Data Security Posture Monitoring covering CIS Snowflake Benchmarks and Other Best Practices

In our previous blog, we explored how securing Snowflake’s cloud involves a shared responsibility model between Snowflake and its customers. To support customers with their security obligations, Snowflake has outlined its Shared Responsibility Model and partnered with the Center for Internet Security (CIS) to provide best practices for securing Snowflake environments. 

TrustLogix, as a trusted Snowflake partner enhances this framework by offering CIS-aligned guardrails and actionable insights across critical areas such as Identity and Access Management (IAM), Monitoring and Alerting, Network Security, and Data Protection.  TrustLogix’s solutions help automate security controls across Snowflake instances, enabling enterprises to effectively manage data security for compliance, risk management, and real-time visibility to maintain their end of shared responsibility model. Additionally, as part of Data Security Posture Management offering , Truslogix discovers and monitors data access and sharing activities. It alerts to any unexpected data sharing, data exfiltration risks, and overly privileged roles, allowing security teams to manage business risks and avoid data breaches

This, in turn, allows Data Engineering teams to focus on their core projects rather than managing data security, which accelerates data projects, boosts productivity, and reduces the time it takes for data consumers—such as analysts, bots, and AI models—to access data.

Monitoring Policies covering CIS Benchmarks

The CIS Benchmarks for Snowflake offer a comprehensive set of recommendations to securely configure Snowflake environments across several critical areas:

1. Identity and Access Management (IAM) : Guidance on multi-factor authentication(MFA), password policies, least privilege access, and separation of duties. 
2. Monitoring, Auditing, and Logging : Provides directives on enabling activity logging, monitoring log data.
3. Network Security :  Recommendations such as, VPN access, IP whitelisting, and TLS encryption for data in transit.
4. Data Protection:  Covers encryption at rest, key management, database firewalls, and data masking controls.

Based  on the Snowflake Shared Responsibility Model, customers are responsible for implementing security controls in each of the areas

1. Identity and Access Management :  Managing entitlements, separation of duties, maintaining least privileged access and MFA for end users is the customer's responsibility.
2. Monitoring, Auditing and Logging :  Customers are responsible for log review, analysis and integration with SIEM platforms.
3. Network Security : Customers must manage their privateLinks, VPCs, whitelisting of IP addresses, and encryption in transit.
4. Data Protection : Masking of sensitive data, enforcing appropriate row access policies, encryption of data at rest, key management, are owned by the customer.

1. Identity and Access Management

• Monitor nonmfa_users:  Snowflake offers various mechanisms to enable and enforce MFA, but the policy tracks users without MFA enabled, helping to identify vulnerabilities from those relying solely on username and password.
• Monitor_MFA_state_change: Detects any changes in the MFA status, ensuring transitions are legitimate and authorized.
• Monitor_inactive_users: Monitor inactive users to prevent unauthorized access via dormant accounts and ensure compliance with standards like GDPR, SOX, and HIPAA.
• Monitor_unused_system_role_grants : Tracks users with unused high-level system roles (e.g., ACCOUNTADMIN, USERADMIN), helping to manage access and improve security, control database vulnerabilities, manage Regulatory frameworks (like GDPR or HIPAA) 
• Detect_users_using_system_roles: Monitor users using highly privileged system roles,enforcing least privilege and protecting critical data.
• Monitor_system_roles_granted_as_default_roles: It tracks any default role assignments, alerting administrators to potential security gaps.
  

 2.Monitoring and Alerting

• Monitor_security_and_storage_integration_modifications: Tracks changes to security and storage settings to ensure data confidentiality, integrity, and compliance. Improper changes could lead to data breaches, loss of access, or data exposure.
• Detect_Stale_Client_versions : identifies outdated client versions, ensuring that users have the latest security updates preventing unpatched vulnerabilities, missing bugs/fixes that could be exploited by attackers potentially allowing unauthorized 
  access to your Snowflake environment. 

3.Network Security

• Detect_network_policy_modifications:  Monitor changes to the network policies to prevent unauthorized access or disruptions to operations. Improper modifications could expose your Snowflake account to unauthorized access  and compromise on meeting compliance standards. 

4. Data Protection

• Control_data_retention_Settings: Manages data retention policies to ensure compliance with regulations and best practices, keeping data only as long as necessary and deleting it when no longer needed to reduce security risks.
• Unprotected Sensitive Data :  Ensures data masking is enabled for sensitive information, preventing unauthorized sharing or exposure of critical data.

Some of the other monitoring policies that TrustLogix provides based on the CIS Benchmark are as follows : 

TrustLogix Monitoring Policies Other than CIS Benchmarks 

Beyond the CIS benchmarks, TrustLogix offers additional policies targeting Shadow IT risks and regulatory compliance. Here are a few notable examples:

• Monitor_login_requests_from_shadow_apps: Identifies logins from unapproved third-party apps (Shadow IT), reducing risks like data breaches, non-compliance, and exposure to malware or phishing attacks.
• Detect_password_based_logins_from_suspicious_ip_addresses: Detects password based logins from suspicious IP addresses to identify potential malicious activities such as brute force attacks, credential stuffing,
  or unauthorized access attempts from unusual or blacklisted locations. 
• Monitor_users_with_old_passwords: Tracks users with outdated passwords to reduce vulnerabilities, as old passwords may be compromised or no longer meet current security standards.This reduces the risk of unauthorized access, credential-based attacks, and other security breaches.
• Monitor_ddl_operations: Monitors Data Definition Language (DDL) operations (CREATE, ALTER, DROP) to prevent unauthorized changes or data loss in the database schema.
  
  

Some of the other monitoring policies that TrustLogix provides are as follows : 

Summary

TrustLogix's monitoring policies enhance Snowflake security by aligning with CIS benchmarks as well as by providing its own security best practices. These policies cover areas such as IAM, monitoring and alerting, network security, data protection, and additional risks such  as logins from Shadow Apps / Suspicious IP’s, monitoring users with old passwords and DDL operations. By addressing these threats, organizations can strengthen defenses against emerging risks. 

Through its partnership with Snowflake, TrustLogix helps enterprises securely manage data, ensure regulatory compliance, and accelerate data projects within the shared responsibility model. As a Data Security Posture Management vendor , Truslogix discovers and monitors data access and sharing activities,  alerts to any unexpected data sharing, data exfiltration risks, and overly privileged roles, allowing security teams to manage business risks and avoid data breaches

Want to learn more?

 Get a free data security assessment on your Snowflake accounts and secure sensitive data with TrustLogix’s out-of-the-box monitoring policies. Register for  free 90-day data protection service.