September 16, 2024 at 12:53PM
Snowflake has made multi-factor authentication (MFA) the default for all new user accounts, following investigations into data thefts. This change follows pressure to enhance security, with additional password strength measures also being implemented. Snowflake aims to eliminate password-only authentication in the long term and advises users to consult security best practices.
The meeting notes show Snowflake taking significant steps to enhance the cybersecurity of its users. The key takeaways:
1. Multi-Factor Authentication (MFA):
– Snowflake has made MFA the default for all new accounts, aiming to strengthen the cybersecurity posture.
– Incident response and threat intel specialist Mandiant found that the absence of MFA was a common factor in data theft incidents at Snowflake customers such as Ticketmaster and Santander Bank.
– Snowflake’s CISO and principal product manager announced that MFA will be enforced by default for all human users in any Snowflake account created in October 2024, with exceptions for service users.
2. Password Policies:
– Snowflake has increased the minimum password length from 8 to 14 characters.
– Users will be unable to reuse their previous five passwords. These changes will apply to all newly created and changed passwords starting in October.
3. Long-Term Security Ambitions:
– Snowflake aims to eliminate password-only authentication from its platform in the long term, although no specific date has been provided.
– Users are advised to consult Snowflake’s white paper on security best practices to strengthen their accounts.
4. Recommendations for Enhancing Security:
– Snowflake recommends using single sign-on (SSO) when possible and enabling MFA through the identity provider. In “break-glass” scenarios, the built-in MFA can be used.
– For service accounts, external OAuth and key pair authentication with network policies are recommended.
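As an added illustration (not taken from Snowflake's white paper or from the article), the following Snowflake SQL shows how an existing account could apply the password settings and the service-account recommendations described above. The names security_db.policies, strong_passwords, breakglass_mfa, corp_ranges, etl_svc and breakglass_admin, the IP range and the public key value are all hypothetical placeholders.

```sql
-- Added example; every object name below is hypothetical.
-- Policy objects live in a schema, assumed here to be security_db.policies.

-- Password policy matching the new defaults:
-- 14-character minimum, no reuse of the previous five passwords.
CREATE PASSWORD POLICY security_db.policies.strong_passwords
  PASSWORD_MIN_LENGTH = 14
  PASSWORD_HISTORY = 5;

ALTER ACCOUNT SET PASSWORD POLICY security_db.policies.strong_passwords;

-- Break-glass human user: password login with built-in MFA enrollment required.
-- Everyday human users would sign in through SSO, with MFA enforced at the IdP.
CREATE AUTHENTICATION POLICY security_db.policies.breakglass_mfa
  AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT = REQUIRED;

ALTER USER breakglass_admin
  SET AUTHENTICATION POLICY security_db.policies.breakglass_mfa;

-- Service account: no password, key pair authentication only,
-- reachable only from an allow-listed network range.
CREATE NETWORK POLICY corp_ranges
  ALLOWED_IP_LIST = ('203.0.113.0/24');  -- constructed documentation range

CREATE USER etl_svc
  TYPE = SERVICE                          -- service users are exempt from MFA
  RSA_PUBLIC_KEY = '<BASE64_PUBLIC_KEY_PLACEHOLDER>';

ALTER USER etl_svc SET NETWORK_POLICY = corp_ranges;
```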
Overall, Snowflake is actively responding to security incidents and is committed to enhancing its users’ cybersecurity measures through MFA enforcement and password policy changes, as well as offering recommendations for further security enhancements.