Fortifying Data Security: 5 Proactive Measures to Secure Your Data Cloud Environment

Picture of Doino Gretchenliev
Doino Gretchenliev
Director of Operations

In this article

Share

5 Measures to Secure Your Data Cloud Environment Post-Snowflake Breach

The recent data breach involving 165 Snowflake customers revealed a sophisticated extortion campaign targeting the cloud data warehousing platform. Hackers, identified by Google-owned Mandiant as UNC5537, exploited stolen customer credentials obtained from cybercrime forums and information-stealing malware. This malicious group systematically compromised Snowflake customer instances, using tools like the FROSTBITE reconnaissance utility and the legitimate DBeaver Ultimate to run unauthorized SQL queries, gather sensitive data, and extort victims.

The attack, which began in April 2024, exposed customer information by leveraging credentials from malware infections on contractor systems, often used for personal activities like gaming and downloading pirated software. This breach underscores the critical need for advanced security measures such as multi-factor authentication, regular credential rotation, and stringent access controls. While Kubit has not been impacted by the breach, we recognize the severity of such incidents and have implemented a comprehensive security strategy to protect our customers’ data.

Kubit, a leader in product analytics, offers advanced cloud-based analytics and data-driven product management solutions. Our commitment to security and data warehouse best practices ensures that our customers can trust us with their most sensitive information.

Direct Security Measures

We have applied a range of direct security measures to our Snowflake environment to ensure the highest level of protection. These measures are designed to provide strong, immediate defenses by controlling access points and ensuring that all user interactions are secure.

1. IP Whitelisting

We utilize IP whitelisting to ensure that only authorized IP addresses can access our network. This measure significantly reduces the risk of unauthorized access and provides a robust line of defense against potential breaches. By strictly controlling which IP addresses can connect, we enhance our overall security posture.

IP whitelisting can be configured at both the account and user levels in Snowflake. It’s important to note that using a whitelist, which specifies allowed IP addresses, is generally more secure than using a blacklist, which specifies blocked IP addresses. A whitelist ensures that only trusted sources can access your systems, while a blacklist merely blocks known threats, potentially leaving unknown threats unaddressed.

You can enable IP whitelisting in Snowflake by executing the following commands:

USE ROLE SECURITYADMIN;
CREATE NETWORK POLICY my_company_network_policy ALLOWED_IP_LIST = ('192.168.1.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = my_company_network_policy;

By setting up IP whitelisting at the account level, you ensure that the entire Snowflake environment is protected while configuring it at the user level allows for granular control over specific user access.

In conclusion, implementing IP whitelisting at Kubit helps us maintain a secure and controlled environment by allowing access only from trusted IP ranges.

2. SSO Integration

We prioritize security by integrating Single Sign-On (SSO) into our systems. SSO streamlines the authentication process while ensuring robust security. By allowing users to access multiple applications with one set of login credentials, SSO reduces the number of attack vectors and simplifies user management, enforcing consistent security policies across all platforms.

You can enable SSO integration in Snowflake by following these steps:

  1. Set up your Identity Provider (IdP): Ensure your IdP (e.g., Okta, Azure AD, Google Workspace) is configured to work with Snowflake. This involves creating an application for Snowflake in your IdP and configuring the necessary settings.
  2. Retrieve IdP metadata: Obtain the SSO URL and the public certificate from your IdP. These details are needed to configure Snowflake.
  3. Configure Snowflake to use SSO:
CREATE SECURITY INTEGRATION my_company_idp
TYPE = saml2
ENABLED = true
SAML2_ISSUER = 'https://example.com'
SAML2_SSO_URL = 'http://myssoprovider.com'
SAML2_PROVIDER = 'ADFS'
SAML2_X509_CERT = 'MIICr…'
SAML2_SNOWFLAKE_ISSUER_URL = 'https://-.snowflakecomputing.com'
SAML2_SNOWFLAKE_ACS_URL = 'https://-.snowflakecomputing.com/fed/login';

4. Test the SSO configuration: Ensure that users can log in to Snowflake using their SSO credentials. Verify that the authentication process works seamlessly.

Implementing SSO allows Kubit to streamline authentication, enhance security, and simplify user management. By centralizing authentication through a trusted IdP, strong security policies are consistently applied across all connected applications. This approach enables the enforcement of Multi-Factor Authentication (MFA), robust password policies, credential rotation, and leak monitoring. These measures collectively provide an additional layer of security, making it significantly harder for attackers to compromise accounts and ensuring that any potential threats are quickly detected and addressed.

Indirect Security Measures

In addition to direct security measures, Kubit employs several indirect measures to ensure the highest level of security for our systems and data. These measures provide comprehensive monitoring and protection, enhancing our ability to detect, respond to, and mitigate potential threats.

3. Security Information and Event Management (SIEM)

Our Security Information and Event Management (SIEM) system is a cornerstone of our security infrastructure. By collecting and analyzing data from various sources across our network, SIEM provides real-time analysis of security alerts generated by applications, network hardware, and other connected devices. This comprehensive monitoring enables us to:

  • Monitor and Analyze: Continuously monitor network activities to detect unusual patterns or suspicious behaviors. By analyzing vast amounts of data in real time, SIEM helps identify potential security incidents before they escalate.
  • Detect Threats: Quickly detect and respond to potential threats. SIEM’s advanced detection capabilities allow us to identify and address threats such as unauthorized access, malware infections, and other security breaches promptly.
  • Correlate Events: Correlate security events from multiple sources to provide a unified view of potential threats. By linking related events, SIEM helps us understand the context of security incidents, making it easier to determine their root causes and impacts.
  • Compliance: Ensure compliance with regulatory requirements by maintaining comprehensive logs and audit trails. SIEM helps us meet industry standards and legal obligations by providing detailed records of all security-related activities, which can be crucial during audits and investigations.

By leveraging SIEM, we can maintain a proactive stance against potential threats, ensuring our network remains secure and resilient. This sophisticated system not only enhances our ability to detect and respond to incidents but also supports our overall strategy to safeguard our customers’ data.

4. Endpoint Monitoring

We recognize the critical importance of securing all endpoints to maintain the integrity and security of our network. To this end, we enforce stringent endpoint security measures designed to protect every device connected to our network, ensuring comprehensive defense against potential threats.

This includes:

  • Antivirus Software: All endpoints are equipped with up-to-date antivirus software to detect and prevent malware infections.
  • Disk Encryption: Disk encryption is enforced on all devices to protect data in case of device theft or loss.
  • Lock Screen Policies: Automatic lock screen policies are implemented to ensure devices are secure when not in use.

By continuously monitoring endpoints, we can detect suspicious activities early and take immediate corrective actions to prevent breaches.

5. Regular penetration testing

Regular penetration testing and audits are critical components of a robust security strategy. These proactive measures involve simulating cyberattacks on systems to identify vulnerabilities before malicious actors can exploit them. Regular audits ensure compliance with industry standards and help maintain the integrity of security protocols. By continuously testing and assessing their security infrastructure, organizations can address potential weaknesses, reinforce defenses, and ensure the ongoing protection of sensitive data against emerging threats.

Conclusion

At Kubit, we are deeply committed to protecting our customers. We recognize the critical importance of security and have implemented a multi-layer security platform that combines various robust defenses to mitigate potential threats effectively. Our commitment to maintaining a secure environment is reinforced by our compliance with industry standards and independent audits. Additionally, we conduct regular penetration testing to identify and address vulnerabilities proactively. These measures reinforce the trust and confidence our customers place in us, ensuring the safety and integrity of their data.

Doino Gretchenliev
Director of Operations

Resources that might be useful for you