADFS and some troubleshooting information. Naturally, SSO integration varies according to available tooling, so apologies in advance for those using alternative SSO providers, space (and time) do not permit a wider examination of all available options.

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SPs). In our case, Snowflake is the service provider, and Microsoft ADFS is the identity provider. Due to the segregation of roles and responsibilities in organizations, setting up SSO requires both SME knowledge and administrative access to ADFS.

Step 4. Enable SSO

Once the preceding steps have been completed, SSO can be enabled.

USE ROLE accountadmin;

ALTER ACCOUNT SET sso_login_page = TRUE;

The SSO sign-in box appears when logging into Snowflake, as shown in Figure 4-2.

Future attempts to log in to Snowflake should produce the login dialog shown in Figure 4-2, where you should now be able to click the “Sign in using SSO” button. A dialog box appears, prompting for username and password, as shown in Figure 4-3.

Enter credentials for your organization domain login, which should authenticate against your IdP and allow access to Snowflake.

Troubleshooting

Occasionally , things go wrong with configuring SSO. This section provides troubleshooting information. I cannot cover every scenario but provide information on tools to help diagnose the root cause.

Using Firefox, search for “saml tracer firefox”. You should see results similar to those in Figure 4-4.

Download and install the browser SAML-tracer add-in, and when complete, in the top right-hand corner of your Firefox browser, look for the icon highlighted in Figure 4-5.

When you click the icon, a pop-up window appears with trace information. Note the trace automatically refreshes according to open browser tabs and pages displayed. For successful traces, a wall of green replies is seen. Where an alert is raised, the response is amber or red. Attempt to log in to Snowflake. You may see something like what’s shown in Figure 4-6.

Click each message and navigate to the SAML tab at the bottom of the tracer, where you see something similar to Figure 4-7.

You may need to work with our ADFS administrator to resolve the issue. Snowflake may also provide some clues though you need to enable the Snowflake Account Usage store, as described in Chapter 6, first. The following example code identifies login attempts along with the error code.

USE ROLE accountadmin;

SELECT *

FROM   snowflake.account_usage.login_history

WHERE  error_code IS NOT NULL

ORDER BY event_timestamp DESC;

Identify the error_code from the information presented at

https://docs.snowflake.com/en/user-guide/errors-saml.html .

Further information is at https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-use.html#using-sso-with-aws-privatelink-or-azure-private-link .

Multi-Factor Authentication (MFA)

MFA is not currently enabled by default. Each user must configure MFA manually. Snowflake documentation covering all aspects of MFA is at https://docs.snowflake.com/en/user-guide/security-mfa.html .

Figure 4-8 illustrates how to configure MFA using the Snowflake User Interface and assumes you are logged in. At the top right of the screen, click the down arrow to open Options, and then select Preferences.

After confirming your email address, click the “Enroll in MFA” link, as shown in Figure 4-9.

Download and install DUO Mobile onto your phone. A QR code is sent. Scan the QR code. Note you may be prompted to upgrade your phone operating system. Once enrolled, refresh the Preferences option. You see that your phone number is displayed.

System for Cross-domain Identity Management (SCIM)

Without SCIM integration, you cannot automate the creation and removal of Snowflake users and roles maintained in Active Directory. Supported IdPs are Microsoft Azure AD and Okta. SCIM integration automates the exchange of identity information between two endpoints.

In this example, we integrate Snowflake and Azure AD to automatically provision and de-provision users and roles, thus automating user and RBAC provisioning via Azure AD. Snowflake documentation is at https://docs.snowflake.com/en/user-guide/scim-azure.html . Figure 4-10 illustrates interactions between the various components required.

The returned value should look something like the value shown in Figure 4-11.

For the remaining steps, refer to Azure documentation at https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/snowflake-provisioning-tutorial , update Azure AD with the token generated in Figure 4-11 then test.

PrivateLink

PrivateLink is an AWS service for creating VPC direct connections with secure endpoints between the AWS account and Snowflake without traversing the public Internet. The corresponding component for direct connections with secure endpoints between AWS accounts and on-prem is AWS Direct Connect, as illustrated in Figure 4-12.

PrivateLink requires Snowflake support assistance and may take up to two working days to provision. Please refer to the documentation at https://docs.snowflake.com/en/user-guide/admin-security-privatelink.html for further information. Note that your corporate network configuration may require changes to allow connectivity.

If you experience connectivity issues, you may also need to use SnowCD for diagnosis and open ports on firewalls, specifically 80 and 443. Further information is at https://docs.snowflake.com/en/user-guide/snowcd.html#snowcd-connectivity-diagnostic-tool .

Data Encryption

Data encryption is a primary means of ensuring our data remains safe. Snowflake utilizes underlying cloud service provider storage, which for AWS is S3 buckets. We have not yet discussed how our data is protected in S3. We assume everyone knows why.

Snowflake takes security seriously, very seriously indeed. What is covered in the next few pages cannot do justice in explaining the immense work Snowflake has put into security. This whitepaper requires registration to download and is well worth investing the effort to read www.snowflake.com/resource/industrial-strength-security-by-default/ .

Tri-Secret Secure

Figure 4-13 is from Snowflake documentation at https://docs.snowflake.com/en/user-guide/security-encryption-manage.html#understanding-encryption-key-management-in-snowflake . It shows the relationship between the keys.

S3 Security Profile and Scanning

Strictly speaking, AWS S3 bucket security is not a Snowflake-specific issue, but in the context of external stages is mentioned to provide a holistic view of application security. Referenced throughout this book, S3 is a gateway into Snowflake.

Every organization has a policy or template security setting for S3 buckets with appropriate security scanning tools such as Checkpoint Software Technologies CloudGuard. Naturally, configuration and use of any scanning tools are beyond the scope of this book but are mentioned for completeness because artifacts loaded into S3 must also be protected from unauthorized access.

Penetration Test (Pen Test)

The subject of penetration testing occasionally reappears in organizations where new team members, management, and oversight look to reaffirm we have all our controls in place and pen testing is up to date. From a delivery perspective, pen testing is paradoxically out of our hands. It is not enough to make this statement without explaining why, and this section provides context and reasoning.

Understanding the objectives of pen testing provides part of the answer, with this definition from www.ncsc.gov.uk/guidance/penetration-testing .

Stress testing the Snowflake environment is naturally in Snowflake Inc.’s best interest, and much continual effort is expended to ensure Snowflake remains secure. But in so doing, the tools and techniques must remain confidential. Any bad actor would love to know which tools and techniques are deployed, and where gaps in coverage may identify weakness or opportunity. The last thing any product vendor needs is a zero-day exploit. Does anyone remember Log4j?

We must rely upon another means of validating the Snowflake approach as the direct understanding of tooling and approach are inaccessible. Fortunately, Snowflake provides external verification and attestations that we can rely upon, as shown in Figure 4-14.

But this section relates to pen tests. Apart from the generally available proofs, how can our organization be assured at a detailed level?

Figure 4-15 provides an overview of the actions Snowflake performs on our behalf.

Contractual negotiations between organizations and Snowflake Inc. include a provision for disclosing details of pen tests conducted to named individuals. The named individuals should be cybersecurity specialists as the information disclosed is highly sensitive. Therefore, the recipient list must be kept short.

The final body of evidence we can rely upon is Snowflake’s field security CTOs, specialists available to explain those topics of interest to our cybersecurity colleagues in presentation and document formats.

With this explanation in mind, I trust there is sufficient evidence to satisfy our immediate concerns while providing information on how to dig deeper. Finally, more information can be found at www.snowflake.com/product/security-and-trust-center/ from which some of the preceding content is sourced.

Time Travel

A brief discussion of the Time Travel account security feature is important. As discussed in Chapter 3, at a minimum, you must ensure your production environments have the Time Travel feature set to 90 days. It is recommended that all other environments have it enabled for the occasional mishaps during development. Yes, we have all been there. For monitoring in Chapter 6, this setting is SNOWFLAKE_NIST_TT1.