Snowflake strengthens standard sign-in security

Welcome to Runtime! Today: Snowflake admins can now set stronger login security practices for their users, how the AI boom is forcing Google to acknowledge that carbon offsets don't work, and the latest funding rounds in enterprise tech.

Was this email forwarded to you? Sign up here to get Runtime each week.)

The M factor

Multifactor authentication — which combines the traditional login/password combination with a unique code sent to a device in the user's possession — is quickly becoming a requirement across cloud services that store the crown jewels of their customers. In the wake of the discovery last month of multiple large data breaches at Snowflake customers that didn't enforce MFA, CEO Sridhar Ramaswamy promised to roll out a policy that would require Snowflake users to enable one of the most basic security precautions demanded by today's hostile environment.

As the fallout from those breaches continues to spread, Snowflake announced new features Tuesday to encourage the use of MFA, but stopped short of making it a mandate for existing users across the platform. It is, however, making the MFA option more prominent and making it easier for admins to set their own policies.

The next time Snowflake users log into their accounts they'll be prompted to enable MFA, and while they can dismiss that prompt it will pop back up in three days.
Snowflake administrators can now require their corporate users to set up MFA the next time they log into the service.
Snowflake also made its Trust Center, first announced last year as a private preview, generally available for administrators to monitor compliance with these policies as well as flag dormant accounts or accounts that have higher access privileges than they should.
Snowflake also recommended that administrators of service accounts — automated, non-human accounts used to connect data across applications — get rid of password logins for those accounts and instead use OAuth or key-pair authentication.

The announcement arrived the same week two prominent Snowflake customers — Ticketmaster and Nieman Marcus — continued to grapple with the fallout from data stolen from their accounts.

Bar codes for thousands of print-at-home concert tickets sold by Ticketmaster for prominent acts such as Pearl Jam and Carrie Underwood have been leaked by hackers who claim Ticketmaster won't be able to issue new, legitimate codes to their customers.
Meanwhile, security researcher Troy Hunt found evidence that personal data belonging to 31 million people was exposed in the Neiman Marcus breach.
And we still don't know the full extent of how much information was stolen from poorly protected Snowflake customers, with only a dozen or so confirming breaches out of an estimated 165 customers that were affected.

Snowflake said Tuesday it would require anyone who creates an account after today to enable MFA, but it's not clear if it will ever require existing customers to do so. That stands in contrast to policies recently adopted by some of the cloud providers.

Microsoft is set to start enforcing MFA use for Azure logins this month, after GitHub rolled out that mandate in January.
AWS also announced last year that it will require users with root access to an AWS Organizations account to start using MFA "in mid-2024."
These mandates are trickier to implement in practice than they sound, and can break existing identity-management workflows if customers aren't given enough time to prepare.
But as threat actors become more sophisticated every month and companies store ever-increasing amounts of sensitive data in cloud services, default MFA should become table stakes for any serious cloud services provider.

Burning down the house

The carbon-neutral goals expressed by the hyperscalers have always felt like they should be taken with a grain of salt, worthy but ineffective efforts to offset the enormous amount of energy required to run their services. Thanks to the AI boom, Google is done pretending that the old methods work.

The company announced this week that it no longer considers itself "carbon neutral" and has stopped buying carbon offsets in hopes of balancing the ledger against the energy consumption of its massive network of data centers. Google is now focused on carbon removal projects, according to Bloomberg, and hopes to achieve "net-zero carbon emissions" by 2030.

Google is not alone in putting aside its climate goals in pursuit of AI business: Microsoft, which has thrown itself into the AI boom with everything it has, acknowledged in May that emissions related to data-center construction and operation rose 30% compared to 2020. And AWS, which still quotes former CEO Adam Selipsky on its sustainability page, was well behind its competitors even before the AI boom with plans to be carbon neutral by 2040.

Enterprise funding

Command Zero launched with $21 million in seed funding to build out a platform that uses AI to automate security event detection.

Tembo raised $14 million in Series A funding to help developers use the open-source Postgres database across multiple operating environments.

The Runtime roundup

Cloudflare introduced a block button for website operators that want to prevent AI bots from crawling their sites, after the discovery by Robb Knight that AI search engines like Perplexity are not respecting the robots.txt honor system.

AWS's Graviton 4 processors became generally available today, and they should offer about a 30% jump in performance compared to the previous generation.

Oracle is no longer in talks to provide GPUs to Elon Musk's XAI thing, after "Musk’s demand that the supercomputer be built faster than Oracle thought possible," according to The Information.

UiPath announced plans to lay off 10% of its workforce, or about 400 employees, as AI-powered headwinds continue to impact the once-bright future of RPA.

Charges that GitHub illegally used code samples to train its Copilot coding assistant were largely dismissed by a federal judge in San Francisco.

Thanks for reading — see you Thursday!