Case Study
Snowflake Uses Aembit to Secure Workload Access
Snowflake has revolutionized its security approach by implementing Aembit’s Workload IAM to enhance access management across its ecosystem. This transition allows automated, secure access handling, boosting efficiency and compliance while reducing manual oversight and security risks. The partnership exemplifies cutting-edge security and operational enhancement.
Snowflake originally published this blog post on Medium.
- Inconsistent security access methods for Snowflake.
- Widespread secrets sprawl and persistent secrets risks, with no identity-based access control.
- Manual monitoring and key rotation, lacking dynamic control.

- Save 2 FTEs while hardening workload security.
- Secretless and identity-based access cuts 85% of credential issuance, credential rotation, and auditing follow-up.
- Enhanced security with conditional access policies and identity-based logging.
Securing Workload Access: Snowflake’s Journey to Workload Identity and Access Management (Workload IAM)
Story written by Cameron Tekiyeh, Sr. Manager, Global Security Analytics at Snowflake.
Today I’m excited to share some of the things that Snowflake has been working on behind the scenes to make our ecosystem of applications more secure and, by extension, to make Snowflake an even more secure place for your data and AI strategies.
We’re big believers in automation, and as a company we’ve invested in creating and implementing tools that allow us to simplify and streamline the work our teams need to do on a regular basis. Beyond simply eliminating repetitive tasks, investing in automation allows us to improve security by reducing blindspots, onboarding employees faster, and allowing less experienced team members to accomplish more.
Yet, as we built a more robust and capable ecosystem of tools to support our activities, it was essential that these tools could securely access Snowflake (and where necessary, each other) in a controlled, compliant, and automated manner. It’s here where our path to building a Workload Identity and Access Management (Workload IAM) strategy began, culminating with our partnership with Aembit.
Access Management: Credentials, Secrets, and Identities
Snowflake had developed a mature process for handling access between workloads. In fact, it looks much like what other organizations probably do. When developers needed access to another service (whether to Snowflake, to another SaaS service, or even to an internal service), they filed a request with an IT CloudOps team, which was responsible for creating a service account and an access credential and securely delivering that credential to the requesting party. The credential and the related service account could then be stored in Active Directory and synced to Okta, if necessary.
The original party was then responsible for inputting the credential into their application, and they were set. Yet each connection we set up created a significant, ongoing tax in terms of maintenance and security:
- Service accounts and access credentials needed to be stored and cataloged.
- Credentials needed to be regularly rotated, creating work for both SecOps and the application owner.
- Ongoing compliance and audits required us to regularly track down the owners of applications and assess whether the credential was still required.
- Compliance required visibility and reporting into the whole process.
In addition, we saw potential security risks that we could address:
- Many workloads depended on long-lived versus short-lived access credentials.
- Once a credential was issued, it was possible that it could be used for multiple workloads, beyond what it was originally intended for.
- We did not know anything about the posture of the workload: is it healthy enough to provide the access it is requesting?
- Finally, multiple humans may touch these highly privileged credentials that are really meant to be used by workloads.
While the original process had served us well, we knew, both from the development of our own software and the continuing expansion of the Snowflake ecosystem, that workload-to-workload access was only growing, and at the same time it was becoming a targeted attack surface at other organizations. The combination of this emerging risk and the opportunity to automate a critical workflow elevated the priority of addressing workload access management.
Automating Secure Access with Aembit
As we began crafting a solution to this problem, we considered User IAM as a model for how we’d like to operate: we wanted to have workload identities that could be verified upon access, with policies, and dynamically issued credentials delivered in real-time.
We looked at a number of available tools. For example, we considered our existing secrets managers and vaults, but we knew of existing challenges with their credential issuance and credential usage processes, and we knew this approach would likely add a new burden for our developers and application owners. We also considered using the native IAM tools of our cloud providers, but those tools were limited to their own environments, and we needed something that would give us a single, consistent way to automate access across all of our environments.
As a result of our research, we began working with Aembit. They provide a Workload IAM system that allows us to move from managing credentials to managing access. Aembit is designed to work as an independent workload identity broker that can validate the identity of a client workload (a SaaS Service, Container/VM, or even a script) using the identity natively provided by its operating environment, and then issue an access credential based on a policy we set.
Aembit integrates with the broad range of services we need to access by supporting a broad set of access credential types and protocols. On the other side, it supports our client workloads through identity federation with cloud, on-premise, and SaaS services. Moreover, that integration can happen via API or by way of a clever auth proxy called Aembit Edge that transparently provides all the auth logic and credential management for the workload. More on that in a bit.
Not surprisingly, our initial use case with Aembit was to specifically secure access between a number of workloads and our own internal Snowflake instance.
Working with Aembit, we were proactively able to improve our environment in a number of ways:
- Automate credential issuance, just-in-time. Workload access requests are intercepted and evaluated by Aembit on an ongoing basis, injecting credentials when a policy is met. This means workloads no longer need to store long-lived credentials, and humans don’t need to touch them either. We’ve also eliminated the manual credential rotation process in workloads, and with it the risk of breaking critical application flows during a rotation.
- Go secretless. Since Snowflake (and a growing number of other services) support dynamic access credentials, Aembit can issue short-lived credentials instead of long-lived keys. Aembit Edge can inject these credentials into a request, even when the workload thinks it is using an API key. This gives us the flexibility to improve security without burdening developers or asking our vendors to change how their product works.
- Enable zero trust conditional access. Not only can we provide access based on an identity, we can assess related characteristics of the workload before providing access. For example, is the workload being actively managed by our Cloud Security tool? Is it performing its operation during the time of day we would expect? There are a range of conditions we can check based on the workload, its request, and the sensitivity of the service it requires.
- Provide a highly automated, compliant system of record. We see every access request, the policy it met, and what credential was issued. No more chasing down application owners, and no need to undergo complex reporting tasks for auditors.
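The four points above describe one mechanism from different angles: a broker checks a workload's environment-attested identity against a policy, adds conditions such as posture and time of day, mints a short-lived credential only when the policy is met, and records every decision. The following is an added illustration of that flow in Python, written for this article; it is not Aembit's code or API. The workload identity, the policy, the `snowflake-internal` target name, the 15-minute TTL and the HMAC-signed token format are all constructed for the example.

```python
"""Toy workload-access broker: identity + conditions -> short-lived credential + audit record.

Constructed illustration only; not Aembit's implementation or API.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Signing key for the tokens this toy broker issues (constructed; a real
# broker would keep this in a KMS/HSM, never in source).
_SIGNING_KEY = b"constructed-demo-key"
CREDENTIAL_TTL = timedelta(minutes=15)   # short-lived instead of a long-lived API key


@dataclass(frozen=True)
class WorkloadIdentity:
    """Identity as attested by the workload's operating environment.

    In practice this comes from a platform-issued identity document or token;
    here it is a plain record so the example runs offline.
    """
    workload_id: str    # e.g. a cloud role or service-account name
    environment: str    # which platform vouched for it
    managed: bool       # posture: is the workload enrolled in security tooling?


@dataclass(frozen=True)
class AccessPolicy:
    client: str                   # workload_id the policy applies to
    server: str                   # target service
    allowed_hours_utc: range      # time-of-day window in which requests are expected
    require_managed: bool = True  # conditional-access posture requirement


def evaluate(policies, identity, server, now):
    """Return (matched_policy, reason); matched_policy is None when access is denied."""
    for p in policies:
        if p.client != identity.workload_id or p.server != server:
            continue
        if p.require_managed and not identity.managed:
            return None, "denied: workload not managed by security tooling"
        if now.hour not in p.allowed_hours_utc:
            return None, f"denied: request at {now.hour:02d}:00 UTC outside expected window"
        return p, "allowed"
    return None, "denied: no policy grants this client access to this server"


def mint_credential(identity, server, now):
    """Issue a credential bound to client, server and an expiry; format is constructed."""
    expires = (now + CREDENTIAL_TTL).replace(microsecond=0)
    payload = f"{identity.workload_id}|{server}|{expires.isoformat()}"
    sig = hmac.new(_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_credential(token, server, now):
    """What the target service checks: signature, intended server, and expiry."""
    try:
        workload_id, tok_server, expires_iso, sig = token.split("|")
    except ValueError:
        return False
    payload = f"{workload_id}|{tok_server}|{expires_iso}"
    expected = hmac.new(_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    if tok_server != server:          # a credential for one service is useless at another
        return False
    return now < datetime.fromisoformat(expires_iso)


def broker_request(policies, identity, server, now, audit_log):
    """Evaluate policy, mint a credential if allowed, and record the decision."""
    policy, reason = evaluate(policies, identity, server, now)
    token = mint_credential(identity, server, now) if policy else None
    audit_log.append({                 # the "system of record": every request, its outcome
        "time": now.isoformat(),
        "client": identity.workload_id,
        "environment": identity.environment,
        "server": server,
        "decision": reason,
        "credential_issued": token is not None,
    })
    return token


# Constructed sample data.
POLICIES = [AccessPolicy(client="etl-runner", server="snowflake-internal",
                         allowed_hours_utc=range(1, 7))]
ETL_RUNNER = WorkloadIdentity("etl-runner", "constructed-cloud", managed=True)
UNMANAGED_RUNNER = WorkloadIdentity("etl-runner", "constructed-cloud", managed=False)
NOW = datetime(2024, 3, 4, 3, 0, tzinfo=timezone.utc)           # inside the window
NOW_OFF_HOURS = datetime(2024, 3, 4, 14, 0, tzinfo=timezone.utc)  # outside the window
LATER = NOW + timedelta(minutes=20)                               # past the 15-minute TTL

if __name__ == "__main__":
    log = []
    tok = broker_request(POLICIES, ETL_RUNNER, "snowflake-internal", NOW, log)
    broker_request(POLICIES, ETL_RUNNER, "snowflake-internal", NOW_OFF_HOURS, log)
    broker_request(POLICIES, UNMANAGED_RUNNER, "snowflake-internal", NOW, log)
    for entry in log:
        print(entry)
    print("token still valid after TTL:", verify_credential(tok, "snowflake-internal", LATER))
```

The workload never handles a long-lived key: it receives a credential valid only for one server and one short window, and the audit log answers the auditor's questions (who asked, under which policy, what was issued) without chasing application owners. The posture and time-of-day checks stand in for the conditions the text describes; a real broker would source them from the platform and the security tooling rather than from constructed fields.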
First and foremost, working with Aembit allows us to improve our security posture and introduce a new line of defense: Workload Identities create a new control plane with which we can secure access to our sensitive data and resources. This is essential today, and even more critical as our workload footprint grows.
Along with making us more secure, Aembit also helps automate existing processes. As we expand the scope of Aembit within Snowflake, we estimate that across credential issuance, credential management, compliance reviews, reporting, auditing, and overall process management, Aembit can save us 5–10 hours a day.
What’s Next: Empowering A Secure Snowflake Ecosystem
We’re excited to have started this Workload IAM journey, and we have many plans on where it can help us. First, we’ll continue to expand the scope of our usage, covering areas such as our Software Supply Chain, building more sophisticated dynamic policies, and building a central “system of record” for our workload-to-workload access.
But we also think that Workload IAM is an important element of the Snowflake ecosystem. We are forging ahead on this path so that our customers can also securely automate their workload-to-workload access with confidence. Part of the value of securing Snowflake internally in this manner is that it will be battle-tested for customers who would also like to secure their workloads’ access to Snowflake. We also believe that this can play an important role in Snowflake Native Apps as they become a part of your data & AI fabric.
We look forward to continuing this work with Aembit and also using it to benefit you.