Snowflake Admins Can Now Enforce Mandatory MFA
Snowflake is committed to helping customers protect their accounts and data. That’s why we have been working on product capabilities that allow Snowflake admins to make multifactor authentication (MFA) mandatory and monitor compliance with this new policy. As part of that effort, today we're announcing several key features:
1. A new authentication policy that requires MFA for all users in a Snowflake account
2. Snowsight prompting for user-level MFA setup
3. The general availability of Snowflake Trust Center for monitoring adherence to MFA policies
Snowflake’s security approach involves working with customers on three pillars:
- Prompt: Encourage users who are not using security best practices to adopt them (e.g., configure MFA)
- Enforce: Allow admins to enforce security by default (e.g., require all human users to use MFA)
- Monitor: Provide visibility into adherence to security policies (e.g., audit which users haven't configured MFA)
In this blog, we will give concrete examples of how these pillars would work with MFA.
Prompt
To help drive MFA adoption, we're taking steps to promote individual compliance for Snowflake users. Starting today, when users without MFA log on to Snowsight, they will be prompted to enable MFA and guided through the configuration steps. This dialog can be dismissed, but it will reappear in three days if MFA has not been configured for the user.
Enforce
To help admins enforce usage of MFA, we've enhanced our Snowflake Authentication Policies to include a new option that requires MFA for all users in an account. The admin can decide whether the scope of this policy should apply to local users or include single sign-on (SSO) users too.
Below is an example of how to configure this policy for local users only, excluding SSO users (the original post used typographic quotes, which are not valid SQL; they are replaced with straight quotes here):
-- Require MFA enrollment for every user who authenticates with a password
CREATE AUTHENTICATION POLICY mfa_enforcement_policy
  MFA_ENROLLMENT = 'REQUIRED'
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');
-- Attach the policy to the whole account
ALTER ACCOUNT SET AUTHENTICATION POLICY mfa_enforcement_policy;
Admins also have the option to enable/disable MFA at a finer granularity by setting the MFA authentication policy at the user level.
ALTER USER bob SET AUTHENTICATION POLICY mfa_enforcement_policy;
Service user principals are the industry norm for accessing resources noninteractively, normally via automation. Using password authentication or enforcing MFA on such users is not recommended; we recommend OAuth or key-pair authentication instead. To help exclude service users, we support setting MFA policies at the user level. The following example demonstrates how a service user can be excluded from the account-level MFA policy (a user-level policy takes precedence over the account-level one):
-- Policy that leaves MFA enrollment optional
CREATE AUTHENTICATION POLICY mfa_override_policy
  MFA_ENROLLMENT = 'OPTIONAL'
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');
-- Attach it to the service user so the account-level REQUIRED policy does not apply
ALTER USER service_user SET AUTHENTICATION POLICY mfa_override_policy;
In an upcoming release, we will introduce a new user object type to help exclude service users from MFA policies at scale.
Monitor
Trust Center is the interface that helps you manage risk posture natively for Snowflake accounts.
As part of today’s release, we are introducing the general availability of the Trust Center Security Essentials scanner package to help mitigate credential theft issues. This package looks for MFA compliance, as well as the use of network policies. As the recommended tool for compliance monitoring, it is enabled by default and available free of charge in all Snowflake editions.
In addition to checks provided by the Security Essentials scanner package, we are also happy to announce general availability of the Trust Center CIS Benchmarks scanner package, which contains more scanners that evaluate your account against the CIS Snowflake Foundations Benchmark. These scanners, for example, can detect overprivileged entities, stale users who have not logged in for the past 90 days, ACCOUNTADMIN grants and more.
We will continue adding features to the Trust Center to help Snowflake customers better detect threats and attacks against their accounts. We will share more details in upcoming months.
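Trust Center surfaces these findings in Snowsight; for teams that also want the same checks in a query or a scheduled task, the following is an added example (not part of this post or of the Trust Center scanner packages) run against the SNOWFLAKE.ACCOUNT_USAGE views. It assumes a role with access to that schema; the 90-day window mirrors the stale-user check described above.

```sql
-- Added example: audit MFA adherence from ACCOUNT_USAGE (view latency is up to ~2 hours).
-- Assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE schema (e.g., ACCOUNTADMIN).

-- 1. Users who can still log in with a password but have not enrolled in MFA.
--    Key-pair-only users (HAS_PASSWORD = FALSE) are excluded because they should
--    authenticate with their key pair rather than MFA.
SELECT name,
       login_name,
       last_success_login,
       has_rsa_public_key
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::boolean = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password logins in the last 7 days that had no second factor.
--    Once the account-level REQUIRED policy is active this should return zero rows;
--    any hit is either a deliberate user-level override or a policy gap to review.
SELECT user_name,
       COUNT(*)                      AS logins_without_mfa,
       MIN(event_timestamp)          AS first_seen,
       MAX(event_timestamp)          AS last_seen,
       ARRAY_AGG(DISTINCT client_ip) AS source_ips
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY logins_without_mfa DESC;

-- 3. Stale users: no successful login in the past 90 days (the CIS check mentioned above).
SELECT name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::boolean = FALSE
  AND  (last_success_login IS NULL
        OR last_success_login < DATEADD('day', -90, CURRENT_TIMESTAMP()))
ORDER BY last_success_login NULLS FIRST;
```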
Best practices
With the new features and products announced today, you can increase the security of accounts by following the steps below. For more details, read our white paper, “Best Practices to Mitigate the Risk of Credential Compromise.”
Enforce
1. Identify service users in your environment. For such users, move away from passwords to key-pair authentication or external OAuth.
2. Set up an authentication policy at the account level and require MFA. Make sure to set user-level policies to exclude service users.
3. Enable password policy and set PASSWORD_MIN_LENGTH to 14 and PASSWORD_MAX_AGE_DAYS to less than one year.
4. Enable network policy with network rules.
Monitor
5. Leverage Trust Center to monitor MFA usage and verify network policy configuration.
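The four "Enforce" steps above, carried through as one Snowflake SQL script. This is an added example, not code from the post or the white paper; the user name svc_etl, the policy names, the 192.0.2.0/24 range and the placeholder public key are assumptions to replace with your own values.

```sql
-- Added example: hardening script for Enforce steps 1-4 above.
-- Run as ACCOUNTADMIN (or a role holding the CREATE ... POLICY and ALTER ACCOUNT privileges).

-- Step 1: move the service user from a password to key-pair authentication.
-- <PUBLIC_KEY_PEM_BODY> is a placeholder for the user's RSA public key (PEM body, no header/footer).
ALTER USER svc_etl SET RSA_PUBLIC_KEY = '<PUBLIC_KEY_PEM_BODY>';
ALTER USER svc_etl UNSET PASSWORD;

-- Step 2: require MFA for every password-authenticated user in the account...
CREATE AUTHENTICATION POLICY mfa_required_policy
  MFA_ENROLLMENT = 'REQUIRED'
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');   -- add 'SAML' here to cover SSO logins too
ALTER ACCOUNT SET AUTHENTICATION POLICY mfa_required_policy;

-- ...and carve out the service user, which now authenticates with its key pair instead.
CREATE AUTHENTICATION POLICY mfa_optional_policy
  MFA_ENROLLMENT = 'OPTIONAL'
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');
ALTER USER svc_etl SET AUTHENTICATION POLICY mfa_optional_policy;

-- Step 3: password policy with the recommended minimum length and rotation age.
CREATE PASSWORD POLICY strong_password_policy
  PASSWORD_MIN_LENGTH = 14
  PASSWORD_MAX_AGE_DAYS = 90;     -- any value under 365 satisfies the guidance above
ALTER ACCOUNT SET PASSWORD POLICY strong_password_policy;

-- Step 4: restrict where logins may come from with a network rule and a network policy.
-- 192.0.2.0/24 is a documentation range standing in for your corporate egress CIDR.
-- Snowflake rejects the ALTER ACCOUNT if your current session IP is not in the allowed list,
-- so verify the range before applying it.
CREATE NETWORK RULE corp_egress
  TYPE = IPV4
  VALUE_LIST = ('192.0.2.0/24')
  MODE = INGRESS;
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_NETWORK_RULE_LIST = ('corp_egress');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- Sanity checks: confirm the settings landed where expected.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
DESCRIBE USER svc_etl;   -- RSA_PUBLIC_KEY_FP should now be populated
```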
What’s next?
Snowflake is committed to continuing its investment into technology and tools that help our customers increase their security. Soon, Snowflake will require MFA for all human users in newly created Snowflake accounts. We recommend that all customers start using MFA authentication policies and Trust Center now to prepare their environments, and watch for additional features in the coming months.