Leading Software Company Modernizes Snowflake Access with Aembit Workload IAM Platform
Challenges
- Inconsistent security access methods for Snowflake.
- Widespread secrets sprawl and persistent secrets risks, with no identity-based access control.
- Manual monitoring and key rotation, lacking dynamic control.

Solution
- Identity-based access with Aembit’s attestation process.
- Secretless access with dynamic credentials via Aembit Edge.
- Enhanced security with conditional access policies and identity-based logging.
A major software company, managing a complex cloud environment featuring a mix of deployment environments and SaaS services, faced significant challenges in orchestrating seamless and secure access across its diverse IT infrastructure.
The company’s expansive data ecosystem, powered by leading data storage and analytics provider Snowflake, included sensitive customer data, transactional information, and proprietary intellectual assets, all of which require stringent access controls.
Recently, the company made the strategic decision to house security telemetry in Snowflake as well. This shift provided the opportunity to improve the method by which workloads securely access Snowflake, and at the same time automate the internal efforts to maintain security and compliance.
The company ran a number of workloads that both loaded data into Snowflake and visualized data from it. These were a mix of custom software and purchased, third-party software operated by the company. Workload developers and vendors typically implemented their own chosen method for securing access to Snowflake. This led to inconsistency, especially from third-party vendors. That variance also led to governance challenges in how credentials were stored, assigned, and managed, leaving a gap in secure, governed access to Snowflake.
- Secrets sprawl
The practice of hard-coding access secrets into workloads accessing Snowflake led to a widespread dispersion of sensitive credentials, heightening security risks and complicating credential management across various systems.
- Access to long-lived secrets
Developers and vendors could hold copies of persistent secrets, so every such copy was an additional point of compromise that the company could neither see nor revoke quickly.
- Manual efforts
Under the existing model, security and DevOps had to manually monitor and rotate keys to keep access secure.
Despite these additional manual efforts, without an identity-driven approach, the team knew they lacked the ability to ensure that only authorized applications had access to Snowflake. They also wanted the ability to control access to Snowflake based on more dynamic conditions, such as the real-time security posture of the workload or other factors that are important to various workloads.
Aembit provided the company with its Workload IAM platform to seamlessly manage access across the company’s workloads and environments to Snowflake. This capability meant the company could move away from long-lived secrets stored in applications to a more dynamic, automated access management approach that includes greater visibility to meet monitoring and compliance requirements.
The company shifted to using identity as the basis for determining access. Aembit’s attestation process allowed them to use metadata from the operating environment to cryptographically validate the application’s identity on each request.
Support for custom and third-party applications with no code changes
Deploying the Aembit Edge component eliminated the need for developers to make code changes. Aembit Edge acts as a transparent proxy, injecting credentials without disrupting the application. This is particularly important for third-party applications, where the company couldn’t dictate changes in how the vendor implemented Snowflake access.
Move to secretless access
Because Snowflake supports key-pair authentication, in which the client presents a short-lived JSON Web Token signed with its private key, Aembit can inject a freshly minted short-lived credential into each access request, even for applications that were originally configured with static credentials. Dynamic credentials greatly improved security by reducing the window of opportunity for credential compromise: a captured token expires within minutes rather than remaining valid until someone rotates a password. Again, this happened without changes to the application itself.
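What "secretless access" means on the wire, as an added example that is not Aembit's code and not the company's: the component that holds the RSA private key (in the case study, the proxy) mints a Snowflake key-pair JWT with a short expiry per request, while the application never sees the key. The account identifier `xy12345`, user `etl_loader`, and five-minute TTL are hypothetical. The claim layout (`iss` of the form `ACCOUNT.USER.SHA256:<public-key fingerprint>`, `sub` of the form `ACCOUNT.USER`, one-hour maximum lifetime) is Snowflake's documented key-pair format; the verifier side is included so the expiry window and key binding can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims Snowflake expects in a key-pair JWT: iss = "<ACCOUNT>.<USER>.SHA256:<fingerprint>",
// sub = "<ACCOUNT>.<USER>", iat/exp in Unix seconds, exp at most one hour after iat.
type SnowflakeClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// PublicKeyFingerprint returns "SHA256:<base64>" of the DER SubjectPublicKeyInfo, the
// value Snowflake shows as RSA_PUBLIC_KEY_FP for the user and expects inside iss.
func PublicKeyFingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return "SHA256:" + base64.StdEncoding.EncodeToString(sum[:]), nil
}

// MintSnowflakeJWT signs a short-lived RS256 token; the caller is the only holder of key.
func MintSnowflakeJWT(key *rsa.PrivateKey, account, user string, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > time.Hour { // Snowflake rejects tokens valid for more than an hour
		return "", errors.New("ttl must be positive and at most one hour")
	}
	fp, err := PublicKeyFingerprint(&key.PublicKey)
	if err != nil {
		return "", err
	}
	account, user = strings.ToUpper(account), strings.ToUpper(user)
	claims := SnowflakeClaims{
		Iss: account + "." + user + "." + fp,
		Sub: account + "." + user,
		Iat: now.Unix(),
		Exp: now.Add(ttl).Unix(),
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifySnowflakeJWT mirrors the relying party's checks: alg pinned to RS256 (no alg
// confusion), signature valid under the registered key, iss naming that key, exp in the future.
func VerifySnowflakeJWT(token string, pub *rsa.PublicKey, now time.Time) (*SnowflakeClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or alg is not RS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify under the registered key")
	}
	var c SnowflakeClaims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("claims unreadable")
	}
	if fp, _ := PublicKeyFingerprint(pub); !strings.HasSuffix(c.Iss, "."+fp) {
		return nil, errors.New("iss does not name the presented key")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, err := MintSnowflakeJWT(key, "xy12345", "etl_loader", time.Now(), 5*time.Minute)
	fmt.Println(tok, err)
}
```

On the Snowflake side the public key is registered once on the user (`ALTER USER etl_loader SET RSA_PUBLIC_KEY='...'`), after which the user can authenticate with tokens like the one above and no password needs to exist; rotating the key pair is a single `ALTER USER` rather than a hunt through every workload that embedded a secret.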
Aembit enabled the company to use conditional access policies. These policies added an extra layer of security by ensuring that workloads not only authenticated their identity but also met specific security conditions before accessing sensitive data.
The platform provided centralized and detailed identity-based logging and monitoring. This feature is crucial for the company’s security operations, offering enhanced visibility for incident response and compliance and simplifying audit processes by tying activities directly to application identities rather than IP addresses or other less-reliable identifiers.
Benefits and Outcomes
The company saw a significant enhancement in its security and risk posture. The move to identity-based access across a variety of internal and external applications replaced long-lived secrets with short-lived credentials.
Streamlined secrets management, secrets rotation, and access management
Automated credential management and dynamic access controls significantly reduced the operational overhead linked to manual processes, such as credential rotation and verifying application access. This enabled the company’s IT and security teams to concentrate more on strategic initiatives.
Consistent access management across environments
Implementing Aembit allowed for a consistent approach to managing access, not only in the cloud but across the company’s entire technology stack. This consistency was particularly beneficial given the mix of cloud and on-premises environments, as well as using SaaS services like Snowflake.
Compliance and Incident Response Efficiency
The identity-based logging and monitoring capabilities significantly improved the company’s ability to comply with various regulatory requirements and enhanced its incident response effectiveness. This efficiency was a direct result of the more accurate and reliable tracking of access and usage patterns.
By adopting the Aembit Workload IAM Platform, the company not only streamlined its access management to Snowflake but also set a precedent for future-proofing its security infrastructure against evolving threats and complexities in workload management. It plans to extend Aembit’s workload IAM platform to other sensitive databases and applications, aiming for a unified approach to workload identity across its diverse environments.