Snowflake's Security Warning Is Why Enterprises Need MFA Across All Their Resources
Recently, cloud computing company Snowflake issued a warning to its customers: hackers are actively targeting accounts that lack Multi-Factor Authentication (MFA). This warning comes amidst a rapidly unfolding saga that includes the high-profile Ticketmaster breach.
Snowflake, alongside CrowdStrike and Mandiant, issued a joint statement asserting they found no evidence of unauthorized access due to a software vulnerability, company breach, or product misconfiguration. Instead, they believe malicious actors used credentials obtained through infostealing malware to access customer accounts, and also used stolen credentials to access a former employee's demo accounts. Snowflake's subsequent recommendation was clear: customers should turn on MFA.
The precise extent of the unauthorized access remains under investigation. However, if the hackers' claims are true, the personal information of at least 500 million people, including financial data and home addresses, could have been compromised.
Why MFA Is Necessary for Enterprise Security
According to Snowflake and common enterprise security best practices, all of this could have been avoided. What we’re seeing is a compound effect of two key issues affecting almost all digital organizations.
First, many organizations have invested heavily to gain competitive advantages by making their customer experience frustration-free and easy. Many perceive any additional security step-up procedure as an obstacle to those goals. The prevailing wisdom is that you can make it fast and easy, or you can make it more secure - take your pick.
Second, most organizations operate legacy resources that historically have not been able to work with MFA. If upgrading those systems is not in the IT plan, then security and operations teams simply move forward without the additional - and essential - element of MFA. Some try to put VPN fences around these resources, but often they are simply added to a long list of MFA exceptions in the security plan.
Security professionals have known for some time that MFA is like the bumpers in a bowling alley. It’s a critical guardrail that will prevent you from…well, while we’re on the metaphor…throwing gutterballs. And while we take no joy in this recent swath of breaches, there is no mistaking that they are the security professional’s equivalent of a gutterball.
It’s no secret that credential theft is rampant. According to the 2023 Verizon Data Breach Investigations Report (DBIR), credential theft is the leading cause of data breaches, accounting for 61% of breaches involving hacking. To put this into perspective, the 2023 Microsoft Digital Defense Report says that Microsoft cloud identities are now facing an average of 4,000 password attacks every second. According to data on Microsoft Entra users, the volume of attempted identity-related attacks increased more than tenfold from 2022 to 2023, escalating from around 3 billion per month to more than 30 billion.
MFA is also built to mitigate the impact of password reuse. Many users reuse passwords across multiple sites, creating a significant vulnerability: if one password is compromised, attackers can potentially access multiple accounts. MFA blunts this by requiring an additional verification step, ensuring that even if a password is stolen, the attacker cannot easily gain access without the second factor. This additional layer of security is essential for protecting sensitive information and maintaining the integrity of an organization’s systems.
It is no wonder that organizations like NIST (National Institute of Standards and Technology) have been recommending MFA: it significantly reduces the attack surface, making it harder for cybercriminals to succeed. Ultimately, MFA provides a dual-layered defense against unauthorized access by ensuring that even if credentials are stolen, the attacker cannot easily access the account without a secondary verification, such as a text to a mobile device, a biometric check, or another form of authentication. By requiring multiple forms of verification, MFA adds a robust barrier against unauthorized access, providing a higher level of security for sensitive information and legacy systems.
Legacy IT Resources Historically Have Been Unable to Use MFA
In fairness to IT and operations teams, it’s not that they’re necessarily stubbornly refusing to implement MFA. The tools they rely on were developed before the value of MFA was understood, and in the course of rapid change, there has hardly been time to adapt.
Here are some specific examples of IT infrastructure components where implementing MFA can be challenging:
Resources | Risk Without MFA | How MFA is Used |
---|---|---|
Mainframes: IBM z/OS mainframes running older versions | Without MFA, attackers with stolen credentials can gain direct access to sensitive information, leading to data breaches, financial loss, and operational disruptions. | Mainframes often handle critical business operations and store sensitive data. MFA adds an extra layer of security, ensuring that even if passwords are compromised, unauthorized access is still prevented. |
Routers and Switches: Cisco 2800 Series Integrated Services Routers, older Juniper EX Series Switches. | Compromised devices can lead to network breaches, allowing attackers to intercept data, launch attacks, or disrupt network services. | Network devices control access to the organization's internal network. MFA ensures that only authorized personnel can make configuration changes. |
Firewalls: SonicWall NSA 2400, Check Point UTM-1 Edge appliances. | Unauthorized access can lead to misconfigured firewalls, creating vulnerabilities that attackers can exploit to bypass security controls. | Firewalls are the first line of defense against external threats. MFA helps prevent unauthorized changes to firewall rules and configurations. |
Operational Technology (OT): Siemens SIMATIC S7-200 PLCs, Rockwell Automation Allen-Bradley PLC-5. | Unauthorized access can result in sabotage, operational downtime, and potentially dangerous situations in critical infrastructure. | OT systems control critical industrial processes. MFA prevents unauthorized access that could disrupt operations or cause physical damage. |
SCADA Systems: GE Proficy, Wonderware InTouch running on older versions. | Compromised SCADA systems can lead to loss of control over industrial processes, resulting in production halts, safety incidents, or environmental damage. | SCADA systems monitor and control industrial processes. MFA protects against unauthorized access that could manipulate process controls. |
IoT Devices: Early models of Nest Thermostats, older versions of Philips Hue smart lighting. | Unauthorized access can lead to privacy invasions, unauthorized control of devices, and exploitation as entry points for broader network attacks. | IoT devices often connect to networks and control home or business environments. MFA ensures that only authorized users can control these devices. |
Proprietary Embedded Systems: Legacy versions of medical devices like older Medtronic insulin pumps. | Unauthorized access can lead to incorrect medication dosages, compromising patient safety. | Medical devices require high security due to their impact on health. MFA ensures that only authorized personnel can make changes. |
VPNs: Older Cisco AnyConnect versions, older versions of Fortinet FortiClient. | Compromised VPN credentials can allow attackers to access internal networks, leading to data breaches and lateral movement within the network. | VPNs provide remote access to internal networks. MFA ensures that only legitimate users can establish VPN connections. |
RDP Servers: Windows Server 2003 RDP implementation. | Attackers can use stolen credentials to gain remote access, potentially compromising sensitive data and critical systems. | RDP servers allow remote access to systems. MFA prevents unauthorized users from accessing systems even if they have valid credentials. |
Legacy Databases: Oracle Database 10g, IBM DB2 running on older hardware. | Unauthorized access can result in data breaches, data manipulation, and loss of sensitive information. | Databases store critical and sensitive information. MFA ensures that only authorized users can access and manipulate data. |
Storage Devices: NetApp FAS2000 Series, EMC CLARiiON CX3 series. | Unauthorized users can gain access to sensitive data, leading to data theft, deletion, or corruption. | Storage devices hold large amounts of data. MFA protects against unauthorized access to stored data. |
PBX Systems: Avaya Definity PBX systems, Nortel Meridian PBX systems. | Unauthorized access can lead to eavesdropping, call fraud, and disruption of communication services. | PBX systems manage telephony services. MFA ensures that only authorized personnel can configure and manage these systems. |
The Compliance Mandate for MFA
Many industries have adopted MFA as a critical security measure, driven by various compliance standards that mandate or recommend its implementation. These standards ensure that sensitive information is protected through enhanced security practices, helping organizations mitigate the risk of data breaches and cyberattacks. These include:
Financial Services
- Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to implement MFA for both internal and external users accessing systems with customer data.
- Payments Services Directive (PSD2): As of December 31st, 2020, the European Union (EU) mandated that consumer electronic payments over €50 ($60) must use MFA. This requirement is part of the Payments Services Directive (PSD2), which took effect in January 2018.
Government
- Federal Information Security Management Act (FISMA): Requires federal agencies to implement MFA to protect federal information systems.
- NIST SP 800-63 and NIST SP 800-171: Provide guidelines for federal agencies and their contractors, including the implementation of MFA for securing sensitive information.
Retail and E-commerce
- PCI DSS: Requires MFA for anyone with access to the Cardholder Data Environment (CDE).
Technology and Telecommunications
- Cybersecurity Maturity Model Certification (CMMC): Requires MFA for different levels of access within defense contractor networks.
- NIST Cybersecurity Framework: Recommends MFA as a part of identity and access management best practices.
Energy and Utilities
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP): Requires MFA for access to critical cyber assets within the energy sector.
Education
- Family Educational Rights and Privacy Act (FERPA): While not explicitly requiring MFA, it suggests strong security measures to protect student information, which often includes MFA.
Legal
- American Bar Association (ABA) Model Rules of Professional Conduct: Recommends the use of reasonable security measures, including MFA, to protect client data.
Insurance
- New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500): Requires MFA for accessing nonpublic information.
The Good News: MFA Is Possible for Legacy Systems
Security experts are urging enterprises to adopt MFA. Compliance frameworks are increasingly mandating it. How can organizations move forward without having to re-tool or invest in new technology?
For starters, they need an access management solution that can meet the needs of dynamic modern environments. StrongDM applies a Zero Trust approach to this effort, which prioritizes full visibility, session-based control, and comprehensive audit trails across your entire infrastructure. We believe that achieving this requires frustration-free access, as it encourages high adoption rates while boosting security and productivity. The StrongDM Zero Trust Privileged Access Management (PAM) platform delivers this through simple, low-latency, and contextual access policy management and enforcement. At its core is granular control over all actions, manifested through precise, dynamic privileged action control for every infrastructure and application.
Embedded in this approach is the ability to layer MFA into enterprise technologies irrespective of the diversity, age, or breadth of the stack. The StrongDM platform was created to go beyond any type of role-based *BAC and instead apply discipline to evaluating user actions as the means of reducing the attack surface.
The reality is that many legacy IT resources have historically been unable to work with MFA. StrongDM changes this dynamic. Let’s look at some of these historical limitations, along with the corresponding ways that StrongDM overcomes them and delivers MFA, irrespective of an enterprise’s situation:
Lack of Built-in Support
Legacy systems were often designed and implemented before MFA became a standard security measure. As a result, these systems typically do not have the built-in capabilities to support MFA, despite pleas from customers to add the feature. Their architecture and software were developed in an era when single-factor authentication, primarily using passwords, was considered sufficient.
💡How StrongDM helps: StrongDM's PAM solution integrates MFA seamlessly, even with legacy systems. Our dynamic and Zero Trust approach ensures that MFA can be applied without needing to modify the original architecture of these systems. By acting as an intermediary layer, StrongDM enables secure authentication processes across all resources, old and new.
Compatibility Issues
Integrating MFA into legacy systems can be challenging due to compatibility issues. Legacy systems might use outdated protocols, programming languages, or interfaces that are not easily compatible with modern MFA solutions. This lack of compatibility makes it difficult to implement MFA without significant modifications or overhauls to the existing infrastructure.
💡How StrongDM helps: StrongDM bridges the gap between old and new technologies by providing a flexible middleware that translates and adapts modern MFA protocols to work with outdated systems. This compatibility layer ensures that legacy tools can leverage state-of-the-art MFA without extensive overhauls.
Cost and Complexity of Upgrades
Upgrading legacy systems to support MFA can be prohibitively expensive and complex. Many organizations rely on these systems for critical operations and cannot afford the downtime or resource allocation required for major upgrades. The cost of replacing or significantly modifying these systems to support MFA can be a major deterrent.
💡How StrongDM helps: With StrongDM, there's no need for costly and disruptive upgrades. Our PAM solution overlays your existing infrastructure, allowing for the implementation of MFA without requiring downtime or extensive modifications. This approach minimizes costs and operational impact while enhancing security.
Lack of Vendor Support
Many legacy systems are no longer supported by their original vendors, meaning that updates and security patches are not available. Without vendor support, implementing MFA becomes even more challenging, as there is no official guidance or updates to facilitate integration.
💡How StrongDM helps: StrongDM's PAM solution does not rely on vendor support to integrate MFA. Our platform independently provides the necessary security layers, ensuring that even unsupported legacy systems can benefit from the enhanced security of MFA.
Inflexible Architecture
Legacy systems often have inflexible, monolithic architectures that do not easily accommodate new security measures. Modern MFA solutions are designed to be integrated into systems that support modular, scalable, and flexible architectures. The rigid structure of legacy systems makes it difficult to add new layers of security without disrupting existing functionalities.
💡How StrongDM helps: StrongDM's architecture is designed to work with inflexible, monolithic systems. By adding a layer of abstraction, StrongDM allows MFA to be implemented without disrupting the core functionalities of legacy systems, ensuring that security enhancements do not interfere with operational stability.
Resistance to Change
There can be significant resistance to changing legacy systems, both from an organizational and technical perspective. Employees and IT staff may be accustomed to the existing systems and reluctant to adopt new security measures that might require retraining or changes in workflow. Additionally, the risk of introducing new vulnerabilities during the transition to MFA can make organizations hesitant to implement such changes.
💡How StrongDM helps: StrongDM simplifies the transition to MFA with minimal disruption to existing workflows. Our solution is user-friendly and designed to integrate smoothly with current operations, reducing the need for extensive retraining. Additionally, our Zero Trust model ensures that new vulnerabilities are not introduced during the transition.
Custom-built Systems
Many legacy systems are custom-built for specific business needs and may not have standard interfaces or protocols that modern MFA solutions can easily integrate with. These bespoke systems require tailored solutions for MFA implementation, which can be complex and resource-intensive to develop.
💡How StrongDM helps: StrongDM excels in integrating with custom-built systems through our adaptable and customizable PAM platform. We provide tailored solutions that fit the unique needs of bespoke systems, enabling them to utilize MFA without extensive redevelopment. Our approach ensures that even the most unique legacy systems can achieve modern security standards.
Are you ready to apply MFA across your enterprise environment – your ENTIRE environment? Book a demo of StrongDM and see how our Zero Trust PAM platform can provide what your legacy systems can’t.
About the Author
John Martinez, Technical Evangelist, has had a 30+ year career in systems engineering and architecture, and has spent the last 13+ years working on the cloud, and specifically cloud security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he told the world how cloud security should be done at conferences, meetups, and customer sessions. Before coming to StrongDM, he led an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.