In May 2024, Snowflake experienced a data breach as a result of exposed credentials that allowed a threat actor to access customer accounts that weren’t secured with MFA.
The fallout from this data breach ultimately impacted large Snowflake customers like Ticketmaster, AutoZone, Santander Bank, and AT&T. Following the announcement of the breach, Snowflake implemented refined security measures to avoid similar incidents in the future.
However, the question remains: why aren’t publicly accessible cloud companies secure by default?
A Pervasive Stigma Against Security
Before we can answer the question of why companies aren’t secure by default, we need to look at the underlying psychology and motivation of companies and, in particular, the arguments that are made against implementing security.
Startup Mentality
One of the most pervasive (and quite frankly horrible) arguments against building in security by default is the “move fast and break things” mentality that is common at startups.
Startup life is tough, and a good metaphor is that you are building your parachute as you are falling. Either you succeed and live, or you burn in and cease to exist. The problem with the startup mentality is that even when they succeed and live, most startups fail to shift from survival mode to maturity mode as the company grows and matures.
In maturity mode, companies need to resolve all of the debt they incurred just to survive. This can be operational debt, technical debt, or security debt.
Unfortunately, if the survival mentality persists, this debt continues to accrue and can kill the company because the cost to continue to operate exceeds the incoming revenue.
Security Is Bad For Productivity
Another argument that frequently pops up against implementing security is the perception that security is bad for productivity.
I find this argument particularly ironic since employees seem willing to tolerate bad processes, bad experiences, and other examples of bad friction, yet they complain the loudest about new security controls (like being required to change their password periodically).
My own opinion about this perception is employees are largely indifferent to security (or in general they think it is a good thing). However, security often results in very visible changes to processes and ways of working and it is the change that employees don’t like. They associate security with change and since change is bad, security is bad.
This is similar to the argument that security increases friction and the assumption that all friction is bad. This assumption is not only false, it also leads to the thought process that any friction in the customer experience will lead to lost customers and sales.
The reality is some friction is good and acts as safeguards to steer people towards a desired (secure) outcome.
Security As An Upsell
One last reason for failing to implement security by default is when companies choose to profit from security as an upsell (I’m looking at you Microsoft).
By charging extra for the most useful or best features, these companies are implicitly and explicitly placing a cost on adding in security, which is perpetuating the stigma that security is bad.
Changing Perception
Leading research for high-performing cultures indicates teams that can effectively prioritize and execute all of their demands are the highest-performing teams.
In particular, teams that were able to incorporate security into their processes actually went faster and performed better than teams that struggled with or ignored security altogether.
One other thing we can do to change this negative perception of security is to stop allowing members of the security function to introduce bad friction. We have all experienced bad friction in the form of time wasters, security theater, and the dreaded “no”. This behavior doesn’t help the mission of security and perpetuates the stigma against our profession.
Default Opted-In
Assuming companies can overcome the startup mentality, successfully incorporate security into their development processes, and overcome the stigma of security as being bad, what should they be doing to make their products and services secure by default?
The first thing companies can do is discard the notion that increased security will inhibit sales or drive customers away. Instead, companies should use security as a selling point and configure their services to be secure by default, which means customers will need to go through some sort of initial security setup when they purchase the product or service.
Customers who don’t want to do this will need to explicitly opt out or seek alternate providers, firmly placing the liability for not meeting security best practices on their shoulders.
Enforce Security Best Practices
What security functionality should companies offer by default to their customers? Here is a short list:
- Multi-Factor Authentication – Including the option for one-time passwords, secure tokens, and passkeys.
- Encryption – All data and transport protocols should be encrypted by default with the latest versions available.
- Access Control and Detection – Default deny access to resources and make customers explicitly allow access. This includes making resources non-public by default until a customer specifies otherwise. Detect changes in the state of resources and notify customer contacts of abnormalities.
- Easy Button For Fundamentals – Make it easy for customers to pull a comprehensive asset inventory, control their instance or tenancy with a master account, and offer simple reports for ways they can improve their security posture.
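A sketch of the default opted-in model and the list above, added here as an example and not taken from the original article or any vendor's product: every control starts in its secure state, weakening one requires a named approver and a reason, and the posture report flags any control that was changed without that record. The control names, the `Tenant` class, and the sample tenants are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical control names; each one defaults to its secure state.
SECURE_DEFAULTS = {
    "mfa_required": True,
    "encrypt_at_rest": True,
    "encrypt_in_transit": True,
    "resources_private": True,      # non-public until the customer says otherwise
    "default_deny_access": True,
}

@dataclass
class Tenant:
    name: str
    settings: dict = field(default_factory=lambda: dict(SECURE_DEFAULTS))
    opt_outs: list = field(default_factory=list)

    def opt_out(self, control, approved_by, reason):
        """Weaken one control only with a named approver and a reason on record."""
        if control not in SECURE_DEFAULTS:
            raise KeyError(f"unknown control: {control}")
        if not approved_by.strip() or not reason.strip():
            raise ValueError("opt-out requires an approver and a reason")
        self.settings[control] = False
        self.opt_outs.append({"control": control, "approved_by": approved_by, "reason": reason,
                              "recorded_at": datetime.now(timezone.utc).isoformat()})

    def posture_report(self):
        """List each control that differs from the secure default and who accepted it."""
        accepted = {o["control"]: o["approved_by"] for o in self.opt_outs}
        return [
            {"control": c, "accepted_by": accepted.get(c, "UNRECORDED")}
            for c, secure in SECURE_DEFAULTS.items()
            if self.settings.get(c) != secure
        ]

def demo():
    # Constructed sample tenants, not real customers.
    strict = Tenant("example-strict")
    legacy = Tenant("example-legacy")
    legacy.opt_out("mfa_required", "ciso@example.test", "legacy service account")
    legacy.settings["resources_private"] = False   # drift: changed without an opt-out
    return strict.posture_report(), legacy.posture_report()

if __name__ == "__main__":
    for report in demo():
        print(report)
```

An `UNRECORDED` entry is the case the detection bullet describes: a resource whose state changed without anyone explicitly accepting the risk, which should trigger a notification to the customer's contacts.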
The Wrap
There are lots of reasons why security becomes an afterthought for companies. Often, it is because they fail to shift from survival mode to maturity mode. Other times, their culture persists in the notion that security has a bad stigma and inhibits the business.
Some companies even upsell customers on security functionality, which limits the adoption of security controls. The reality is companies that practice security by design and incorporate security into development cultures move faster and outpace their competition. Companies that offer publicly available software and services need to shift their mentality to make security a default setting that is turned on at the onset of the relationship, like any other core product feature.
Until companies start making security default opt-in, we will continue to experience massive data breaches like the one from Snowflake.