The costly breach of customer databases on the Snowflake cloud data platform earlier this year put a spotlight on how all consumers of such platforms are securing—and governing—their data when adopting these technologies.
In an attack that affected over 150 Snowflake clients, AT&T alone saw call and text records for over 110 million customer accounts disclosed to hackers, an incident estimated to cost the company between $50m and $100m on top of reputational damage and ongoing regulatory and legal repercussions.
But it wasn’t a technical issue or limitation of the platform that led to the breach; Snowflake has features to protect against exactly this kind of vulnerability. Instead, it was caused by the customers themselves, who failed to follow best practices in how they managed and governed their systems.
With many asset owners and investment management firms considering or already implementing their data platforms on Snowflake or one of its competitors, the scale and impact of the breach raised significant concerns, not just around security, but more broadly around how a cloud data platform must be managed and governed to avoid these types of risk.
Who is responsible?
A fundamental principle of cloud computing governance is the ‘shared responsibility model’—that the platform provider is responsible for ‘the security of the cloud’, but the customer is ultimately responsible for ‘security in the cloud’.
In this case, according to research by Mandiant, a cybersecurity firm and subsidiary of Google, a clear breach of best practice was at fault: simple usernames and passwords were being used as the sole means of securing database accounts. Multi-factor authentication (a username and password combined with a second verification method) was available on Snowflake, but the customers that fell victim to the breach were not using it, so hackers were able to take credentials that had been compromised in earlier incidents, simply log in, and expose entire databases.
Snowflake moved quickly to enhance security by mandating that customers worldwide implement multi-factor authentication for all users. But regardless of the systems, vendors, or service providers in play, the risk and responsibility ultimately rest with the customer to ensure that the tools are used the right way and that appropriate practices are in place.
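As a concrete illustration of what using the tools the right way can look like, the sketch below shows one way an administrator might require MFA enrollment account-wide through a Snowflake authentication policy, driven from Python via the snowflake-connector-python package. It is a minimal sketch under stated assumptions rather than a hardened rollout: the connection details, database, schema, and policy names are placeholders, and the exact policy parameters available depend on your Snowflake edition and release.

```python
# Minimal sketch: require MFA enrollment for password logins across an account.
# Assumes the snowflake-connector-python package and an ACCOUNTADMIN-capable
# login; all object names and connection details below are placeholders.
import snowflake.connector

conn = snowflake.connector.connect(
    account="your_account_identifier",  # placeholder
    user="your_admin_user",             # placeholder
    password="your_password",           # in practice, prefer key-pair auth or SSO
    role="ACCOUNTADMIN",
)

statements = [
    # Authentication policies are schema-level objects, so give them a home.
    "CREATE DATABASE IF NOT EXISTS security_admin",
    "CREATE SCHEMA IF NOT EXISTS security_admin.policies",
    # Require MFA enrollment for password-based logins.
    """
    CREATE AUTHENTICATION POLICY IF NOT EXISTS security_admin.policies.require_mfa
      MFA_ENROLLMENT = REQUIRED
      MFA_AUTHENTICATION_METHODS = ('PASSWORD')
      COMMENT = 'Require multi-factor authentication for all users'
    """,
    # Attach the policy at the account level so it covers every user.
    "ALTER ACCOUNT SET AUTHENTICATION POLICY security_admin.policies.require_mfa",
]

cur = conn.cursor()
try:
    for stmt in statements:
        cur.execute(stmt)
finally:
    cur.close()
    conn.close()
```

A control like this would typically be rolled out alongside an audit of existing users and service accounts, since enforcing MFA can break programmatic logins that still rely on passwords alone.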
Managing risk through governance
Clearly defined cloud data security procedures and responsibilities could easily have prevented this incident, but the risks of cloud data platforms extend beyond data loss. The potential costs of bad data, unreliable or unsustainable processes, and regulatory breaches can be just as significant, and addressing them requires a holistic data governance strategy.
While advances in cloud data technologies have made it quicker and easier than ever to implement analytics solutions, the challenges of operating and maintaining them are often underestimated. As the first flush of implementation excitement wears off, the reality of needing a sustainable operating model sets in. Assuring data quality, as well as maintaining, securing, and governing the end-to-end solution, is essential to deriving net value from the technology platform.
While the importance of data governance and the availability of specialized data governance tools are nothing new, there have often been integration and cultural challenges in operationalising them effectively within cloud data platform environments. Cloud data platform vendors are now recognising this need themselves and competing to build data governance tooling directly into their platforms. Recent months have seen significant announcements and releases around Snowflake Horizon, Microsoft Purview, and AWS DataZone as vendors acknowledge just how critical effective governance is to their customers’ success.
A sustainable data operating model—for the cloud
A sustainable data operating model—able to deliver value nimbly and reliably from data in a secure, managed, and governed manner—requires more than just a new set of tools, however. It requires the interplay and tight integration of four key components of data management:
Data Governance: Pivotal to the success of any data operating model is an agile and effective data governance function ensuring that data is managed consistently, securely, and efficiently, and in compliance with regulatory requirements. This includes making sure that roles and responsibilities around data security are well-defined and resourced.
Data Architecture: The underlying technologies and technical practices form the foundation of any data operating model, enabling seamless data integration, storage, processing, and analytics while ensuring data reliability, scalability, and performance. This includes ensuring that appropriate technical controls and security mechanisms are integral to the design and implemented on the platform (a brief illustration follows this list).
Data Operations: There is no value in a data platform without timely, reliable data. Agile data operations are critical to ensuring that data is processed, maintained, and delivered efficiently, in a way that consistently supports the business’ needs. This includes making sure that secure processes are defined and being followed.
Data Analytics: A modern data strategy must be driven by business value. That journey is fueled by the target use cases for data analytics—an umbrella term referring to all outputs, including reporting, data extracts, and more advanced data science. Integrating and enabling the ideas and objectives of business data users should be a prime focus of the data operating model and the roadmap to get there. This includes ensuring that secure analytics practices are defined and being followed by analysts and data teams across your organization.
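To make the point about platform-level technical controls in the Data Architecture pillar more tangible, the sketch below shows one such control: a column-level masking policy that hides client account numbers from everyone except a designated steward role. This is an illustrative sketch only; the snowflake-connector-python usage, connection details, and the database, schema, table, role, and policy names are all hypothetical, and masking policies are only available on Snowflake editions that support them.

```python
# Illustrative sketch: a column-level masking policy as a platform-side control.
# All connection details and object names below are hypothetical placeholders.
import snowflake.connector

conn = snowflake.connector.connect(
    account="your_account_identifier",  # placeholder
    user="your_admin_user",             # placeholder
    password="your_password",           # in practice, prefer key-pair auth or SSO
    role="ACCOUNTADMIN",                # or a governance role with the needed privileges
)

statements = [
    # Mask client account numbers for everyone except a narrowly granted role.
    """
    CREATE MASKING POLICY IF NOT EXISTS analytics.governed.mask_account_number
      AS (val STRING) RETURNS STRING ->
      CASE
        WHEN CURRENT_ROLE() = 'CLIENT_DATA_STEWARD' THEN val
        ELSE '***MASKED***'
      END
    """,
    # Bind the policy to the sensitive column so the control travels with the data.
    """
    ALTER TABLE analytics.governed.client_holdings
      MODIFY COLUMN account_number
      SET MASKING POLICY analytics.governed.mask_account_number
    """,
]

cur = conn.cursor()
try:
    for stmt in statements:
        cur.execute(stmt)
finally:
    cur.close()
    conn.close()
```

Because a control like this lives in the platform itself, it applies consistently whichever reporting tool, notebook, or extract queries the data, which is what makes it part of the architecture rather than an afterthought.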
Realising benefits—while mitigating the risks
The potential that cloud platforms offer asset owners and investment managers in bringing agility, scalability, and efficiency to their data and analytics can’t be ignored, but neither can the importance of adopting them in a managed, secure, and well-governed manner. The risks of failing to do so, as the Snowflake breach vividly illustrates, make it worthwhile to consider outside perspectives that offer both technical and industry expertise and a holistic view of data management.
Citisoft’s depth of hands-on experience developing data operating models for our asset owner and investment management clients means that we have battle-tested frameworks, methodologies, and practical guidance to help you wherever you are on your cloud data journey.
Whether you are developing your vision and roadmap for delivering value from these technologies or seeking to more closely align an in-flight program with your business objectives, Citisoft has the experience and focus to help you map the path ahead—and to deliver your desired outcomes in a secure and well-governed manner.
Broc is a Citisoft Principal Consultant with over 20 years of experience leading architecture, analytics, and engineering efforts delivering data solutions across asset classes and throughout the investment management lifecycle. He has led global teams for major investment managers, managed programs as a senior-level consulting resource, and implemented solutions on the vendor and service provider side. Broc’s breadth of experience, nuanced understanding of data architectures and best practices, and track record of leadership success make him a valuable resource on high-visibility change programs.