This is what I will be up to today

While Snowflake provides strong default security capabilities, enterprises must take additional steps to lock down the identity and access layer to prevent unauthorized data access. In this article, we focus on front-end hardening, including authentication mechanisms, federated identity controls, network access constraints, and token lifecycle management. The goal is to ensure that only the right identities, coming from the right paths, under the right conditions, ever reach Snowflake.

Snowflake supports SAML 2.0 and OAuth 2.0-based SSO. You should disable native Snowflake usernames/passwords entirely for production accounts.

SAML (Okta, Azure AD, Ping)

• Create an enterprise application in your IdP.
• Configure SAML assertions to pass custom attributes like role, email, department.
• Use SCIM provisioning to sync Snowflake users/roles/groups from the IdP.
• Set the session timeout in your IdP lower than Snowflake’s to avoid dangling sessions.

Avoid provisioning ACCOUNTADMIN via SAML. Manage this break-glass account separately.

Use EXTERNAL_OAUTH instead of SAML for modern applications or service integrations.

---

Lock Down OAuth Access

Snowflake supports OAuth for both interactive and non-interactive use. You must restrict token scope, audience, and expiration windows to reduce risk.

Key Hardening Strategies:

• Use short-lived tokens (preferably < 15 minutes) for all automation.
• Configure audience (aud) and scopes strictly. Avoid issuing tokens with SESSION:ALL unless required.
• Rotate client secrets for OAuth apps regularly.
• For client credentials flow, ensure the client cannot impersonate high-privileged roles.
• Deny ACCOUNTADMIN access through any OAuth app.

Supported Scopes Examples:

Scope	Description
session:role:<role_name>	Restrict token to one role only
session:warehouse:<wh>	Bind session to specific warehouse

Snowflake OAuth Token Validation (under the hood)

sqlCopyEditSELECT SYSTEM$EXTRACT_OAUTH_TOKEN_CLAIM('aud', '<access_token>');

---

Restrict Native Auth with Network Policies

Even if federated auth is enforced, native logins can still exist and be exploited. Use Snowflake Network Policies to harden this path.

Strategy:

• Create two network policies:
  • admin_policy: Only allows break-glass IP ranges
  • default_policy: Allows enterprise proxy or VPN egress IPs only
• Apply the default to the account:

sqlCopyEditALTER ACCOUNT SET NETWORK_POLICY = default_policy;

• Apply admin_policy only to named break-glass users.

Consider a Cloudflare or Zscaler front-door to enforce geo/IP conditions dynamically.

---

Implement Role Hierarchy Discipline

Identity hardening isn’t complete without strict RBAC practices. Prevent role escalation and sprawl.

Best Practices:

• Disallow use of SET ROLE = ANY unless strictly required.
• Disable PUBLIC role from having any privileges:

sqlCopyEditREVOKE ALL PRIVILEGES ON DATABASE <db> FROM ROLE PUBLIC;

• Ensure OAuth apps assume dedicated roles, not shared ones.
• Create role chains with the principle of least privilege — don’t nest high-priv roles into commonly used ones.

---

Enable MFA Everywhere You Can

Snowflake itself doesn’t natively enforce MFA — this must be handled at the IdP or via authentication proxy.

Solutions:

• Require MFA on all interactive IdP logins (Okta, Azure, Ping).
• Use conditional access policies to block access if MFA isn’t passed.
• For break-glass accounts: Use hardware token MFA or a privileged access broker like CyberArk.

---

Monitor and Rotate OAuth Secrets & Certificates

Snowflake OAuth integrations (especially EXTERNAL_OAUTH) rely on JWT signing keys.

Operational Controls:

• Rotate JWT signing certs every 90 days.
• Monitor for expired or invalid tokens using:

sqlCopyEditSHOW INTEGRATIONS;

• Alert on integration usage via LOGIN_HISTORY or EVENT_HISTORY.

---

Harden Service Account Behavior

Service identities are often the weakest link. Use automation to provision/deprovision service roles and tokenize all secrets via a secrets manager like Vault.

Key Points:

• Never let a service identity own SECURITYADMIN or ACCOUNTADMIN.
• Tag tokens via session:user_agent, session:client_ip and audit the usage patterns.
• For zero trust, bind each service to its own network segment and OAuth flow.

---

Monitor Everything at the Edge

Don’t trust Snowflake alone for auditing — bring data into your SIEM.

Ingest from:

• LOGIN_HISTORY
• QUERY_HISTORY
• ACCESS_HISTORY
• EVENT_HISTORY

Pipe into Splunk, Snowflake, or S3 via Snowpipe and monitor:

• Role switching anomalies
• Login attempts outside normal hours
• OAuth token usage per integration

In an age where cybersecurity threats are relentless and disinformation moves faster than truth, we need leaders who are brave enough to speak facts—even when it’s inconvenient. Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA), has been that kind of leader from day one.

Krebs didn’t seek fame. He didn’t seek a fight. He sought the truth.

As director of CISA, he led one of the most critical missions in modern government: protecting the integrity of U.S. elections and critical infrastructure. Under his leadership, CISA declared the 2020 election “the most secure in American history”—a statement backed by career security experts, intelligence assessments, and hard data.

That statement, grounded in evidence, got him fired.

And now, years later, in a deeply concerning escalation, the current administration has reportedly revoked his security clearance and ordered an investigation into his work at CISA. Let’s be clear—this isn’t about security. It’s about political revenge.

Krebs has since continued to serve the public good, both as co-founder of the Krebs Stamos Group and in his role at SentinelOne. He remains one of the few voices in the field who speaks plainly, refuses to bend to political pressure, and puts the country before career.

If we want to live in a world where facts matter, where professionals are empowered to do the right thing, and where public servants don’t fear retaliation for speaking truth, then we must stand by Chris Krebs.

This isn’t about party. It’s about principle.

We owe our respect—and our support—to those who prioritize the safety of the country over the safety of their own jobs. Krebs did exactly that.

And we should all be damn grateful he did.

Creating the perfect PowerPoint presentation is an art—an equilibrium between compelling content and striking visuals. However, for professionals and developers who need to test the efficiency of co-authoring tools or presentation software, the content itself can sometimes be secondary to the functionality being tested. That’s where the power of automation comes in, particularly in generating mock data for PowerPoint presentations.

I’ve been working on a fun side project It’s a script that allows users to create ‘fake’ PowerPoint data to simulate various scenarios and test how long it takes to read through the content in a process akin to co-authoring. For those intrigued by how this automation operates and its potential benefits, you can delve into the details on my GitHub repository.

Why Automate PowerPoint Data Generation?

The reasons for automating data generation are numerous, especially in a corporate or development setting:

• Testing Efficiency: For software developers and IT professionals, having a tool that automatically generates data can significantly aid in testing the efficiency of co-authoring tools and other collaborative features in presentation software.
• Training: Automated mock presentations can serve as training material for new employees, helping them get acquainted with presentation tools and company-specific templates.
• Benchmarking: By standardizing the length and complexity of the generated content, teams can benchmark the performance of their software or the productivity of their staff.

How Does the Automation Work?

The automation script I developed is designed to be intuitive. It populates PowerPoint slides with random text, images, and data. The script takes into account different factors like text length and complexity, mimicking real-world presentations without the need for manual data entry.

Moreover, I incorporated a timing mechanism to assess how long a ‘co-authoring’ read-through would take. This feature is invaluable for software developers who aim to improve the collaborative aspects of presentation tool

It is up now on my github

As someone who hasn’t been using Terraform for years, something things I’m about to say are obvious to you, someone who likely already knows that it’s a powerful infrastructure-as-code (IAC) tool that allows you to automate the provisioning and management of your cloud resources. With Terraform, you can define your infrastructure using a declarative language, and then use that definition to create, update, and destroy your resources in a consistent and repeatable way.

It has been a fantastic tool to get to know. Most fun I’ve had in technology in a long time.

One of the key benefits of using Terraform is that it allows you to abstract away the complexity of the underlying cloud APIs and services. Instead of having to write custom scripts or manually configure each individual resource, you can define your infrastructure in a high-level, human-readable format that can be version-controlled and shared with your team. This makes it easier to collaborate, track changes, and ensure consistency across your infrastructure.

Terraform also provides a number of built-in features and plugins that make it easy to work with a wide range of cloud providers, services, and tools. For example, you can use Terraform to provision infrastructure on AWS, Azure, Google Cloud, and many other cloud providers. Additionally, Terraform supports a wide range of resource types, including compute instances, load balancers, databases, and more.

Another benefit of using Terraform is that it allows you to automate your infrastructure changes with confidence. Because Terraform is declarative, you can see exactly what changes will be made to your infrastructure before you apply them. This helps you avoid unexpected changes and ensures that your infrastructure remains stable and secure.

Terraform is a fantastic tool for automating your infrastructure and managing your cloud resources. Whether you’re working on a small project or a large-scale enterprise deployment, Terraform can help you achieve your goals quickly and efficiently.

I often wonder why haven’t more companies rolled out DKIM at this point as it is clearly a fix for so many phishing/SPAM issues.

DKIM, which stands for DomainKeys Identified Mail, is an email authentication method designed to detect email spoofing and phishing. It works by allowing an organization to attach a digital signature to an email message, which can be validated by the recipient’s email server. DKIM is an important security feature for any organization that sends email, as it helps to prevent fraudulent emails from being delivered to the recipient’s inbox.

In Office365 and Exchange online, not using DKIM can pose several dangers. Here are a few of them:

1. Increased risk of phishing attacks: Phishing attacks are a type of cyber attack that involve tricking users into revealing sensitive information, such as login credentials or credit card details. Without DKIM, it becomes easier for attackers to impersonate legitimate senders and convince recipients to provide their personal information.
2. Increased risk of email spoofing: Email spoofing is when an attacker sends an email that appears to be from a legitimate sender, but is actually from a fraudulent source. DKIM helps to prevent email spoofing by verifying that the email actually came from the sender’s domain. Without DKIM, it becomes easier for attackers to impersonate legitimate senders and deceive recipients.
3. Increased risk of email interception: Email interception is when an attacker intercepts an email in transit and reads its contents. Without DKIM, it becomes easier for attackers to intercept and read emails, as there is no digital signature to validate the authenticity of the email.
4. Decreased email deliverability: Many email providers, including O365, use DKIM as a factor in their spam filtering algorithms. Without DKIM, emails may be more likely to be flagged as spam or rejected by the recipient’s email server, resulting in decreased email deliverability.

Not using DKIM in O365 can pose several dangers, including increased risk of phishing attacks and email spoofing, increased risk of email interception, and decreased email deliverability. Therefore, it is highly recommended that organizations use DKIM to help ensure the security and authenticity of their email communications.

Introduction: The world of technology is continually evolving, and with it comes new challenges in ensuring the safety and security of our digital systems. One such challenge is the ever-present threat of memory exploits. These security breaches occur when hackers manipulate a program’s memory to gain unauthorized access, allowing them to steal sensitive data or execute malicious code. This article will discuss the dangers of memory exploits, the importance of developers securing their memory usage, and why using Rust, while helpful, is only part of the solution.

The Dangers of Memory Exploits: Memory exploits are a severe concern for several reasons. They have the potential to impact not only individual users but also large organizations and government institutions. Some of the most critical dangers include:

1. Data breaches: Hackers can use memory exploits to gain access to sensitive information, such as personal data, financial information, or trade secrets, which can lead to identity theft, financial losses, or corporate espionage.
2. System instability: When memory exploits occur, it can cause system crashes or introduce new vulnerabilities, leaving the door open for further exploits or rendering the system inoperable.
3. Loss of trust: Security breaches erode the trust users place in software and hardware products, potentially leading to reduced adoption, market share, and revenue.

The Need for Developers to Secure Memory Usage: Developers play a crucial role in mitigating the risks associated with memory exploits. They can implement various measures to ensure that the software they create is less susceptible to such attacks. Some of these measures include:

1. Adopting secure coding practices: Developers should follow industry best practices for secure coding, which can help prevent memory exploits by eliminating vulnerabilities from the outset.
2. Regularly updating and patching software: By keeping software up-to-date, developers can close known security vulnerabilities, reducing the risk of memory exploits.
3. Conducting security audits: Performing security audits can help identify and fix vulnerabilities in software, providing another layer of defense against memory exploits.
4. Leveraging secure programming languages: Using languages like Rust can help minimize memory-related vulnerabilities, but it is essential to recognize that this is only part of the solution.

Rust as a Partial Solution: Rust is a systems programming language designed with safety and performance in mind. Its syntax and unique features, such as its ownership system and the borrow checker, help prevent memory-related issues like data races, null pointer dereferences, and buffer overflows. While adopting Rust can significantly reduce the risk of memory exploits, it is not a magic bullet.

1. Rust’s learning curve: Rust’s unique features and syntax can be challenging for developers familiar with other programming languages, which can slow down adoption.
2. Existing software: Many applications are already written in other languages, and rewriting them entirely in Rust would be a time-consuming and expensive task.
3. Rust is not immune to all vulnerabilities: While Rust reduces the risk of memory exploits, it is not entirely immune to other vulnerabilities or programmer errors.

Conclusion: The dangers of memory exploits are very real and have far-reaching consequences. Developers play a vital role in securing their memory usage and should employ a multi-faceted approach to minimize the risk of memory exploits. While adopting Rust can be a step in the right direction, it is important to recognize that it is only part of the solution. By combining Rust with secure coding practices, regular software updates, and security audits, developers can create more secure software and help defend against the threat of memory exploits.