Interview
Being the chief information security officer at Snowflake is never an easy job, but last spring it was especially challenging.
In May 2024, some of the cloud storage and data analytics firm’s major customers, including Ticketmaster and banking giant Santander, disclosed significant data breaches. Attackers, the companies reported, had accessed their Snowflake-hosted environments and exfiltrated terabytes of data affecting hundreds of millions of individuals.
The breaches weren’t the result of a compromise in Snowflake’s infrastructure. Instead, more than 160 customer accounts were accessed using previously exposed credentials – many of which had been harvested by infostealer malware from customer systems and never rotated. None of the compromised accounts had multi-factor authentication enabled, a safeguard that likely would have prevented unauthorized access to the databases.
While incident response firms, including Mandiant and CrowdStrike, ultimately concluded that the attacks weren’t Snowflake’s fault – its enterprise environment was not breached, nor were employee credentials used to infiltrate customer environments – the whole security snafu left its mark on everyone involved.
And, according to Snowflake CISO Brad Jones, it made him and the company rethink the whole shared-responsibility security model.
“It was an unfortunate situation that our customers went through, and we’ve really pivoted from a shared-security model to more of a shared-destiny model with our customers,” Jones told The Register.
“If something’s in the news on Snowflake, or a customer that happens to involve Snowflake, it’s negative for both,” Jones continued. “So we’re trying to pivot as much as possible to play a proactive role with our customers to ensure they’re in the best security posture as possible.”
Shared destiny
In a shared-responsibility model, the cloud provider is responsible for protecting the infrastructure, while it’s up to the customer to secure their data and apps in the cloud, and to make sure that everything is configured properly to avoid any data leaks and the like.
In theory, this is a good idea for divvying up who is responsible for securing the different aspects of a cloud computing environment. But it still proves difficult for many customers to understand, and in the case of a large breach associated with a single third-party provider, it’s not going to keep the stain entirely off the cloud provider.
Moving from shared responsibility to shared destiny gives Snowflake a more proactive role in its customers’ security posture, and it makes things easier for the end users, too, according to Jones.
“From a shared-security model, there are certain controls that are under the control of our customers,” he said. “We provide those controls to implement security practices, but we believe we need to be strong partners with them to ensure that they’re leveraging these technologies and that we have this shared destiny.”
First off: Snowflake became significantly more stringent in its authentication posture, enabling mandatory multi-factor authentication by default for all new accounts starting in October 2024. It also began a phased deprecation of single-factor password logins, with a full block scheduled to take effect by November 2025.
In addition to stronger authentication and identity management, this shared-destiny model also includes uniform security controls across multiple cloud service providers, private networking connectivity to Snowflake services to ensure customer traffic doesn’t traverse the public internet, and default encryption for all files stored internally within Snowflake.
It also incorporates “things like benchmarking controls against our CIS Benchmark, which has 31 controls that we think are best practices to leverage on the platform, [and] making sure that our account teams have visibility into the security posture of their customers,” Jones said.
Additionally, in the fall, Snowflake launched a leaked password protection service that scours the dark web for stolen Snowflake account credentials. “We go in and proactively validate if they’re still active credentials. If they are, we pivot immediately to locking that account and asking questions later,” Jones noted.
In addition to fighting old fires like stolen credentials and single-factor authentication, a slew of new security challenges are on the horizon, and “it’s always the unknowns” that keep Jones and his fellow CISOs awake at night.
March of the AI agents
“AI is a perfect example of something that you have to keep on top of because it’s changing so rapidly,” he said.
The first of the two primary security challenges with AI involves data protection, which Jones admits isn’t a new problem.
“Probably the most primary concern that folks have is: How do they ensure that the data that they have is staying secure, or they’re not exposing data in unexpected ways? This could be with third-party services that may be capturing prompts or data that’s uploaded,” Jones said, noting DeepSeek is a perfect example.
“They said they weren’t capturing data, turns out they were capturing data,” he noted. “And beyond that, they accidentally exposed that data through poor security practices.”
The second security concern du jour around AI involves the pace of evolution, especially when it comes to agentic AI. “Getting to the point where it’s starting to think and do things on its own behalf without directly taking direction from a human – it’s both powerful and scary at the same time,” Jones said.
He pointed to Microsoft’s roadmap for the three stages of agentic AI. These start with the chatbot phase: fetching information, answering questions, and summarizing and analyzing data. Next is taking action to automate workflows and replace repetitive tasks – but only when triggered by a human. And finally: operating independently and orchestrating other AI tools and systems.
“The third phase is where people will just be managing teams of agents, and you have to think a lot about the governance of how that will operate,” Jones said. “The more that you have that in a confined ecosystem with standard controls and governance, the easier that will be to accomplish.”
When asked if AI agents are a bad idea, security-wise, Jones said that “security [can’t] say whether it’s a good or bad idea. Security has to adapt. Security teams can never be the team of no.”
He likened it to improv’s “yes, and” rule. “You can’t say no. You need to say yes, and here are the controls, or the right way to do it,” Jones continued.
“It’s important for security leaders to understand that they have to help the business in their business needs,” he said. “AI will be a part of that, whether security teams want it or not.”