Snowflake Ransomware Guardrails

Ransomware is a type of malicious software that encrypts a victim's data or locks their device, demanding a ransom to restore access or to not expose the data. It poses significant risks to companies, including financial losses from ransom payments and data restoration, operational disruptions, legal consequences and reputational damage. Additionally, sensitive data may be stolen and leaked, leading to further harm.
While no capability or measure can guarantee 100% protection against malicious actors, using a layered security approach with Snowflake's advanced capabilities helps mitigate such security threats.
Customers want to know the level of protection their cloud providers offer to help mitigate the risk of ransomware. In this blog post, we will explore the mitigation techniques that Snowflake offers, which fall into two categories: the Snowflake platform's default capabilities, which require no customer implementation, and capabilities that require customer implementation.
Here we introduce platform and customer-facing mitigation controls that Snowflake provides in the form of prevention, detection and recovery measures.
Snowflake platform: Strong security foundations
Snowflake is a SaaS with robust security by design. For more details, see the Snowflake Security Hub and Security Addendum.
Prevention
Access controls
Access to Snowflake infrastructure is protected by multiple layers of security (defense in depth and zero trust). For instance, only authorized corporate-issued machines via multifactor authentication can be used to access the infrastructure and Snowflake services. Snowflake implements least-privilege access and separation of duties; access to infrastructure resources is based on principles of role-based access and least privilege. Furthermore, access requests go through an approval workflow and are audited for compliance. You can visit our Snowflake Compliance Center to learn more about the latest security reports (such as SOC2, HITRUST, ISO 27001, 27017, 27018 and more) and request them directly from the portal.
Snowflake compute software controls
Snowflake compute software is continuously scanned and patched according to our vulnerability management policies, which helps in mitigating any tampering with those images or code to introduce any ransomware malicious code.
Detection
Snowflake implements a 24/7 security operating center for continuous security monitoring and detection of suspicious activities.
Recovery: Snowflake resiliency
A Snowflake region is built across at least three availability zones within a cloud provider region. This supports redundancy in case of failure and provides fault isolation to mitigate malware propagation. To provide cross-regional and/or cross-cloud high availability and business continuity, customers can leverage Snowflake replication.
For more details about Snowflake security by design, see Snowflake Technical Tools for Protecting Sensitive Customer Data, pages 10 and 11.
Customer-facing ransomware mitigation
Snowflake provides customers with a set of capabilities to help mitigate the risk of ransomware. We are continuously improving these capabilities. Customers can leverage defense in depth to allow authorized access to their Snowflake accounts while restricting malicious actors from accessing their Snowflake resources and introducing ransomware.
Prevention
Customers should harden their Snowflake accounts to mitigate ransomware attacks by leveraging the following guidelines.
Mitigating network attack vectors: To limit the ingress and egress attack surface, customers can leverage the following protections.
Ingress network-level protection: Limit the attack surface by leveraging ingress network policies to restrict access to only authorized IP addresses. If customers are using inbound private connectivity, they can also leverage CSP tags such as VPCID and LinkID.
Egress network-level protection: Customers can leverage egress network rules to restrict access to only authorized resources in their network, and customers can leverage outbound private connectivity when connecting to resources such as Iceberg, external stages or APIs.
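The ingress and egress controls described above, as an added example in Snowflake SQL (not code from the Snowflake post). The schema, rule, policy and integration names, the IP ranges (RFC 5737 documentation addresses), the VPC endpoint id and the partner host are all constructed.

```sql
-- Added example: ingress allow-list plus egress allow-list for one account.
USE ROLE SECURITYADMIN;
USE SCHEMA sec_admin.policies;   -- assumed schema that holds the network rules

-- 1. Ingress: only the corporate ranges may open a session.
CREATE OR REPLACE NETWORK RULE corp_ingress_ips
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('203.0.113.0/24', '198.51.100.10');

-- With inbound private connectivity on AWS the VPC endpoint id (a CSP tag)
-- can be allow-listed instead of public IPs.
CREATE OR REPLACE NETWORK RULE corp_private_link
  TYPE = AWSVPCEID
  MODE = INGRESS
  VALUE_LIST = ('vpce-PLACEHOLDER');   -- placeholder: your own endpoint id

CREATE OR REPLACE NETWORK POLICY corp_only
  ALLOWED_NETWORK_RULE_LIST = ('corp_ingress_ips', 'corp_private_link')
  COMMENT = 'Ransomware guardrail: deny logins from unmanaged networks';

-- Activate account-wide. Snowflake checks that the activating session's own
-- IP is covered, so the administrator cannot lock the account out by mistake.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. Egress: UDFs and procedures may only reach the named partner host.
USE ROLE ACCOUNTADMIN;   -- CREATE INTEGRATION is an account-level privilege
CREATE OR REPLACE NETWORK RULE partner_api_egress
  TYPE = HOST_PORT
  MODE = EGRESS
  VALUE_LIST = ('api.partner.example:443');

CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION partner_api_access
  ALLOWED_NETWORK_RULES = (partner_api_egress)
  ENABLED = TRUE;
-- Only code that declares EXTERNAL_ACCESS_INTEGRATIONS = (partner_api_access)
-- can open an outbound connection, and only to that host and port; any other
-- destination (for example an attacker's exfiltration endpoint) is refused.
```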
Mitigating stolen identity attack vectors: To limit unauthorized access and mitigate stolen credential attacks, Snowflake is enabling the following protections.
Retiring password-only access to Snowflake: Customers are encouraged to leverage stronger authentication methods such as OAuth and SAML. Check out our best practices to mitigate the risk of credential compromise.
Investing in security capabilities and innovation: Snowflake will continue investing in the security capabilities of our customer accounts and bring more products and innovations to this space, such as native support for passkeys and time-based one-time passwords (TOTP), including authenticator apps. These will all work hand-in-hand with Snowflake’s other recently announced capabilities, including Leaked Password Protection, Trust Center and MFA policies.
Mitigating unauthorized data access attack vectors: Customers can leverage Snowflake sensitive data classification, tagging, role-based access controls (RBAC), data masking policies and row access policies to implement least-privilege access and mitigate unauthorized data access.
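The identity hardening and least-privilege data controls from the two passages above, as an added example in Snowflake SQL (not code from the Snowflake post). The security integration OKTA_SAML, the roles PII_READER and HR_GLOBAL, the table hr.employees and the mapping table sec_admin.region_access are assumed names.

```sql
-- Added example: retire password-only access, then limit what a stolen
-- session can read even if it does get in.
USE ROLE ACCOUNTADMIN;

-- 1. Authentication policy: humans authenticate through the IdP (SAML/OAuth,
--    where MFA is enforced), service accounts use key pairs. No PASSWORD
--    method is listed, so password-only logins are refused. During a
--    transition you could add 'PASSWORD' and keep MFA_ENROLLMENT = REQUIRED
--    so that any remaining password user must enrol in MFA.
CREATE OR REPLACE AUTHENTICATION POLICY no_password_only
  AUTHENTICATION_METHODS = ('SAML', 'OAUTH', 'KEYPAIR')
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS')
  SECURITY_INTEGRATIONS = ('OKTA_SAML')
  COMMENT = 'Ransomware guardrail: no password-only access';
ALTER ACCOUNT SET AUTHENTICATION POLICY no_password_only;

-- 2. Masking policy: identifiers are readable only when a role that was
--    explicitly granted PII access is active in the session.
CREATE OR REPLACE MASKING POLICY ssn_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val
    ELSE '***-**-' || RIGHT(val, 4)
  END;
ALTER TABLE hr.employees MODIFY COLUMN ssn SET MASKING POLICY ssn_mask;

-- 3. Row access policy: each role sees only the regions mapped to it in
--    sec_admin.region_access(role_name, region); HR_GLOBAL sees everything.
CREATE OR REPLACE ROW ACCESS POLICY region_rap AS (region STRING) RETURNS BOOLEAN ->
  IS_ROLE_IN_SESSION('HR_GLOBAL')
  OR EXISTS (SELECT 1
             FROM sec_admin.region_access ra
             WHERE ra.role_name = CURRENT_ROLE()
               AND ra.region = region);
ALTER TABLE hr.employees ADD ROW ACCESS POLICY region_rap ON (region);
```

The policies apply at query time, so a compromised analyst account that bypasses nothing else still cannot bulk-read unmasked identifiers or rows outside its region.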
Detection
Continuous auditing and monitoring: Customers should leverage access history and login history to continuously monitor suspicious activity such as elevated roles (sysadmin, account admin) used to query data or access from unauthorized IP addresses.
Identification of risky users: Customers should leverage Trust Center or the Threat Intelligence package to list the risky users who need to be protected with better authentication methods.
Mitigation of ransomware metadata manipulation attack vector: Customers can leverage change management notifications by using Snowflake alerts and notifications to know when changes have been made, such as change of Time Travel setting, elevated RBAC change, use of account admin role and so on.
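The three detection measures above (monitoring login and query history, spotting elevated-role use, and alerting on Time Travel changes), as an added example in Snowflake SQL over the SNOWFLAKE.ACCOUNT_USAGE views (not code from the Snowflake post). The allow-listed IP ranges, the warehouse security_wh, the notification integration soc_email_int and the recipient address are constructed.

```sql
-- Added example: detection queries plus a scheduled alert.
USE ROLE ACCOUNTADMIN;

-- 1. Successful logins in the last 24 h from outside the corporate ranges.
--    The ingress network policy should make this empty; any row is a gap.
SELECT event_timestamp, user_name, client_ip,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp > DATEADD(day, -1, CURRENT_TIMESTAMP())
  AND NOT (client_ip LIKE '203.0.113.%' OR client_ip = '198.51.100.10')
ORDER BY event_timestamp DESC;

-- 2. Elevated roles reading or destroying data, changing grants, or touching
--    retention settings in the last 24 h.
SELECT start_time, user_name, role_name, query_type,
       LEFT(query_text, 200) AS stmt
FROM snowflake.account_usage.query_history
WHERE role_name IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'SYSADMIN')
  AND start_time > DATEADD(day, -1, CURRENT_TIMESTAMP())
  AND (query_type IN ('SELECT', 'UPDATE', 'DELETE', 'DROP', 'GRANT', 'REVOKE')
       OR query_text ILIKE '%DATA_RETENTION_TIME_IN_DAYS%')
ORDER BY start_time DESC;

-- 3. Alert: any statement touching DATA_RETENTION_TIME_IN_DAYS since the last
--    successful run. Alerts are created suspended, hence the RESUME.
CREATE OR REPLACE ALERT retention_change_alert
  WAREHOUSE = security_wh
  SCHEDULE = '60 MINUTE'
  IF (EXISTS (
        SELECT 1
        FROM snowflake.account_usage.query_history
        WHERE query_text ILIKE '%DATA_RETENTION_TIME_IN_DAYS%'
          AND start_time > COALESCE(SNOWFLAKE.ALERT.LAST_SUCCESSFUL_SCHEDULED_TIME(),
                                    DATEADD(hour, -1, CURRENT_TIMESTAMP()))
          AND start_time <= SNOWFLAKE.ALERT.SCHEDULED_TIME()))
  THEN CALL SYSTEM$SEND_EMAIL(
         'soc_email_int', 'soc@example.com',
         'Snowflake: data retention setting changed',
         'A statement referencing DATA_RETENTION_TIME_IN_DAYS ran; review QUERY_HISTORY.');
ALTER ALERT retention_change_alert RESUME;
-- ACCOUNT_USAGE views are not real time (QUERY_HISTORY lags up to about
-- 45 minutes, LOGIN_HISTORY up to about 2 hours); size the schedule and
-- lookback windows accordingly.
```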
Recovery
Customers should leverage Snowflake Time Travel, which allows them to access previous versions of modified or deleted data.
As mentioned above, ransomware risks can’t be fully eliminated because of many other attack vectors, such as a compromised customer secret manager where the encryption keys are stored or a bad actor gaining access to account admin due to compromised customer machines. If a bad actor gains access to the system after all the above controls have failed and has managed to turn off Time Travel, Snowflake has another capability, Fail-Safe, that can protect customers.
Fail-Safe is not a new capability. Previous versions of data are kept in separate customer storage for seven days, and customers can contact Snowflake support to help restore their data before it was manipulated by ransomware. The bad actor cannot change this seven-day period, as it is baked and built into the platform.
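The Time Travel recovery path described above, carried through as an added example in Snowflake SQL (not code from the Snowflake post). The table payments.invoices and the query id of the destructive statement are constructed for the walkthrough.

```sql
-- Added example: guard the retention window ahead of time, then recover a
-- table that ransomware overwrote or dropped.
USE ROLE ACCOUNTADMIN;

-- 1. Before an incident: keep Time Travel long (90 days is the Enterprise
--    edition maximum) and set an account floor so a compromised object owner
--    cannot quietly set an individual table's retention to 0.
ALTER ACCOUNT SET DATA_RETENTION_TIME_IN_DAYS = 90;
ALTER ACCOUNT SET MIN_DATA_RETENTION_TIME_IN_DAYS = 30;
SHOW PARAMETERS LIKE '%DATA_RETENTION_TIME_IN_DAYS' IN ACCOUNT;

-- 2. During an incident: locate the destructive statement.
SELECT query_id, start_time, user_name, role_name, query_text
FROM snowflake.account_usage.query_history
WHERE query_text ILIKE '%payments.invoices%'
  AND query_type IN ('UPDATE', 'DELETE', 'DROP')
ORDER BY start_time DESC;

-- Assume the ransomware UPDATE has query id 01b2c3d4-0000-0000-0000-000000000000
-- (constructed). Inspect the table as it stood just before that statement.
SELECT COUNT(*) AS rows_before
FROM payments.invoices
BEFORE (STATEMENT => '01b2c3d4-0000-0000-0000-000000000000');

-- 3. Restore: zero-copy clone the pre-attack version and swap it in, so the
--    tampered version stays available for forensics under the _clean name.
CREATE OR REPLACE TABLE payments.invoices_clean
  CLONE payments.invoices
  BEFORE (STATEMENT => '01b2c3d4-0000-0000-0000-000000000000');
ALTER TABLE payments.invoices SWAP WITH payments.invoices_clean;

-- If the attacker dropped the table instead, Time Travel restores it directly.
UNDROP TABLE payments.invoices;

-- If retention was reduced and the history has already aged out, the
-- seven-day Fail-safe copy is reachable only through Snowflake Support,
-- not through SQL.
```

A query id or timestamp can only be referenced while it is inside the retention window, so the detection alert on retention changes and the MIN_DATA_RETENTION_TIME_IN_DAYS floor are what keep this path open.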
Conclusion
Snowflake strengthens customer trust and improves cyber-resilience by implementing and facilitating a defense-in-depth approach to mitigate ransomware attack vectors. For additional information, please visit the Snowflake Security Hub.
Forward Looking Statements
This article contains forward-looking statements, including about our future product offerings, which are not commitments to deliver any product offerings. Actual results and offerings may differ and are subject to known and unknown risks and uncertainties. See our latest 10-Q for more information.